From 4df74ef9fda4a6df34c4ffb3e21e15004ce412f2 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 19 Nov 2025 14:51:29 +0000 Subject: [PATCH 1/8] Add new Geo setting to gitlab.yml This enables admins to setup allowed origins for websocket requests through ActionCable in order to ensure communication between secondary and primary Geo sites via websockets Changelog: added --- charts/gitlab/templates/_geo.tpl | 1 + spec/configuration/gitlab-yml-erb_spec.rb | 75 +++++++++++++++++++++++ values.yaml | 6 ++ 3 files changed, 82 insertions(+) diff --git a/charts/gitlab/templates/_geo.tpl b/charts/gitlab/templates/_geo.tpl index 2ac73a2c51..c95ba574eb 100644 --- a/charts/gitlab/templates/_geo.tpl +++ b/charts/gitlab/templates/_geo.tpl @@ -17,6 +17,7 @@ geo: registry_replication: enabled: {{ eq true (default false .Values.global.geo.registry.replication.enabled) }} primary_api_url: {{ .Values.global.geo.registry.replication.primaryApiUrl | quote }} + action_cable_allowed_origins: {{ .Values.global.geo.actionCableAllowedOrigins | default (list) | toJson }} {{- end -}} {{- end -}} diff --git a/spec/configuration/gitlab-yml-erb_spec.rb b/spec/configuration/gitlab-yml-erb_spec.rb index 3914ebdefa..f4f1a79ee0 100644 --- a/spec/configuration/gitlab-yml-erb_spec.rb +++ b/spec/configuration/gitlab-yml-erb_spec.rb 
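Review bot: The added `action_cable_allowed_origins` line pipes whatever the operator supplies straight into `toJson`, so a scalar such as `actionCableAllowedOrigins: https://a.example.com` renders as a JSON string instead of a one-element list, and the chart reports no error. Per the commit message this list decides which origins may make WebSocket requests through ActionCable, so a mistyped value should fail at render time rather than reach the application in an unexpected shape. A `kindIs "slice"` guard with `fail` does that. The same expression is added to the sidekiq, toolbox and webservice ConfigMap templates in PATCH 3/8 (there as `.actionCableAllowedOrigins`), and the guard applies to each of them. The enclosing `geo:` template starts outside the hunk.

```gotemplate
{{- /* … unchanged: registry_replication settings … */}}
{{- $origins := .Values.global.geo.actionCableAllowedOrigins | default (list) }}
{{- if not (kindIs "slice" $origins) }}
{{- fail "global.geo.actionCableAllowedOrigins must be a list of origin URLs" }}
{{- end }}
  action_cable_allowed_origins: {{ $origins | toJson }}
```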
@@ -791,4 +791,79 @@ describe 'gitlab.yml.erb configuration' do end end end + + context 'Geo action_cable_allowed_origins' do + let(:required_values) do + YAML.safe_load(%( + global: + geo: + enabled: true + actionCableAllowedOrigins: #{value} + psql: + host: foo + password: + secret: bar + )).deep_merge!(default_values) + end + + context 'when configured with array of origins' do + let(:value) { '["https://primary.example.com", "https://secondary.example.com"]' } + + it 'populates the gitlab.yml.erb with the origins array' do + t = HelmTemplate.new(required_values) + expect(t.exit_code).to eq(0) + + # Test webservice + webservice_yml = YAML.safe_load(t.dig('ConfigMap/test-webservice', 'data', 'gitlab.yml.erb')) + expect(webservice_yml['production']['geo']['action_cable_allowed_origins']).to eq(['https://primary.example.com', 'https://secondary.example.com']) + + # Test sidekiq + sidekiq_yml = YAML.safe_load(t.dig('ConfigMap/test-sidekiq', 'data', 'gitlab.yml.erb')) + expect(sidekiq_yml['production']['geo']['action_cable_allowed_origins']).to eq(['https://primary.example.com', 'https://secondary.example.com']) + + # Test toolbox + toolbox_yml = YAML.safe_load(t.dig('ConfigMap/test-toolbox', 'data', 'gitlab.yml.erb')) + expect(toolbox_yml['production']['geo']['action_cable_allowed_origins']).to eq(['https://primary.example.com', 'https://secondary.example.com']) + end + end + + context 'when not configured' do + let(:value) { nil } + + it 'populates the gitlab.yml.erb with empty array' do + t = HelmTemplate.new(required_values) + expect(t.exit_code).to eq(0) + + # Test webservice + webservice_yml = YAML.safe_load(t.dig('ConfigMap/test-webservice', 'data', 'gitlab.yml.erb')) + expect(webservice_yml['production']['geo']['action_cable_allowed_origins']).to eq([]) + + # Test sidekiq + sidekiq_yml = YAML.safe_load(t.dig('ConfigMap/test-sidekiq', 'data', 'gitlab.yml.erb')) + expect(sidekiq_yml['production']['geo']['action_cable_allowed_origins']).to eq([]) + end + end + + 
context 'when Geo is disabled' do + let(:required_values) do + YAML.safe_load(%( + global: + geo: + enabled: false + psql: + host: foo + password: + secret: bar + )).deep_merge!(default_values) + end + + it 'does not populate geo configuration in gitlab.yml.erb' do + t = HelmTemplate.new(required_values) + expect(t.exit_code).to eq(0) + + webservice_yml = YAML.safe_load(t.dig('ConfigMap/test-webservice', 'data', 'gitlab.yml.erb')) + expect(webservice_yml['production']).not_to have_key('geo') + end + end + end end diff --git a/values.yaml b/values.yaml index fb989359cb..bf17c9f0bd 100644 --- a/values.yaml +++ b/values.yaml @@ -640,6 +640,12 @@ global: enabled: false primaryApiUrl: ## Consumes global.registry.notificationSecret + # Allowed origins for websockets communication between secondary and primary + # Set to be the external and internal URLs of Geo sites + actionCableAllowedOrigins: + # - http://primary.com + # - http://secondary.com + # - http://unified.com ## https://docs.gitlab.com/charts/charts/gitlab/kas/ kas: -- GitLab From 5bf4859efa796fbf24364f1e6ce1842c32ee4385 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 19 Nov 2025 15:27:01 +0000 Subject: [PATCH 2/8] Add examples and documentation --- doc/advanced/geo/_index.md | 5 +++++ examples/geo/primary.yaml | 4 ++++ examples/geo/secondary.yaml | 4 ++++ 3 files changed, 13 insertions(+) diff --git a/doc/advanced/geo/_index.md b/doc/advanced/geo/_index.md index d66aa855db..c4b0ae67f6 100644 --- a/doc/advanced/geo/_index.md +++ b/doc/advanced/geo/_index.md 
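Review bot: None of the three contexts supplies a value that is not a list, although the template renders any value through `toJson`, so the chart's behaviour for a scalar entry is not pinned by a test. A further context with `let(:value) { '"https://primary.example.com"' }` that asserts the intended outcome (for example a non-zero `t.exit_code` if the chart is meant to reject it) would document that contract. Separately, the 'when not configured' example checks the webservice and sidekiq ConfigMaps but not toolbox, which the configured case does cover. The enclosing `describe` block starts outside the hunk.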
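Review bot: The commented sample origins `http://primary.com`, `http://secondary.com` and `http://unified.com` are registrable third-party domains over plaintext HTTP. An operator who uncomments them as-is would allow origins they do not control. Use the reserved example names with TLS instead, as the spec in this commit does: `# - https://primary.example.com`, `# - https://secondary.example.com`, `# - https://unified.example.com`.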
@@ -165,6 +165,8 @@ external_url 'http://gitlab.example.com' roles ['geo_primary_role'] # The unique identifier for the Geo node. gitlab_rails['geo_node_name'] = 'London Office' +# Allow cross-site origins for ActionCable requests +gitlab_rails['geo_action_cable_allowed_origins'] = ['https://london.gitlab.example.com', 'https://shangai.gitlab.example.com', 'https://gitlab.example.com'] gitlab_rails['auto_migrate'] = false ## turn off everything but the DB sidekiq['enable']=false @@ -193,6 +195,9 @@ We must replace several items: - `gitlab_rails['geo_node_name']` must be replaced with a unique name for your site. See the Name field in [Common settings](https://docs.gitlab.com/administration/geo_sites/#common-settings). +- `gitlab_rails['geo_action_cable_allowed_origins']` must be replaced with an array + containing the URLs of all clusters: primary and secondary internal URLs as well as + the external URL of all clusters. - `gitlab_user_password_hash` must be replaced with the hashed form of the `gitlab` password. - `postgresql['md5_auth_cidr_addresses']` can be update to be a list of diff --git a/examples/geo/primary.yaml b/examples/geo/primary.yaml index e54d2b5990..fdf578782b 100644 --- a/examples/geo/primary.yaml +++ b/examples/geo/primary.yaml @@ -16,6 +16,10 @@ nodeName: London Office enabled: true role: primary + actionCableAllowedOrigins: + - https://gitlab.london.example.com # primary internal URL + - https://gitlab.shanghai.example.com # secondary internal URL + - https://gitlab.example.com # unified URL # configure Geo Nginx Controller for internal Geo site traffic nginx-ingress-geo: enabled: true diff --git a/examples/geo/secondary.yaml b/examples/geo/secondary.yaml index e8ec7b1214..c6adc7b722 100644 --- a/examples/geo/secondary.yaml +++ b/examples/geo/secondary.yaml 
@@ -19,6 +19,10 @@ enabled: true role: secondary nodeName: Shanghai Office + actionCableAllowedOrigins: + - https://gitlab.london.example.com # primary internal URL + - https://gitlab.shanghai.example.com # secondary internal URL + - https://gitlab.example.com # unified URL psql: host: geo-2.db.example.com port: 5431 -- GitLab From a55a68dac5ef6f48b9651fdb82989831ac761c26 Mon Sep 17 00:00:00 2001 From: c_fons Date: Thu, 20 Nov 2025 18:30:27 +0000 Subject: [PATCH 3/8] Move setting out of Geo --- .../charts/sidekiq/templates/configmap.yaml | 1 + .../charts/toolbox/templates/configmap.yaml | 1 + .../charts/webservice/templates/configmap.yml | 1 + charts/gitlab/templates/_geo.tpl | 1 - doc/advanced/geo/_index.md | 4 ++-- spec/configuration/gitlab-yml-erb_spec.rb | 22 +++++++++---------- values.yaml | 10 ++++----- 7 files changed, 19 insertions(+), 21 deletions(-) diff --git a/charts/gitlab/charts/sidekiq/templates/configmap.yaml b/charts/gitlab/charts/sidekiq/templates/configmap.yaml index b5b8ac21dc..db24816386 100644 --- a/charts/gitlab/charts/sidekiq/templates/configmap.yaml +++ b/charts/gitlab/charts/sidekiq/templates/configmap.yaml @@ -39,6 +39,7 @@ data: {{- if .cdnHost }} cdn_host: {{ .cdnHost | quote }} {{- end }} + action_cable_allowed_origins: {{ .actionCableAllowedOrigins | default (list) | toJson }} max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} impersonation_enabled: {{ .enableImpersonation }} application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} diff --git a/charts/gitlab/charts/toolbox/templates/configmap.yaml b/charts/gitlab/charts/toolbox/templates/configmap.yaml index 76c9b70c3c..9f701cc7eb 100644 --- a/charts/gitlab/charts/toolbox/templates/configmap.yaml +++ b/charts/gitlab/charts/toolbox/templates/configmap.yaml 
@@ -34,6 +34,7 @@ data: {{- if .cdnHost }} cdn_host: {{ .cdnHost | quote }} {{- end }} + action_cable_allowed_origins: {{ .actionCableAllowedOrigins | default (list) | toJson }} max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} impersonation_enabled: {{ .enableImpersonation }} application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml index 9134f5ad29..803df04a67 100644 --- a/charts/gitlab/charts/webservice/templates/configmap.yml +++ b/charts/gitlab/charts/webservice/templates/configmap.yml @@ -48,6 +48,7 @@ data: {{- if .cdnHost }} cdn_host: {{ .cdnHost | quote }} {{- end }} + action_cable_allowed_origins: {{ .actionCableAllowedOrigins | default (list) | toJson }} max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} impersonation_enabled: {{ .enableImpersonation }} application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} diff --git a/charts/gitlab/templates/_geo.tpl b/charts/gitlab/templates/_geo.tpl index c95ba574eb..2ac73a2c51 100644 --- a/charts/gitlab/templates/_geo.tpl +++ b/charts/gitlab/templates/_geo.tpl @@ -17,7 +17,6 @@ geo: registry_replication: enabled: {{ eq true (default false .Values.global.geo.registry.replication.enabled) }} primary_api_url: {{ .Values.global.geo.registry.replication.primaryApiUrl | quote }} - action_cable_allowed_origins: {{ .Values.global.geo.actionCableAllowedOrigins | default (list) | toJson }} {{- end -}} {{- end -}} diff --git a/doc/advanced/geo/_index.md b/doc/advanced/geo/_index.md index c4b0ae67f6..c547c4aeb2 100644 --- a/doc/advanced/geo/_index.md +++ b/doc/advanced/geo/_index.md 
@@ -166,7 +166,7 @@ roles ['geo_primary_role'] # The unique identifier for the Geo node. gitlab_rails['geo_node_name'] = 'London Office' # Allow cross-site origins for ActionCable requests -gitlab_rails['geo_action_cable_allowed_origins'] = ['https://london.gitlab.example.com', 'https://shangai.gitlab.example.com', 'https://gitlab.example.com'] +gitlab_rails['action_cable_allowed_origins'] = ['https://london.gitlab.example.com', 'https://shangai.gitlab.example.com', 'https://gitlab.example.com'] gitlab_rails['auto_migrate'] = false ## turn off everything but the DB sidekiq['enable']=false @@ -195,7 +195,7 @@ We must replace several items: - `gitlab_rails['geo_node_name']` must be replaced with a unique name for your site. See the Name field in [Common settings](https://docs.gitlab.com/administration/geo_sites/#common-settings). -- `gitlab_rails['geo_action_cable_allowed_origins']` must be replaced with an array +- `gitlab_rails['action_cable_allowed_origins']` must be replaced with an array containing the URLs of all clusters: primary and secondary internal URLs as well as the external URL of all clusters. - `gitlab_user_password_hash` must be replaced with the hashed form of the diff --git a/spec/configuration/gitlab-yml-erb_spec.rb b/spec/configuration/gitlab-yml-erb_spec.rb index f4f1a79ee0..43212f6e04 100644 --- a/spec/configuration/gitlab-yml-erb_spec.rb +++ b/spec/configuration/gitlab-yml-erb_spec.rb @@ -792,17 +792,12 @@ describe 'gitlab.yml.erb configuration' do end end - context 'Geo action_cable_allowed_origins' do + context 'ActionCable allowed origins' do let(:required_values) do YAML.safe_load(%( global: - geo: - enabled: true + appConfig: actionCableAllowedOrigins: #{value} - psql: - host: foo - password: - secret: bar )).deep_merge!(default_values) end 
@@ -815,15 +810,18 @@ describe 'gitlab.yml.erb configuration' do # Test webservice webservice_yml = YAML.safe_load(t.dig('ConfigMap/test-webservice', 'data', 'gitlab.yml.erb')) - expect(webservice_yml['production']['geo']['action_cable_allowed_origins']).to eq(['https://primary.example.com', 'https://secondary.example.com']) + expect(webservice_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')) + .to eq(['https://primary.example.com', 'https://secondary.example.com']) # Test sidekiq sidekiq_yml = YAML.safe_load(t.dig('ConfigMap/test-sidekiq', 'data', 'gitlab.yml.erb')) - expect(sidekiq_yml['production']['geo']['action_cable_allowed_origins']).to eq(['https://primary.example.com', 'https://secondary.example.com']) + expect(sidekiq_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')) + .to eq(['https://primary.example.com', 'https://secondary.example.com']) # Test toolbox toolbox_yml = YAML.safe_load(t.dig('ConfigMap/test-toolbox', 'data', 'gitlab.yml.erb')) - expect(toolbox_yml['production']['geo']['action_cable_allowed_origins']).to eq(['https://primary.example.com', 'https://secondary.example.com']) + expect(toolbox_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')) + .to eq(['https://primary.example.com', 'https://secondary.example.com']) end end @@ -836,11 +834,11 @@ describe 'gitlab.yml.erb configuration' do # Test webservice webservice_yml = YAML.safe_load(t.dig('ConfigMap/test-webservice', 'data', 'gitlab.yml.erb')) - expect(webservice_yml['production']['geo']['action_cable_allowed_origins']).to eq([]) + expect(webservice_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')).to eq([]) # Test sidekiq sidekiq_yml = YAML.safe_load(t.dig('ConfigMap/test-sidekiq', 'data', 'gitlab.yml.erb')) - expect(sidekiq_yml['production']['geo']['action_cable_allowed_origins']).to eq([]) + expect(sidekiq_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')).to eq([]) end end 
diff --git a/values.yaml b/values.yaml index bf17c9f0bd..faedcf436b 100644 --- a/values.yaml +++ b/values.yaml @@ -602,6 +602,10 @@ global: initialDefaults: {} # signupEnabled: # gitlabProductUsageData: true + + ## Allowed origins for websockets communication between sites. Use if you have Geo enabled. + ## Set to be the external and internal URLs of Geo sites + actionCableAllowedOrigins: [] ## End of global.appConfig oauth: @@ -640,12 +644,6 @@ global: enabled: false primaryApiUrl: ## Consumes global.registry.notificationSecret - # Allowed origins for websockets communication between secondary and primary - # Set to be the external and internal URLs of Geo sites - actionCableAllowedOrigins: - # - http://primary.com - # - http://secondary.com - # - http://unified.com ## https://docs.gitlab.com/charts/charts/gitlab/kas/ kas: -- GitLab From 7aef9693b1cf0b842c495ed63da4d8634a957d09 Mon Sep 17 00:00:00 2001 From: c_fons Date: Thu, 20 Nov 2025 18:31:53 +0000 Subject: [PATCH 4/8] Update geo examples --- examples/geo/primary.yaml | 8 ++++---- examples/geo/secondary.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/geo/primary.yaml b/examples/geo/primary.yaml index fdf578782b..14e3e1aa4b 100644 --- a/examples/geo/primary.yaml +++ b/examples/geo/primary.yaml @@ -12,14 +12,14 @@ secret: geo key: postgresql-password # configure geo (primary) + actionCableAllowedOrigins: + - https://gitlab.london.example.com # primary internal URL + - https://gitlab.shanghai.example.com # secondary internal URL + - https://gitlab.example.com # unified URL geo: nodeName: London Office enabled: true role: primary - actionCableAllowedOrigins: - - https://gitlab.london.example.com # primary internal URL - - https://gitlab.shanghai.example.com # secondary internal URL - - https://gitlab.example.com # unified URL # configure Geo Nginx Controller for internal Geo site traffic nginx-ingress-geo: enabled: true 
diff --git a/examples/geo/secondary.yaml b/examples/geo/secondary.yaml index c6adc7b722..a298b33b42 100644 --- a/examples/geo/secondary.yaml +++ b/examples/geo/secondary.yaml @@ -14,15 +14,15 @@ password: secret: geo key: postgresql-password + actionCableAllowedOrigins: + - https://gitlab.london.example.com # primary internal URL + - https://gitlab.shanghai.example.com # secondary internal URL + - https://gitlab.example.com # unified URL # configure geo (secondary) geo: enabled: true role: secondary nodeName: Shanghai Office - actionCableAllowedOrigins: - - https://gitlab.london.example.com # primary internal URL - - https://gitlab.shanghai.example.com # secondary internal URL - - https://gitlab.example.com # unified URL psql: host: geo-2.db.example.com port: 5431 -- GitLab From 0a52241554bbcf521182fc6a1106abaef038b3df Mon Sep 17 00:00:00 2001 From: c_fons Date: Mon, 24 Nov 2025 09:42:53 +0000 Subject: [PATCH 5/8] Remove toolbox + fix examples --- charts/gitlab/charts/toolbox/templates/configmap.yaml | 1 - examples/geo/primary.yaml | 9 +++++---- examples/geo/secondary.yaml | 9 +++++---- spec/configuration/gitlab-yml-erb_spec.rb | 5 ----- 4 files changed, 10 insertions(+), 14 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/configmap.yaml b/charts/gitlab/charts/toolbox/templates/configmap.yaml index 9f701cc7eb..76c9b70c3c 100644 --- a/charts/gitlab/charts/toolbox/templates/configmap.yaml +++ b/charts/gitlab/charts/toolbox/templates/configmap.yaml @@ -34,7 +34,6 @@ data: {{- if .cdnHost }} cdn_host: {{ .cdnHost | quote }} {{- end }} - action_cable_allowed_origins: {{ .actionCableAllowedOrigins | default (list) | toJson }} max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} impersonation_enabled: {{ .enableImpersonation }} application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} 
diff --git a/examples/geo/primary.yaml b/examples/geo/primary.yaml index 14e3e1aa4b..4a6a9b14f3 100644 --- a/examples/geo/primary.yaml +++ b/examples/geo/primary.yaml @@ -11,11 +11,12 @@ password: secret: geo key: postgresql-password + appConfig: + actionCableAllowedOrigins: + - https://gitlab.london.example.com # primary internal URL + - https://gitlab.shanghai.example.com # secondary internal URL + - https://gitlab.example.com # unified URL # configure geo (primary) - actionCableAllowedOrigins: - - https://gitlab.london.example.com # primary internal URL - - https://gitlab.shanghai.example.com # secondary internal URL - - https://gitlab.example.com # unified URL geo: nodeName: London Office enabled: true diff --git a/examples/geo/secondary.yaml b/examples/geo/secondary.yaml index a298b33b42..2f3323d817 100644 --- a/examples/geo/secondary.yaml +++ b/examples/geo/secondary.yaml @@ -14,10 +14,11 @@ password: secret: geo key: postgresql-password - actionCableAllowedOrigins: - - https://gitlab.london.example.com # primary internal URL - - https://gitlab.shanghai.example.com # secondary internal URL - - https://gitlab.example.com # unified URL + appConfig: + actionCableAllowedOrigins: + - https://gitlab.london.example.com # primary internal URL + - https://gitlab.shanghai.example.com # secondary internal URL + - https://gitlab.example.com # unified URL # configure geo (secondary) geo: enabled: true diff --git a/spec/configuration/gitlab-yml-erb_spec.rb b/spec/configuration/gitlab-yml-erb_spec.rb index 43212f6e04..b35714079f 100644 --- a/spec/configuration/gitlab-yml-erb_spec.rb +++ b/spec/configuration/gitlab-yml-erb_spec.rb 
@@ -817,11 +817,6 @@ describe 'gitlab.yml.erb configuration' do sidekiq_yml = YAML.safe_load(t.dig('ConfigMap/test-sidekiq', 'data', 'gitlab.yml.erb')) expect(sidekiq_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')) .to eq(['https://primary.example.com', 'https://secondary.example.com']) - - # Test toolbox - toolbox_yml = YAML.safe_load(t.dig('ConfigMap/test-toolbox', 'data', 'gitlab.yml.erb')) - expect(toolbox_yml.dig('production', 'gitlab', 'action_cable_allowed_origins')) - .to eq(['https://primary.example.com', 'https://secondary.example.com']) end end -- GitLab From cdcfc7714e3be2eedf9865a7e53e2ac53eb9d0a9 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 3 Dec 2025 12:08:58 +0000 Subject: [PATCH 6/8] Remove example from secondary (not needed) --- examples/geo/secondary.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/examples/geo/secondary.yaml b/examples/geo/secondary.yaml index 2f3323d817..e8ec7b1214 100644 --- a/examples/geo/secondary.yaml +++ b/examples/geo/secondary.yaml @@ -14,11 +14,6 @@ password: secret: geo key: postgresql-password - appConfig: - actionCableAllowedOrigins: - - https://gitlab.london.example.com # primary internal URL - - https://gitlab.shanghai.example.com # secondary internal URL - - https://gitlab.example.com # unified URL # configure geo (secondary) geo: enabled: true -- GitLab From ff9e66b52d3096c258970be689517f3506e24ab9 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 3 Dec 2025 14:35:27 +0000 Subject: [PATCH 7/8] Clarify URLs and use cases --- doc/advanced/geo/_index.md | 8 ++++---- examples/geo/primary.yaml | 7 +++---- values.yaml | 5 +++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/doc/advanced/geo/_index.md b/doc/advanced/geo/_index.md index c547c4aeb2..2b0dd8a6f7 100644 --- a/doc/advanced/geo/_index.md +++ b/doc/advanced/geo/_index.md 
@@ -165,8 +165,8 @@ external_url 'http://gitlab.example.com' roles ['geo_primary_role'] # The unique identifier for the Geo node. gitlab_rails['geo_node_name'] = 'London Office' -# Allow cross-site origins for ActionCable requests -gitlab_rails['action_cable_allowed_origins'] = ['https://london.gitlab.example.com', 'https://shangai.gitlab.example.com', 'https://gitlab.example.com'] +# Allow cross-site origins for ActionCable requests. This is optional of the primary and secondary clusters use the same external URL +gitlab_rails['action_cable_allowed_origins'] = ['https://primary-external.example.com', 'https://secondary-external.example.com'] gitlab_rails['auto_migrate'] = false ## turn off everything but the DB sidekiq['enable']=false @@ -196,8 +196,8 @@ We must replace several items: site. See the Name field in [Common settings](https://docs.gitlab.com/administration/geo_sites/#common-settings). - `gitlab_rails['action_cable_allowed_origins']` must be replaced with an array - containing the URLs of all clusters: primary and secondary internal URLs as well as - the external URL of all clusters. + containing the **external URLs** of all clusters: both primary and secondary. + You can skip this if the clusters have the same external URL. - `gitlab_user_password_hash` must be replaced with the hashed form of the `gitlab` password. - `postgresql['md5_auth_cidr_addresses']` can be update to be a list of diff --git a/examples/geo/primary.yaml b/examples/geo/primary.yaml index 4a6a9b14f3..448ce2faf7 100644 --- a/examples/geo/primary.yaml +++ b/examples/geo/primary.yaml 
@@ -12,10 +12,9 @@ secret: geo key: postgresql-password appConfig: - actionCableAllowedOrigins: - - https://gitlab.london.example.com # primary internal URL - - https://gitlab.shanghai.example.com # secondary internal URL - - https://gitlab.example.com # unified URL + actionCableAllowedOrigins: # Skip if your primary and secondary **external** URLs are the same + - https://primary-external.example.com # primary external URL + - https://secondary-external.example.com # secondary external URL # configure geo (primary) geo: nodeName: London Office diff --git a/values.yaml b/values.yaml index faedcf436b..c412e5ba9d 100644 --- a/values.yaml +++ b/values.yaml @@ -603,8 +603,9 @@ global: # signupEnabled: # gitlabProductUsageData: true - ## Allowed origins for websockets communication between sites. Use if you have Geo enabled. - ## Set to be the external and internal URLs of Geo sites + # ActionCable allowed request origins + # Customize if you browse your GitLab application through multiple URLs + # If you have GitLab Geo enabled, then add the external URLs of every site: actionCableAllowedOrigins: [] ## End of global.appConfig -- GitLab From 353848c477dbaabcae154b0ef993087c40bdc486 Mon Sep 17 00:00:00 2001 From: c_fons Date: Thu, 4 Dec 2025 10:16:28 +0000 Subject: [PATCH 8/8] Revise wording after feedback --- doc/advanced/geo/_index.md | 8 ++++---- examples/geo/primary.yaml | 7 ++++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/advanced/geo/_index.md b/doc/advanced/geo/_index.md index 2b0dd8a6f7..b8c87b35fd 100644 --- a/doc/advanced/geo/_index.md +++ b/doc/advanced/geo/_index.md 
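Review bot: The new comment above `actionCableAllowedOrigins: []` in values.yaml says when to add entries but not what an entry grants or what the empty default does. Going by the series description, each entry is an origin allowed to make WebSocket requests through ActionCable, so the comment should say that entries are exact origins including the scheme and should cover only sites the operator runs, e.g. `# Each entry is an exact origin (scheme://host[:port]) allowed to open WebSocket connections; list only sites you operate.` It should also state what `[]` means for the application (presumably only the site's own URL is accepted, which needs confirming against the Rails side). The sentence ending in a colon reads as if a sample list should follow it.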
@@ -165,8 +165,8 @@ external_url 'http://gitlab.example.com' roles ['geo_primary_role'] # The unique identifier for the Geo node. gitlab_rails['geo_node_name'] = 'London Office' -# Allow cross-site origins for ActionCable requests. This is optional of the primary and secondary clusters use the same external URL -gitlab_rails['action_cable_allowed_origins'] = ['https://primary-external.example.com', 'https://secondary-external.example.com'] +# Allow cross-site origins for ActionCable requests. +gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com'] gitlab_rails['auto_migrate'] = false ## turn off everything but the DB sidekiq['enable']=false @@ -196,8 +196,8 @@ We must replace several items: site. See the Name field in [Common settings](https://docs.gitlab.com/administration/geo_sites/#common-settings). - `gitlab_rails['action_cable_allowed_origins']` must be replaced with an array - containing the **external URLs** of all clusters: both primary and secondary. - You can skip this if the clusters have the same external URL. + containing the **external URLs** of all clusters: both primary and secondary, + or their unified URL if they have the same external URL. - `gitlab_user_password_hash` must be replaced with the hashed form of the `gitlab` password. - `postgresql['md5_auth_cidr_addresses']` can be update to be a list of diff --git a/examples/geo/primary.yaml b/examples/geo/primary.yaml index 448ce2faf7..3127fc2e09 100644 --- a/examples/geo/primary.yaml +++ b/examples/geo/primary.yaml 
@@ -12,9 +12,10 @@ secret: geo key: postgresql-password appConfig: - actionCableAllowedOrigins: # Skip if your primary and secondary **external** URLs are the same - - https://primary-external.example.com # primary external URL - - https://secondary-external.example.com # secondary external URL + actionCableAllowedOrigins: + - https://primary-external.example.com # primary external URL; + - https://secondary-external.example.com # secondary external URL; OR + - https://unified.example.com # unified external URL # configure geo (primary) geo: nodeName: London Office -- GitLab
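Review bot: All three list items under `actionCableAllowedOrigins` are live YAML, so copying this example allows the primary, the secondary and the unified origin at once. The "OR" exists only in the trailing comments. An allow-list example should show the narrowest working configuration, so keep the two per-site entries and show the alternative commented out, e.g. `# - https://unified.example.com # use this single entry instead when both sites share one external URL`. The stray `;` at the end of the first two comments can also go.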