Add Topology Service mTLS support to GitLab Shell
What does this MR do and why?
GitLab Shell needs to authenticate to the Topology Service gRPC endpoint using an mTLS client certificate for Cells SSH routing.
The GitLab Helm chart already wires Topology Service mTLS for the Rails components (webservice, sidekiq, toolbox, migrations) via `global.appConfig.cell.topologyServiceClient`, but the gitlab-shell subchart had no Topology Service configuration.
This MR adds the gitlab-shell subchart wiring to:
- Render a `topology_service` block in GitLab Shell's `config.yml` (`enabled`, `address`, `tls.{enabled,cert_file,key_file}`).
- Mount the existing Topology Service TLS secret (the same `cell-1-<env>-mtls-cert` reused by Rails) into the GitLab Shell pod via the `shell-init-secrets` projected volume and the `configure` init script, at `/etc/gitlab-secrets/shell/topology-service/`.
It reuses the shared `global.appConfig.cell.topologyServiceClient` block — no new top-level values key is introduced.
The config is only emitted when both `global.appConfig.cell.enabled` and `global.appConfig.cell.topologyServiceClient.tls.enabled` are true. When unset (the default), no `topology_service` config is rendered, so self-managed and GDK deployments are unaffected.
Related issue: gitlab-org/gitlab-shell#845
Author's checklist
- Templates render correctly (`helm template`) for enabled, disabled, and default cases.
- Added RSpec template tests in `spec/configuration/gitlab_shell_spec.rb` (enabled renders config + projected volume + configure commands; disabled renders nothing). `42 examples, 0 failures` across `gitlab_shell_spec` + `cell_spec`.
- Documentation updated (`doc/development/cells/tls_configuration.md`), including the certificate-rotation note (GitLab Shell loads the cert once at startup; a rolling restart is required after rotation).
Notes
- Certificate rotation: GitLab Shell's client loads the certificate once at startup (no hot-reload). After the mounted certificate is rotated (e.g. by cert-manager), GitLab Shell pods must be restarted (rolling update) to pick up the new certificate. A follow-up issue will track adding hot-reload support to the GitLab Shell client.
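As an added illustration of the rotation caveat above (example code, not from GitLab Shell or the chart): a Go sketch of a client built from the rendered `tls.cert_file` / `tls.key_file` paths that picks up a rotated mount on the next handshake, with the load-once behaviour contrasted in its comments. `TopologyTLS`, `clientTLSConfig` and `writeSelfSignedPair` are hypothetical names, and the generated self-signed pair is a constructed stand-in for the mounted Secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)

// TopologyTLS mirrors the tls.cert_file / tls.key_file keys this MR renders into
// config.yml (hypothetical struct, not gitlab-shell's own type).
type TopologyTLS struct{ CertFile, KeyFile string }

// clientTLSConfig is the hot-reload shape the follow-up issue asks for: filling
// tls.Config.Certificates at startup caches the pair for the process lifetime (hence
// today's rolling restart), whereas GetClientCertificate re-reads the mounted files on
// every handshake, so a rotated Secret is presented on the next dial. The up-front
// load still makes an unreadable mount fail at startup rather than at first use.
func clientTLSConfig(t TopologyTLS) (*tls.Config, error) {
	if _, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile); err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			c, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
			return &c, err
		}}, nil
}

// writeSelfSignedPair writes a constructed throwaway client cert/key into dir (stand-in
// for the topology-service mount); cn becomes the CommonName so a test can tell generations apart.
func writeSelfSignedPair(dir, cn string) (TopologyTLS, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return TopologyTLS{}, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	t := TopologyTLS{CertFile: dir + "/tls.crt", KeyFile: dir + "/tls.key"}
	os.WriteFile(t.CertFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
	return t, os.WriteFile(t.KeyFile, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}
```

Overwriting the two files and calling `GetClientCertificate` again returns the new generation without any restart, which is the behaviour a rolling update currently has to supply.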