From e64888d50d43ac3e70c12572ba0be0c1e024f100 Mon Sep 17 00:00:00 2001
From: Tarun Khandelwal
Date: Wed, 9 Jul 2025 10:25:27 +0530
Subject: [PATCH 1/3] feat: add topology service tls secret to the toolbox pod

---
 .../charts/toolbox/templates/_helpers.tpl | 6 ++++++
 .../charts/toolbox/templates/configmap.yaml | 9 +++++++++
 .../charts/toolbox/templates/deployment.yaml | 19 +++++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/charts/gitlab/charts/toolbox/templates/_helpers.tpl
index 10c03cc69a..4e664c4189 100644
--- a/charts/gitlab/charts/toolbox/templates/_helpers.tpl
+++ b/charts/gitlab/charts/toolbox/templates/_helpers.tpl
@@ -67,3 +67,9 @@ Usage:
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return the Topology Service TLS Secret name
+*/}}
+{{- define "topology-service.tls.secret" -}}
+{{- default (printf "%s-topology-service-tls" .Release.Name) $.Values.global.appConfig.cell.topologyServiceClient.tls.secret | quote -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/toolbox/templates/configmap.yaml b/charts/gitlab/charts/toolbox/templates/configmap.yaml
index f465e6a7a5..9418f5c1f4 100644
--- a/charts/gitlab/charts/toolbox/templates/configmap.yaml
+++ b/charts/gitlab/charts/toolbox/templates/configmap.yaml
@@ -155,6 +155,15 @@ data:
 mv "/${secret_dir}/objectstorage/.s3cfg" "/${secret_dir}/.s3cfg"
 fi
 {{- end }}
+ {{- if $.Values.global.appConfig.cell.enabled }}
+ if [ -d /init-config/topology-service ]; then
+ mkdir -p /init-secrets/topology-service
+ {{- if $.Values.global.appConfig.cell.topologyServiceClient.tls.enabled }}
+ cp -v -L /init-config/topology-service/tls.key /init-secrets/topology-service/tls.key
+ cp -v -L /init-config/topology-service/tls.crt /init-secrets/topology-service/tls.crt
+ {{- end }}
+ fi
+ {{- end }}
 configure-gsutil: |
 if [ -e "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
 # The following script is used to configure gsutil when creating backups
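Review bot: The `cp -v -L` of tls.key in the configmap.yaml hunk leaves the copied private key with whatever mode the init container's umask yields rather than an owner-only mode, so I would follow the copy with `chmod 0400 /init-secrets/topology-service/tls.key`. The `[ -d /init-config/topology-service ]` test only proves the volume is mounted, not that both files are present, and whether the surrounding script runs under `set -e` is outside this hunk, so a failed copy might only surface later as a TLS handshake error in the main container. The _helpers.tpl hunk on this line is superseded by patch 3/3, which moves the same definition to the parent chart, so I raise nothing separate on it.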
diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml
index dca0f6997b..05ae5a4078 100644
--- a/charts/gitlab/charts/toolbox/templates/deployment.yaml
+++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml
@@ -73,6 +73,16 @@ spec:
 - name: toolbox-secrets
 mountPath: /init-secrets
 readOnly: false
+ {{- if and $.Values.global.appConfig.cell.enabled $.Values.global.appConfig.cell.topologyServiceClient.tls.enabled }}
+ - name: toolbox-secrets
+ mountPath: /srv/gitlab/config/topology-service/tls.crt
+ subPath: topology-service/tls.crt
+ readOnly: true
+ - name: toolbox-secrets
+ mountPath: /srv/gitlab/config/topology-service/tls.key
+ subPath: topology-service/tls.key
+ readOnly: true
+ {{- end }}
 resources:
 {{- toYaml .Values.init.resources | nindent 12 }}
 {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }}
@@ -210,6 +220,15 @@ spec:
 {{- range $.Values.local.psql }}
 {{- include "gitlab.psql.secret" . | nindent 10 }}
 {{- end }}
+ {{- if and $.Values.global.appConfig.cell.enabled $.Values.global.appConfig.cell.topologyServiceClient.tls.enabled }}
+ - secret:
+ name: {{ template "topology-service.tls.secret" $ }}
+ items:
+ - key: "tls.crt"
+ path: "topology-service/tls.crt"
+ - key: "tls.key"
+ path: "topology-service/tls.key"
+ {{- end }}
 {{- if include "gitlab.geo.secondary" $ }}
 - secret:
 name: {{ template "gitlab.geo.psql.password.secret" . }}
-- GitLab

From 8a8e2b7d8765f900028b687ecd4f9926493e6681 Mon Sep 17 00:00:00 2001
From: Tarun Khandelwal
Date: Wed, 9 Jul 2025 11:48:21 +0530
Subject: [PATCH 2/3] fix the volume location for the toolbox deployment

---
 .../charts/toolbox/templates/deployment.yaml | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml
index 05ae5a4078..27444c8cbc 100644
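Review bot: In the second deployment.yaml hunk, `name: {{ template "topology-service.tls.secret" $ }}` uses `template` where the `gitlab.psql.secret` context line just above uses `include`; Helm recommends `include` because its output can be piped, and it keeps the volume list uniform, so I would write `name: {{ include "topology-service.tls.secret" $ }}`. The projected source lists `tls.crt` and `tls.key` without `optional`, so a Secret that is absent or lacks either key keeps the pod in ContainerCreating — the right fail-closed behaviour for a client key, but the required key names should be stated wherever `global.appConfig.cell.topologyServiceClient.tls.secret` is documented, which is not part of this series. The first hunk on this line (the init-container subPath mounts) is relocated by patch 2/3, so I raise nothing on it here.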
--- a/charts/gitlab/charts/toolbox/templates/deployment.yaml
+++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml
@@ -73,16 +73,6 @@ spec:
 - name: toolbox-secrets
 mountPath: /init-secrets
 readOnly: false
- {{- if and $.Values.global.appConfig.cell.enabled $.Values.global.appConfig.cell.topologyServiceClient.tls.enabled }}
- - name: toolbox-secrets
- mountPath: /srv/gitlab/config/topology-service/tls.crt
- subPath: topology-service/tls.crt
- readOnly: true
- - name: toolbox-secrets
- mountPath: /srv/gitlab/config/topology-service/tls.key
- subPath: topology-service/tls.key
- readOnly: true
- {{- end }}
 resources:
 {{- toYaml .Values.init.resources | nindent 12 }}
 {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }}
@@ -166,6 +156,16 @@ spec:
 - name: toolbox-secrets
 mountPath: /srv/gitlab/config/secrets.yml
 subPath: rails-secrets/secrets.yml
+ {{- if and $.Values.global.appConfig.cell.enabled $.Values.global.appConfig.cell.topologyServiceClient.tls.enabled }}
+ - name: toolbox-secrets
+ mountPath: /srv/gitlab/config/topology-service/tls.crt
+ subPath: topology-service/tls.crt
+ readOnly: true
+ - name: toolbox-secrets
+ mountPath: /srv/gitlab/config/topology-service/tls.key
+ subPath: topology-service/tls.key
+ readOnly: true
+ {{- end }}
 - name: toolbox-tmp
 mountPath: '/srv/gitlab/tmp'
 {{- if and .Values.persistence.enabled .Values.persistence.subPath }}
-- GitLab

From 366ecff5d081f403e2de45ef8e3e42a199ce89dd Mon Sep 17 00:00:00 2001
From: Tarun Khandelwal
Date: Wed, 9 Jul 2025 12:36:38 +0530
Subject: [PATCH 3/3] move the topology-service tls secret name template to the parent chart

---
 charts/gitlab/charts/toolbox/templates/_helpers.tpl | 7 -------
 charts/gitlab/charts/webservice/templates/_helpers.tpl | 7 -------
 templates/_helpers.tpl | 9 ++++++++-
 3 files changed, 8 insertions(+), 15 deletions(-)
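Review bot: The subPath mounts added to the main container in the second deployment.yaml hunk are static: the kubelet never refreshes a subPath file, and the source here is a one-time copy made by the init container, so a rotated topology-service certificate only takes effect after a pod restart. That is acceptable for this chart but worth stating beside the guard, e.g. `{{- /* one-time copies from the init container; a rotated topology-service cert needs a pod restart */ -}}`. The target paths under /srv/gitlab/config/topology-service/ are hard-coded and must match what the Rails configuration rendered elsewhere points the client at; I cannot confirm that from this hunk. The first hunk on this line is a pure removal.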
diff --git a/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/charts/gitlab/charts/toolbox/templates/_helpers.tpl
index 4e664c4189..a9799ca7f5 100644
--- a/charts/gitlab/charts/toolbox/templates/_helpers.tpl
+++ b/charts/gitlab/charts/toolbox/templates/_helpers.tpl
@@ -66,10 +66,3 @@ Usage:
 path: objectstorage/.s3cfg
 {{- end -}}
 {{- end -}}
-
-{{/*
-Return the Topology Service TLS Secret name
-*/}}
-{{- define "topology-service.tls.secret" -}}
-{{- default (printf "%s-topology-service-tls" .Release.Name) $.Values.global.appConfig.cell.topologyServiceClient.tls.secret | quote -}}
-{{- end -}}
diff --git a/charts/gitlab/charts/webservice/templates/_helpers.tpl b/charts/gitlab/charts/webservice/templates/_helpers.tpl
index 82c2d1fa18..762e0b9eb9 100644
--- a/charts/gitlab/charts/webservice/templates/_helpers.tpl
+++ b/charts/gitlab/charts/webservice/templates/_helpers.tpl
@@ -308,10 +308,3 @@ cp -v -r -L /init-config/redis-sentinel/redis-sentinel-password /init-secrets-wo
 {{- end -}}
 {{- $_ := set . "redisConfigName" "" }}
 {{- end -}}
-
-{{/*
-Return the Topology Service TLS Secret name
-*/}}
-{{- define "topology-service.tls.secret" -}}
-{{- default (printf "%s-topology-service-tls" .Release.Name) $.Values.global.appConfig.cell.topologyServiceClient.tls.secret | quote -}}
-{{- end -}}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 8ca4b6daca..1cc803922c 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -660,4 +660,11 @@ Render GODEBUG environment variable if not already defined in extraEnv
 - name: GODEBUG
 value: 'tlsmlkem=0,tlskyber=0'
 {{- end }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Return the Topology Service TLS Secret name
+*/}}
+{{- define "topology-service.tls.secret" -}}
+{{- default (printf "%s-topology-service-tls" .Release.Name) $.Values.global.appConfig.cell.topologyServiceClient.tls.secret | quote -}}
+{{- end -}}
-- GitLab
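Review bot: The define added at the end of templates/_helpers.tpl mixes `.Release.Name` and `$.Values` in one expression; inside a `define` both name the context the caller passes in (the callers in this series pass `$`), so the mix only confuses readers, and `{{- default (printf "%s-topology-service-tls" .Release.Name) .Values.global.appConfig.cell.topologyServiceClient.tls.secret | quote -}}` reads as one consistent expression. The name also lacks the `gitlab.` prefix that the neighbouring helpers seen in this series carry (`gitlab.psql.secret`, `gitlab.image.pullSecrets`); renaming would mean touching the callers in deployment.yaml, so that is a judgement call for the maintainers. The header comment could say more than it does: that the result is already quoted, and that the default is `<release>-topology-service-tls` when `global.appConfig.cell.topologyServiceClient.tls.secret` is unset. The two removal hunks on this line are pure deletions.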