gitlab gitlab-org/gitlab-environment-toolkit 3.10.0

8 hours ago

tanuki-blueprint-refresh

Important: The GitLab Environment Toolkit automates deploying and managing scaled GitLab environments following the Reference Architectures. Review the Before You Start section before use. Users are expected to have a good working knowledge of Terraform, Ansible, GitLab administration, and infrastructure management, as environments ultimately remain the responsibility of the user. It is therefore strongly recommended that you independently review the Toolkit in full before any use to ensure it meets your requirements, especially around security and data integrity.

If upgrading, always review the release notes in full and the relevant documentation, and upgrade the Toolkit before upgrading the environment.


New Key Features

Envoy Gateway Support (Cloud Native)

Support for Envoy Gateway has been added for Cloud Native and Hybrid deployments, aligning with the GitLab Charts' adoption of the Gateway API. For GitLab 19.0 and later, Envoy Gateway replaces NGINX as the default ingress controller. For more details and migration guidance, please refer to the Upgrade Notes.

Gitaly on Kubernetes - Generally Available

Gitaly on Kubernetes has been promoted to GA following the feature reaching GA in GitLab itself. This includes the ability to deploy Gitaly storages on both Kubernetes and VMs for migrations.

Zero Downtime Upgrades for GitLab Helm Charts

Zero Downtime Upgrade support has been extended for GitLab Helm Charts installations.

Further Updates and Improvements

  • Bumped default PostgreSQL versions for AWS RDS and GCP CloudSQL to 17 to match the GitLab 19.0 requirement. !1831
  • Added EKS Node Group per-AZ distribution option for Gitaly and Supporting pools to ensure stable zone placement for stateful workloads with EBS volumes. !1789
  • Added support for configurable EC2 instance metadata options (metadata_options variable) for AWS deployments. !1795 (thanks @shenson!)
  • Expanded custom security group support to all AWS VM node types, with new custom_security_group_ids and per-component *_custom_security_group_ids variables. Deprecates gitlab_rails_security_group_ids and monitor_security_group_ids. !1806
  • Added support for custom tasks in the OpenSearch Ansible role. !1822 (thanks @4censord, @daniel.koschuetzki!)
  • Added support for separate Kubernetes namespaces for Geo primary and secondary sites via geo_primary_cloud_native_release_namespace and geo_secondary_cloud_native_release_namespace. !1800
  • Added support for Geo playbooks to work with custom Kubernetes contexts for clusters not provisioned by GET. !1797
  • Added automatic Workhorse correlation ID propagation configuration for Geo deployments. !1799 (thanks @victorprete!)
  • Added a maintenance playbook and guidance for cleaning up stale Let's Encrypt certificates after an environment URL change when using HAProxy. !1833
  • Added option to make Kubernetes workload nodeSelector optional via gitlab_charts_node_selector_enabled. !1820 !1824 (thanks @e.pisarchik, @ctimberlake_bdd!)
  • Added ability to override zdu_start_point via ZDU_START_POINT environment variable for Zero Downtime Upgrades. !1837 (thanks @sven.rediske!)
  • Added support for OpenBao AWS KMS unseal functionality. !1815
  • Defaulted to s3_v2 for the AWS Container Registry storage driver, following the GitLab 18.3+ default and the deprecation of the S3v1 driver. !1836
  • Added support for Advanced Search via the GitLab Registration Features program. !1840
  • Improved Gitaly initContainer CPU resource limits for more reliable startup. !1804 (thanks @SamirHafez!)
  • Improved GPG key handling for RPM-based systems by switching to rpm --import. !1813 !1812 !1801
  • Fixed Python package installation on Amazon Linux 2023. !1803 (thanks @Frogvall!)
  • Ensured Gitaly secrets are updated correctly when running Geo across different deployment types. !1816
  • Ensured secrets are transferred correctly for full Cloud Native Geo migration scenarios. !1796
  • Fixed aws_db_instance.gitlab.allocated_storage always being set to prevent configuration drift between primary and secondary RDS instances. !1819 (thanks @ryanpham-gitlab!)
  • Fixed an issue where Zero Downtime Upgrades could fail during the PostgreSQL update step. !1810 (thanks @repush1!)
  • Bumped minimum Terraform AWS provider version to 6.40. !1839
  • Updated Ansible variable calls to use ansible_facts for future compatibility. !1791
  • Various other small updates, improvements, and fixes.

Upgrade Notes

Envoy Gateway is now the default for GitLab 19.0+

Following the upstream transition in the GitLab Charts, Envoy Gateway is now the default ingress controller for Cloud Native deployments on GitLab 19.0 and later. This shift aligns with the official deprecation of NGINX Ingress.

Before upgrading existing environments to GitLab 19.0, please review the Envoy Gateway migration guide in the GitLab Charts documentation alongside the GET-specific configuration guidance to ensure a smooth transition.

If you need to temporarily retain NGINX Ingress, you can opt back in by setting gitlab_charts_nginx_ingress_enable: true. Please note that NGINX Ingress support will be removed entirely in GitLab 20.0.

Default PostgreSQL version bumped to 17 for AWS RDS and GCP CloudSQL

To align with GitLab 19.0 requirements, the default managed PostgreSQL version for AWS RDS and GCP CloudSQL has been updated to 17.

For existing environments, note that if you haven't explicitly set postgres_version in your Terraform configuration, your next terraform apply will perform a major-version upgrade of the managed database to 17. Check the terraform plan output for this change before applying. If you want to stay on your current version for now, pin it explicitly (e.g., postgres_version = "16") in your configuration before applying.

AWS S3 storage driver defaults to s3_v2

The AWS Container Registry storage driver (container_registry_aws_storage_driver) now defaults to s3_v2 for GitLab 18.3 and up, following the upstream GitLab deprecation of the S3v1 driver.

Minimum Terraform AWS provider version bumped to 6.40

The minimum required Terraform AWS provider version has been bumped to 6.40.0 to bring in an upstream bug fix related to AWS's deprecation of SSE-C encryption for S3 buckets. Users may need to run terraform init -upgrade to pick up the new provider version.
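The four upgrade notes above (Envoy Gateway default, PostgreSQL 17 default, s3_v2 registry driver, AWS provider 6.40.0 minimum) can all be checked from the Terraform configuration and the GET Ansible vars file before anything is applied. The following pre-upgrade audit is an added example written for this page, not code from the Toolkit. It runs over constructed sample inputs embedded in the block and only handles flat `key = value` (HCL) and `key: value` (YAML) lines. Several names are assumptions not confirmed by the release notes: `gitlab_version` and `cloud_native_hybrid_environment` as the GET vars keys, matching any Terraform key ending in `postgres_version` (to cover provider-specific spellings), and `s3` as the legacy S3v1 driver value.

```python
import re

REQUIRED_AWS_PROVIDER = (6, 40, 0)  # new minimum hashicorp/aws version
NEW_DEFAULT_PG_MAJOR = 17           # new RDS / CloudSQL default
ENVOY_DEFAULT_FROM = (19, 0, 0)     # Envoy Gateway default; NGINX Ingress opt-in only
S3_V2_DEFAULT_FROM = (18, 3, 0)     # s3_v2 registry driver default

# Constructed sample inputs, not a real environment. Lines marked "assumption"
# use names that the release notes do not confirm.
SAMPLE_TF = '''
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.20"
    }
  }
}
module "gitlab_ref_arch_aws" {
  source = "./modules/gitlab_ref_arch_aws"
  postgres_version = "16"
}
'''
SAMPLE_VARS = '''
gitlab_version: "19.0.0"                    # assumption: GET's version key
cloud_native_hybrid_environment: true       # assumption: GET's hybrid flag
gitlab_charts_nginx_ingress_enable: true
container_registry_aws_storage_driver: s3   # assumption: legacy S3v1 value
'''

_KV_HCL = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n#]*?)"?\s*(?:#.*)?$', re.M)
_KV_YAML = re.compile(r'^\s*(\w+)\s*:\s*(.+?)\s*(?:#.*)?$', re.M)
_min = lambda a, b: b if a is None else min(a, b)  # min that treats None as +inf


def vtuple(s):
    """'6.40' -> (6, 40, 0): pad to three parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in s.strip().strip('"').split("."))
    return parts + (0,) * (3 - len(parts))


def constraint_bounds(constraint):
    """Terraform version constraint -> (lower_inclusive, upper_exclusive or None)."""
    lower, upper = (0, 0, 0), None
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(~>|>=|<=|=|>|<)?\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported version clause: {clause!r}")
        op, raw = m.group(1) or "=", m.group(2)
        v = vtuple(raw)
        if op == "=":
            lower, upper = max(lower, v), _min(upper, v + (1,))
        elif op == "~>":  # ~> 6.20 is >= 6.20, < 7.0; ~> 6.40.1 is >= 6.40.1, < 6.41
            ceiling = (v[0] + 1, 0, 0) if raw.count(".") < 2 else (v[0], v[1] + 1, 0)
            lower, upper = max(lower, v), _min(upper, ceiling)
        elif op == ">=":
            lower = max(lower, v)
        elif op == ">":
            lower = max(lower, v + (1,))
        elif op == "<":
            upper = _min(upper, v)
        else:  # "<="
            upper = _min(upper, v + (1,))
    return lower, upper


def aws_provider_finding(tf_text):
    """Compare the hashicorp/aws constraint with the new 6.40.0 minimum."""
    m = re.search(r'aws\s*=\s*\{[^}]*?version\s*=\s*"([^"]+)"', tf_text, re.S)
    if not m:
        return ("aws-provider-unpinned", "no aws provider constraint: pin >= 6.40.0")
    lower, upper = constraint_bounds(m.group(1))
    if upper is not None and upper <= REQUIRED_AWS_PROVIDER:
        return ("aws-provider-excluded", f"{m.group(1)!r} excludes 6.40.0: raise it first")
    if lower < REQUIRED_AWS_PROVIDER:
        return ("aws-provider-init-upgrade",
                f"{m.group(1)!r} admits 6.40.0 but the lock file may hold an older "
                "release: run terraform init -upgrade")
    return None


def audit(tf_text, vars_text):
    """Return [(code, message)] for each 3.10.0 upgrade note that applies."""
    findings = []
    tf = {m.group(1): m.group(2).strip() for m in _KV_HCL.finditer(tf_text)}
    vars_ = {m.group(1): m.group(2).strip().strip('"\'') for m in _KV_YAML.finditer(vars_text)}
    gitlab_version = vtuple(vars_.get("gitlab_version", "0"))  # assumption: GET version key

    pg_keys = [k for k in tf if k.endswith("postgres_version")]
    if not pg_keys:
        findings.append(("postgres-unpinned", "no postgres_version set: next apply moves the "
                         f"managed database to {NEW_DEFAULT_PG_MAJOR}; pin e.g. \"16\" to stay"))
    for k in pg_keys:
        if vtuple(tf[k])[0] < NEW_DEFAULT_PG_MAJOR:
            findings.append(("postgres-below-19-requirement",
                             f"{k} = {tf[k]!r}: GitLab 19.0 requires PostgreSQL 17"))
    if (f := aws_provider_finding(tf_text)):
        findings.append(f)
    hybrid = vars_.get("cloud_native_hybrid_environment", "").lower() == "true"  # assumption
    nginx = vars_.get("gitlab_charts_nginx_ingress_enable", "").lower() == "true"
    if hybrid and gitlab_version >= ENVOY_DEFAULT_FROM:
        findings.append(("nginx-ingress-opt-in", "NGINX Ingress kept by opt-in; removed in 20.0")
                        if nginx else
                        ("envoy-gateway-default", "Envoy Gateway becomes the ingress; review the migration guide"))
    if vars_.get("container_registry_aws_storage_driver") == "s3" and gitlab_version >= S3_V2_DEFAULT_FROM:
        findings.append(("registry-s3v1", "legacy S3v1 driver pinned; deprecated, move to s3_v2"))
    return findings
```

Run `audit(open("environment.tf").read(), open("vars.yml").read())` against your own files; on the embedded sample it reports a pinned PostgreSQL 16 below the 19.0 requirement, an AWS provider constraint that needs `terraform init -upgrade`, the NGINX Ingress opt-in, and the legacy registry driver. The constraint parser is deliberately pessimistic about `~>` ranges so that a pin which can never reach 6.40.0 is reported as excluded rather than merely stale.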

Feedback

Got any feedback or found an issue? Please feel free to create an issue on our tracker (https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/issues).
