Feature: Need way to configure listen-proxy when external IP addresses are used for GitLab Pages
Summary
For our helm chart:
{{- $externalAddresses := concat $.Values.global.pages.externalHttp $.Values.global.pages.externalHttps | uniq }}
{{- if (empty ($externalAddresses)) }}
listen-proxy=0.0.0.0:{{ .Values.service.internalPort }}
listen-http=0.0.0.0:9090
{{- else }}
{{- if not (empty $.Values.global.pages.externalHttp) }}
listen-http=0.0.0.0:{{ .Values.service.internalPort }}
{{- else }}
listen-http=0.0.0.0:9090
{{- end }}
{{- if not (empty $.Values.global.pages.externalHttps) }}
listen-https{{ if .Values.useProxyV2 }}-proxyv2{{ end }}=0.0.0.0:{{ .Values.service.customDomains.internalHttpsPort | int }}
root-cert=/etc/gitlab-secrets/pages/{{ template "gitlab.pages.hostname" $ }}.crt
root-key=/etc/gitlab-secrets/pages/{{ template "gitlab.pages.hostname" $ }}.key
{{- end }}
{{- end }}
We validate that we're using external IP (to the cluster) addresses, and if true, we'll use the listen-http option. We'll always have this option set for us, so for .com, and for our use of our Helm chart, we do not currently have a way to use listen-proxy with the way our chart is currently configured.
We'll need to solve this problem; otherwise we cannot move forward. This came out of efda7b9c, which contains the following design decision:
- When custom domains are used, Pages handles all requests - both via <namespace>.<pages domain> and via custom domain. This is done by specifying listen-http and listen-https directives in Pages config file.
- When custom domains are used, listen-proxy is no longer used because of point above. Instead, we are reusing the internal port (8090) for HTTP requests. HTTPS requests are handled by a different port (8091).
@jaime and/or @vshushlin, if you have any useful information to provide some context here, that would also be helpful as I tackle this issue.
Configuration used
Example configuration of our preprod environment for .com: https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/blob/afa29acada09f4be5f509fac53519a5865166312/releases/gitlab/values/pre.yaml.gotmpl#L268-280
pages:
  accessControl: true
  authSecret:
    secret: gitlab-pages-auth-secret-v1
  enabled: true
  # gcloud compute address pages-gke-pre
  externalHttp:
    # gcloud compute address pages-gke-pre
    - 10.232.20.119
  externalHttps:
    # gcloud compute address pages-gke-pre
    - 10.232.20.119
  host: pre.gitlab.io
Current behavior
listen-proxy cannot be configured in tandem with externalIP.
Expected behavior
listen-proxy can be configured to accept traffic, enabling capture of client IP addresses instead of load balancer IP addresses.
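To make the client-IP point above concrete, here is an added Go example (not Pages' or the chart's own code) that contrasts the two listener kinds the issue discusses. It assumes, as the issue implies, that a direct listener (listen-http) takes the client address from the TCP peer, which behind a load balancer is the balancer's address, while a proxy listener (listen-proxy) takes it from the X-Forwarded-For header set by the upstream proxy. The trusted-proxy set, the 10.232.20.119 balancer address reused from the preprod values, and the sample requests are all constructed for illustration; the check that the TCP peer is a trusted proxy before honouring the header is the caveat a practitioner needs, because otherwise any client can spoof its address.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ListenerMode mirrors the two listener kinds from the issue: a direct
// listener (listen-http) reports the TCP peer, a proxy listener
// (listen-proxy) trusts the forwarding header set by the upstream proxy.
type ListenerMode int

const (
	DirectListener ListenerMode = iota
	ProxyListener
)

// trustedProxies is a constructed (hypothetical) set of upstream
// proxy / load balancer addresses allowed to set X-Forwarded-For.
// 10.232.20.119 is the preprod external address quoted in the issue.
var trustedProxies = map[string]bool{
	"10.232.20.119": true,
}

// ClientIP returns the address that should be logged or rate-limited
// for r. In DirectListener mode the TCP peer is the client. In
// ProxyListener mode the first X-Forwarded-For entry is used, but only
// when the TCP peer is a trusted proxy; otherwise the header is
// attacker-controlled and the peer address is returned instead.
func ClientIP(mode ListenerMode, r *http.Request) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if mode == DirectListener || !trustedProxies[peer] {
		return peer
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return peer
	}
	// X-Forwarded-For is "client, proxy1, proxy2"; the left-most entry
	// is the original client as seen by the first trusted hop.
	first := strings.TrimSpace(strings.Split(xff, ",")[0])
	if net.ParseIP(first) == nil {
		return peer // malformed header: fall back to the peer address
	}
	return first
}

// requestFrom builds a constructed request arriving from the given TCP
// peer, optionally carrying an X-Forwarded-For header.
func requestFrom(peer, xff string) *http.Request {
	r := httptest.NewRequest("GET", "http://pre.gitlab.io/", nil)
	r.RemoteAddr = net.JoinHostPort(peer, "51234")
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	lb := "10.232.20.119"
	// Behind the balancer, a direct listener only ever sees the balancer.
	fmt.Println("listen-http :", ClientIP(DirectListener, requestFrom(lb, "203.0.113.7")))
	// A proxy listener recovers the real client from the trusted proxy's header.
	fmt.Println("listen-proxy:", ClientIP(ProxyListener, requestFrom(lb, "203.0.113.7")))
	// A client that is not a trusted proxy cannot spoof its address.
	fmt.Println("spoof try   :", ClientIP(ProxyListener, requestFrom("198.51.100.9", "203.0.113.7")))
}
```

One further caveat when the chart exposes Pages through a Kubernetes Service with externalIPs: with externalTrafficPolicy set to Cluster, kube-proxy SNATs the connection, so even a direct listener sees a node address rather than the client; externalTrafficPolicy: Local preserves the client source address, and the listener mode then determines what Pages records.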
Versions
- Chart: efda7b9ca381e579aca446de9e6b688fff852eeb