From 1267b681c76f42040344ee696747e7191bf0d125 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Fri, 24 Oct 2025 13:25:29 +0200
Subject: [PATCH] PoC: AIGW subchart
---
 Chart.yaml | 5 ++
 templates/_ai_gateway.tpl | 62 +++++++++++++++++++
 .../shared-secrets/_generate_secrets.sh.tpl | 4 ++
 values.yaml | 14 +++++
 4 files changed, 85 insertions(+)
 create mode 100644 templates/_ai_gateway.tpl
diff --git a/Chart.yaml b/Chart.yaml
index fa79c0df28..24f39ca1ac 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -58,6 +58,11 @@ dependencies:
 version: 0.6.1
 repository: https://charts.gitlab.io/
 condition: openbao.install
+# Dummy AIGW dependency. To make this work, manually package the chart and move the archive to charts/.
+- name: ai-gateway
+ version: 1.2.3
+ repository: https://charts.gitlab.io/
+ condition: ai-gateway.install
 - name: traefik
 repository: https://helm.traefik.io/traefik
 condition: traefik.install
diff --git a/templates/_ai_gateway.tpl b/templates/_ai_gateway.tpl
new file mode 100644
index 0000000000..5e1bd0e38f
--- /dev/null
+++ b/templates/_ai_gateway.tpl
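Review bot: The new `ai-gateway` dependency declares `version: 1.2.3` at `https://charts.gitlab.io/`, but the comment above it says the archive has to be packaged by hand and moved into `charts/`. The entry therefore names a source that is not where the chart actually comes from, and whatever tarball sits in `charts/` is what gets installed, with nothing tying it to a reviewed commit. For the PoC I would point the entry at the local checkout, for example `repository: file://<path-to-ai-gateway-chart>` (placeholder path), so the origin is explicit. I would also extend the comment to `# PoC only: placeholder version, replace with a published and locked chart version before merge`. The `dependencies:` list starts and ends outside this hunk.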
@@ -0,0 +1,62 @@
+{{/*
+Returns the secret name of AI Gateway/Duo signing key.
+This secret will be generated by shared secrets.
+*/}}
+{{- define "gitlab.ai-gateway.signing.secret" -}}
+{{- printf "%s-ai-gateway-signing-secret" .Release.Name -}}
+{{- end -}}
+
+{{/*
+Returns the secret key of AI Gateway/Duo signing key.
+This key matches the expected AIGW envionment variable.
+*/}}
+{{- define "gitlab.ai-gateway.signing.key" -}}
+DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY
+{{- end -}}
+
+{{/*
+Returns the AI Gateway URL.
+*/}}
+{{- define "gitlab.ai-gateway.url" -}}
+{{- $scheme := or .Values.global.hosts.https .Values.global.hosts.aiGateway.https | ternary "https" "http" -}}
+{{- $host := (include "gitlab.ai-gateway.hostname" .) -}}
+{{- printf "%s://%s" $scheme $host -}}
+{{- end -}}
+
+{{/*
+Returns the AI Gateway host.
+*/}}
+{{- define "gitlab.ai-gateway.hostname" -}}
+{{- coalesce .Values.global.hosts.aiGateway.name (include "gitlab.assembleHost" (dict "name" "aigw" "context" . )) -}}
+{{- end -}}
+
+{{/*
+Renders if the AI Gateway Ingress should be enabled.
+Behaves similar to "gitlab.ingress.enabled" but checks for the local `gitlabIngress`
+because AI Gateway has currently two Ingress configurations.
+*/}}
+{{- define "gitlab.ai-gateway.ingress.enabled" -}}
+{{- $globalSet := and (hasKey .Values.global.ingress "enabled") (kindIs "bool" .Values.global.ingress.enabled) -}}
+{{- $localSet := and (hasKey .Values.gitlabIngress "enabled") (kindIs "bool" .Values.gitlabIngress.enabled) -}}
+{{- if $localSet }}
+{{- .Values.gitlabIngress.enabled }}
+{{- else if $globalSet }}
+{{- .Values.global.ingress.enabled }}
+{{- else }}
+{{- true }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders if the AI Gateway Ingress should use TLS.
+Behaves similar to "gitlab.ingress.tls.enabled" but checks for the local `gitlabIngress`
+because AI Gateway has currently two Ingress configurations.
+*/}}
+{{- define "gitlab.ai-gateway.ingress.tls.enabled" -}}
+{{- if (((.Values).gitlabIngress).tls).enabled }}
+{{- .Values.gitlabIngress.tls.enabled }}
+{{- else }}
+{{- include "gitlab.global.ingress.tls.enabled" . }}
+{{- end -}}
+{{- end -}}
+
diff --git a/templates/shared-secrets/_generate_secrets.sh.tpl b/templates/shared-secrets/_generate_secrets.sh.tpl
index 4cd2272bc1..924b1b816f 100644
--- a/templates/shared-secrets/_generate_secrets.sh.tpl
+++ b/templates/shared-secrets/_generate_secrets.sh.tpl
@@ -266,3 +266,7 @@ generate_secret_if_needed {{ template "gitlab.zoekt.gateway.basicAuth.secretName
 {{ if .Values.openbao.install -}}
 generate_secret_if_needed {{ template "gitlab.openbao.unseal.secret" . }} --from-literal={{ template "gitlab.openbao.unseal.key" . }}="$(gen_random_bytes 32)"
 {{ end }}
+
+{{ if (index .Values "ai-gateway" "install") -}}
+generate_secret_if_needed {{ template "gitlab.ai-gateway.signing.secret" . }} --from-file={{ template "gitlab.ai-gateway.signing.key" . }}=/dev/stdin <<< "$(openssl genrsa 4096)"
+{{ end }}
diff --git a/values.yaml b/values.yaml
index 4e7adbcfa7..1ae3ad3683 100644
--- a/values.yaml
+++ b/values.yaml
@@ -74,6 +74,7 @@ global:
 pages: {}
 openbao: {}
 workspaces: {}
+ aiGateway: {}
 ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings
 ingress:
@@ -1546,3 +1547,16 @@ openbao:
 database: ''
 username: ''
 sslMode: ''
+
+# Installation & configuration of AI Gateway
+ai-gateway:
+ install: false
+ extraSecretRefs:
+ - name: gitlab-ai-gateway-signing-secret # TODO: use templating "gitlab.ai-gateway.signing.secret"
+ gitlabIngress:
+ enabled: true
+ gitlab:
+ url: '{{ template "gitlab.gitlab.url" }}'
+ apiUrl: '{{ template "gitlab.gitlab.url" }}/api/v4/'
+ image:
+ tag: "self-hosted-v18.5.0-ee" # TODO: this should be defined by the charts appVersion or default values
--
GitLab
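Review bot: `gitlab.ai-gateway.ingress.enabled` calls `hasKey .Values.gitlabIngress "enabled"` directly, so it will fail to render whenever it is included from a scope whose values have no `gitlabIngress` map. The TLS helper below it already guards against that with `(((.Values).gitlabIngress).tls).enabled`. I would make the two consistent by taking `{{- $local := default (dict) .Values.gitlabIngress -}}` first and testing `hasKey $local "enabled"`. The TLS helper also treats an explicit local `tls.enabled: false` the same as "unset" and falls through to the global setting. That may be intended, but the doc comment should say so, for example `Note: a local false does not override the global TLS setting.`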
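Review bot: The new `generate_secret_if_needed` line can store an empty signing key, because the exit status of `$(openssl genrsa 4096)` inside the here-string is discarded. If `openssl` is missing from the job image or fails, the secret is still created from whatever reached stdin. Judging by its name, `generate_secret_if_needed` would then leave that empty secret in place on later runs, though its body is outside this hunk. I would generate the key into a variable and stop on failure before creating the secret, e.g. `aigw_signing_key="$(openssl genrsa 4096)" || exit 1`, then pass `<<< "$aigw_signing_key"`. A short comment that the JWT signing key is a 4096-bit RSA private key in PEM form would also help whoever has to rotate it.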
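Review bot: In the `ai-gateway.gitlab` block, `'{{ template "gitlab.gitlab.url" }}'` invokes the helper without a context argument. Assuming the subchart renders these strings through `tpl`, the helper runs with a nil dot and cannot read `.Values`. It should be `url: '{{ include "gitlab.gitlab.url" . }}'`, and likewise for `apiUrl`. Separately, `extraSecretRefs` hard-codes `gitlab-ai-gateway-signing-secret`, while the shared-secrets job creates `<Release.Name>-ai-gateway-signing-secret`. Any release not named `gitlab` would therefore reference a secret that is never generated, so the TODO should state that constraint until the name is templated.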