gitlab gitlab-org/gitlab-environment-toolkit 3.2.0

8 months ago


ℹ  The GitLab Environment Toolkit is a collection of opinionated Terraform and Ansible scripts to assist with the deployment of a self-managed GitLab environment. It's recommended that users review the Before You Start section before use. Users should have a good working knowledge of infrastructure management, Terraform, Ansible and GitLab administration, and be aware that ultimately self-managed environments are the responsibility of the user. As such, it's strongly recommended that you independently review the Toolkit in full to ensure it meets your requirements, especially around security or data integrity.

If upgrading, it's always recommended to review the release notes in full as well as the relevant documentation and to upgrade the Toolkit first before the environment.


  • New Key Features
    • Environment Migration support via Geo (Cloud Native Hybrid)
    • Terraform GCP Provider 5.x upgrade
    • Expanded Customer-managed encryption keys (CMEK) support for GCP
    • Geo documentation refresh
  • Further Updates and Improvements
  • Upgrade Notes
    • Terraform GCP 5.x changes
    • GCP Service Account changes
    • Expected Terraform Changes
  • Deprecation Notices
    • Ansible variable name changes
  • Feedback

New Key Features

Environment Migration support via Geo (Cloud Native Hybrid)

The Toolkit now supports migrating from a non-Toolkit-controlled environment to a Toolkit-controlled environment via Geo for Cloud Native Hybrid environments!

Thanks @nwestbury!

Terraform GCP Provider 5.x upgrade

The Terraform GCP Provider has been upgraded to 5.x! (5.11.0+)

This provider version has several upstream changes for new environments. Refer to this section for more information.

Expanded Customer-managed encryption keys (CMEK) support for GCP

Expanded options to enable Customer-managed encryption keys (CMEK) for GCP have been added where possible!

Geo documentation refresh

The Geo documentation has been refreshed and expanded.

Thanks @nwestbury!

Further Updates and Improvements

  • Added support for several AWS Elasticache upgrade paths / changes. !1208
  • Several Elasticache snapshot options were added. !1217
  • Google Cloud SQL settings were updated to follow recommendations and added the ability for users to pass in their own. !1216
  • Permissions required for the GCP Service Account used for running Terraform have been adjusted to follow best practices. Refer to this section for more information. !1232
  • Fixed upstream issue with OpenSearch 2.12 !1257
  • Docker image versions have been pinned for HAProxy and OpenSearch for further stability. !1265
  • Ensure noeviction policy is set for AWS Elasticache and GCP Memorystore services as required. !1264
  • AWS EKS clusters now have the new Access Entries feature enabled with the ability to configure access directly in Terraform. Refer to the documentation for more information. !1261
  • Terraform AWS provider has been bumped to 5.33+. !1261
  • Added ability to pass SSL keys for Pages directly from secret managers. !1231 (thanks @bwilkerson!)
  • Added ability to configure firewall rules in GCP for Identity Aware Proxy setups. !1235
  • Added additional options for AWS S3 replication setups. !1245 (thanks @agpaul!)
  • Created GCP Service Accounts have had their permissions changed to follow best practices, alongside several code refactors for more modularity. Refer to this section for more information. !1227 (thanks @andrewn!)
  • Added the ability to configure GitLab version via environment variable. !1219 (thanks @jimbaumgardner!)
  • Added AWS EKS variable to force EKS node upgrades. !1249 !1260
  • Added option to set AWS S3 endpoint. !1240 !1260 (thanks @jedge1!)
  • Added documentation for the Linux package NGINX trusted addresses setting. !1251
  • Switched Sidekiq configuration to follow the latest config changes. !1242 !1246
  • Adjusted timeouts for waitsy with Cloud Native Hybrid environments. !1259
  • Adjusted Geo patroni path to account for different paths. !1253 (thanks @nwestbury!)
  • Fixed an issue with License check. !1211
  • Fixed PgBouncer deploying on PostgreSQL nodes for Database Load Balancing so that it only occurs when there's more than one node. !1214
  • Fixed an issue with OpenSearch needing short host names for its configuration. !1221
  • Fixed an issue with Let's Encrypt renewals for Linux package environments. !1247
  • Documentation has been added to highlight several disk settings. !1215
  • rtx has been renamed to its new name of mise in the documentation and Docker image. !1213
  • Various other small updates, improvements and fixes.

Upgrade Notes

Terraform GCP 5.x changes

Several upstream changes were made in this provider version that the Toolkit has followed (non-breaking):

  • New GKE clusters will now default to regional instead of zonal. This does not impact existing clusters.
    • The Toolkit now has a new variable gcp_gke_location that can be set to a region or zone to allow for kubeconfig setup. This replaces gcp_zone, which is now deprecated.
  • A new setting to block GKE deletions was added on the Terraform layer. To maintain backwards compatibility this has been disabled but the option has been made available.
  • Autoscaling has been enabled by default for GKE clusters, with a configuration tweak to ensure node counts are honoured correctly across zones now that GCP offers this feature. Previously the Toolkit attempted to do this roughly on its end.

GCP Service Account changes

The required permissions for both the Service Account running Terraform and the accounts the Toolkit creates have been adjusted to follow best practices.

Refer to this section in the documentation for the updated list of permissions required for the Service Account running Terraform.

Expected Terraform Changes

  • Several GCP labels will be added as part of the provider upgrade.
  • AWS Elasticache and GCP Memorystore configurations have been adjusted.
  • GCP Service Accounts are moved in Terraform state but remain the same.

Deprecation Notices

Ansible variable name changes

The following Ansible variables have been renamed for consistency reasons. The old names are now deprecated but will continue to work until the next major release (4.x):

  • gcp_zone > gcp_gke_location
  • geo_primary_site_gcp_zone > geo_primary_site_gcp_gke_location
  • geo_secondary_site_gcp_zone > geo_secondary_site_gcp_gke_location
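As an added example (not part of the Toolkit), a small Python check that flags the deprecated names in an Ansible vars file and rewrites them to the new ones. It matches whole YAML keys, so `gcp_zone` is not confused with the `geo_*_gcp_zone` variants and values or comments that merely mention the old name are left alone. The sample vars content is constructed:

```python
"""Find and migrate Ansible variables deprecated in GET 3.2.0 (added example)."""
import re
from typing import Dict, List, Tuple

# Renames from the 3.2.0 deprecation notice (old name -> new name).
DEPRECATED_VARS: Dict[str, str] = {
    "gcp_zone": "gcp_gke_location",
    "geo_primary_site_gcp_zone": "geo_primary_site_gcp_gke_location",
    "geo_secondary_site_gcp_zone": "geo_secondary_site_gcp_gke_location",
}

# A YAML mapping key at any indentation; the whole key is captured so that
# `gcp_zone` does not match inside `geo_primary_site_gcp_zone`.
_KEY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:")

# Constructed sample vars.yml for a GCP Cloud Native Hybrid environment.
SAMPLE_VARS = """\
# Constructed sample vars.yml (not a real environment)
gcp_project: example-project
gcp_zone: us-east1-b
geo_primary_site_gcp_zone: us-east1-c
# gcp_zone: commented out, must be ignored
other_setting: gcp_zone
"""


def find_deprecated(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, old_name, new_name) for every deprecated key."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no keys
        m = _KEY_RE.match(line)
        if m and m.group(1) in DEPRECATED_VARS:
            hits.append((lineno, m.group(1), DEPRECATED_VARS[m.group(1)]))
    return hits


def migrate(text: str) -> str:
    """Rewrite deprecated keys to their new names; values and comments untouched."""
    out: List[str] = []
    for line in text.splitlines(keepends=True):
        m = _KEY_RE.match(line)
        if m and m.group(1) in DEPRECATED_VARS:
            line = line[:m.start(1)] + DEPRECATED_VARS[m.group(1)] + line[m.end(1):]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, old, new in find_deprecated(SAMPLE_VARS):
        print(f"line {lineno}: {old} is deprecated, use {new}")
```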

Feedback

Got any feedback or found an issue? Please feel free to create an issue on our tracker.
