feat(smtp): support reading SMTP username from a Kubernetes Secret

What does this MR do?

Add support for configuring the SMTP username via a Kubernetes Secret, mirroring the existing pattern used for the SMTP password. This allows sensitive usernames (e.g. AWS SES Access Key IDs) to be stored securely and rotated without requiring a Helm re-deploy.

When global.smtp.user_name_secret.secret is set, the username is read from a mounted file at runtime using File.read(), rather than being embedded as a plain string in the rendered ConfigMap. The plain-text global.smtp.user_name field remains available as a fallback.

Changes

  • charts/gitlab/templates/_smtp.tpl: When global.smtp.user_name_secret.secret is set, render user_name: File.read("/etc/gitlab/smtp/smtp-username").strip instead of the plain-text value. Also mount the secret in gitlab.smtp.mountSecrets.
  • values.yaml: Add global.smtp.user_name_secret with secret and key sub-fields (defaults to empty, preserving backward compatibility).
  • spec/configuration/smtp_spec.rb: Add tests for both plain-text and secret-based username configurations.
  • doc/installation/secrets.md: Document the new SMTP username secret.
  • doc/installation/command-line-options.md: Add table entries for the new values.
  • doc/charts/globals.md: Add commented example of user_name_secret in the SMTP config block.

Example usage

kubectl create secret generic smtp-username --from-literal=username=AKIAIOSFODNN7EXAMPLE
global:
  smtp:
    enabled: true
    authentication: login
    user_name_secret:
      secret: smtp-username
      key: username
    password:
      secret: smtp-password
      key: password

Closes #4962 (closed)

Author checklist

For general guidance, please follow our Contributing guide.

Required

For anything in this list which will not be completed, please provide a reason in the MR discussion.

  • Merge Request Title and Description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • MR has a green pipeline.
  • Documentation created/updated.
  • Tests added/updated, and test plan for scenarios not covered by automated tests.
  • Equivalent MR/issue for omnibus-gitlab opened.
Edited by Jason Plum

Merge request reports

Loading