From 6735f6fd5490c9c5a0e627d1bc045eb1a96e1350 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Wed, 6 Aug 2025 15:38:29 +0200 Subject: [PATCH] Webservice: Default to IPv6 compatible binds We disabled IPv6 compatible binds in https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4382 because of a issue with throttling of unauthenticated web traffic. Now with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196981 rails should see the real client IP, even if the client or one of the intermediate proxies was mapped to an IPv6 address, so we can default to IPv6 compatible binds. Closes https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6084 --- charts/gitlab/charts/webservice/values.yaml | 6 +++--- doc/charts/gitlab/webservice/_index.md | 6 +++--- spec/configuration/webservice_metrics_spec.rb | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/gitlab/charts/webservice/values.yaml b/charts/gitlab/charts/webservice/values.yaml index f72bebe851..1f6a660297 100644 --- a/charts/gitlab/charts/webservice/values.yaml +++ b/charts/gitlab/charts/webservice/values.yaml @@ -33,7 +33,7 @@ monitoring: exporter: enabled: false port: 8083 - listenAddr: '0.0.0.0' + listenAddr: '*' # Shutdown settings # Defines an interval to block healthcheck, @@ -66,7 +66,7 @@ sshHostKeys: metrics: enabled: true - listenAddr: '0.0.0.0' + listenAddr: '*' port: 8083 path: /metrics tls: {} @@ -151,7 +151,7 @@ puma: max: 4 disableWorkerKiller: true # workerMaxMemory: 1024 # in MB units - bindIp6: false + bindIp6: true controlPort: 9293 hpa: diff --git a/doc/charts/gitlab/webservice/_index.md b/doc/charts/gitlab/webservice/_index.md index d3984e62de..d035dd1ab7 100644 --- a/doc/charts/gitlab/webservice/_index.md +++ b/doc/charts/gitlab/webservice/_index.md 
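Review bot: The new `listenAddr: '*'` default under `monitoring.exporter` (and the identical change under `metrics:` in the `@@ -66,7 +66,7 @@` hunk) has no comment saying what `*` resolves to, while the value it replaces was an explicit IPv4 wildcard. Assuming the exporter treats `*` as a dual-stack wildcard, port 8083 starts accepting IPv6 connections on upgrade, so operators whose NetworkPolicy `ipBlock` or firewall rules cover only IPv4 ranges should be prompted to re-check them. I would add a comment above each key such as `# '*' listens on all IPv4 and IPv6 interfaces; set '0.0.0.0' to stay IPv4-only`. Both enclosing maps continue outside the hunks.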
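Review bot: Flipping `bindIp6` to `true` in the `puma:` hunk depends on the Rails-side client-IP fix named in the commit message, but nothing next to the key records that dependency. If the chart is deployed with an image that predates that fix, the throttling problem that originally led to `false` could presumably return for unauthenticated traffic. A comment on the key would keep this visible to anyone overriding the image tag: `# Relies on the client-IP fix in gitlab-org/gitlab!196981; set to false when running an older image`. It is also worth confirming how Puma behaves on nodes where IPv6 is disabled, since the diff does not show a fallback.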
@@ -100,7 +100,7 @@ to the `helm install` command using the `--set` flags.
 | `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
 | `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping |
 | `metrics.port` | `8083` | Metrics endpoint port |
-| `metrics.listenAddr` | `0.0.0.0` | Metrics listen address. |
+| `metrics.listenAddr` | `*` | Metrics listen address. |
 | `metrics.path` | `/metrics` | Metrics endpoint path |
 | `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations |
 | `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor |
@@ -112,7 +112,7 @@ to the `helm install` command using the `--set` flags.
 | `minio.port` | `9000` | Port for MinIO service |
 | `minio.serviceName` | `minio-svc` | Name of MinIO service |
 | `monitoring.ipWhitelist` | `[0.0.0.0/0, ::/0]` | List of IPs to whitelist for the monitoring endpoints |
-| `monitoring.exporter.listenAddr` | `0.0.0.0` | Metrics listen address. |
+| `monitoring.exporter.listenAddr` | `*` | Metrics listen address. |
 | `monitoring.exporter.enabled` | `false` | Enable webserver to expose Prometheus metrics, this is overridden by `metrics.enabled` if the metrics port is set to the monitoring exporter port |
 | `monitoring.exporter.port` | `8083` | Port number to use for the metrics exporter |
 | `psql.password.key` | `psql-password` | Key to psql password in psql secret |
@@ -122,7 +122,7 @@ to the `helm install` command using the `--set` flags.
 | `puma.workerMaxMemory` | | The maximum memory (in megabytes) for the Puma worker killer |
 | `puma.threads.min` | `4` | The minimum amount of Puma threads |
 | `puma.threads.max` | `4` | The maximum amount of Puma threads |
-| `puma.bindIp6` | `false` | Bind IPv6 addresses with Puma. Currently defaults to false due to a [known issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6084) related to rate limiting. |
+| `puma.bindIp6` | `true` | Bind IPv6 addresses with Puma. |
 | `rack_attack.git_basic_auth` | `{}` | See [GitLab documentation](https://docs.gitlab.com/administration/settings/protected_paths/) for details |
 | `redis.serviceName` | `redis` | Redis service name |
 | `global.registry.api.port` | `5000` | Registry port |
diff --git a/spec/configuration/webservice_metrics_spec.rb b/spec/configuration/webservice_metrics_spec.rb
index 3813966535..11093cfc62 100644
--- a/spec/configuration/webservice_metrics_spec.rb
+++ b/spec/configuration/webservice_metrics_spec.rb
@@ -15,7 +15,7 @@ describe 'Webservice monitoring/metrics configuration' do
 expect(monitoring).to include(
 'web_exporter' => {
 'enabled' => true,
- 'address' => '0.0.0.0',
+ 'address' => '*',
 'port' => 8083
 }
 )
@@ -36,7 +36,7 @@ describe 'Webservice monitoring/metrics configuration' do
 expect(monitoring).to include(
 'web_exporter' => {
 'enabled' => false,
- 'address' => '0.0.0.0',
+ 'address' => '*',
 'port' => 8083
 }
 )
-- GitLab
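Review bot: Both updated expectations (here and in the `@@ -36,7 +36,7 @@` hunk) pin only the new default `'address' => '*'`; neither shows an example that sets `listenAddr` back to `'0.0.0.0'` and checks that it reaches `web_exporter` unchanged. That override is now how an operator stays IPv4-only, so it deserves its own example rendering with `metrics.listenAddr: '0.0.0.0'` and expecting `'address' => '0.0.0.0'`, unless one already exists outside these hunks. The diffstat also lists no spec change for the `puma.bindIp6` default, so that flip appears to be unasserted. The surrounding examples start and end outside both hunks.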