Store Gerrit Secrets to AWS Secret Manager

AWS Secret Manager is a secure way of storing and managing secrets. These scripts make use of it to retrieve sensitive information required to run gerrit, such as private keys and passwords.

In order to do that, such secrets must be previously uploaded to the secret manager, so that they can be found and used during deployment.

To store the secrets, run the script that uploads them to AWS Secrets Manager:

./add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory secret_prefix aws-region-id

for example:

./add_secrets_aws_secrets_manager.sh /tmp/secrets secret_prefix us-east-1

When secret_prefix is omitted, it is set to gerrit_secret by default.

The script expects secrets to be available in a specified directory (e.g. /tmp/secrets).

The expected secrets are the following.

SSH Host Keys

The SSH keys you will need to add are the ones usually created and used by Gerrit:

  • ssh_host_ecdsa_384_key
  • ssh_host_ecdsa_384_key.pub
  • ssh_host_ecdsa_521_key
  • ssh_host_ecdsa_521_key.pub
  • ssh_host_ecdsa_key
  • ssh_host_ecdsa_key.pub
  • ssh_host_ed25519_key
  • ssh_host_ed25519_key.pub
  • ssh_host_rsa_key
  • ssh_host_rsa_key.pub

You will have to create the keys and place them in a directory, for example /tmp/secrets, which you can then feed to the add_secrets_aws_secrets_manager.sh script. Gerrit generates these SSH host keys during its init step, so you can copy them from a previous installation (the etc/*key* files), if you have one:

cp <previous_installation>/etc/*key* /tmp/secrets

If you don't have a previous installation of gerrit you can initialize a new gerrit and copy the generated ones, as follows:

cd /tmp/
wget https://gerrit-releases.storage.googleapis.com/gerrit-<version>.war
java -jar gerrit-<version>.war init -d /tmp/foobar --dev --batch --no-auto-start
cp /tmp/foobar/etc/*key* /tmp/secrets

Email Private Key

You will need to create a secret and put it in a file called registerEmailPrivateKey in the same directory as the SSH keys (e.g. /tmp/secrets).

LDAP Password

You will need to put the admin LDAP password in a file called ldapPassword in the same directory as the SSH keys (e.g. /tmp/secrets).

SMTP Password

You will need to put the SMTP password in a file called smtpPassword in the same directory as the SSH keys (e.g. /tmp/secrets).

Prometheus Bearer Token

Optional. This is only needed if you are setting up a monitoring stack as described here. Generate a bearer token to be used for monitoring with Prometheus:

openssl rand -hex 20 > /tmp/secrets/prometheus_bearer_token

Private/public SSH key for replication (required only for recipes involving replicas)

You will also need to create the private and public SSH keys used by the replication plugin to replicate from primaries to replicas, for example:

ssh-keygen -b 2048 -m PEM -t rsa -f /tmp/secrets/replication_user_id_rsa -q -N ""

This produces the two files the script expects:

  • replication_user_id_rsa
  • replication_user_id_rsa.pub

Pull-Replication Bearer Token Authentication

Optional. This is only needed if you are setting up a recipe that requires replication (i.e. primary-replica or dual-primary). Generate the bearer token as follows:

openssl rand -hex 20 > /tmp/secrets/pull_replication_bearer_token
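Before handing the directory to add_secrets_aws_secrets_manager.sh it is worth checking that every file listed above is actually there, is not empty, and that the private material is readable only by its owner, since a missing or empty file is uploaded as a useless secret and an over-permissive key file has already leaked on the host. The following POSIX shell check is an added example written for this page; it is not part of the upload script or the project's own code. The file names come from the sections above; the function name check_secrets_dir and the split into required and optional files are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the project's script): sanity-check a secrets directory
# before passing it to add_secrets_aws_secrets_manager.sh.
# File names are the ones documented above; "required" vs "optional" follows
# the page's wording and is this example's assumption.

REQUIRED_SECRETS="ssh_host_ecdsa_384_key ssh_host_ecdsa_384_key.pub \
ssh_host_ecdsa_521_key ssh_host_ecdsa_521_key.pub \
ssh_host_ecdsa_key ssh_host_ecdsa_key.pub \
ssh_host_ed25519_key ssh_host_ed25519_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub \
registerEmailPrivateKey ldapPassword smtpPassword"

# Only needed for the monitoring and replication recipes; reported, not fatal.
OPTIONAL_SECRETS="prometheus_bearer_token replication_user_id_rsa \
replication_user_id_rsa.pub pull_replication_bearer_token"

# is_owner_only FILE: succeeds if no group/other permission bits are set.
# Parses the group+other columns of `ls -l`, which works on GNU and BSD ls.
is_owner_only() {
  perms=$(ls -ld "$1" | cut -c5-10)
  case "$perms" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# check_private FILE NAME: everything except the .pub halves is private
# material and must be mode 0600 (or tighter). Succeeds if acceptable.
check_private() {
  case "$2" in
    *.pub) return 0 ;;
    *)     is_owner_only "$1" ;;
  esac
}

# check_secrets_dir DIR: prints one line per problem found.
# Returns 0 when all required secrets are present and acceptable, 1 otherwise.
check_secrets_dir() {
  dir=$1
  status=0
  [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }

  for name in $REQUIRED_SECRETS; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "missing required secret: $name"; status=1; continue
    fi
    if [ ! -s "$f" ]; then
      echo "empty secret file: $name"; status=1
    fi
    check_private "$f" "$name" || { echo "too permissive (expected 0600): $name"; status=1; }
  done

  for name in $OPTIONAL_SECRETS; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "note: optional secret not present: $name"
      continue
    fi
    check_private "$f" "$name" || { echo "too permissive (expected 0600): $name"; status=1; }
  done

  return $status
}

# Usage: sh check_secrets.sh /tmp/secrets && ./add_secrets_aws_secrets_manager.sh /tmp/secrets gerrit_secret us-east-1
if [ "$#" -gt 0 ]; then
  check_secrets_dir "$1"
fi
```

Run it with the directory as the only argument; a non-zero exit means at least one problem was printed and the upload should not proceed. The check deliberately reads only metadata (existence, size, permission bits) and never echoes file contents, so its output is safe to keep in a deployment log.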