Add Topology Service mTLS support to GitLab Shell

What does this MR do and why?

GitLab Shell needs to authenticate to the Topology Service gRPC endpoint using an mTLS client certificate for Cells SSH routing.

The GitLab Helm chart already wires Topology Service mTLS for the Rails components (webservice, sidekiq, toolbox, migrations) via global.appConfig.cell.topologyServiceClient, but the gitlab-shell subchart had no Topology Service configuration.

This MR adds the gitlab-shell subchart wiring to:

  • Render a topology_service block in GitLab Shell's config.yml (enabled, address, tls.{enabled,cert_file,key_file}).
  • Mount the existing Topology Service TLS secret (the same cell-1-<env>-mtls-cert reused by Rails) into the GitLab Shell pod via the shell-init-secrets projected volume and the configure init script, at /etc/gitlab-secrets/shell/topology-service/.

It reuses the shared global.appConfig.cell.topologyServiceClient block — no new top-level values key is introduced.

The config is only emitted when both global.appConfig.cell.enabled and global.appConfig.cell.topologyServiceClient.tls.enabled are true. When unset (the default), no topology_service config is rendered, so self-managed and GDK deployments are unaffected.
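As an added illustration of the conditional rendering described above (not the MR's actual template nor the chart's real value keys), a Helm values fragment next to a template fragment and its rendered output; the `address` values key, the `tls.crt`/`tls.key` file names inside the mounted secret, and the `dig` guards are assumptions:

```yaml
# values.yaml fragment (constructed): the shared block the Rails components
# already consume. Nothing below is rendered for GitLab Shell unless
# cell.enabled AND topologyServiceClient.tls.enabled are both true.
global:
  appConfig:
    cell:
      enabled: true
      topologyServiceClient:
        address: topology-service.cells.svc:443   # assumed key name
        tls:
          enabled: true

---
# Template fragment for GitLab Shell's config.yml (illustrative, not the chart's own).
# `dig` returns the default when any intermediate key is absent, so the template
# also renders cleanly on self-managed/GDK values that never define `cell`,
# instead of failing with a nil-pointer evaluation error.
{{- $cell := dig "appConfig" "cell" (dict) .Values.global }}
{{- $tsc  := dig "topologyServiceClient" (dict) $cell }}
{{- if and (dig "enabled" false $cell) (dig "tls" "enabled" false $tsc) }}
topology_service:
  enabled: true
  address: {{ required "topologyServiceClient.address is required when TLS is enabled" $tsc.address | quote }}
  tls:
    enabled: true
    # Paths match the projected volume written by the configure init script;
    # the file names inside the secret are an assumption.
    cert_file: /etc/gitlab-secrets/shell/topology-service/tls.crt
    key_file: /etc/gitlab-secrets/shell/topology-service/tls.key
{{- end }}

---
# Rendered config.yml for the values above. With tls.enabled false, or with
# the whole cell block left unset, no topology_service key is emitted at all.
topology_service:
  enabled: true
  address: "topology-service.cells.svc:443"
  tls:
    enabled: true
    cert_file: /etc/gitlab-secrets/shell/topology-service/tls.crt
    key_file: /etc/gitlab-secrets/shell/topology-service/tls.key
```

Rendering the three cases with `helm template` and diffing the GitLab Shell config is the quickest check that the default case really produces no topology_service key.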

Related issue: gitlab-org/gitlab-shell#845

Author's checklist

  • Templates render correctly (helm template) for enabled, disabled, and default cases.
  • Added RSpec template tests in spec/configuration/gitlab_shell_spec.rb (enabled renders config + projected volume + configure commands; disabled renders nothing). 42 examples, 0 failures across gitlab_shell_spec + cell_spec.
  • Documentation updated (doc/development/cells/tls_configuration.md), including the certificate-rotation note (GitLab Shell loads the cert once at startup; a rolling restart is required after rotation).

Notes

  • Certificate rotation: GitLab Shell's client loads the certificate once at startup (no hot-reload). After the mounted certificate is rotated (e.g. by cert-manager), GitLab Shell pods must be restarted (rolling update) to pick up the new certificate. A follow-up issue will track adding hot-reload support to the GitLab Shell client.
