From 7f0de8d811c32ef1579006647cfb44d04f52dd09 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Fri, 12 Sep 2025 15:12:08 +0200
Subject: [PATCH] PoC: NGINX server snippets for proxy buffering
---
 .../charts/webservice/templates/_datamodel.tpl | 1 +
 .../gitlab/charts/webservice/templates/_nginx.tpl | 15 +++++++++++++++
 charts/gitlab/charts/webservice/values.yaml | 1 +
 values.yaml | 3 ++-
 4 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/charts/gitlab/charts/webservice/templates/_datamodel.tpl b/charts/gitlab/charts/webservice/templates/_datamodel.tpl
index 56ef98fed2..5052c58a05 100644
--- a/charts/gitlab/charts/webservice/templates/_datamodel.tpl
+++ b/charts/gitlab/charts/webservice/templates/_datamodel.tpl
@@ -55,6 +55,7 @@ This is output as YAML, it can be read back in as a dict via `toYaml`.
 annotations:
 {{- $v.annotations | toYaml | nindent 4 }}
 proxyConnectTimeout: {{ $v.proxyConnectTimeout }}
+ proxyRequestBufferingOffRegex: {{ $v.proxyRequestBufferingOffRegex }}
 proxyReadTimeout: {{ $v.proxyReadTimeout }}
 proxyBodySize: {{ $v.proxyBodySize | quote }}
 serviceUpstream: {{ $v.serviceUpstream | quote }}
diff --git a/charts/gitlab/charts/webservice/templates/_nginx.tpl b/charts/gitlab/charts/webservice/templates/_nginx.tpl
index d7d9740444..8490e17709 100644
--- a/charts/gitlab/charts/webservice/templates/_nginx.tpl
+++ b/charts/gitlab/charts/webservice/templates/_nginx.tpl
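Review bot: The added `proxyRequestBufferingOffRegex` line in `_datamodel.tpl` emits the value unquoted, unlike `proxyBodySize` and `serviceUpstream` just below it, so a regex that starts with a YAML indicator such as `[` or `*`, or that contains `: ` or ` #`, will fail to parse or be silently truncated when the datamodel is read back. Pipe it through `quote` like its neighbours: `proxyRequestBufferingOffRegex: {{ $v.proxyRequestBufferingOffRegex | quote }}`. The value ends up inside an NGINX `location` block, so a truncated pattern would change which paths skip request buffering. The enclosing template starts and ends outside this hunk.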
@@ -37,7 +37,22 @@ Returns a YAML string with the annotations.
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/proxy-read-timeout" $ingress.local.proxyReadTimeout -}}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/proxy-connect-timeout" $ingress.local.proxyConnectTimeout -}}
 {{- $_ := set $annotations "nginx.ingress.kubernetes.io/service-upstream" $ingress.local.serviceUpstream -}}
+{{- if $ingress.local.proxyRequestBufferingOffRegex -}}
+{{- $regex := $ingress.local.proxyRequestBufferingOffRegex -}}
+{{- $workhorse := (include "gitlab.workhorse.url" .root) -}}
+{{- $snippet := (include "webservice.ingress.nginx.proxyRequestBufferingOffSnippet" (dict "regex" $regex "workhorse" $workhorse)) -}}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/server-snippet" $snippet -}}
+{{- $_ := set $annotations "nginx.ingress.kubernetes.io/proxy-request-buffering" "on" -}}
+{{- end }}
 {{- $annotations | toYaml -}}
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{- define "webservice.ingress.nginx.proxyRequestBufferingOffSnippet" -}}
+location ~ ({{ .regex }}) {
+ proxy_cache off;
+ proxy_pass {{ .workhorse }};
+ proxy_request_buffering off;
+}
+{{- end -}}
diff --git a/charts/gitlab/charts/webservice/values.yaml b/charts/gitlab/charts/webservice/values.yaml
index 34c55e0e97..1b92a9f78b 100644
--- a/charts/gitlab/charts/webservice/values.yaml
+++ b/charts/gitlab/charts/webservice/values.yaml
@@ -114,6 +114,7 @@ ingress:
 proxyConnectTimeout: 15
 proxyReadTimeout: 600
 proxyBodySize: "512m"
+ proxyRequestBufferingOffRegex: "/api/v\\d/jobs/\\d+/artifacts$|/import/gitlab_project$|\\.git/git-receive-pack$|\\.git/ssh-receive-pack$|\\.git/ssh-upload-pack$|\\.git/gitlab-lfs/objects|\\.git/info/lfs/objects/batch$"
 tls: {}
 # secretName:
 # smartcardSecretName:
diff --git a/values.yaml b/values.yaml
index b788a8906b..9e8fd813ae 100644
--- a/values.yaml
+++ b/values.yaml
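Review bot: `$regex` and `$workhorse` are pasted into the `location ~ (...) { ... }` snippet in `_nginx.tpl` with no validation, so whitespace, `;`, `{` or `}` in the value (a quantifier like `\d{2}` is enough) changes the structure of the generated server block rather than just the pattern. Reject such values at render time before the `set` of `server-snippet`, for example `{{- if regexMatch "[\\s;{}]" $regex }}{{ fail "proxyRequestBufferingOffRegex must not contain whitespace, ';', '{' or '}'" }}{{ end -}}`. The hand-written location also carries only three directives, so matching requests presumably skip whatever the controller puts in its generated locations (forwarded-for and host headers, body-size and timeout settings, auth or rate-limit annotations); confirm GitLab still sees the real client address for these paths. The `set` on `server-snippet` appears to overwrite any snippet an operator already supplied through `annotations`, though the code that builds `$annotations` is outside this hunk.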
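Review bot: Shipping a non-empty default for `proxyRequestBufferingOffRegex` in the webservice `values.yaml` turns the `server-snippet` annotation on for every install, including ones that point at an external ingress-nginx where snippet annotations are disabled, and there the Ingress would likely be rejected or the snippet ignored. For a PoC, default to off and keep the pattern as a documented example: `proxyRequestBufferingOffRegex: ""` with a comment above it such as `# Regex of request paths proxied to Workhorse with request buffering off; requires snippet annotations on the controller.` The alternatives are also unanchored at the start and `\\.git/gitlab-lfs/objects` has no `$`, so any path that ends with one of the alternatives, or contains the LFS one, is matched; the comment should say whether that is intended.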
@@ -1012,8 +1012,9 @@ nginx-ingress: &nginx-ingress
 digest: "sha256:016a25cf89bf7f930869ccd7cb3dd4acbe106cd4da1419804951ef9c8636f053"
 addHeaders:
 Referrer-Policy: strict-origin-when-cross-origin
+ allowSnippetAnnotations: true
 config: &nginx-ingress-controller-config
- annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
+ annotation-value-word-blocklist: "load_module,lua_package,_by_lua,root,serviceaccount,',\""
 hsts: "true"
 hsts-include-subdomains: "false"
 hsts-max-age: "63072000"
-- GitLab
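Review bot: `allowSnippetAnnotations: true` together with dropping `location`, `proxy_pass`, `{` and `}` from `annotation-value-word-blocklist` applies to every Ingress this controller serves, not only the webservice one, so anyone who can create or edit an Ingress in a watched namespace can now add their own location blocks and upstreams to the shared NGINX config. This is a wider trust change than the commit title suggests and should be stated next to the setting, e.g. `# Needed for the webservice server-snippet; allows any Ingress on this controller to inject NGINX config, so limit Ingress write access and controller scope.` Consider whether the buffering rule can live in controller-level configuration instead, which would let snippets stay disabled and the blocklist stay intact. The `nginx-ingress` mapping continues outside the hunk, so where these keys nest is inferred from the surrounding lines.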