gitlab-pages certificate rotation fails
Summary
The gitlab-pages deployment uses a Secret for its TLS certificate. However, it does not reload the certificate when it gets renewed and the Secret is updated.
This leads to an outage every time the certificate expires, even if it was renewed in time (for example by cert-manager), if an admin doesn't force a restart of the gitlab-pages Deployment.
Steps to reproduce
- Install GitLab with gitlab-pages using the Helm chart. Set global.pages.enabled=true and gitlab.gitlab-pages.ingress.tls.secretName to the name of a Secret
- Update the Secret using kubectl apply or kubectl replace
- Observe that gitlab-pages still uses the old certificate
The Secret is not even mounted in the container that serves pages; it is read by an initContainer and written to a separate Memory volume.
Configuration used
```yaml
global:
  edition: ce
  hosts:
    domain: example.com
    pages:
      name: example.org
  ingress:
    class: haproxy
    configureCertmanager: false
    provider: haproxy
    tls:
      enabled: false # haproxy does TLS, no need to do anything here
  pages:
    enabled: true
    host: example.org
    externalHttp:
      - "203.0.113.3"
    externalHttps:
      - "203.0.113.3"
certmanager:
  installCRDs: false
  install: false
nginx-ingress:
  enabled: false
gitlab:
  gitlab-pages:
    ingress:
      tls:
        secretName: tls-example.org
```
Current behavior
- Certificate rotation fails every single time, threatening outages every 60 days
Expected behavior
- If I update the certificate, gitlab-pages uses the new certificate
Versions
- Chart: 7.2.1
- Platform:
  - Self-hosted: kubeadm
- Kubernetes: (kubectl version)
  - Client: 1.26.6
  - Server: 1.26.6
- Helm: (helm version)
  - Client: 3.12.2
  - Server: that's not a thing
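
A check for the stale-certificate condition described in this report, as an added example that is not part of the original issue or of the GitLab chart: it compares the leaf certificate served on a Pages host with `tls.crt` in the Secret and restarts the Deployment when they differ. The host name, namespace and Deployment name are assumptions; the Secret name is the one from the configuration above.

```python
"""Detect a gitlab-pages pod still serving the pre-rotation certificate."""
import base64, hashlib, json, ssl, subprocess

# Assumed values: adjust to your release. Only SECRET comes from the report.
HOST, PORT = "group.example.org", 443      # hypothetical Pages site
NAMESPACE = "gitlab"                       # assumed namespace
SECRET = "tls-example.org"
DEPLOYMENT = "gitlab-gitlab-pages"         # assumed <release>-gitlab-pages

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_bundle):
    """SHA-256 of the first (leaf) certificate in a PEM bundle."""
    start = pem_bundle.index(BEGIN)
    leaf = pem_bundle[start:pem_bundle.index(END, start) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def is_stale(served_pem, secret_pem):
    """True when the served leaf differs from the leaf stored in the Secret."""
    return leaf_fingerprint(served_pem) != leaf_fingerprint(secret_pem)

def secret_cert(name, namespace):
    """Read tls.crt from a kubernetes.io/tls Secret via kubectl."""
    out = subprocess.run(
        ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return base64.b64decode(json.loads(out)["data"]["tls.crt"]).decode()

def main():
    # No chain validation here, so an already expired certificate is still fetched.
    served = ssl.get_server_certificate((HOST, PORT))
    if is_stale(served, secret_cert(SECRET, NAMESPACE)):
        print("served certificate differs from Secret; restarting", DEPLOYMENT)
        subprocess.run(["kubectl", "rollout", "restart",
                        f"deployment/{DEPLOYMENT}", "-n", NAMESPACE], check=True)
    else:
        print("served certificate matches Secret")

if __name__ == "__main__":
    main()
```

Point HOST at a name that is served with the Secret's certificate; otherwise every run reports a mismatch and restarts the Deployment.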