Add Redis and Sentinel TLS support to GitLab Helm Chart

What does this MR do?

This commit adds comprehensive TLS support for both Redis and Redis Sentinel connections across all GitLab components (webservice, sidekiq, kas, gitlab-exporter, mailroom, and workhorse).

Key changes:

  • Add redisTLS configuration for Redis client certificates and CA certificates
  • Add sentinelTLS configuration for Sentinel client certificates and CA certificates
  • Add validation to ensure consistent SSL settings across all Sentinel entries
  • Update Rails Redis configuration to include ssl flag for redis-rb v5+ compatibility
  • Add TLS secret mounting for all components
  • Update documentation with TLS configuration examples
  • Add comprehensive test coverage for Redis and Sentinel TLS scenarios

Configuration supports:

  • Client certificates (cert/key)
  • CA certificates for server verification
  • Per-sentinel SSL flag override
  • Both global and per-Redis-instance TLS settings

How to validate locally

Related Omnibus merge request: gitlab-org/omnibus-gitlab!9031 (merged)

These instructions assume you have the GitLab Helm Chart already running on Google Kubernetes Engine (GKE) and access to provision a Google Compute Engine VM.

  1. On a Google Compute Engine VM with Docker and Docker Compose installed, start up a Sentinel cluster and Redis master:
git clone https://gitlab.com/stanhu/redis-sentinel-setup.git
cd redis-sentinel-setup
./generate-certs.sh
chmod a+r tls/*
docker-compose up

This starts up a container named redis-master with a Redis master name of mymaster.

  2. Open up a firewall port to allow GKE access to VM ports 6379, 26379, 26380, and 26381. For example, I created a tag of redis to allow these ports.

Assign the VM this tag and verify using the toolbox container that these ports are accessible via busybox nc.

  3. Load tls/ca.crt as a Kubernetes secret for both redis-ca and sentinel-ca:
kubectl create secret generic redis-ca --from-file=ca.crt=tls/ca.crt
kubectl create secret generic sentinel-ca --from-file=ca.crt=tls/ca.crt
  4. Load tls/redis.crt and tls/redis.key as a Kubernetes secret:
kubectl create secret generic redis-client-secrets --from-file=redis-client.crt=tls/redis.crt --from-file=redis-client.key=tls/redis.key
  5. Create a Kubernetes Service and Endpoint for redis-master with the internal IP (e.g. 10.128.0.28):
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: redis-master
  namespace: default
spec:
  clusterIP: None
  ports:
    - port: 6379
---
apiVersion: v1
kind: Endpoints
metadata:
  name: redis-master
  namespace: default
subsets:
  - addresses:
      - ip: 10.128.0.28
    ports:
      - port: 6379
EOF
  6. Add these Kubernetes services and endpoints with the internal IP (e.g. 10.128.0.28):
kubectl apply -f - <<EOF
# sentinel1 → 10.128.0.28:26379
apiVersion: v1
kind: Endpoints
metadata:
  name: sentinel1
subsets:
  - addresses:
      - ip: 10.128.0.28
    ports:
      - port: 26379
---
apiVersion: v1
kind: Service
metadata:
  name: sentinel1
spec:
  ports:
    - port: 26379
      targetPort: 26379
  clusterIP: None   # Headless – DNS resolves directly to the endpoint IP

---
# sentinel2 → 10.128.0.28:26380
apiVersion: v1
kind: Endpoints
metadata:
  name: sentinel2
subsets:
  - addresses:
      - ip: 10.128.0.28
    ports:
      - port: 26380
---
apiVersion: v1
kind: Service
metadata:
  name: sentinel2
spec:
  ports:
    - port: 26380
      targetPort: 26380
  clusterIP: None

---
# sentinel3 → 10.128.0.28:26381
apiVersion: v1
kind: Endpoints
metadata:
  name: sentinel3
subsets:
  - addresses:
      - ip: 10.128.0.28
    ports:
      - port: 26381
---
apiVersion: v1
kind: Service
metadata:
  name: sentinel3
spec:
  ports:
    - port: 26381
      targetPort: 26381
  clusterIP: None
EOF
  7. Set the following values.yaml:
global:
  redis:
    auth:
      enabled: false
    host: mymaster
    port: 6379
    scheme: rediss
    redisTLS:
      caFile:
        secret: redis-ca
        key: ca.crt
      cert:
        secret: redis-client-secrets
        key: redis-client.crt
      key:
        secret: redis-client-secrets
        key: redis-client.key
    sentinels:
    - host: sentinel1
      port: 26379
    - host: sentinel2
      port: 26380
    - host: sentinel3
      port: 26381
    sentinelTLS:
      enabled: true
      caFile:
        secret: sentinel-ca
        key: ca.crt
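As an added example that is not part of this MR or of the chart's own templates, here is a small checker for the values fragment above. It applies the consistency rule the MR describes (the same SSL setting for every Sentinel entry, with a per-entry ssl key overriding sentinelTLS.enabled as an assumed precedence) plus the obvious mutual-TLS completeness checks; the sample dict is constructed from the fragment above.

```python
# Added example, not chart code: check a global.redis values fragment for the
# Sentinel SSL consistency rule this MR adds and for incomplete mutual-TLS settings.

def resolve_sentinels(redis: dict) -> list[dict]:
    """Return sentinel entries with the effective `ssl` flag filled in.

    Assumed precedence: a per-sentinel `ssl` key overrides sentinelTLS.enabled.
    """
    default_ssl = bool(redis.get("sentinelTLS", {}).get("enabled", False))
    return [
        {"host": s["host"], "port": int(s["port"]), "ssl": bool(s.get("ssl", default_ssl))}
        for s in redis.get("sentinels", [])
    ]

def validate_redis_tls(redis: dict) -> list[str]:
    """Collect problems; an empty list means the fragment is consistent."""
    errors: list[str] = []
    sentinels = resolve_sentinels(redis)
    # The client uses one TLS setting for the whole Sentinel set, so every entry must agree.
    if len({s["ssl"] for s in sentinels}) > 1:
        errors.append("sentinels disagree on ssl: " + ", ".join(
            f"{s['host']}:{s['port']}={s['ssl']}" for s in sentinels))
    # rediss:// without a CA means the Redis server certificate cannot be verified.
    tls = redis.get("redisTLS", {})
    if redis.get("scheme") == "rediss" and not tls.get("caFile"):
        errors.append("scheme is rediss but redisTLS.caFile is not set")
    # A client cert without its key (or vice versa) cannot complete mutual TLS.
    if bool(tls.get("cert")) != bool(tls.get("key")):
        errors.append("redisTLS.cert and redisTLS.key must be set together")
    # Sentinel TLS on but no CA to verify the Sentinel certificates.
    if any(s["ssl"] for s in sentinels) and not redis.get("sentinelTLS", {}).get("caFile"):
        errors.append("sentinel ssl is enabled but sentinelTLS.caFile is not set")
    for s in sentinels:
        if not 1 <= s["port"] <= 65535:
            errors.append(f"sentinel {s['host']} has invalid port {s['port']}")
    return errors

# Constructed sample mirroring the values.yaml fragment above.
SAMPLE = {
    "host": "mymaster", "port": 6379, "scheme": "rediss",
    "redisTLS": {"caFile": {"secret": "redis-ca", "key": "ca.crt"},
                 "cert": {"secret": "redis-client-secrets", "key": "redis-client.crt"},
                 "key": {"secret": "redis-client-secrets", "key": "redis-client.key"}},
    "sentinels": [{"host": "sentinel1", "port": 26379},
                  {"host": "sentinel2", "port": 26380},
                  {"host": "sentinel3", "port": 26381}],
    "sentinelTLS": {"enabled": True, "caFile": {"secret": "sentinel-ca", "key": "ca.crt"}},
}

if __name__ == "__main__":
    print(validate_redis_tls(SAMPLE))  # []
```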

Some notes for mutual TLS to work properly:

Relates to:

Author checklist

For general guidance, please follow our Contributing guide.

Required

For anything in this list which will not be completed, please provide a reason in the MR discussion.

  • Merge Request Title and Description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • MR has a green pipeline.
  • Documentation created/updated.
  • Tests added/updated, and test plan for scenarios not covered by automated tests.
  • Equivalent MR/issue for omnibus-gitlab opened.

Reviewers checklist

Edited by Stan Hu
