From 62f3e4bc153d4d56a06b069e89dabab75928735e Mon Sep 17 00:00:00 2001 From: safwanuahmed Date: Thu, 11 Sep 2025 17:38:53 -0400 Subject: [PATCH] Add workspaces hostname config with ingress and TLS support. Adds config support for workspaces hostname and ingress generation with TLS on provided hostname(WIP). Changelog: added --- .../charts/kas/templates/_default-config.yaml | 4 +- .../gitlab/charts/kas/templates/_helpers.tpl | 13 ++++++ .../kas/templates/ingress-workspaces.yaml | 45 +++++++++++++++++++ .../gitlab/charts/kas/templates/ingress.yaml | 2 +- charts/gitlab/charts/kas/values.yaml | 5 ++- .../charts/sidekiq/templates/configmap.yaml | 1 + .../charts/toolbox/templates/configmap.yaml | 1 + .../charts/webservice/templates/configmap.yml | 1 + charts/gitlab/templates/_gitlab.yaml.tpl | 8 ++++ charts/gitlab/templates/_kas.tpl | 8 ++++ spec/configuration/gitlab-yml-erb_spec.rb | 32 +++++++++++++ spec/configuration/kas_spec.rb | 18 +++++++- templates/_helpers.tpl | 2 + values.yaml | 7 +++ 14 files changed, 141 insertions(+), 6 deletions(-) create mode 100644 charts/gitlab/charts/kas/templates/ingress-workspaces.yaml diff --git a/charts/gitlab/charts/kas/templates/_default-config.yaml b/charts/gitlab/charts/kas/templates/_default-config.yaml index a0f11acb4d..6900321b39 100644 --- a/charts/gitlab/charts/kas/templates/_default-config.yaml +++ b/charts/gitlab/charts/kas/templates/_default-config.yaml @@ -71,9 +71,9 @@ autoflow: authorized_user_emails: {{ default list ((((.Values.autoflow).temporal).workflowDataEncryption).codecServer).authorizedUserEmails | toJson }} {{- end }} -{{- if (.Values.workspaces).enabled }} +{{- if .Values.global.workspaces.enabled }} workspaces: - enabled: {{ .Values.workspaces.enabled }} + enabled: true listen: network: "tcp" address: ":{{ .Values.service.workspacesServerPort }}" diff --git a/charts/gitlab/charts/kas/templates/_helpers.tpl b/charts/gitlab/charts/kas/templates/_helpers.tpl index 69f112170b..876c8356e5 100644 
--- a/charts/gitlab/charts/kas/templates/_helpers.tpl
+++ b/charts/gitlab/charts/kas/templates/_helpers.tpl
@@ -57,3 +57,16 @@ Labels to select Pods created by the KAS Deployment. Used for Service, PodMonito
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
 {{- end -}}
+
+
+{{/*
+Returns the secret name for the Secret containing the TLS certificate and key for Workspaces.
+Uses `ingress.tls.workspacesSecretName` first and falls back to `global.ingress.tls.workspacesSecretName`.
+*/}}
+{{- define "workspaces.tlsSecret" -}}
+{{- $defaultName := (dict "workspacesSecretName" "") -}}
+{{- if .Values.global.ingress.configureCertmanager -}}
+{{- $_ := set $defaultName "workspacesSecretName" (printf "%s-kas-workspaces-tls" .Release.Name) -}}
+{{- end -}}
+{{- pluck "workspacesSecretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/kas/templates/ingress-workspaces.yaml b/charts/gitlab/charts/kas/templates/ingress-workspaces.yaml
new file mode 100644
index 0000000000..b1236c299a
--- /dev/null
+++ b/charts/gitlab/charts/kas/templates/ingress-workspaces.yaml
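Review bot: The comment above `workspaces.tlsSecret` describes only two of the three sources the helper consults; the `$defaultName` branch means that with `global.ingress.configureCertmanager` set it falls back to the generated name `<release>-kas-workspaces-tls`, and otherwise to an empty string. Add a line such as `If neither is set, defaults to "<release>-kas-workspaces-tls" when cert-manager is configured, otherwise returns an empty string (no TLS).` Note also that the helper never falls back to `global.ingress.tls.secretName`, so a deployment that relies only on the global wildcard secret with cert-manager disabled gets an empty result here and the consumer template drops TLS for the workspaces host; whether a wildcard would even cover that host depends on how workspace URLs are formed, which this diff does not show, so either fall back to the global secret deliberately or document that `workspacesSecretName` is mandatory in that setup.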
@@ -0,0 +1,45 @@
+{{- if and .Values.global.kas.enabled .Values.global.workspaces.enabled -}}
+{{- if eq (include "gitlab.ingress.enabled" $) "true" -}}
+{{- $hostname := include "gitlab.workspaces.hostname" . -}}
+{{- $tlsSecret := include "workspaces.tlsSecret" . -}}
+{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ template "fullname" . }}-workspaces
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gitlab.standardLabels" . | nindent 4 }}
+ {{- include "gitlab.commonLabels" . | nindent 4 }}
+ annotations:
+ {{ include "ingress.class.annotation" $ingressCfg }}
+ kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}"
+ {{- if eq "nginx" .Values.global.ingress.provider }}
+ nginx.ingress.kubernetes.io/proxy-buffering: "off"
+ nginx.ingress.kubernetes.io/custom-http-errors: ""
+ {{- end }}
+ {{- include "gitlab.certmanager_annotations" . | nindent 4 }}
+ {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ {{ include "ingress.class.field" $ingressCfg }}
+ rules:
+ - host: {{ include "gitlab.workspaces.hostname" . | quote }}
+ http:
+ paths:
+ - path: "/"
+ pathType: {{ default "Prefix" $.Values.global.ingress.pathType }}
+ backend:
+ service:
+ name: {{ template "gitlab.kas.serviceName" . }}
+ port:
+ number: {{ .Values.service.workspacesServerPort }}
+ {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }}
+ tls:
+ - hosts:
+ - {{ $hostname }}
+ secretName: {{ $tlsSecret }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/kas/templates/ingress.yaml b/charts/gitlab/charts/kas/templates/ingress.yaml
index cd02911661..15934b4e75 100644
--- a/charts/gitlab/charts/kas/templates/ingress.yaml
+++ b/charts/gitlab/charts/kas/templates/ingress.yaml
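Review bot: The `tls:` block near the end of the new file is guarded by `and $tlsSecret (...)`, so when TLS is enabled for the release but no workspaces secret resolves (no `workspacesSecretName` and cert-manager off), the Ingress is still rendered and exposes the workspaces host over plain HTTP with no warning at install time. A silent downgrade is the wrong default for a host that carries workspace sessions; gate the block on the TLS-enabled check alone and make the secret mandatory, e.g. `{{- if eq (include "gitlab.ingress.tls.enabled" $) "true" }}` followed by `secretName: {{ required "set global.ingress.tls.workspacesSecretName (or gitlab.kas.ingress.tls.workspacesSecretName) when TLS is enabled" $tlsSecret }}`. Two smaller points: the `rules` entry recomputes the host via `include` although `$hostname` is already bound three lines into the file, and the tls host `- {{ $hostname }}` is unquoted while the rule host is piped through `quote`; use `$hostname | quote` in both places.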
@@ -79,7 +79,7 @@ spec: servicePort: {{ .Values.service.autoflowCodecServerApiPort }} {{- end }} {{- end }} - {{ if (.Values.workspaces).enabled }} + {{ if .Values.global.workspaces.enabled }} - path: "{{ trimSuffix "/" $.Values.ingress.workspacesServerApiPath }}{{ $.Values.global.ingress.path }}" pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} backend: diff --git a/charts/gitlab/charts/kas/values.yaml b/charts/gitlab/charts/kas/values.yaml index f183c5c824..e4c8593c00 100644 --- a/charts/gitlab/charts/kas/values.yaml +++ b/charts/gitlab/charts/kas/values.yaml @@ -7,6 +7,8 @@ global: ingress: {} kas: enabled: true + workspaces: + enabled: false redis: # host: '0.0.0.0' auth: {} @@ -14,6 +16,8 @@ global: # kas: # name: kas.example.com # https: true + # workspaces: + # name: workspaces.example.com init: image: {} @@ -160,7 +164,6 @@ privateApi: {} # key: workspaces: - enabled: false listenGracePeriod: "1s" shutdownGracePeriod: "300s" diff --git a/charts/gitlab/charts/sidekiq/templates/configmap.yaml b/charts/gitlab/charts/sidekiq/templates/configmap.yaml index 74e470708d..3b24a2d4b6 100644 --- a/charts/gitlab/charts/sidekiq/templates/configmap.yaml +++ b/charts/gitlab/charts/sidekiq/templates/configmap.yaml @@ -122,6 +122,7 @@ data: backup: path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) {{- include "gitlab.appConfig.kas" . | nindent 6 }} + {{- include "gitlab.appConfig.workspaces" . | nindent 6 }} {{- include "gitlab.appConfig.cell" . | nindent 6 }} {{- include "gitlab.appConfig.suggested_reviewers" . | nindent 6 }} {{- include "gitlab.appConfig.zoekt" . | nindent 6 }} diff --git a/charts/gitlab/charts/toolbox/templates/configmap.yaml b/charts/gitlab/charts/toolbox/templates/configmap.yaml index 158bdfd8b9..6094f2e445 100644 --- a/charts/gitlab/charts/toolbox/templates/configmap.yaml +++ b/charts/gitlab/charts/toolbox/templates/configmap.yaml 
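Review bot: Removing `enabled: false` from the kas chart's `workspaces:` block moves the switch to `global.workspaces.enabled`, but an existing deployment that still sets `gitlab.kas.workspaces.enabled: true` will upgrade to a release with workspaces silently off, because the kas ingress and `_default-config.yaml` hunks in this patch read only the global flag and the old key is simply ignored. Consider a deprecation guard in the kas templates, e.g. `{{- if hasKey .Values.workspaces "enabled" }}{{ fail "gitlab.kas.workspaces.enabled has moved to global.workspaces.enabled" }}{{- end }}`, or at minimum a comment above `listenGracePeriod` stating where the enable flag now lives. The commented `# workspaces:` example under `hosts` in the second hunk is helpful; a matching pointer in this block would close the loop.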
@@ -105,6 +105,7 @@ data: backup: path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) {{- include "gitlab.appConfig.kas" . | nindent 6 }} + {{- include "gitlab.appConfig.workspaces" . | nindent 6 }} {{- include "gitlab.appConfig.cell" . | nindent 6 }} {{- include "gitlab.appConfig.suggested_reviewers" . | nindent 6 }} {{- include "gitlab.appConfig.zoekt" . | nindent 6 }} diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml index 2795a39260..cba6433f77 100644 --- a/charts/gitlab/charts/webservice/templates/configmap.yml +++ b/charts/gitlab/charts/webservice/templates/configmap.yml @@ -134,6 +134,7 @@ data: backup: path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) {{- include "gitlab.appConfig.kas" . | nindent 6 }} + {{- include "gitlab.appConfig.workspaces" . | nindent 6 }} {{- include "gitlab.appConfig.cell" . | nindent 6 }} {{- include "gitlab.appConfig.suggested_reviewers" . | nindent 6 }} {{- include "gitlab.appConfig.zoekt" . | nindent 6 }} diff --git a/charts/gitlab/templates/_gitlab.yaml.tpl b/charts/gitlab/templates/_gitlab.yaml.tpl index 75b188909e..8838fa764d 100644 --- a/charts/gitlab/templates/_gitlab.yaml.tpl +++ b/charts/gitlab/templates/_gitlab.yaml.tpl @@ -54,6 +54,14 @@ gitlab_kas: {{- end -}} {{- end -}} +{{- define "gitlab.appConfig.workspaces" -}} +{{- if .Values.global.workspaces.enabled -}} +workspaces: + enabled: true + host: {{ include "gitlab.workspaces.hostname" . | quote }} +{{- end -}} +{{- end -}} + {{- define "gitlab.appConfig.cell" -}} {{- if eq .Values.global.appConfig.cell.enabled true -}} {{- with .Values.global.appConfig.cell -}} diff --git a/charts/gitlab/templates/_kas.tpl b/charts/gitlab/templates/_kas.tpl index 299b215fa0..99353cf205 100644 --- a/charts/gitlab/templates/_kas.tpl +++ b/charts/gitlab/templates/_kas.tpl 
@@ -36,6 +36,14 @@ Returns the KAS external URL (for external agentk connections) {{- end -}} {{- end -}} +{{/* +Returns the workspaces external hostname +*/}} +{{- define "gitlab.workspaces.hostname" -}} +{{- $hostname := $.Values.global.hosts.workspaces.name | required "Missing required workspaces host. Make sure to set `.Values.global.hosts.workspaces.name`" -}} +{{- $hostname -}} +{{- end -}} + {{- define "gitlab.kas.internal.scheme" -}} {{- printf "%s" (ternary "grpcs" "grpc" (eq $.Values.global.kas.tls.enabled true)) -}} {{- end -}} diff --git a/spec/configuration/gitlab-yml-erb_spec.rb b/spec/configuration/gitlab-yml-erb_spec.rb index ae6ddfa4de..63ef4915eb 100644 --- a/spec/configuration/gitlab-yml-erb_spec.rb +++ b/spec/configuration/gitlab-yml-erb_spec.rb @@ -665,4 +665,36 @@ describe 'gitlab.yml.erb configuration' do end end end + + context 'Workspaces host' do + let(:values) { HelmTemplate.defaults } + let(:template) { HelmTemplate.new(values) } + + def gitlab_yml(chart) + YAML.safe_load( + template.dig("ConfigMap/test-#{chart}", 'data', 'gitlab.yml.erb') + )['production']['workspaces']['host'] + end + + %w[webservice toolbox sidekiq].each do |chart| + context "for #{chart}" do + context 'is configured' do + let(:values) do + HelmTemplate.with_defaults(%( + global: + hosts: + workspaces: + name: workspaces.example.com + workspaces: + enabled: true + )) + end + + it 'populates the value to gitlab.yml.erb' do + expect(gitlab_yml(chart)).to eq('workspaces.example.com') + end + end + end + end + end end diff --git a/spec/configuration/kas_spec.rb b/spec/configuration/kas_spec.rb index 76379908a6..13e60491b6 100644 --- a/spec/configuration/kas_spec.rb +++ b/spec/configuration/kas_spec.rb @@ -321,9 +321,14 @@ describe 'kas configuration' do gitlab: kas: workspaces: - enabled: true listenGracePeriod: "10s" shutdownGracePeriod: "100s" + global: + hosts: + workspaces: + name: workspaces.example.com + workspaces: + enabled: true ))) end 
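Review bot: `$.Values.global.hosts.workspaces.name` in `gitlab.workspaces.hostname` is not nil-safe: if `global.hosts.workspaces` is absent (the kas subchart's own values.yaml in this patch only carries it as a comment), Helm fails with a nil-pointer evaluation error before `required` gets to print its message. Use the parenthesised lookup `(($.Values.global.hosts).workspaces).name` in place of the dotted chain so the friendly error is what operators actually see. The umbrella values.yaml does add `workspaces: {}` under `global.hosts`, so this mostly matters for standalone or partial-values rendering, but that is exactly when a clear message helps most.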
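Review bot: The new 'Workspaces host' context only exercises the enabled path; nothing asserts what `gitlab.yml.erb` looks like when `global.workspaces.enabled` stays at its default, which is the branch that protects existing installs. Assuming nothing else in the template emits a `workspaces` section, add a sibling context using plain defaults with `expect(YAML.safe_load(template.dig("ConfigMap/test-#{chart}", 'data', 'gitlab.yml.erb'))['production']).not_to have_key('workspaces')`. The `gitlab_yml` helper indexes `['workspaces']['host']` unconditionally, so it would raise rather than fail cleanly in that case; give it a `dig` so the negative test reports a meaningful mismatch.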
@@ -870,7 +875,12 @@ describe 'kas configuration' do "address" => :"9000" } } - } + }, + 'global' => { 'hosts' => { + 'workspaces' => { + 'name' => 'workspaces.example.com' + } + } } } ) end @@ -1072,6 +1082,10 @@ describe 'kas configuration' do enabled: true listenGracePeriod: "10s" shutdownGracePeriod: "100s" + global: + hosts: + workspaces: + name: workspaces.example.com ))) end diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index d70b28960b..fba26117af 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -412,6 +412,7 @@ We're explicitly checking for an actual value being present, not the existence o {{- $minio := pluck "secretName" $.Values.minio.ingress.tls | first -}} {{- $pages := pluck "secretName" ((index $.Values.gitlab "gitlab-pages").ingress).tls | first -}} {{- $kas := pluck "secretName" $.Values.gitlab.kas.ingress.tls | first -}} +{{- $workspaces := pluck "workspacesSecretName" $.Values.gitlab.kas.ingress.tls | first -}} {{- $smartcard := pluck "smartcardSecretName" $.Values.gitlab.webservice.ingress.tls | first -}} {{/* Set each item to configured value, or !enabled This works because `false` is the same as empty, so we'll use the value when `enabled: true` @@ -426,6 +427,7 @@ We're explicitly checking for an actual value being present, not the existence o {{- $minio := default $minio (not $.Values.global.minio.enabled) -}} {{- $pages := default $pages (not $.Values.global.pages.enabled) -}} {{- $kas := default $kas (not $.Values.global.kas.enabled) -}} +{{- $workspaces := default $workspaces (not $.Values.global.workspaces.enabled) -}} {{- $smartcard := default $smartcard (not $.Values.global.appConfig.smartcard.enabled) -}} {{/* Check that all enabled items have been configured */}} {{- if or $global (and $webservice $registry $minio $pages $kas $smartcard) -}} diff --git a/values.yaml b/values.yaml index 3660d3f15b..e94baafcff 100644 --- a/values.yaml +++ b/values.yaml 
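Review bot: `$workspaces` is assigned in both halves of the `templates/_helpers.tpl` hunk but never read: the closing `{{- if or $global (and $webservice $registry $minio $pages $kas $smartcard) -}}` is an unchanged context line, so the "all enabled items have been configured" check still passes with workspaces enabled and no `workspacesSecretName` set, and the new variable is dead code. Add it to the conjunction: `{{- if or $global (and $webservice $registry $minio $pages $kas $workspaces $smartcard) -}}`. The enclosing define starts before this hunk, so how the result is consumed is not visible here, but the intent of the surrounding block (as its own comment states) is clearly to include every enabled item.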
@@ -73,6 +73,7 @@ global: kas: {} pages: {} openbao: {} + workspaces: {} ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings ingress: @@ -508,6 +509,8 @@ global: # externalUrl: # internalUrl: # clientTimeoutSeconds: + + workspaces: {} ## Configure GitLab Cells. Cells is a GitLab internal-use experiment. ## https://docs.gitlab.com/administration/cells/ @@ -638,6 +641,10 @@ global: # secretName: # caSecretName: + workspaces: + ## If workspaces is enabled, you must provide a hostname under global.hosts + enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/spamcheck/ spamcheck: enabled: false -- GitLab
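Review bot: The bare `workspaces: {}` added after `# clientTimeoutSeconds:` in the second hunk has no consumer in this patch: every template reads `global.workspaces.enabled` or `global.hosts.workspaces.name`, and the `enabled` flag itself is declared in the third hunk under `global:` next to `spamcheck`. Indentation is not recoverable from this rendering, so please confirm the level: if it sits under `global.appConfig` it is an unused placeholder that should carry a comment saying what is expected there or be dropped; if it sits directly under `global:` it duplicates the mapping key declared below and parser duplicate-key behaviour decides which one wins. In the third hunk, make the comment name the exact key the templates require, since `gitlab.workspaces.hostname` fails on it: `## If workspaces is enabled, global.hosts.workspaces.name must be set; TLS for that host comes from ingress.tls.workspacesSecretName or cert-manager.`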