From abd4758a7a2f1bdb3fdda8ccffba6d390b75fe0f Mon Sep 17 00:00:00 2001 From: dustinmm80 Date: Thu, 12 Jun 2025 11:46:07 -0500 Subject: [PATCH] Set GODEBUG defaults and fix env override checks - Fix the checkDuplicateKeyFromEnv template to consider both local and global scopes. - Also set GODEBUG to tlsmlkem=0,tlskyber=0. These was required due to an internal discussion on https://gitlab.com/groups/gitlab-org/-/epics/17700. Users can still make use of `global.extraEnv` to override this behaviour. MR: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4359 Changelog: changed --- .../gitaly/templates/_statefulset_spec.yaml | 3 +- .../gitlab-pages/templates/deployment.yaml | 1 + .../gitlab-shell/templates/deployment.yaml | 1 + .../charts/kas/templates/deployment.yaml | 1 + .../praefect/templates/statefulset.yaml | 2 +- .../webservice/templates/deployment.yaml | 1 + charts/registry/templates/deployment.yaml | 2 ++ templates/_helpers.tpl | 31 ++++++++++++++----- 8 files changed, 32 insertions(+), 10 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index 04691ec775..4c46dbc7c8 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml @@ -141,7 +141,7 @@ spec: value: '/etc/gitaly/config.toml' - name: SSL_CERT_DIR value: '/etc/ssl/certs' - {{- $gomemlimitIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "keyToFind" "GOMEMLIMIT" "extraEnv" .Values.extraEnv "extraEnvFrom" .Values.extraEnvFrom ) }} + {{- $gomemlimitIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "rootScope" $ "keyToFind" "GOMEMLIMIT") }} {{- if and (.Values.gomemlimit.enabled) (((.Values.resources).limits).memory) (eq $gomemlimitIsDuplicate "false") }} - name: GOMEMLIMIT valueFrom: 
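Review bot: The GOMEMLIMIT duplicate check now resolves values through `$` (`dict "rootScope" $ "keyToFind" "GOMEMLIMIT"`), while the condition on the next line still reads `.Values.gomemlimit` and `.Values.resources` through `.`, and the removed call received `.Values.extraEnv`. The enclosing template starts outside this hunk, so whether `.` and `$` are the same scope here cannot be confirmed; if they differ, the check inspects a different `extraEnv` than the one rendered by the `gitlab.extraEnv .` include in the next hunk, and a key set there would be emitted twice. The `gitlab.godebug.env` includes added for gitaly, gitlab-shell, kas, praefect and registry pair `$` with `gitlab.extraEnv .` in the same way, and the webservice hunk does not show where its extra env comes from. A comment above the call would record the assumption: `{{- /* $ must be the chart root: checkDuplicateKeyFromEnv reads $.Values.extraEnv and $.Values.global.extraEnv */}}`.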
@@ -149,6 +149,7 @@ spec: containerName: {{ .Chart.Name }} resource: limits.memory {{- end }} + {{- include "gitlab.godebug.env" $ | nindent 12 }} {{- include "gitlab.tracing.env" . | nindent 12 }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} diff --git a/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml b/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml index 2e6e1b8c73..258e30c2c3 100644 --- a/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml +++ b/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml @@ -97,6 +97,7 @@ spec: {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} {{- include "gitlab.containerSecurityContext" $ | indent 10 }} env: + {{- include "gitlab.godebug.env" $ | nindent 12 }} {{- include "gitlab.extraEnv" $ | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} - name: CONFIG_TEMPLATE_DIRECTORY diff --git a/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml b/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml index 67abde629c..546bc63607 100644 --- a/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml +++ b/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml @@ -108,6 +108,7 @@ spec: value: '/etc/gitlab-secrets/ssh' - name: SSH_DAEMON value: {{ .Values.sshDaemon | quote }} + {{- include "gitlab.godebug.env" $ | nindent 12 }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} {{- include "gitlab.timeZone.env" . | nindent 12 }} diff --git a/charts/gitlab/charts/kas/templates/deployment.yaml b/charts/gitlab/charts/kas/templates/deployment.yaml index ecb8dad3ff..e25bab5fad 100644 --- a/charts/gitlab/charts/kas/templates/deployment.yaml +++ b/charts/gitlab/charts/kas/templates/deployment.yaml 
@@ -72,6 +72,7 @@ spec: env: - name: OWN_PRIVATE_API_HOST value: {{ include "gitlab.kas.serviceHost" . }} + {{- include "gitlab.godebug.env" $ | nindent 12 }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} {{- include "gitlab.timeZone.env" . | nindent 12 }} diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index f678a94dbb..d0a7b0c356 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -112,6 +112,7 @@ spec: value: '{{ .Values.global.praefect.autoMigrate | int }}' - name: NTP_HOST value: '{{ .Values.global.praefect.ntpHost }}' + {{- include "gitlab.godebug.env" $ | nindent 8 }} {{- include "gitlab.tracing.env" . | nindent 8 }} {{- include "gitlab.extraEnv" . | nindent 8 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 8 }} @@ -168,4 +169,3 @@ spec: path: "praefect.key" {{- end }} {{- include "gitlab.certificates.volumes" . | nindent 6 }} - diff --git a/charts/gitlab/charts/webservice/templates/deployment.yaml b/charts/gitlab/charts/webservice/templates/deployment.yaml index 039a504e6d..a2c844000f 100644 --- a/charts/gitlab/charts/webservice/templates/deployment.yaml +++ b/charts/gitlab/charts/webservice/templates/deployment.yaml @@ -359,6 +359,7 @@ spec: {{- end }} env: {{- include "gitlab.timeZone.env" $ | nindent 12 }} + {{- include "gitlab.godebug.env" $ | nindent 12 }} - name: TMPDIR value: "/tmp/gitlab" - name: GITLAB_WORKHORSE_AUTH_BACKEND diff --git a/charts/registry/templates/deployment.yaml b/charts/registry/templates/deployment.yaml index 9d095faac8..fc1de3300e 100644 --- a/charts/registry/templates/deployment.yaml +++ b/charts/registry/templates/deployment.yaml 
@@ -113,7 +113,9 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.godebug.env" $ | nindent 10 }} {{- include "gitlab.timeZone.env" . | nindent 10 }} {{- include "gitlab.extraEnv" . | nindent 10 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 10 }} diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index d462d8a8fa..8ca4b6daca 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -633,16 +633,31 @@ result in different hash values due to fields like `Release.IsUpgrade`, {{/* Return a boolean value that indicates whether a given key exists in the provided environment -variables. +variables from either local or global scope. -Usage: {{- include checkDuplicateKeyFromEnv (dict "keyToFind" "MY_KEY", "extraEnv" .Values.extraEnv, "extraEnvFrom" -.Values.extraEnvFrom) -}} +Usage: {{- include checkDuplicateKeyFromEnv (dict "rootScope" $ "keyToFind" "MY_KEY") -}} */}} {{- define "checkDuplicateKeyFromEnv" -}} {{- $keyToFind := .keyToFind -}} - {{- $extraEnv := .extraEnv -}} - {{- $extraEnvFrom := .extraEnvFrom -}} - {{- $combinedKeys := merge $extraEnv $extraEnvFrom -}} - - {{ hasKey $combinedKeys $keyToFind }} + {{- $rootScope := .rootScope -}} + {{- $localHasKey := and $rootScope.Values.extraEnv (hasKey $rootScope.Values.extraEnv $keyToFind) -}} + {{- $globalHasKey := and $rootScope.Values.global.extraEnv (hasKey $rootScope.Values.global.extraEnv $keyToFind) -}} + {{- $localHasKeyFrom := and $rootScope.Values.extraEnvFrom (hasKey $rootScope.Values.extraEnvFrom $keyToFind) -}} + {{- $globalHasKeyFrom := and $rootScope.Values.global.extraEnvFrom (hasKey $rootScope.Values.global.extraEnvFrom $keyToFind) -}} + {{- if or $localHasKey $globalHasKey $localHasKeyFrom $globalHasKeyFrom -}} +true + {{- else -}} +false + {{- end -}} +{{- end -}} + +{{/* +Render GODEBUG environment variable if not already defined in extraEnv +*/}} +{{- define "gitlab.godebug.env" -}} +{{- $godebugIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "rootScope" . "keyToFind" "GODEBUG") }} +{{- if eq $godebugIsDuplicate "false" }} +- name: GODEBUG + value: 'tlsmlkem=0,tlskyber=0' +{{- end }} {{- end -}} \ No newline at end of file -- GitLab
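Review bot: The comment above `gitlab.godebug.env` says only that GODEBUG is rendered unless already defined; it should state what the default does and how the override behaves. `tlsmlkem=0` and `tlskyber=0` switch off Go's hybrid post-quantum TLS key exchanges (X25519MLKEM768 and the earlier X25519Kyber768Draft00), so Go components that receive this variable fall back to classical key exchange by default. Because GODEBUG is a single comma-separated variable and `checkDuplicateKeyFromEnv` matches on the key name alone, an operator who sets GODEBUG in local or global `extraEnv` for any unrelated setting drops both defaults without notice. Suggested wording: `Render GODEBUG=tlsmlkem=0,tlskyber=0 (disables Go's hybrid post-quantum TLS key exchanges). Skipped entirely when GODEBUG is present in local or global extraEnv/extraEnvFrom, so an override must repeat these settings to keep them.`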