From a9d6d6906217a58cac4ce95e4bac2c2d5f02ebdf Mon Sep 17 00:00:00 2001 From: Ash McKenzie Date: Wed, 17 Jul 2024 17:10:12 +1000 Subject: [PATCH 1/2] Add LFS Pure SSH protocol support --- .../gitlab-shell/templates/configmap.yml | 4 +- .../charts/gitlab-shell/values.schema.json | 10 ++++ charts/gitlab/charts/gitlab-shell/values.yaml | 2 + doc/charts/gitlab/gitlab-shell/index.md | 3 +- doc/charts/globals.md | 15 ++++++ spec/configuration/gitlab_shell_spec.rb | 49 +++++++++++++++++++ values.yaml | 3 ++ 7 files changed, 84 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/gitlab-shell/templates/configmap.yml b/charts/gitlab/charts/gitlab-shell/templates/configmap.yml index 2250bb7e2b..e5f808d2d4 100644 --- a/charts/gitlab/charts/gitlab-shell/templates/configmap.yml +++ b/charts/gitlab/charts/gitlab-shell/templates/configmap.yml @@ -90,13 +90,15 @@ data: gssapi: # Enable the gssapi-with-mic authentication method. Defaults to false. enabled: {{ .Values.config.gssapi.enabled }} - # Library path for gssapi shared library - defaults to libgssapi_krb5.so.2 + # Library path for gssapi shared library - defaults to libgssapi_krb5.so.2 libpath: {{ .Values.config.gssapi.libpath }} # Keytab path. Defaults to "", system default (usually /etc/krb5.keytab). keytab: "/etc/krb5.keytab" # The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file. service_principal_name: {{ .Values.config.gssapi.servicePrincipalName }} {{- end }} + lfs: + pure_ssh_protocol: {{ .Values.config.lfs.pureSSHProtocol }} krb5.conf: | {{- .Values.config.gssapi.krb5Config | nindent 4 }} # Leave this here - This line denotes end of block to the parser. diff --git a/charts/gitlab/charts/gitlab-shell/values.schema.json b/charts/gitlab/charts/gitlab-shell/values.schema.json index 603b841137..e6d346ecfc 100644 --- a/charts/gitlab/charts/gitlab-shell/values.schema.json +++ b/charts/gitlab/charts/gitlab-shell/values.schema.json 
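Review bot: The new `lfs:` / `pure_ssh_protocol:` keys at the end of the configmap.yml hunk are the only settings there without an explanatory comment, while each `gssapi` key above them states its purpose and default. Suggest adding above the key `# Perform Git LFS transfers over SSH instead of HTTP. Defaults to false.` so the rendered config is self-describing. Enabling the flag presumably moves LFS object traffic onto the SSH endpoint, so the chart docs would benefit from one sentence asking operators to confirm that limits and network policy on the gitlab-shell service cover that traffic. Indentation is flattened on this page, so it cannot be confirmed from the hunk whether the block sits inside or outside the section closed by `{{- end }}`.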
@@ -146,6 +146,16 @@ }, "title": "GSS-API related settings", "type": "object" + }, + "lfs": { + "properties": { + "pureSSHProtocol": { + "title": "Enable LFS pure SSH protocol support", + "type": "boolean" + } + }, + "title": "LFS related settings", + "type": "object" } }, "required": [ diff --git a/charts/gitlab/charts/gitlab-shell/values.yaml b/charts/gitlab/charts/gitlab-shell/values.yaml index cf4be1f21a..93264ac69c 100644 --- a/charts/gitlab/charts/gitlab-shell/values.yaml +++ b/charts/gitlab/charts/gitlab-shell/values.yaml @@ -142,6 +142,8 @@ config: key: keytab krb5Config: "" servicePrincipalName: "" + lfs: + pureSSHProtocol: false ## Allow to overwrite under which User and Group the Pod will be running. securityContext: diff --git a/doc/charts/gitlab/gitlab-shell/index.md b/doc/charts/gitlab/gitlab-shell/index.md index e3201c8b00..b18520fb92 100644 --- a/doc/charts/gitlab/gitlab-shell/index.md +++ b/doc/charts/gitlab/gitlab-shell/index.md 
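Review bot: The new `lfs` object in values.schema.json declares only `properties`, `title` and `type`, so it accepts any extra property. A misspelled key (for example a constructed `pureSshProtocol`) would pass validation and the setting would silently keep its default. If the sibling objects in this schema are closed (not visible in the hunk), add `"additionalProperties": false` to `lfs` to match. Otherwise treat this as an optional tightening.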
@@ -57,7 +57,8 @@ controlled by `global.shell.port`. | `config.gssapi.keytab.key` | `keytab` | Key holding the keytab in the Kubernetes secret | | `config.gssapi.krb5Config` | | Content of the `/etc/krb5.conf` file in the GitLab Shell container | | `config.gssapi.servicePrincipalName` | | The Kerberos service name to be used by the `gitlab-sshd` daemon | -| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | +| `config.lfs.pureSSHProtocol` | `false` | Enable LFS Pure SSH protocol support | +| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | | `deployment.livenessProbe.initialDelaySeconds` | 10 | Delay before liveness probe is initiated | | `deployment.livenessProbe.periodSeconds` | 10 | How often to perform the liveness probe | | `deployment.livenessProbe.timeoutSeconds` | 3 | When the liveness probe times out | diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 7b8b3988f6..1b541309bf 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -1942,6 +1942,8 @@ global: hostKeys: {} tcp: proxyProtocol: false + lfs: + pureSSHProtocol: false ``` | Name | Type | Default | Description | @@ -1950,6 +1952,7 @@ global: | `authToken` | | | See [authToken](gitlab/gitlab-shell/index.md#authtoken) in the GitLab Shell chart specific documentation. | | `hostKeys` | | | See [hostKeys](gitlab/gitlab-shell/index.md#hostkeyssecret) in the GitLab Shell chart specific documentation. | | `tcp.proxyProtocol` | Boolean | `false` | See [TCP proxy protocol](#tcp-proxy-protocol) below for specific documentation. | +| `lfs.pureSSHProtocol` | Boolean | `false` | See [LFS pure SSH protocol support](#lfs-pure-ssh-protocol-support) below for specific documentation. | ### Port 
@@ -1993,6 +1996,18 @@ global: proxyProtocol: true # default false ``` +### LFS Pure SSH protocol support + +LFS Pure SSH support offers the ability to perform LFS operations over SSH (instead +of the HTTP which is the default). + +```yaml +global: + shell: + lfs: + pureSSHProtocol: true # default false +``` + ## Configure GitLab Pages The global GitLab Pages settings that are used by other charts are documented diff --git a/spec/configuration/gitlab_shell_spec.rb b/spec/configuration/gitlab_shell_spec.rb index edbf1a1028..19804a8b6b 100644 --- a/spec/configuration/gitlab_shell_spec.rb +++ b/spec/configuration/gitlab_shell_spec.rb @@ -178,4 +178,53 @@ describe 'gitlab-shell configuration' do expect(t.dig('ServiceAccount/test-gitlab-shell', 'metadata', 'labels')).to include('global' => 'shell') end end + + context 'for LFS Pure SSH protocol support' do + let(:lfs_pure_ssh_protocol) { nil } + + let(:values) do + YAML.safe_load(%( + gitlab: + gitlab-shell: + config: + lfs: + pureSSHProtocol: #{lfs_pure_ssh_protocol} + )).deep_merge(default_values) + end + + let(:config) { t.dig('ConfigMap/test-gitlab-shell', 'data', 'config.yml.tpl') } + + let(:rendered_config) do + rendered = RuntimeTemplate.gomplate(raw_template: config) + YAML.safe_load(rendered, aliases: true) + end + + context 'when unset' do + it 'renders lfs.pure_ssh_protocol as disabled by default' do + expect_successful_exit_code + + expect(rendered_config['lfs']['pure_ssh_protocol']).to eq(false) + end + end + + context 'when disabled' do + let(:lfs_pure_ssh_protocol) { false } + + it 'renders lfs.pure_ssh_protocol as disabled' do + expect_successful_exit_code + + expect(rendered_config['lfs']['pure_ssh_protocol']).to eq(false) + end + end + + context 'when enabled' do + let(:lfs_pure_ssh_protocol) { true } + + it 'renders lfs.pure_ssh_protocol as enabled' do + expect_successful_exit_code + + expect(rendered_config['lfs']['pure_ssh_protocol']).to eq(true) + end + end + end end 
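Review bot: The 'when unset' example in gitlab_shell_spec.rb does not exercise an unset value. With `lfs_pure_ssh_protocol` left as `nil`, the interpolation renders `pureSSHProtocol: ` and YAML loads that as an explicit null override. Whether the expected `false` then comes from the chart default depends on how `deep_merge(default_values)` and Helm treat nulls, neither of which is visible here. Overriding the values in that context with `let(:values) { default_values }` would test the default directly. The enclosing `describe` block starts outside the hunk.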
diff --git a/values.yaml b/values.yaml index 33fc203a0a..3975b62102 100644 --- a/values.yaml +++ b/values.yaml @@ -617,6 +617,9 @@ global: ## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol tcp: proxyProtocol: false + ## https://docs.gitlab.com/charts/charts/globals#lfs-pure-ssh-protocol-support + lfs: + pureSSHProtocol: false ## Rails application secrets ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret -- GitLab From 07ceef76572afe166a2c4b322694c89e825bd11c Mon Sep 17 00:00:00 2001 From: Ash McKenzie Date: Wed, 24 Jul 2024 14:47:34 +1000 Subject: [PATCH 2/2] Remove lfs.pureSSHProtocol setting from global --- doc/charts/globals.md | 15 --------------- values.yaml | 5 +---- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 1b541309bf..7b8b3988f6 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -1942,8 +1942,6 @@ global: hostKeys: {} tcp: proxyProtocol: false - lfs: - pureSSHProtocol: false ``` | Name | Type | Default | Description | @@ -1952,7 +1950,6 @@ global: | `authToken` | | | See [authToken](gitlab/gitlab-shell/index.md#authtoken) in the GitLab Shell chart specific documentation. | | `hostKeys` | | | See [hostKeys](gitlab/gitlab-shell/index.md#hostkeyssecret) in the GitLab Shell chart specific documentation. | | `tcp.proxyProtocol` | Boolean | `false` | See [TCP proxy protocol](#tcp-proxy-protocol) below for specific documentation. | -| `lfs.pureSSHProtocol` | Boolean | `false` | See [LFS pure SSH protocol support](#lfs-pure-ssh-protocol-support) below for specific documentation. | ### Port 
@@ -1996,18 +1993,6 @@ global: proxyProtocol: true # default false ``` -### LFS Pure SSH protocol support - -LFS Pure SSH support offers the ability to perform LFS operations over SSH (instead -of the HTTP which is the default). - -```yaml -global: - shell: - lfs: - pureSSHProtocol: true # default false -``` - ## Configure GitLab Pages The global GitLab Pages settings that are used by other charts are documented diff --git a/values.yaml b/values.yaml index 3975b62102..af6ac0039d 100644 --- a/values.yaml +++ b/values.yaml @@ -617,9 +617,6 @@ global: ## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol tcp: proxyProtocol: false - ## https://docs.gitlab.com/charts/charts/globals#lfs-pure-ssh-protocol-support - lfs: - pureSSHProtocol: false ## Rails application secrets ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret @@ -885,7 +882,7 @@ global: ## https://docs.gitlab.com/charts/charts/globals/#jobs job: nameSuffixOverride: - + traefik: apiVersion: "" # newer apiVersion: "traefik.io/v1alpha1" -- GitLab