[Mailroom] Fix ineffectual service desk auth token secret key
What does this MR do?
While rolling out Mailroom webhook delivery method, we observed that the mounted generated secret key did not match the one we declared in the helm value. This mismatch made all involving pods fail to start, because the init-*-secret containers fail to reference to the appointed secret key. After a while, helm apply command timed out waiting for those pods to be ready. We had to rollback the change.
- The helm value file was set to:
gitlab:
appConfig:
incomingEmail:
deliveryMethod: webhook
authToken:
secret: gitlab-mailroom-imap-v1
key: incoming_email_auth_token
serviceDeskEmail:
deliveryMethod: webhook
authToken:
secret: gitlab-mailroom-imap-v1
key: service_desk_email_auth_token
- The changes in
init-webservice-secrets
and similar containers contain the following changes:
- secret:
name: "gitlab-mailroom-imap-v1"
items:
- key: "incoming_email_auth_token"
path: mailroom/incoming_email_webhook_secret
- secret:
name: "gitlab-mailroom-imap-v1"
items:
- key: "authToken" # Notice the authToken key here
path: mailroom/service_desk_email_webhook_secret
After debugging, we realize there is one small problem with the mailroom helm chart. The new mailroom configurations were introduced in !2358 (merged). In the MR, we include a template to declare the mailroom secret configurations to webservice's configMap. This template then includes another template to get the secret key:
{{- define "gitlab.appConfig.serviceDeskEmail.mountSecrets" -}}
# mount secrets for serviceDeskEmail
{{- if and $.Values.global.appConfig.serviceDeskEmail.enabled (eq $.Values.global.appConfig.serviceDeskEmail.deliveryMethod "webhook") }}
- secret:
name: {{ template "gitlab.appConfig.serviceDeskEmail.authToken.secret" . }}
items:
- key: {{ template "gitlab.appConfig.serviceDeskEmail.authToken.key" }}
path: mailroom/service_desk_email_webhook_secret
{{- end }}
{{- end -}}{{/* "gitlab.appConfig.serviceDeskEmail.mountSecrets" "*/}}
# ...
{{- define "gitlab.appConfig.serviceDeskEmail.authToken.key" -}}
{{- default "authToken" $.Values.global.appConfig.serviceDeskEmail.authToken.key | quote -}}
{{- end -}}
Unfortunately, the second template call does not pass the scope. The key template cannot access the callee's data. As a result, it always fallbacks to authToken
. The fix is simply adding scope to that template call.
How to test this MR
This MR does not introduce any UI changes. Instead, we verify the rendered yaml before and after this change.
- Step 1: Update
values.yml
with the following lines:
incomingEmail:
enabled: true
address: "incoming-staging+%{key}@gitlab.com"
user: incoming-staging@gitlab.com
password:
secret: gitlab-mailroom-imap-v1
key: incoming_email_password
deliveryMethod: webhook
authToken:
secret: gitlab-mailroom-imap-v1
key: incoming_email_auth_token
serviceDeskEmail:
enabled: true
address: "contact-project-staging+%{key}@incoming.gitlab.com"
user: contact-project-staging@incoming.gitlab.com
password:
secret: gitlab-mailroom-imap-v1
key: service_desk_email_password
deliveryMethod: webhook
authToken:
secret: gitlab-mailroom-imap-v1
key: service_desk_email_auth_token
- Step 2: Run the following command to print out dry-run render yaml content:
helm template --debug -f ./values.yaml gitlab-local ./ | grep incomingEmail -A 10
# And
helm template --debug -f ./values.yaml gitlab-local ./ | grep serviceDeskEmail -A 10
Before (master branch)
- secret:
name: "gitlab-mailroom-imap-v1"
items:
- key: "incoming_email_auth_token"
path: mailroom/incoming_email_webhook_secret
- secret:
name: "gitlab-mailroom-imap-v1"
items:
- key: "authToken"
path: mailroom/service_desk_email_webhook_secret
After
- secret:
name: "gitlab-mailroom-imap-v1"
items:
- key: "incoming_email_auth_token"
path: mailroom/incoming_email_webhook_secret
- secret:
name: "gitlab-mailroom-imap-v1"
items:
- key: "service_desk_email_auth_token"
path: mailroom/service_desk_email_webhook_secret
Related issues
- Failed Rollout issue: gitlab-com/gl-infra/production#6344 (closed)
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
-
Merge Request Title and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Tests added -
Integration tests added to GitLab QA -
Equivalent MR/issue for omnibus-gitlab opened