ITMan Documents

This Weblog Just Created For Document Sysadmin Challenges

Gitlab Backup Strategy Using Minio

set up Minio somewhere

Minio is an object storage server compatible with the S3 protocol. Head to https://minio.io/ to learn more.

Hint: You might want to use MINIO_WORM=on to protect against accidental or malicious deletion of your backups.

separate users with IAM policies

Since RELEASE.2018-10-18T00-28-58Z, Minio supports separate users with attached IAM policies. Instead of (or in addition to) using MINIO_WORM=on, you could create a new user and attach a write-only policy:

$ cat gitlab-wo.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::gitlab/*"
      ]
    }
  ]
}
$ mc admin policies add myminio gitlab-wo gitlab-wo.json
Added policy `gitlab-wo` successfully.
$ mc admin users add myminio gitlab $randomkey gitlab-wo
Added used `gitlab` successfully.

Note that only allowing s3:PutObject is not the same as using MINIO_WORM: the user can still overwrite existing files.
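To make the difference concrete, this added example (not part of the original post) checks the gitlab-wo policy above with a simplified evaluator and reports what the backup credential can do to the bucket. The function names `is_allowed` and `audit_backup_policy` are hypothetical, and only Effect, Action and Resource are modelled.

```python
import json
from fnmatch import fnmatchcase

# The write-only policy from the page (gitlab-wo.json), embedded so this runs offline.
GITLAB_WO = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::gitlab/*"]}
  ]
}
""")

def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified evaluation (assumption): explicit Deny wins, otherwise any
    matching Allow. Conditions, NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit_action = any(fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        hit_resource = any(fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit_backup_policy(policy, bucket):
    """Report what a backup uploader credential can do to the bucket."""
    obj = f"arn:aws:s3:::{bucket}/1532695658_2018_07_27_10.8.4_gitlab_backup.tar"
    report = {
        "upload": is_allowed(policy, "s3:PutObject", obj),
        "read": is_allowed(policy, "s3:GetObject", obj),
        "delete": is_allowed(policy, "s3:DeleteObject", obj),
        "list": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
    }
    # There is no separate "overwrite" action: a PUT to an existing key replaces
    # the object, so upload permission implies overwrite unless WORM is enabled.
    report["overwrite_existing"] = report["upload"]
    return report

if __name__ == "__main__":
    print(audit_backup_policy(GITLAB_WO, "gitlab"))
```

A report with `delete` false but `overwrite_existing` true is the case the note describes: the credential cannot remove a backup, but it can replace one under the same key.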

configure Gitlab Omnibus

Add the following to your /etc/gitlab/gitlab.rb:

gitlab_rails['backup_upload_connection'] = {
  'provider' => 'AWS',
  'aws_access_key_id' => 'YOUR-ACCESS-KEY-OR-USERNAME-HERE',
  'aws_secret_access_key' => 'YOUR-SECRET-KEY-HERE',
  'endpoint' => 'https://minio.yourdomain.com:9000',
  'path_style' => true
}
gitlab_rails['backup_upload_remote_directory'] = 'gitlab'

Note the addition of 'path_style' => true and the endpoint URL. The bucket gitlab should already exist:

$ mc mb myminio/gitlab
Bucket created successfully `myminio/gitlab`.

Afterwards run gitlab-ctl reconfigure as usual and launch a backup with gitlab-rake gitlab:backup:create to verify correct operation.

$ mc ls myminio/gitlab
[2018-07-27 14:47:48 CEST] 288MiB 1532695658_2018_07_27_10.8.4_gitlab_backup.tar
Last updated on 26 Oct 2020
Published on 23 Nov 2018