Skip to content

[Mailroom] Fix ineffectual service desk auth token secret key

Quang-Minh Nguyen requested to merge qmnguyen0711/fix-mailroom-chart-secret-key into master

What does this MR do?

While rolling out Mailroom webhook delivery method, we observed that the mounted generated secret key did not match the one we declared in the helm value. This mismatch made all involving pods fail to start, because the init-*-secret containers fail to reference to the appointed secret key. After a while, helm apply command timed out waiting for those pods to be ready. We had to rollback the change.

  • The helm value file was set to:
gitlab:
  appConfig:
    incomingEmail:
      deliveryMethod: webhook
      authToken:
        secret: gitlab-mailroom-imap-v1
        key: incoming_email_auth_token
    serviceDeskEmail:
      deliveryMethod: webhook
      authToken:
        secret: gitlab-mailroom-imap-v1
        key: service_desk_email_auth_token
  • The changes in init-webservice-secrets and similar containers contain the following changes:
           - secret:
               name: "gitlab-mailroom-imap-v1"
               items:
                 - key: "incoming_email_auth_token"
                   path: mailroom/incoming_email_webhook_secret

           - secret:
               name: "gitlab-mailroom-imap-v1"
               items:
                 - key: "authToken" # Notice the authToken key here
                   path: mailroom/service_desk_email_webhook_secret

After debugging, we realize there is one small problem with the mailroom helm chart. The new mailroom configurations were introduced in !2358 (merged). In the MR, we include a template to declare the mailroom secret configurations to webservice's configMap. This template then includes another template to get the secret key:

{{- define "gitlab.appConfig.serviceDeskEmail.mountSecrets" -}}
# mount secrets for serviceDeskEmail
{{- if and $.Values.global.appConfig.serviceDeskEmail.enabled (eq $.Values.global.appConfig.serviceDeskEmail.deliveryMethod "webhook") }}
- secret:
    name: {{ template "gitlab.appConfig.serviceDeskEmail.authToken.secret" . }}
    items:
      - key: {{ template "gitlab.appConfig.serviceDeskEmail.authToken.key" }}
        path: mailroom/service_desk_email_webhook_secret
{{- end }}
{{- end -}}{{/* "gitlab.appConfig.serviceDeskEmail.mountSecrets" "*/}}

# ...

{{- define "gitlab.appConfig.serviceDeskEmail.authToken.key" -}}
{{- default "authToken" $.Values.global.appConfig.serviceDeskEmail.authToken.key | quote -}}
{{- end -}}

Unfortunately, the second template call does not pass the scope. The key template cannot access the callee's data. As a result, it always fallbacks to authToken. The fix is simply adding scope to that template call.

How to test this MR

This MR does not introduce any UI changes. Instead, we verify the rendered yaml before and after this change.

  • Step 1: Update values.yml with the following lines:
    incomingEmail:
      enabled: true
      address: "incoming-staging+%{key}@gitlab.com"
      user: incoming-staging@gitlab.com
      password:
        secret: gitlab-mailroom-imap-v1
        key: incoming_email_password
      deliveryMethod: webhook
      authToken:
        secret: gitlab-mailroom-imap-v1
        key: incoming_email_auth_token

    serviceDeskEmail:
      enabled: true
      address: "contact-project-staging+%{key}@incoming.gitlab.com"
      user: contact-project-staging@incoming.gitlab.com
      password:
        secret: gitlab-mailroom-imap-v1
        key: service_desk_email_password
      deliveryMethod: webhook
      authToken:
        secret: gitlab-mailroom-imap-v1
        key: service_desk_email_auth_token
  • Step 2: Run the following command to print out dry-run render yaml content:
helm template --debug -f ./values.yaml gitlab-local ./ | grep incomingEmail -A 10

# And

helm template --debug -f ./values.yaml gitlab-local ./ | grep serviceDeskEmail -A 10

Before (master branch)

          - secret:
              name: "gitlab-mailroom-imap-v1"
              items:
                - key: "incoming_email_auth_token"
                  path: mailroom/incoming_email_webhook_secret

          - secret:
              name: "gitlab-mailroom-imap-v1"
              items:
                - key: "authToken"
                  path: mailroom/service_desk_email_webhook_secret

After

          - secret:
              name: "gitlab-mailroom-imap-v1"
              items:
                - key: "incoming_email_auth_token"
                  path: mailroom/incoming_email_webhook_secret
          - secret:
              name: "gitlab-mailroom-imap-v1"
              items:
                - key: "service_desk_email_auth_token"
                  path: mailroom/service_desk_email_webhook_secret

Related issues

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
Edited by Quang-Minh Nguyen

Merge request reports