From b8ca4b2ceb7a7973ae7dbfa7d293fb625f048f5b Mon Sep 17 00:00:00 2001
From: Fabien Catteau
Date: Tue, 9 Dec 2025 09:40:15 +0100
Subject: [PATCH 1/3] Disable OpenBao HTTP audit

See https://gitlab.com/gitlab-org/gitlab/-/issues/582828
---
 values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/values.yaml b/values.yaml
index e7f6d5f1d0..f85d5dfb99 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1556,7 +1556,7 @@ openbao:
 boundIssuer: '{{ include "gitlab.gitlab.url" . }}'
 audit:
 http:
- enabled: true
+ enabled: false
 streamingUri: '{{ include "gitlab.workhorse.url" . }}/api/v4/internal/secrets_manager/audit_logs'
 storage:
 postgresql:
-- 
GitLab

From 1d811b0badd0036936e73c5df0d4f647b22f3e14 Mon Sep 17 00:00:00 2001
From: Fabien Catteau
Date: Tue, 9 Dec 2025 12:04:42 +0100
Subject: [PATCH 2/3] Document OpenBao audit events disabled

---
 doc/charts/openbao/_index.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/charts/openbao/_index.md b/doc/charts/openbao/_index.md
index 9900e3961c..027fee5cbd 100644
--- a/doc/charts/openbao/_index.md
+++ b/doc/charts/openbao/_index.md
@@ -39,6 +39,8 @@ OpenBao, which is required to enable the [GitLab secrets manager](https://docs.g
 - You can't deploy OpenBao with [GitLab Operator](https://gitlab.com/gitlab-org/cloud-native/gitlab-operator).
 - A FIPS variant of the OpenBao image is already being build, but OpenBao is not FIPS validated. FIPS validation is tracked in [GitLab issue 574875](https://gitlab.com/gitlab-org/gitlab/-/issues/574875).
+- The OpenBao chart and streaming of OpenBao auditing events to GitLab cannot be enabled at the same time. This is tracked in [GitLab issue 582828](https://gitlab.com/gitlab-org/gitlab/-/issues/582828).
 ## Setup GitLab secret manager and OpenBao 
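Review bot: `enabled: false` lands in values.yaml with no comment, so an operator reading the values file alone cannot tell that HTTP audit streaming was switched off deliberately rather than left unconfigured. A one-line comment above the key would carry the rationale where it is actually read: `# Disabled by default: streaming audit events to GitLab cannot be enabled together with this chart, see https://gitlab.com/gitlab-org/gitlab/-/issues/582828`. The hunk shows no other audit device being enabled in its place, so unless one is configured elsewhere in the values, access to the OpenBao secrets manager goes unaudited until that issue is resolved; that gap is worth stating in the chart docs or upgrade notes. `streamingUri` stays populated while disabled, which is harmless, but the comment should make clear it only takes effect once `enabled` is set back to true.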
@@ -241,7 +243,7 @@ The OpenBao chart configures [auditing devices](https://openbao.org/docs/audit/)
 |----------------------------------------------------------|---------------------------------------------------------|-------------|
 | `global.openbao.httpAudit.secret` | `-openbao-audit-secret` | Name of the secret storing the token shared between OpenBao and GitLab. |
 | `global.openbao.httpAudit.key` | `token` | Secret key storing the shared token. |
-| `config.audit.http.enabled` | true | Enable streaming of auditing events by using HTTP to GitLab. |
+| `config.audit.http.enabled` | false | Enable streaming of auditing events by using HTTP to GitLab. Must disabled when enabling the OpenBao chart. This limitation is tracked in [GitLab issue 582828](https://gitlab.com/gitlab-org/gitlab/-/issues/582828). |
 | `config.audit.http.streamingUri` | Internal workhorse URL | Endpoint to stream auditing events to. |
 | `config.audit.http.authTokenPath` | `/srv/openbao/audit/gitlab-auth` | Path the token shared with GitLab is mounted at. |
 | `httpAuditSecret.generate` | false | Generate a secret to be shared with GitLab for authenticated auditing. Defaults to false as managed by GitLab charts shared-secret chart. |
-- 
GitLab

From 31c68514bcc4c034ea178019b9f64e4e053209f7 Mon Sep 17 00:00:00 2001
From: Fabien Catteau
Date: Fri, 12 Dec 2025 06:01:02 +0100
Subject: [PATCH 3/3] Apply 2 suggestion(s) to 1 file(s)

Co-authored-by: Marcel Amirault
---
 doc/charts/openbao/_index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/charts/openbao/_index.md b/doc/charts/openbao/_index.md
index 027fee5cbd..cb17be8640 100644
--- a/doc/charts/openbao/_index.md
+++ b/doc/charts/openbao/_index.md
@@ -40,7 +40,7 @@ OpenBao, which is required to enable the [GitLab secrets manager](https://docs.g
 - A FIPS variant of the OpenBao image is already being build, but OpenBao is not FIPS validated. FIPS validation is tracked in [GitLab issue 574875](https://gitlab.com/gitlab-org/gitlab/-/issues/574875).
 - The OpenBao chart and streaming of OpenBao auditing events to GitLab cannot be enabled at the same time.
- This is tracked in [GitLab issue 582828](https://gitlab.com/gitlab-org/gitlab/-/issues/582828).
+ For more information, see [issue 582828](https://gitlab.com/gitlab-org/gitlab/-/issues/582828).
 ## Setup GitLab secret manager and OpenBao 
@@ -243,7 +243,7 @@ The OpenBao chart configures [auditing devices](https://openbao.org/docs/audit/)
 |----------------------------------------------------------|---------------------------------------------------------|-------------|
 | `global.openbao.httpAudit.secret` | `-openbao-audit-secret` | Name of the secret storing the token shared between OpenBao and GitLab. |
 | `global.openbao.httpAudit.key` | `token` | Secret key storing the shared token. |
-| `config.audit.http.enabled` | false | Enable streaming of auditing events by using HTTP to GitLab. Must disabled when enabling the OpenBao chart. This limitation is tracked in [GitLab issue 582828](https://gitlab.com/gitlab-org/gitlab/-/issues/582828). |
+| `config.audit.http.enabled` | false | Enable streaming of auditing events by using HTTP to GitLab. Must be disabled when enabling the OpenBao chart. For more information, see [issue 582828](https://gitlab.com/gitlab-org/gitlab/-/issues/582828). |
 | `config.audit.http.streamingUri` | Internal workhorse URL | Endpoint to stream auditing events to. |
 | `config.audit.http.authTokenPath` | `/srv/openbao/audit/gitlab-auth` | Path the token shared with GitLab is mounted at. |
 | `httpAuditSecret.generate` | false | Generate a secret to be shared with GitLab for authenticated auditing. Defaults to false as managed by GitLab charts shared-secret chart. |
-- 
GitLab