Disable Duo Chat through the chart
Summary
We cannot disable Duo Chat through the chart and it was enabled by default when upgrading to 16.11.x from 16.10.x. We need to be able to disable AI features, Duo Chat, through the chart to keep our configuration and features consistent and declarative through code.
We are in a regulated industry and AI features are not generally available or are highly restricted and monitored. Disabling features such as this through the GUI after the fact and after users can access them before we can disable them presents a problem. The setting for duoAuth is disabled in the config and I would expect that if authentication is disabled then all of the GUI features should be as well. We should not be presenting broken features to end users.
Steps to reproduce
Upgrade from a version of the chart earlier than 16.11.x to 16.11.x
Configuration used
global:
  appConfig:
    enableSeatLink: false
    enableImpersonation: true
    ldap:
      preventSignin: true
    backups:
      bucket: storage
      tmpBucket: storage
    lfs:
      bucket: storage
      connection:
        secret: storage
        key: connection
    artifacts:
      bucket: storage
      connection:
        secret: storage
        key: connection
    uploads:
      bucket: storage
      connection:
        secret: storage
        key: connection
    packages:
      bucket: storage
      connection:
        secret: storage
        key: connection
    externalDiffs:
      enabled: true
      when: outdated
      bucket: storage
      connection:
        secret: storage
        key: connection
    terraformState:
      enabled: true
      bucket: storage
      connection:
        secret: storage
        key: connection
    pseudonymizer:
      bucket: storage
      connection:
        secret: storage
        key: connection
    dependencyProxy:
      enabled: true
      bucket: storage
      connection:
        secret: storage
        key: connection
    omniauth:
      <redacted>
    duoAuth:
      enabled: false
  grafana:
    enabled: false
  hosts:
    domain: v
    hostSuffix: gitlab
    gitlab:
      name: v
  ingress:
    tls:
      enabled: true
    configureCertmanager: false
    class: nginx
    annotations:
      cert-manager.io/cluster-issuer: v
  kas:
    enabled: true
  minio:
    enabled: false
  psql:
    database: v
    host: v
    password:
      secret: v
      key: v
    username: v
  redis:
    host: v
    sentinels:
      - host: v
        port: v
    auth:
      enabled: true
      secret: v
      key: v
  registry:
    bucket: v
  time_zone: v
  antiAffinity: hard
registry:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  ingress:
    tls:
      secretName: v
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: '0'
  storage:
    secret: s3
  debug:
    prometheus:
      enabled: true
  nodeSelector:
    v/node-role: v
  tolerations:
    - key: v/gitlab
      operator: Equal
      value: 'true'
      effect: NoExecute
gitlab:
  gitaly:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
  gitlab-shell:
    nodeSelector:
      v/node-role: gitvlab
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
  gitlab-runner:
    enabled: true
  migrations:
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
  sidekiq:
    metrics:
      enabled: true
      podMonitor:
        enabled: true
    resources:
      requests:
        cpu: 500m
        memory: 1Gi
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
  webservice:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
    ingress:
      tls:
        secretName: v
    extraEnv:
      GITLAB_THROTTLE_USER_ALLOWLIST: '37'
  toolbox:
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
    backups:
      objectStorage:
        config:
          secret: v
          key: config
  gitlab-exporter:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
  kas:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    ingress:
      tls:
        secretName: v
    nodeSelector:
      v/node-role: v
    tolerations:
      - key: v/gitlab
        operator: Equal
        value: 'true'
        effect: NoExecute
gitlab-runner:
  runners:
    config: |
      [[runners]]
        [runners.kubernetes]
          image = "ubuntu:20.04"
          pull_policy = ["always", "if-not-present"]
          namespace = v
          cpu_limit = "1"
          cpu_limit_overwrite_max_allowed = "4"
          cpu_request = "1"
          cpu_request_overwrite_max_allowed = "4"
          poll_timeout = 300
          [runners.kubernetes.node_selector]
            "v/node-role" = v
          [runners.kubernetes.node_tolerations]
            "v/ci=true" = "NoExecute"
        [runners.cache]
          Type = "s3"
          Path = v
          Shared = true
          [runners.cache.s3]
            ServerAddress = "s3"
            BucketName = v
            BucketLocation = "us-east"
    cache:
      secretName: v
  concurrent: 25
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: v
                operator: Exists
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: v
              release: gitlab
          topologyKey: v
  tolerations:
    - key: v
      operator: Equal
      value: 'true'
      effect: NoExecute
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  service:
    enabled: true # needed for ServiceMonitor
  hpa:
    minReplicas: 2
    maxReplicas: 10
    metrics:
      - type: Pods
        pods:
          metric:
            name: v
          target:
            averageValue: "10"
            type: AverageValue
certmanager:
  install: false
nginx-ingress:
  enabled: false
prometheus:
  install: false
redis:
  install: false
postgresql:
  install: false
Current behavior
Upgrade enabled AI powered features we cannot allow in our environment.
Expected behavior
When I upgrade to a new version, something as significant as AI features, Duo, should not be enabled by default and I should be able to easily gate the feature availability in the chart values.yaml file.
Versions
- Chart: 16.10.3 --> 16.11.4
- Platform:
- Self-hosted: (Cloud)
Relevant logs
None