From 89b3c29ab56bdf76ab87bcd528a4b0bb205e0779 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Tue, 21 Jan 2025 09:32:00 +0100
Subject: [PATCH 1/7] Allow to configure the chart for IPv6-only

- Rails: Support binding IPv6 interfaces to enable healthchecks and metric exports to pass on single stack IPv6 clusters.
- KAS: Handle IPv6 representations in private URL.
- GitLab Exporter: Allow to configure custom listen address.

The default values do not work for IPv6 single-stack environments. You need to update your values per `doc/advanced/ipv6/_index.md` to deploy the chart into IPv6-only clusters.

Closes https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2778

Changelog: added
---
 .../geo-logcursor/templates/configmap.yml | 3 ++-
 .../gitlab-exporter/templates/configmap.yaml | 2 +-
 .../gitlab/charts/gitlab-exporter/values.yaml | 2 ++
 .../charts/kas/templates/deployment.yaml | 2 +-
 .../charts/sidekiq/templates/configmap.yaml | 7 +++---
 charts/gitlab/charts/sidekiq/values.yaml | 2 ++
 .../charts/webservice/templates/configmap.yml | 6 +++--
 charts/gitlab/charts/webservice/values.yaml | 5 +++-
 doc/advanced/_index.md | 1 +
 doc/advanced/ipv6/_index.md | 18 +++++++++++++
 doc/charts/gitlab/gitlab-exporter/_index.md | 1 +
 doc/charts/gitlab/sidekiq/_index.md | 2 ++
 doc/charts/gitlab/webservice/_index.md | 3 ++-
 examples/values-ipv6.yaml | 25 +++++++++++++++++++
 spec/configuration/kas_spec.rb | 4 +--
 15 files changed, 71 insertions(+), 12 deletions(-)
 create mode 100644 doc/advanced/ipv6/_index.md
 create mode 100644 examples/values-ipv6.yaml
diff --git a/charts/gitlab/charts/geo-logcursor/templates/configmap.yml b/charts/gitlab/charts/geo-logcursor/templates/configmap.yml
index 57d353a951..d389503538 100644
--- a/charts/gitlab/charts/geo-logcursor/templates/configmap.yml
+++ b/charts/gitlab/charts/geo-logcursor/templates/configmap.yml
@@ -94,7 +94,8 @@ data:
 path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
 monitoring:
 ip_whitelist:
- - 0.0.0.0/0
+ - "0.0.0.0/0"
+ - "::/0"
 sidekiq_exporter:
 configure: |
 {{- include "gitlab.scripts.configure.secrets" (dict "required" "rails-secrets" "optional" "postgres redis redis-sentinel") | nindent 4 }}
diff --git a/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml b/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml
index fd2a38ef5a..bb6761c3b9 100644
--- a/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml
+++ b/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml
@@ -12,7 +12,7 @@ data:
 gitlab-exporter.yml.erb: |
 server:
 name: webrick
- listen_address: 0.0.0.0
+ listen_address: {{ .Values.listenAddr | quote }}
 listen_port: {{ .Values.service.internalPort }}
 {{ if .Values.tls.enabled -}}
 tls_enabled: true
diff --git a/charts/gitlab/charts/gitlab-exporter/values.yaml b/charts/gitlab/charts/gitlab-exporter/values.yaml
index 87360ed231..ce39f4f5b9 100644
--- a/charts/gitlab/charts/gitlab-exporter/values.yaml
+++ b/charts/gitlab/charts/gitlab-exporter/values.yaml
@@ -7,6 +7,8 @@ image:
 # pullSecrets: []
 # tag: master
+listenAddr: 0.0.0.0
+
 service:
 name: gitlab-exporter
 type: ClusterIP
diff --git a/charts/gitlab/charts/kas/templates/deployment.yaml b/charts/gitlab/charts/kas/templates/deployment.yaml
index 1bd8976a41..35fe1d01bb 100644
--- a/charts/gitlab/charts/kas/templates/deployment.yaml
+++ b/charts/gitlab/charts/kas/templates/deployment.yaml
@@ -77,7 +77,7 @@ spec:
 fieldRef:
 fieldPath: status.podIP
 - name: OWN_PRIVATE_API_URL
- value: "{{ include "gitlab.kas.internal.scheme" . }}://$(POD_IP):{{ .Values.service.privateApiPort }}"
+ value: "{{ include "gitlab.kas.internal.scheme" . }}://[$(POD_IP)]:{{ .Values.service.privateApiPort }}"
 {{- include "gitlab.extraEnv" . | nindent 12 }}
 {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
 {{- include "gitlab.timeZone.env" . | nindent 12 }}
diff --git a/charts/gitlab/charts/sidekiq/templates/configmap.yaml b/charts/gitlab/charts/sidekiq/templates/configmap.yaml
index 6dfae7dc0c..cb06af5489 100644
--- a/charts/gitlab/charts/sidekiq/templates/configmap.yaml
+++ b/charts/gitlab/charts/sidekiq/templates/configmap.yaml
@@ -132,11 +132,12 @@ data:
 webpack:
 monitoring:
 ip_whitelist:
- - 127.0.0.0/8
+ - "127.0.0.0/8"
+ - "::1/128"
 sidekiq_exporter:
 {{- if .Values.metrics.enabled }}
 enabled: true
- address: 0.0.0.0
+ address: {{ .Values.metrics.listenAddr | quote }}
 port: {{ .Values.metrics.port }}
 log_enabled: {{ .Values.metrics.log_enabled }}
 {{- if $.Values.metrics.tls.enabled }}
@@ -147,7 +148,7 @@ data:
 {{- end }}
 sidekiq_health_checks:
 enabled: true
- address: 0.0.0.0
+ address: {{ .Values.health_checks.listenAddr | quote }}
 port: {{ .Values.health_checks.port }}
 {{- include "gitlab.appConfig.openbao.configuration" . | nindent 6 }}
 configure: |
diff --git a/charts/gitlab/charts/sidekiq/values.yaml b/charts/gitlab/charts/sidekiq/values.yaml
index ffdfe5290d..11c9162357 100644
--- a/charts/gitlab/charts/sidekiq/values.yaml
+++ b/charts/gitlab/charts/sidekiq/values.yaml
@@ -52,6 +52,7 @@ networkpolicy:
 metrics:
 enabled: true
+ listenAddr: "0.0.0.0"
 port: 3807
 path: /metrics
 log_enabled: false
@@ -66,6 +67,7 @@ metrics:
 # secretName:
 health_checks:
+ listenAddr: "0.0.0.0"
 port: 3808
 redis:
diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml
index 8d42a433ab..a36d39bd3a 100644
--- a/charts/gitlab/charts/webservice/templates/configmap.yml
+++ b/charts/gitlab/charts/webservice/templates/configmap.yml
@@ -147,11 +147,13 @@ data:
 monitoring:
 ip_whitelist:
 {{- if kindIs "slice" .Values.monitoring.ipWhitelist }}
- {{ toYaml .Values.monitoring.ipWhitelist | nindent 10 | trim }}
+ {{- range $ip := .Values.monitoring.ipWhitelist }}
+ - {{ $ip | trim | quote }}
+ {{- end }}
 {{- end }}
 web_exporter:
 enabled: {{ or .Values.monitoring.exporter.enabled (and .Values.metrics.enabled (eq .Values.metrics.port .Values.monitoring.exporter.port)) }}
- address: 0.0.0.0
+ address: {{ .Values.monitoring.exporter.listenAddr }}
 port: {{ .Values.monitoring.exporter.port }}
 {{- if eq (include "webservice-metrics.tls.enabled" $) "true" }}
 tls_enabled: true
diff --git a/charts/gitlab/charts/webservice/values.yaml b/charts/gitlab/charts/webservice/values.yaml
index 0c251062a5..95fc4f93e0 100644
--- a/charts/gitlab/charts/webservice/values.yaml
+++ b/charts/gitlab/charts/webservice/values.yaml
@@ -28,10 +28,12 @@ tolerations: []
 monitoring:
 # Monitoring IP whitelist
 ipWhitelist:
- - 0.0.0.0/0
+ - "0.0.0.0/0"
+ - "::/0"
 exporter:
 enabled: false
 port: 8083
+ listenAddr: 0.0.0.0
 # Shutdown settings
 # Defines an interval to block healthcheck,
@@ -64,6 +66,7 @@ sshHostKeys:
 metrics:
 enabled: true
+ listenAddr: 0.0.0.0
 port: 8083
 path: /metrics
 tls: {}
diff --git a/doc/advanced/_index.md b/doc/advanced/_index.md
index 5a1d5fb50b..66c8d42019 100644
--- a/doc/advanced/_index.md
+++ b/doc/advanced/_index.md
@@ -18,3 +18,4 @@ title: Advanced configuration
 - Enabling [internal TLS between services](internal-tls/_index.md)
 - After install, [managing Persistent Volumes](persistent-volumes/_index.md)
 - Using [Red Hat UBI-based images](ubi/_index.md)
+- Deploying to [IPv6 clusters](ipv6/_index.md)
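Review bot: The new `address:` line in the web_exporter block renders `.Values.monitoring.exporter.listenAddr` unquoted, while the sibling sidekiq and gitlab-exporter hunks pass the same kind of value through `| quote`. A bare `::` still parses as a YAML string, but a bracketed `[::]` would parse as a flow sequence and an empty value would render an empty key, so the three templates should agree: `address: {{ .Values.monitoring.exporter.listenAddr | quote }}`. The `range` over `ipWhitelist` now quotes each entry, which is the right complement to the quoted `"::/0"` default added to values.yaml.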
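Review bot: `metrics.listenAddr: 0.0.0.0` is added to webservice values.yaml, but no template in this patch reads `.Values.metrics.listenAddr` for webservice (the configmap hunk reads `monitoring.exporter.listenAddr`), and the webservice docs table added in this series documents only `monitoring.exporter.listenAddr`. Unless a template outside this diff consumes it, this is a dead knob that will lead IPv6 deployments to set the wrong key and keep the metrics listener on `0.0.0.0`; either wire it into a template and document it, or drop it from values.yaml.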
diff --git a/doc/advanced/ipv6/_index.md b/doc/advanced/ipv6/_index.md
new file mode 100644
index 0000000000..db35b6f8e4
--- /dev/null
+++ b/doc/advanced/ipv6/_index.md
@@ -0,0 +1,18 @@
+---
+stage: Systems
+group: Distribution
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: Configure for IPv6 deployments
+---
+
+The GitLab charts can be configured for IPv6 clusters. The default configuration relies on a IPv4 network.
+
+## Sample values
+
+We provide an example for GitLab chart values in [`examples/values-ipv6.yaml`](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/values-ipv6.yaml)
+which can help you to deploy GitLab into a IPv6 cluster.
+
+If you configured a custom IP allowlist (`gitlab.webservice.monitoring.ipWhitelist`),
+make sure to update existing IPv4 addresses to their IPv6 representation.
+
+For example, to the IPv4 client with `10.0.0.1` should be mapped to `::10.0.0.1`.
diff --git a/doc/charts/gitlab/gitlab-exporter/_index.md b/doc/charts/gitlab/gitlab-exporter/_index.md
index fc07064024..7e9aff9913 100644
--- a/doc/charts/gitlab/gitlab-exporter/_index.md
+++ b/doc/charts/gitlab/gitlab-exporter/_index.md
@@ -92,6 +92,7 @@ to the `helm install` command using the `--set` flags.
 | `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` |
 | `tls.enabled` | `false` | GitLab Exporter TLS enabled |
 | `tls.secretName` | `{Release.Name}-gitlab-exporter-tls` | GitLab Exporter TLS secret. Must point to a [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). |
+| `listenAddr` | `0.0.0.0` | GitLab Exporter listen address. Change to `::` for IPv6 deployments. |
 ## Chart configuration examples
diff --git a/doc/charts/gitlab/sidekiq/_index.md b/doc/charts/gitlab/sidekiq/_index.md
index 1a34ad6dc8..099d258894 100644
--- a/doc/charts/gitlab/sidekiq/_index.md
+++ b/doc/charts/gitlab/sidekiq/_index.md
@@ -60,6 +60,7 @@ to the `helm install` command using the `--set` flags:
 | `extraEnvFrom` | | List of extra environment variables from other data sources to expose |
 | `gitaly.serviceName` | `gitaly` | Gitaly service name |
 | `health_checks.port` | `3808` | Health check server port |
+| `health_checks.listenAddr` | `0.0.0.0` | Health check listen address. Change to `::` for IPv6 deployments. |
 | `hpa.behaviour` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) |
 | `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) |
 | `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` |
@@ -96,6 +97,7 @@ to the `helm install` command using the `--set` flags:
 | `logging.format` | `json` | Set to `text` for non-JSON logs |
 | `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping |
 | `metrics.port` | `3807` | Metrics endpoint port |
+| `metrics.listenAddr` | `0.0.0.0` | Metrics endpoint listen address. Change to `::` for IPv6 deployments. |
 | `metrics.path` | `/metrics` | Metrics endpoint path |
 | `metrics.log_enabled` | `false` | Enables or disables metrics server logs written to `sidekiq_exporter.log` |
 | `metrics.podMonitor.enabled` | `false` | If a PodMonitor should be created to enable Prometheus Operator to manage the metrics scraping |
diff --git a/doc/charts/gitlab/webservice/_index.md b/doc/charts/gitlab/webservice/_index.md
index eab0269b5f..37192cbe79 100644
--- a/doc/charts/gitlab/webservice/_index.md
+++ b/doc/charts/gitlab/webservice/_index.md
@@ -110,7 +110,8 @@ to the `helm install` command using the `--set` flags.
 | `minio.bucket` | `git-lfs` | Name of storage bucket, when using MinIO |
 | `minio.port` | `9000` | Port for MinIO service |
 | `minio.serviceName` | `minio-svc` | Name of MinIO service |
-| `monitoring.ipWhitelist` | `[0.0.0.0/0]` | List of IPs to whitelist for the monitoring endpoints |
+| `monitoring.ipWhitelist` | `[0.0.0.0/0, ::/0]` | List of IPs to whitelist for the monitoring endpoints |
+| `monitoring.exporter.listenAddr` | `0.0.0.0` | Metrics listen address. Change to `::` for IPv6 deployments. |
 | `monitoring.exporter.enabled` | `false` | Enable webserver to expose Prometheus metrics, this is overridden by `metrics.enabled` if the metrics port is set to the monitoring exporter port |
 | `monitoring.exporter.port` | `8083` | Port number to use for the metrics exporter |
 | `psql.password.key` | `psql-password` | Key to psql password in psql secret |
diff --git a/examples/values-ipv6.yaml b/examples/values-ipv6.yaml
new file mode 100644
index 0000000000..bd6ac51958
--- /dev/null
+++ b/examples/values-ipv6.yaml
@@ -0,0 +1,25 @@
+gitlab:
+ # Configure Puma for IPv6.
+ webservice:
+ extraEnv:
+ # Configure Puma to listen on IPv6.
+ BIND_IP6: "true"
+ monitoring:
+ # ipWhitelist: []
+ expoter:
+ # Configure webservice metrics listener for IPv6.
+ listenAddr: "::"
+ sidekiq:
+ # Configure sidekiq healthcheck and metrics listeners for IPv6.
+ metrics:
+ listenAddr: "::"
+ health_checks:
+ listenAddr: "::"
+ gitlab-exporter:
+ listenAddr: "::"
+
+nginx-ingress:
+ controller:
+ service:
+ ipFamilyPolicy: "SingleStack"
+ ipFamilies: [ IPv6 ]
diff --git a/spec/configuration/kas_spec.rb b/spec/configuration/kas_spec.rb
index a2e435e37e..22fadba152 100644
--- a/spec/configuration/kas_spec.rb
+++ b/spec/configuration/kas_spec.rb
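Review bot: The key `expoter:` under `gitlab.webservice.monitoring` in the new examples/values-ipv6.yaml is misspelled, so the `listenAddr: "::"` beneath it is never read by the webservice configmap (which looks up `.Values.monitoring.exporter.listenAddr`) and the webservice metrics listener silently keeps its `0.0.0.0` default on a single-stack IPv6 cluster. Change the key to `exporter:`. Helm does not reject unknown value keys unless a values schema is present, so a spec that renders the chart with this example file and asserts on the rendered `address:` would be the way to catch this class of typo.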
@@ -856,7 +856,7 @@ describe 'kas configuration' do
 it 'sets OWN_PRIVATE_API_URL to use grpc' do
 expect(env).to include(
- { "name" => "OWN_PRIVATE_API_URL", "value" => "grpc://$(POD_IP):8155" }
+ { "name" => "OWN_PRIVATE_API_URL", "value" => "grpc://[$(POD_IP)]:8155" }
 )
 end
@@ -1020,7 +1020,7 @@ describe 'kas configuration' do
 it 'sets OWN_PRIVATE_API_URL to use grpcs' do
 expect(deployment['spec']['template']['spec']['containers'].first['env']).to include(
- { "name" => "OWN_PRIVATE_API_URL", "value" => "grpcs://$(POD_IP):8155" }
+ { "name" => "OWN_PRIVATE_API_URL", "value" => "grpcs://[$(POD_IP)]:8155" }
 )
 end
-- 
GitLab

From c63a5a2b2ec58130569d1df8adca3d2c92b14a40 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Mon, 31 Mar 2025 11:27:36 +0200
Subject: [PATCH 2/7] Go services: Drop literal address

Workhorse, Pages, and Gitaly set a listen address of `0.0.0.0`, for the TCP network, which still results in listening on IPv4 and IPv6 interfaces:

>>> For TCP networks, if the host in the address parameter is empty or a literal unspecified IP address, Listen listens on all available unicast and anycast IP addresses of the local system.
>>> https://pkg.go.dev/net#Listen

We can drop this and leave the address empty, to avoid any confusion about the IPv6 behaviour.
---
 .../gitaly/templates/_configmap_spec.yaml | 6 ++--
 .../gitlab-pages/templates/configmap.yml | 11 ++++---
 .../charts/praefect/templates/configmap.yaml | 6 ++--
 .../charts/webservice/templates/configmap.yml | 4 +--
 spec/configuration/pages_spec.rb | 31 ++++++++++---------
 spec/configuration/workhorse_spec.rb | 6 ++--
 6 files changed, 33 insertions(+), 31 deletions(-)
diff --git a/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml b/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml
index b9e40e5f10..3e275d3fc5 100644
--- a/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml
+++ b/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml
@@ -16,19 +16,19 @@ data:
 bin_dir = "/usr/local/bin"
 # listen on a TCP socket. This is insecure (no authentication)
- listen_addr = "0.0.0.0:{{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }}"
+ listen_addr = ":{{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }}"
 # Directory where internal sockets reside
 # note: no value will result in a `/tmp/gitlab-internal-*` path
 # internal_socket_dir = "/home/git"
 {{- if $.Values.global.gitaly.tls.enabled }}
- tls_listen_addr = "0.0.0.0:{{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }}"
+ tls_listen_addr = ":{{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }}"
 {{- end }}
 # If metrics collection is enabled, inform gitaly about that
 {{- if .Values.metrics.enabled }}
- prometheus_listen_addr = "0.0.0.0:{{ default .Values.metrics.port .Values.metrics.metricsPort }}"
+ prometheus_listen_addr = ":{{ default .Values.metrics.port .Values.metrics.metricsPort }}"
 {{- end }}
 # Graceful shutdown timeout, how long to wait for in-flight requests to complete
diff --git a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
index 9e58facc51..058c92aa4b 100644
--- a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
+++ b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
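Review bot: `listen_addr`, `tls_listen_addr` and `prometheus_listen_addr` now carry an empty host (`:PORT`); the commit message grounds this in Go's `net.Listen` semantics, but Gitaly's own parsing of these config fields is not visible here, so it should be confirmed that it hands the string to the listener unchanged rather than requiring a host. The diffstat updates pages_spec.rb and workhorse_spec.rb only, so if a gitaly or praefect spec asserts on these addresses it is missing from this series. The praefect configmap.yaml hunk makes the identical change and the same check applies there.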
@@ -37,16 +37,17 @@ data:
 {{- end }}
 {{- $externalAddresses := concat $.Values.global.pages.externalHttp $.Values.global.pages.externalHttps | uniq }}
 {{- if (empty ($externalAddresses)) }}
- listen-proxy=0.0.0.0:{{ .Values.service.internalPort }}
- listen-http=0.0.0.0:9090
+ listen-proxy=:{{ .Values.service.internalPort | int }}
+ listen-http=:9090
 {{- else }}
+ {{- $listen := .Values.useHTTPProxy | ternary "proxy" "http" }}
 {{- if not (empty $.Values.global.pages.externalHttp) }}
- listen-{{ if .Values.useHTTPProxy }}proxy{{ else }}http{{ end }}=0.0.0.0:{{ .Values.service.internalPort | int }}
+ {{- printf "listen-%s=:%d" $listen (.Values.service.internalPort | int) | nindent 4 }}
 {{- else }}
- listen-{{ if .Values.useHTTPProxy }}proxy{{ else }}http{{ end }}=0.0.0.0:9090
+ {{- printf "listen-%s=:9090" $listen | nindent 4 }}
 {{- end }}
 {{- if not (empty $.Values.global.pages.externalHttps) }}
- listen-https{{ if .Values.useProxyV2 }}-proxyv2{{ end }}=0.0.0.0:{{ .Values.service.customDomains.internalHttpsPort | int }}
+ listen-https{{ if .Values.useProxyV2 }}-proxyv2{{ end }}=:{{ .Values.service.customDomains.internalHttpsPort | int }}
 root-cert=/etc/gitlab-secrets/pages/{{ template "gitlab.pages.hostname" $ }}.crt
 root-key=/etc/gitlab-secrets/pages/{{ template "gitlab.pages.hostname" $ }}.key
 {{- end }}
diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml
index 6dd4ca7244..9588d796d4 100644
--- a/charts/gitlab/charts/praefect/templates/configmap.yaml
+++ b/charts/gitlab/charts/praefect/templates/configmap.yaml
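Review bot: The two `externalHttp` branches switch to `{{- printf "listen-%s=:%d" $listen ... | nindent 4 }}`, while the `listen-https` line a few lines below keeps the inline `{{ if }}...{{ end }}` form, leaving two styles in one block and hard-coding a 4-space indent that presumably has to match the enclosing literal block. The `$listen` variable already removes the duplication, so the plain form reads better and keeps the file's own indentation: `listen-{{ $listen }}=:{{ .Values.service.internalPort | int }}` and `listen-{{ $listen }}=:9090`. The pages specs match these lines with unanchored regexes, so an indentation drift inside the config literal would not be caught by them.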
@@ -20,14 +20,14 @@ data:
 {{- end }}
 config.toml.tpl: |
 # TCP address to listen on
- listen_addr = '0.0.0.0:{{ include "gitlab.praefect.internalPort" . }}'
+ listen_addr = ':{{ include "gitlab.praefect.internalPort" . }}'
 {{- if $.Values.global.praefect.tls.enabled }}
- tls_listen_addr = '0.0.0.0:{{ include "gitlab.praefect.tls.internalPort" . }}'
+ tls_listen_addr = ':{{ include "gitlab.praefect.tls.internalPort" . }}'
 {{- end }}
 {{- if .Values.metrics.enabled }}
- prometheus_listen_addr = '0.0.0.0:{{ .Values.metrics.port }}'
+ prometheus_listen_addr = ':{{ .Values.metrics.port }}'
 {{- end }}
 prometheus_exclude_database_from_default_metrics = {{ eq true .Values.metrics.separate_database_metrics }}
diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml
index a36d39bd3a..fa69ff5454 100644
--- a/charts/gitlab/charts/webservice/templates/configmap.yml
+++ b/charts/gitlab/charts/webservice/templates/configmap.yml
@@ -226,7 +226,7 @@ data:
 max_filesize = {{ $.Values.workhorse.imageScaler.maxFileSizeBytes | int }}
 [[listeners]]
 network = "tcp"
- addr = "0.0.0.0:{{ default 8181 $.Values.service.workhorseInternalPort | int }}"
+ addr = ":{{ default 8181 $.Values.service.workhorseInternalPort | int }}"
 {{- if $.Values.global.workhorse.tls.enabled }}
 [listeners.tls]
 certificate = "/etc/gitlab/gitlab-workhorse/tls.crt"
@@ -235,7 +235,7 @@ data:
 {{- if or $.Values.workhorse.monitoring.exporter.enabled $.Values.workhorse.metrics.enabled }}
 [metrics_listener]
 network = "tcp"
- addr = "0.0.0.0:{{ $.Values.workhorse.monitoring.exporter.port }}"
+ addr = ":{{ $.Values.workhorse.monitoring.exporter.port }}"
 {{- $workhorseExporterTlsEnabled := eq (include "workhorse.monitoring.exporter.tls.enabled" $ ) "true" }}
 {{- if $workhorseExporterTlsEnabled }}
 [metrics_listener.tls]
diff --git a/spec/configuration/pages_spec.rb b/spec/configuration/pages_spec.rb
index 38811da961..3eaaf5cb77 100644
--- a/spec/configuration/pages_spec.rb
+++ b/spec/configuration/pages_spec.rb
@@ -267,6 +267,7 @@ describe 'GitLab Pages' do
 end
 it 'populates Pages configuration' do
+ expect(pages_enabled_template.exit_code).to eq(0), "Unexpected error code #{pages_enabled_template.exit_code} -- #{pages_enabled_template.stderr}"
 expect(config_yaml_data['production']['pages']).to eq(
 'enabled' => true,
 'access_control' => true,
@@ -441,8 +442,8 @@ describe 'GitLab Pages' do
 it 'populates Pages config file' do
 default_content = <<~MSG
- listen-proxy=0.0.0.0:8090
- listen-http=0.0.0.0:9090
+ listen-proxy=:8090
+ listen-http=:9090
 pages-domain=pages.example.com
 pages-root=/srv/gitlab-pages
 log-format=json
@@ -529,8 +530,8 @@ describe 'GitLab Pages' do
 default_content = <<~MSG
 gitlab-retrieval-retries=3
 header=FOO: BAR;;BAZ: BAT
- listen-proxy=0.0.0.0:8090
- listen-http=0.0.0.0:9090
+ listen-proxy=:8090
+ listen-http=:9090
 pages-domain=pages.example.com
 pages-root=/srv/gitlab-pages
 log-format=text
@@ -646,11 +647,11 @@ describe 'GitLab Pages' do
 end
 it 'exposes listen-proxy correctly' do
- expect(pages_config_data).to match(/listen-proxy=0.0.0.0:8090/)
+ expect(pages_config_data).to match(/listen-proxy=:8090/)
 end
 it 'configures readiness probe correctly' do
- expect(pages_config_data).to match(/listen-http=0.0.0.0:9090/)
+ expect(pages_config_data).to match(/listen-http=:9090/)
 expect(pages_config_data).to match(%r{pages-status=/-/readiness})
 end
 end
@@ -704,7 +705,7 @@ describe 'GitLab Pages' do
 end
 it 'exposes listen-http correctly' do
- expect(pages_config_data).to match(/listen-http=0.0.0.0:8090/)
+ expect(pages_config_data).to match(/listen-http=:8090/)
 end
 end
@@ -756,13 +757,13 @@ describe 'GitLab Pages' do
 describe 'pages configuration' do
 it 'exposes listen-https, root-cert, and root-key' do
- expect(pages_config_data).to match(/listen-https=0.0.0.0:8091/)
+ expect(pages_config_data).to match(/listen-https=:8091/)
 expect(pages_config_data).to match(%r{root-cert=/etc/gitlab-secrets/pages/pages.example.com.crt})
 expect(pages_config_data).to match(%r{root-key=/etc/gitlab-secrets/pages/pages.example.com.key})
 end
 it 'configures readiness probe correctly' do
- expect(pages_config_data).to match(/listen-http=0.0.0.0:9090/)
+ expect(pages_config_data).to match(/listen-http=:9090/)
 expect(pages_config_data).to match(%r{pages-status=/-/readiness})
 end
@@ -820,8 +821,8 @@ describe 'GitLab Pages' do
 describe 'pages configuration' do
 it 'exposes listen-http, listen-https, root-cert, and root-key' do
- expect(pages_config_data).to match(/listen-http=0.0.0.0:8090/)
- expect(pages_config_data).to match(/listen-https=0.0.0.0:8091/)
+ expect(pages_config_data).to match(/listen-http=:8090/)
+ expect(pages_config_data).to match(/listen-https=:8091/)
 expect(pages_config_data).to match(%r{root-cert=/etc/gitlab-secrets/pages/pages.example.com.crt})
 expect(pages_config_data).to match(%r{root-key=/etc/gitlab-secrets/pages/pages.example.com.key})
 end
@@ -964,8 +965,8 @@ describe 'GitLab Pages' do
 describe 'pages configuration' do
 it 'exposes proper listeners' do
- expect(pages_config_data).to match(/listen-https-proxyv2=0.0.0.0:8091/)
- expect(pages_config_data).not_to match(/listen-https=0.0.0.0:8091/)
+ expect(pages_config_data).to match(/listen-https-proxyv2=:8091/)
+ expect(pages_config_data).not_to match(/listen-https=:8091/)
 end
 end
 end
@@ -988,8 +989,8 @@ describe 'GitLab Pages' do
 describe 'pages configuration' do
 it 'exposes proper listeners' do
- expect(pages_config_data).to match(/listen-proxy=0.0.0.0:8090/)
- expect(pages_config_data).not_to match(/listen-http=0.0.0.0:8090/)
+ expect(pages_config_data).to match(/listen-proxy=:8090/)
+ expect(pages_config_data).not_to match(/listen-http=:8090/)
 end
 end
 end
diff --git a/spec/configuration/workhorse_spec.rb b/spec/configuration/workhorse_spec.rb
index 39945833e7..4085653bec 100644
--- a/spec/configuration/workhorse_spec.rb
+++ b/spec/configuration/workhorse_spec.rb
@@ -542,7 +542,7 @@ CFG
 it 'renders a TOML configuration file' do
 expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}"
 expect(raw_toml).to include %([[listeners]]\n)
- expect(raw_toml).to include %(addr = "0.0.0.0:8181"\n)
+ expect(raw_toml).to include %(addr = ":8181"\n)
 expect(raw_toml).to include %([listeners.tls]\n)
 end
 it 'annotates Ingress for TLS backend' do
@@ -555,7 +555,7 @@ CFG
 shared_examples 'monitoring TLS is enabled' do
 it 'renders a TOML configuration file' do
 expect(raw_toml).to include %([metrics_listener]\n)
- expect(raw_toml).to include %(addr = "0.0.0.0:9229"\n)
+ expect(raw_toml).to include %(addr = ":9229"\n)
 expect(raw_toml).to include %([metrics_listener.tls]\n)
 end
 end
@@ -622,7 +622,7 @@ CFG
 listeners = toml['listeners']
 expect(listeners.count).to eq(1)
 expect(listeners.first.keys).to match_array(%w[network addr tls])
- expect(listeners.first['addr']).to eq('0.0.0.0:8181')
+ expect(listeners.first['addr']).to eq(':8181')
 end
 it 'does not annotate Ingress for TLS verify' do
-- 
GitLab

From cf65d0c87f8712f70b72add7d0ee7513aebf0ed9 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Thu, 10 Apr 2025 15:36:40 +0200
Subject: [PATCH 3/7] Link known upstream issue

---
 doc/advanced/ipv6/_index.md | 2 +-
 examples/values-ipv6.yaml | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/doc/advanced/ipv6/_index.md b/doc/advanced/ipv6/_index.md
index db35b6f8e4..77cd720ad2 100644
--- a/doc/advanced/ipv6/_index.md
+++ b/doc/advanced/ipv6/_index.md
@@ -10,7 +10,7 @@ The GitLab charts can be configured for IPv6 clusters. The default configuration
 ## Sample values
 We provide an example for GitLab chart values in [`examples/values-ipv6.yaml`](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/values-ipv6.yaml)
-which can help you to deploy GitLab into a IPv6 cluster.
+which can help you to deploy GitLab into a IPv6 single stack cluster.
 If you configured a custom IP allowlist (`gitlab.webservice.monitoring.ipWhitelist`),
 make sure to update existing IPv4 addresses to their IPv6 representation.
diff --git a/examples/values-ipv6.yaml b/examples/values-ipv6.yaml
index bd6ac51958..bc12da34d3 100644
--- a/examples/values-ipv6.yaml
+++ b/examples/values-ipv6.yaml
@@ -1,5 +1,4 @@
 gitlab:
- # Configure Puma for IPv6.
 webservice:
 extraEnv:
 # Configure Puma to listen on IPv6.
@@ -11,6 +10,9 @@ gitlab:
 listenAddr: "::"
 sidekiq:
 # Configure sidekiq healthcheck and metrics listeners for IPv6.
+ # Note: Because of a known bug these services stop working on IPv4 if
+ # a `::` listen address is used. Do not use this in IPv4 and dual stack
+ # clusters. https://github.com/ruby/webrick/issues/99
 metrics:
 listenAddr: "::"
 health_checks:
-- 
GitLab

From b93ade6135497c150db78f24c6a6a311c233e3b8 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Fri, 25 Apr 2025 13:41:37 +0200
Subject: [PATCH 4/7] Spamcheck: Support custom listen address

- Support custom grpc host.
- Set config env var to make sure config from ConfigMap is applied.
---
 charts/gitlab/charts/spamcheck/templates/configmap.yaml | 5 ++---
 charts/gitlab/charts/spamcheck/templates/deployment.yaml | 2 ++
 charts/gitlab/charts/spamcheck/values.yaml | 2 ++
 doc/charts/gitlab/spamcheck/_index.md | 1 +
 examples/values-ipv6.yaml | 2 ++
 5 files changed, 9 insertions(+), 3 deletions(-)
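Review bot: The new webrick caveat is placed under `sidekiq:` only, but the gitlab-exporter configmap earlier in this series configures `server: name: webrick` as well, and this example file sets `gitlab-exporter.listenAddr: "::"` just below the hunk without any warning. If the linked issue applies to any webrick listener bound to `::`, the same three-line comment belongs above `gitlab-exporter:` too, or the note should be hoisted to the top of the `gitlab:` block so it covers every Ruby listener in the file. Stating once that this example is for IPv6 single-stack clusters only would be clearer than per-service notes.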
diff --git a/charts/gitlab/charts/spamcheck/templates/configmap.yaml b/charts/gitlab/charts/spamcheck/templates/configmap.yaml
index 3799e86d43..5eb2f757b0 100644
--- a/charts/gitlab/charts/spamcheck/templates/configmap.yaml
+++ b/charts/gitlab/charts/spamcheck/templates/configmap.yaml
@@ -8,13 +8,12 @@ metadata:
 {{- include "gitlab.standardLabels" . | nindent 4 }}
 {{- include "gitlab.commonLabels" . | nindent 4 }}
 data:
- # See https://gitlab.com/gitlab-org/spamcheck/-/blob/main/config/config.example.yml
+ # See https://gitlab.com/gitlab-org/gl-security/security-engineering/security-automation/spam/spamcheck/-/blob/main/config/config.example.yml
 config.yaml: |
- grpc_addr: {{ .Values.service.internalPort | quote }}
+ grpc_addr: {{ printf "%s:%d" .Values.listenAddr (.Values.service.internalPort | int) | quote }}
 log_level: {{ .Values.logging.level | quote }}
 filter:
 allowList: {}
 denyList: {}
 allowed_domains: {}
- {{- end }}
diff --git a/charts/gitlab/charts/spamcheck/templates/deployment.yaml b/charts/gitlab/charts/spamcheck/templates/deployment.yaml
index ea92845774..63d3b8ad97 100644
--- a/charts/gitlab/charts/spamcheck/templates/deployment.yaml
+++ b/charts/gitlab/charts/spamcheck/templates/deployment.yaml
@@ -60,6 +60,8 @@ spec:
 - name: grpc
 containerPort: {{ $.Values.service.internalPort }}
 env:
+ - name: SPAMCHECK_CONFIG
+ value: /app/config/config.yaml
 {{- include "gitlab.timeZone.env" . | nindent 12 }}
 {{- include "gitlab.extraEnv" . | nindent 12 }}
 {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
diff --git a/charts/gitlab/charts/spamcheck/values.yaml b/charts/gitlab/charts/spamcheck/values.yaml
index 3ecb3381ab..4ff18c651a 100644
--- a/charts/gitlab/charts/spamcheck/values.yaml
+++ b/charts/gitlab/charts/spamcheck/values.yaml
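Review bot: `grpc_addr` is built with `printf "%s:%d"`, so an IPv6 `listenAddr` only works if the operator supplies it pre-bracketed (`[::]`, as the docs table and example in this patch do), whereas every other `listenAddr` introduced in this series takes a bare `::`; someone copying `::` from the sidekiq settings gets `:::8001`. Normalising in the template removes the trap: `{{- $host := .Values.listenAddr }}`, `{{- if and (contains ":" $host) (not (hasPrefix "[" $host)) }}{{ $host = printf "[%s]" $host }}{{- end }}`, then `grpc_addr: {{ printf "%s:%d" $host (.Values.service.internalPort | int) | quote }}`. The dropped trailing `{{- end }}` has no matching `if` inside the hunk; presumably it was unmatched, since the template would otherwise have failed to render before this change.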
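Review bot: `SPAMCHECK_CONFIG` hard-codes `/app/config/config.yaml`, and the volumeMount that places the ConfigMap at that path is outside this hunk, so the two paths are coupled without anything in the diff asserting they agree. A spamcheck spec checking both the env var and the mount path, or at least a comment on the env var naming the mount it depends on (`# must match the config volumeMount below`), would keep them from drifting apart.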
@@ -45,6 +45,8 @@ image:
 repository: registry.gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck
 # tag:
+listenAddr: "0.0.0.0"
+
 service:
 type: ClusterIP
 externalPort: 8001
diff --git a/doc/charts/gitlab/spamcheck/_index.md b/doc/charts/gitlab/spamcheck/_index.md
index 4d4cd1e792..d9285c1a5d 100644
--- a/doc/charts/gitlab/spamcheck/_index.md
+++ b/doc/charts/gitlab/spamcheck/_index.md
@@ -86,6 +86,7 @@ The table below contains all the possible charts configurations that can be supp
 | `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
 | `keda.behavior` | `hpa.behavior` | The specifications for up- and downscaling behavior. |
 | `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
+| `listenAddr` | `0.0.0.0` | Internal listen address. Change to `[::]` for IPv6 deployments. |
 | `logging.level` | `info` | Log level |
 | `maxReplicas` | `10` | HPA `maxReplicas` |
 | `maxUnavailable` | `1` | HPA `maxUnavailable` |
diff --git a/examples/values-ipv6.yaml b/examples/values-ipv6.yaml
index bc12da34d3..019fee749d 100644
--- a/examples/values-ipv6.yaml
+++ b/examples/values-ipv6.yaml
@@ -19,6 +19,8 @@ gitlab:
 listenAddr: "::"
 gitlab-exporter:
 listenAddr: "::"
+ spamcheck:
+ listenAddr: "[::]"
 nginx-ingress:
 controller:
-- 
GitLab
From c208cb4b1ad3aa782e5159a2833e87925bcec58a Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Thu, 5 Jun 2025 09:54:48 +0200
Subject: [PATCH 5/7] Kas: Drop POD_IP and OWN_PRIVATE_API_URL config
KAS now supports to auto discover these settings.
https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4072#note_2545346822
---
 charts/gitlab/charts/kas/templates/deployment.yaml | 6 ------
 spec/configuration/kas_spec.rb | 12 ------------
 2 files changed, 18 deletions(-)
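Review bot: `listenAddr: "0.0.0.0"` is added to the spamcheck values without a comment, and its accepted form differs from the other charts' `listenAddr` values because the configmap joins it with the port through `printf "%s:%d"`; a one-line note next to it, `# Bind address of the gRPC listener. IPv6 literals must be bracketed, e.g. "[::]".`, spares the reader a trip to the docs table. The docs hunk below does say "Change to `[::]`", but the values file is where operators actually copy from.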
diff --git a/charts/gitlab/charts/kas/templates/deployment.yaml b/charts/gitlab/charts/kas/templates/deployment.yaml
index 35fe1d01bb..ecb8dad3ff 100644
--- a/charts/gitlab/charts/kas/templates/deployment.yaml
+++ b/charts/gitlab/charts/kas/templates/deployment.yaml
@@ -72,12 +72,6 @@ spec:
 env:
 - name: OWN_PRIVATE_API_HOST
 value: {{ include "gitlab.kas.serviceHost" . }}
- - name: POD_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: OWN_PRIVATE_API_URL
- value: "{{ include "gitlab.kas.internal.scheme" . }}://[$(POD_IP)]:{{ .Values.service.privateApiPort }}"
 {{- include "gitlab.extraEnv" . | nindent 12 }}
 {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
 {{- include "gitlab.timeZone.env" . | nindent 12 }}
diff --git a/spec/configuration/kas_spec.rb b/spec/configuration/kas_spec.rb
index 22fadba152..6f1dec0543 100644
--- a/spec/configuration/kas_spec.rb
+++ b/spec/configuration/kas_spec.rb
@@ -854,12 +854,6 @@ describe 'kas configuration' do
 context 'env' do
 let(:env) { deployment['spec']['template']['spec']['containers'].first['env'] }
- it 'sets OWN_PRIVATE_API_URL to use grpc' do
- expect(env).to include(
- { "name" => "OWN_PRIVATE_API_URL", "value" => "grpc://[$(POD_IP)]:8155" }
- )
- end
-
 it 'sets OWN_PRIVATE_API_HOST to use its service host' do
 expect(env).to include(
 { "name" => "OWN_PRIVATE_API_HOST", "value" => "test-kas.default.svc" }
@@ -1018,12 +1012,6 @@ describe 'kas configuration' do
 )))
 end
- it 'sets OWN_PRIVATE_API_URL to use grpcs' do
- expect(deployment['spec']['template']['spec']['containers'].first['env']).to include(
- { "name" => "OWN_PRIVATE_API_URL", "value" => "grpcs://[$(POD_IP)]:8155" }
- )
- end
-
 it 'creates the TLS secret volume' do
 init_etc_kas_volume = deployment['spec']['template']['spec']['volumes'].find do |volume|
 volume['name'] == 'init-etc-kas'
-- 
GitLab
From 4b65785245d2f96538d0c846b3c253d26a34f61c Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Tue, 10 Jun 2025 14:00:44 +0200
Subject: [PATCH 6/7] One config for all network stacks
Change default so that the default config fits IPv4-only, IPv6-only and dual stack clusters.
---
 .../gitlab/charts/gitlab-exporter/values.yaml | 2 +-
 charts/gitlab/charts/sidekiq/values.yaml | 4 +--
 charts/gitlab/charts/spamcheck/values.yaml | 2 +-
 .../charts/webservice/templates/configmap.yml | 2 +-
 .../webservice/templates/deployment.yaml | 2 ++
 charts/gitlab/charts/webservice/values.yaml | 5 ++--
 doc/advanced/_index.md | 1 -
 doc/advanced/ipv6/_index.md | 18 ------------
 doc/charts/gitlab/gitlab-exporter/_index.md | 2 +-
 doc/charts/gitlab/sidekiq/_index.md | 4 +--
 doc/charts/gitlab/spamcheck/_index.md | 2 +-
 doc/charts/gitlab/webservice/_index.md | 3 +-
 examples/values-ipv6.yaml | 29 -------------------
 spec/configuration/sidekiq_spec.rb | 8 +++--
 spec/configuration/webservice_metrics_spec.rb | 4 +--
 15 files changed, 23 insertions(+), 65 deletions(-)
 delete mode 100644 doc/advanced/ipv6/_index.md
 delete mode 100644 examples/values-ipv6.yaml
diff --git a/charts/gitlab/charts/gitlab-exporter/values.yaml b/charts/gitlab/charts/gitlab-exporter/values.yaml
index ce39f4f5b9..3e62d55d90 100644
--- a/charts/gitlab/charts/gitlab-exporter/values.yaml
+++ b/charts/gitlab/charts/gitlab-exporter/values.yaml
@@ -7,7 +7,7 @@ image:
 # pullSecrets: []
 # tag: master
-listenAddr: 0.0.0.0
+listenAddr: '::'
 service:
 name: gitlab-exporter
diff --git a/charts/gitlab/charts/sidekiq/values.yaml b/charts/gitlab/charts/sidekiq/values.yaml
index 11c9162357..c9eba3c6fd 100644
--- a/charts/gitlab/charts/sidekiq/values.yaml
+++ b/charts/gitlab/charts/sidekiq/values.yaml
@@ -52,7 +52,7 @@ networkpolicy:
 metrics:
 enabled: true
- listenAddr: "0.0.0.0"
+ listenAddr: "*"
 port: 3807
 path: /metrics
 log_enabled: false
@@ -67,7 +67,7 @@ metrics:
 # secretName:
 health_checks:
- listenAddr: "0.0.0.0"
+ listenAddr: "*"
 port: 3808
 redis:
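Review bot: gitlab-exporter's default becomes `'::'` while sidekiq (the two hunks that follow on this line) and webservice switch to `*`, yet the `examples/values-ipv6.yaml` note that this same patch deletes further down states that a `::` listen address stops IPv4 from working on the WEBrick-based listeners (ruby/webrick#99). If gitlab-exporter serves its metrics through WEBrick as well, the new default would regress IPv4-only clusters, which is the opposite of the "one config for all network stacks" goal; either confirm that `::` binds both families for this exporter or use `*` here too. In any case `*` is not an obvious bind address, so the sidekiq hunks and the webservice `values.yaml` hunk deserve a comment next to each `listenAddr`, e.g. `# "*" binds IPv4 and IPv6; "::" alone breaks IPv4 on this listener (ruby/webrick#99)`.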
diff --git a/charts/gitlab/charts/spamcheck/values.yaml b/charts/gitlab/charts/spamcheck/values.yaml
index 4ff18c651a..5a82048b84 100644
--- a/charts/gitlab/charts/spamcheck/values.yaml
+++ b/charts/gitlab/charts/spamcheck/values.yaml
@@ -45,7 +45,7 @@ image:
 repository: registry.gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck
 # tag:
-listenAddr: "0.0.0.0"
+listenAddr: "[::]"
 service:
 type: ClusterIP
diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml
index fa69ff5454..6f01c6a944 100644
--- a/charts/gitlab/charts/webservice/templates/configmap.yml
+++ b/charts/gitlab/charts/webservice/templates/configmap.yml
@@ -153,7 +153,7 @@ data:
 {{- end }}
 web_exporter:
 enabled: {{ or .Values.monitoring.exporter.enabled (and .Values.metrics.enabled (eq .Values.metrics.port .Values.monitoring.exporter.port)) }}
- address: {{ .Values.monitoring.exporter.listenAddr }}
+ address: {{ .Values.monitoring.exporter.listenAddr | quote }}
 port: {{ .Values.monitoring.exporter.port }}
 {{- if eq (include "webservice-metrics.tls.enabled" $) "true" }}
 tls_enabled: true
diff --git a/charts/gitlab/charts/webservice/templates/deployment.yaml b/charts/gitlab/charts/webservice/templates/deployment.yaml
index ca15421687..b7fc9bc4d6 100644
--- a/charts/gitlab/charts/webservice/templates/deployment.yaml
+++ b/charts/gitlab/charts/webservice/templates/deployment.yaml
@@ -247,6 +247,8 @@ spec:
 value: "{{ .puma.workerMaxMemory }}"
 - name: DISABLE_PUMA_WORKER_KILLER
 value: "{{ .puma.disableWorkerKiller }}"
+ - name: BIND_IP6
+ value: {{ eq .puma.bindIp6 true | quote }}
 {{- end }}
 - name: SHUTDOWN_BLACKOUT_SECONDS
 value: "{{ .shutdown.blackoutSeconds }}"
diff --git a/charts/gitlab/charts/webservice/values.yaml b/charts/gitlab/charts/webservice/values.yaml
index 95fc4f93e0..a6d95525ae 100644
--- a/charts/gitlab/charts/webservice/values.yaml
+++ b/charts/gitlab/charts/webservice/values.yaml
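Review bot: `value: {{ eq .puma.bindIp6 true | quote }}` in the webservice deployment hunk only renders for a boolean; as far as I can tell Go's `eq` rejects operands of different kinds, so an override written as the string `bindIp6: "true"` (a common habit in values files) fails the whole chart render, whereas the neighbouring `DISABLE_PUMA_WORKER_KILLER` just interpolates. `value: {{ .puma.bindIp6 | default false | toString | quote }}` accepts both spellings, maps an unset value to `"false"` and keeps the `"true"`/`"false"` output Puma expects, and it also matches the quoting style of the lines around it. The `with`/`range` that establishes `.puma` begins outside the hunk, so I could not check whether the key is guaranteed to exist there.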
@@ -33,7 +33,7 @@ monitoring:
 exporter:
 enabled: false
 port: 8083
- listenAddr: 0.0.0.0
+ listenAddr: '*'
 # Shutdown settings
 # Defines an interval to block healthcheck,
@@ -66,7 +66,7 @@ sshHostKeys:
 metrics:
 enabled: true
- listenAddr: 0.0.0.0
+ listenAddr: '*'
 port: 8083
 path: /metrics
 tls: {}
@@ -151,6 +151,7 @@ puma:
 max: 4
 disableWorkerKiller: true
 # workerMaxMemory: 1024 # in MB units
+ bindIp6: true
 hpa:
 # targetAverageValue: 1 # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below
diff --git a/doc/advanced/_index.md b/doc/advanced/_index.md
index 66c8d42019..5a1d5fb50b 100644
--- a/doc/advanced/_index.md
+++ b/doc/advanced/_index.md
@@ -18,4 +18,3 @@ title: Advanced configuration
 - Enabling [internal TLS between services](internal-tls/_index.md)
 - After install, [managing Persistent Volumes](persistent-volumes/_index.md)
 - Using [Red Hat UBI-based images](ubi/_index.md)
-- Deploying to [IPv6 clusters](ipv6/_index.md)
diff --git a/doc/advanced/ipv6/_index.md b/doc/advanced/ipv6/_index.md
deleted file mode 100644
index 77cd720ad2..0000000000
--- a/doc/advanced/ipv6/_index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-stage: Systems
-group: Distribution
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
-title: Configure for IPv6 deployments
----
-
-The GitLab charts can be configured for IPv6 clusters. The default configuration relies on a IPv4 network.
-
-## Sample values
-
-We provide an example for GitLab chart values in [`examples/values-ipv6.yaml`](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/values-ipv6.yaml)
-which can help you to deploy GitLab into a IPv6 single stack cluster.
-
-If you configured a custom IP allowlist (`gitlab.webservice.monitoring.ipWhitelist`),
-make sure to update existing IPv4 addresses to their IPv6 representation.
-
-For example, to the IPv4 client with `10.0.0.1` should be mapped to `::10.0.0.1`.
diff --git a/doc/charts/gitlab/gitlab-exporter/_index.md b/doc/charts/gitlab/gitlab-exporter/_index.md
index 7e9aff9913..55bd5eee21 100644
--- a/doc/charts/gitlab/gitlab-exporter/_index.md
+++ b/doc/charts/gitlab/gitlab-exporter/_index.md
@@ -92,7 +92,7 @@ to the `helm install` command using the `--set` flags.
 | `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` |
 | `tls.enabled` | `false` | GitLab Exporter TLS enabled |
 | `tls.secretName` | `{Release.Name}-gitlab-exporter-tls` | GitLab Exporter TLS secret. Must point to a [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). |
-| `listenAddr` | `0.0.0.0` | GitLab Exporter listen address. Change to `::` for IPv6 deployments. |
+| `listenAddr` | `::` | GitLab Exporter listen address. |
 ## Chart configuration examples
diff --git a/doc/charts/gitlab/sidekiq/_index.md b/doc/charts/gitlab/sidekiq/_index.md
index 099d258894..739fa8a480 100644
--- a/doc/charts/gitlab/sidekiq/_index.md
+++ b/doc/charts/gitlab/sidekiq/_index.md
@@ -60,7 +60,7 @@ to the `helm install` command using the `--set` flags:
 | `extraEnvFrom` | | List of extra environment variables from other data sources to expose |
 | `gitaly.serviceName` | `gitaly` | Gitaly service name |
 | `health_checks.port` | `3808` | Health check server port |
-| `health_checks.listenAddr` | `0.0.0.0` | Health check listen address. Change to `::` for IPv6 deployments. |
+| `health_checks.listenAddr` | `*` | Health check listen address. |
 | `hpa.behaviour` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) |
 | `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) |
 | `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` |
@@ -97,7 +97,7 @@ to the `helm install` command using the `--set` flags:
 | `logging.format` | `json` | Set to `text` for non-JSON logs |
 | `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping |
 | `metrics.port` | `3807` | Metrics endpoint port |
-| `metrics.listenAddr` | `0.0.0.0` | Metrics endpoint listen address. Change to `::` for IPv6 deployments. |
+| `metrics.listenAddr` | `*` | Metrics endpoint listen address. |
 | `metrics.path` | `/metrics` | Metrics endpoint path |
 | `metrics.log_enabled` | `false` | Enables or disables metrics server logs written to `sidekiq_exporter.log` |
 | `metrics.podMonitor.enabled` | `false` | If a PodMonitor should be created to enable Prometheus Operator to manage the metrics scraping |
diff --git a/doc/charts/gitlab/spamcheck/_index.md b/doc/charts/gitlab/spamcheck/_index.md
index d9285c1a5d..174529fcc1 100644
--- a/doc/charts/gitlab/spamcheck/_index.md
+++ b/doc/charts/gitlab/spamcheck/_index.md
@@ -86,7 +86,7 @@ The table below contains all the possible charts configurations that can be supp
 | `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
 | `keda.behavior` | `hpa.behavior` | The specifications for up- and downscaling behavior. |
 | `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
-| `listenAddr` | `0.0.0.0` | Internal listen address. Change to `[::]` for IPv6 deployments. |
+| `listenAddr` | `[::]` | Internal listen address. |
 | `logging.level` | `info` | Log level |
 | `maxReplicas` | `10` | HPA `maxReplicas` |
 | `maxUnavailable` | `1` | HPA `maxUnavailable` |
diff --git a/doc/charts/gitlab/webservice/_index.md b/doc/charts/gitlab/webservice/_index.md
index 37192cbe79..37862c1f53 100644
--- a/doc/charts/gitlab/webservice/_index.md
+++ b/doc/charts/gitlab/webservice/_index.md
@@ -111,7 +111,7 @@ to the `helm install` command using the `--set` flags.
 | `minio.port` | `9000` | Port for MinIO service |
 | `minio.serviceName` | `minio-svc` | Name of MinIO service |
 | `monitoring.ipWhitelist` | `[0.0.0.0/0, ::/0]` | List of IPs to whitelist for the monitoring endpoints |
-| `monitoring.exporter.listenAddr` | `0.0.0.0` | Metrics listen address. Change to `::` for IPv6 deployments. |
+| `monitoring.exporter.listenAddr` | `*` | Metrics listen address. |
 | `monitoring.exporter.enabled` | `false` | Enable webserver to expose Prometheus metrics, this is overridden by `metrics.enabled` if the metrics port is set to the monitoring exporter port |
 | `monitoring.exporter.port` | `8083` | Port number to use for the metrics exporter |
 | `psql.password.key` | `psql-password` | Key to psql password in psql secret |
@@ -121,6 +121,7 @@ to the `helm install` command using the `--set` flags.
 | `puma.workerMaxMemory` | | The maximum memory (in megabytes) for the Puma worker killer |
 | `puma.threads.min` | `4` | The minimum amount of Puma threads |
 | `puma.threads.max` | `4` | The maximum amount of Puma threads |
+| `puma.bindIp6` | `true` | Bind IPv6 addresses with Puma. |
 | `rack_attack.git_basic_auth` | `{}` | See [GitLab documentation](https://docs.gitlab.com/administration/settings/protected_paths/) for details |
 | `redis.serviceName` | `redis` | Redis service name |
 | `global.registry.api.port` | `5000` | Registry port |
diff --git a/examples/values-ipv6.yaml b/examples/values-ipv6.yaml
deleted file mode 100644
index 019fee749d..0000000000
--- a/examples/values-ipv6.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-gitlab:
- webservice:
- extraEnv:
- # Configure Puma to listen on IPv6.
- BIND_IP6: "true"
- monitoring:
- # ipWhitelist: []
- expoter:
- # Configure webservice metrics listener for IPv6.
- listenAddr: "::"
- sidekiq:
- # Configure sidekiq healthcheck and metrics listeners for IPv6.
- # Note: Because of a known bug these services stop working on IPv4 if
- # a `::` listen address is used. Do not use this in IPv4 and dual stack
- # clusters. https://github.com/ruby/webrick/issues/99
- metrics:
- listenAddr: "::"
- health_checks:
- listenAddr: "::"
- gitlab-exporter:
- listenAddr: "::"
- spamcheck:
- listenAddr: "[::]"
-
-nginx-ingress:
- controller:
- service:
- ipFamilyPolicy: "SingleStack"
- ipFamilies: [ IPv6 ]
diff --git a/spec/configuration/sidekiq_spec.rb b/spec/configuration/sidekiq_spec.rb
index fc1fef57f9..ee62e0dcab 100644
--- a/spec/configuration/sidekiq_spec.rb
+++ b/spec/configuration/sidekiq_spec.rb
@@ -354,7 +354,7 @@ describe 'Sidekiq configuration' do
 'sidekiq_exporter' => {
 'enabled' => true,
 'log_enabled' => false,
- 'address' => '0.0.0.0',
+ 'address' => '*',
 'port' => 3807
 }
 )
@@ -385,6 +385,7 @@ describe 'Sidekiq configuration' do
 enabled: true
 log_enabled: true
 port: 2222
+ listenAddr: 0.0.0.0
 )).deep_merge(default_values)
 end
@@ -430,20 +431,21 @@ describe 'Sidekiq configuration' do
 expect(monitoring).to include(
 'sidekiq_health_checks' => {
 'enabled' => true,
- 'address' => '0.0.0.0',
+ 'address' => '*',
 'port' => 3808
 }
 )
 end
 end
- context 'when custom port is set' do
+ context 'when custom port and listen address is set' do
 let(:values) do
 YAML.safe_load(%(
 gitlab:
 sidekiq:
 health_checks:
 port: 2222
+ listenAddr: 0.0.0.0
 )).deep_merge(default_values)
 end
diff --git a/spec/configuration/webservice_metrics_spec.rb b/spec/configuration/webservice_metrics_spec.rb
index 3813966535..11093cfc62 100644
--- a/spec/configuration/webservice_metrics_spec.rb
+++ b/spec/configuration/webservice_metrics_spec.rb
@@ -15,7 +15,7 @@ describe 'Webservice monitoring/metrics configuration' do
 expect(monitoring).to include(
 'web_exporter' => {
 'enabled' => true,
- 'address' => '0.0.0.0',
+ 'address' => '*',
 'port' => 8083
 }
 )
@@ -36,7 +36,7 @@ describe 'Webservice monitoring/metrics configuration' do
 expect(monitoring).to include(
 'web_exporter' => {
 'enabled' => false,
- 'address' => '0.0.0.0',
+ 'address' => '*',
 'port' => 8083
 }
 )
-- 
GitLab
From d278780b4c136366334c521fa84c04326b403753 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Thu, 19 Jun 2025 16:23:46 +0200
Subject: [PATCH 7/7] NGINX Default IP Family values
---
 values.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/values.yaml b/values.yaml
index 631c977cbd..57c98ef502 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1002,6 +1002,9 @@ nginx-ingress: &nginx-ingress
 service:
 externalTrafficPolicy: "Local"
+ # Configure no IP families to delegate assignment to controller based on cluster config.
+ ipFamilies: []
+ ipFamilyPolicy: "PreferDualStack"
 ingressClassByName: false
 ingressClassResource:
 name: '{{ include "ingress.class.name" $ | quote }}'
-- 
GitLab
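Review bot: The renamed context in the second sidekiq_spec hunk reads `'when custom port and listen address is set'`; with two subjects it should be `context 'when custom port and listen address are set' do`. The `listenAddr: 0.0.0.0` added to both fixtures only has an effect if the examples that follow assert `'address' => '0.0.0.0'`; those `it` blocks sit outside these hunks, so I could not confirm they were updated alongside the fixtures.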
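Review bot: The new comment in the values.yaml hunk says no IP families are configured, but the hunk also pins `ipFamilyPolicy: "PreferDualStack"`, and it is the interaction that an operator needs spelled out: with `ipFamilies: []` the API server picks the families from the cluster configuration, and `PreferDualStack` degrades to a single family on single-stack clusters. Extending the comment to say so, and to note that pinning IPv6 means `ipFamilyPolicy: "SingleStack"` with `ipFamilies: [IPv6]` (the combination the deleted `examples/values-ipv6.yaml` used), would replace the guidance this series removes. Whether these keys reach the Service at all depends on the nginx-ingress subchart honouring `controller.service.ipFamilies`/`ipFamilyPolicy`, which this hunk does not show.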