feat(smtp): support reading SMTP username from a Kubernetes Secret
What does this MR do?
Add support for configuring the SMTP username via a Kubernetes Secret, mirroring the existing pattern used for the SMTP password. This allows sensitive usernames (e.g. AWS SES Access Key IDs) to be stored securely and rotated without requiring a Helm re-deploy.
When global.smtp.user_name_secret.secret is set, the username is read from a mounted file at runtime using File.read(), rather than being embedded as a plain string in the rendered ConfigMap. The plain-text global.smtp.user_name field remains available as a fallback.
Changes
charts/gitlab/templates/_smtp.tpl: Whenglobal.smtp.user_name_secret.secretis set, renderuser_name: File.read("/etc/gitlab/smtp/smtp-username").stripinstead of the plain-text value. Also mount the secret ingitlab.smtp.mountSecrets.values.yaml: Addglobal.smtp.user_name_secretwithsecretandkeysub-fields (defaults to empty, preserving backward compatibility).spec/configuration/smtp_spec.rb: Add tests for both plain-text and secret-based username configurations.doc/installation/secrets.md: Document the new SMTP username secret.doc/installation/command-line-options.md: Add table entries for the new values.doc/charts/globals.md: Add commented example ofuser_name_secretin the SMTP config block.
Example usage
kubectl create secret generic smtp-username --from-literal=username=AKIAIOSFODNN7EXAMPLEglobal:
smtp:
enabled: true
authentication: login
user_name_secret:
secret: smtp-username
key: username
password:
secret: smtp-password
key: passwordRelated issues
Closes #4962 (closed)
Author checklist
For general guidance, please follow our Contributing guide.
Required
For anything in this list which will not be completed, please provide a reason in the MR discussion.
- Merge Request Title and Description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline.
- Documentation created/updated.
- Tests added/updated, and test plan for scenarios not covered by automated tests.
- Equivalent MR/issue for omnibus-gitlab opened.
Edited by Jason Plum