gitlab gitlab-org/gitlab-environment-toolkit 3.3.0


ℹ  The GitLab Environment Toolkit is a collection of opinionated Terraform and Ansible scripts to assist with the deployment of a self-managed GitLab environment. It's recommended that users review the Before You Start section before use. Users should have a good working knowledge of infrastructure management, Terraform, Ansible and GitLab administration, and be aware that ultimately self-managed environments are the responsibility of the user. As such, it's strongly recommended that you independently review the Toolkit in full to ensure it meets your requirements, especially around security and data integrity.

If upgrading, it's always recommended to review the release notes in full as well as the relevant documentation, and to upgrade the Toolkit first before the environment.


  • New Key Features
    • GKE Workload Identity support
    • GCP / AWS Customer Managed Encryption Keys expanded support
    • EKS Node Group AMI expanded support
    • Single Node expanded support
    • RHEL 9 support
  • Further Updates and Improvements
  • Upgrade Notes
    • Minimum supported version of GitLab
    • PostgreSQL and Redis version upgrades on Cloud Services
    • Cloud Native Hybrid - Webservice Memory changes and NGinx node switch
    • Cloud Native Hybrid - Object Storage Direct Download
    • Expected Terraform Changes
  • Deprecation Notices
    • Terraform variables
  • Feedback

New Key Features

GKE Workload Identity support

Support has been added to enable GKE Workload Identity!

GCP / AWS Customer Managed Encryption Keys expanded support

Customer Managed Encryption Keys (CMEK) support has been expanded for GCP Object Storage and AWS EKS node disks!

EKS Node Group AMI expanded support

Node Group AMI options for EKS have been notably expanded, including support for Amazon Linux 2023 AMIs (which is planned to be the default in EKS 1.30).

Single Node expanded support

It's now possible to deploy a Single Node environment of GitLab without a separate Load Balancer!

Thanks @niskhakova @ali.isola21!

RHEL 9 support

  • Merge Request(s): !1320

Support for RHEL 9 is now available!

Further Updates and Improvements

  • Webservice and Nginx pod configuration for Cloud Native Hybrids has been updated to follow the latest Reference Architecture guidance. Refer to the Upgrade Notes section for more information. !1299
  • Example configs have been updated to follow latest Reference Architecture recommendations. !1302 (thanks @niskhakova!).
  • To conform with licensing changes, a Terraform binary is no longer bundled in the Docker image, but it's still possible to install it via mise as required. !1294
  • The default Postgres version for AWS RDS and GCP Cloud SQL has been bumped to 14.0 to match the minimum GitLab 17 requirement. Refer to the Upgrade Notes section for more information. !1291 (thanks @vishal.s.patel!)
  • The default Redis version for AWS Elasticache and GCP Memorystore has been bumped up to 7.0 to match the minimum GitLab 17 requirement. Refer to the Upgrade Notes section for more information. !1309 (thanks @niskhakova!)
  • Geo setup for Cloud Native Hybrids has been redesigned so that Secondary sites are updated more gracefully via restarts instead of full redeployments. !1314
  • Custom Config and Custom Files have been expanded to allow for config or files to be added for all Linux package nodes. !1304 !1319 (thanks @yushao.sqpc!)
  • Ansible roles have been refactored to be notably faster. !1324
  • Python packages installed on Ansible controller and target hosts have been updated. !1327
  • Object Storage direct download is now enabled for Cloud Native Hybrid setups. Refer to the Upgrade Notes section for more information. !1290
  • GCP Cloud SQL settings have been expanded and improved. SSD disks are now selected by default for new setups. !1292
  • Sidekiq memory killer settings have been set to Linux package defaults. !1283 (thanks @nprabakaran!)
  • AWS Data Disks will no longer be destroyed in Terraform if their VM specifically is. !1326
  • AWS EKS first-time setups now gracefully handle additional dependencies if present. !1328 (thanks @ktchernov!)
  • The optional Kube Prometheus Stack monitoring chart for Cloud Native Hybrids has been bumped to v0.73.2. !1276 !1327
  • HAProxy version has been updated to 2.8.9. !1327
  • OpenSearch version (VM) has been updated to 2.14.0. !1327
  • AWS RDS options have been expanded to include settings for Cloudwatch Logs, CA Cert Identifier and IAM Authentication. !1275 (thanks @jburnitz!) !1312 !1331
  • Strengthened permissions on Custom Config files. !1321
  • Fixed GCP IAM configuration to not overwrite existing config if present. !1286
  • Fixed a transient issue with the Node Exporter role in Ansible triggering GitHub rate limits. Node Exporter is now also pinned to 1.8.0 by default. !1272
  • Fixed a rare issue with AWS Data Disks not being mounted correctly. !1282
  • Fixed an issue with the GitLab Shell port format for the charts. !1301 (thanks @vmondo!)
  • Worked around Azure python requirement issues. !1293
  • Various other small updates, improvements and fixes.

Upgrade Notes

Minimum supported version of GitLab

As per the Statement of Support, with the release of GitLab 17 the minimum version of GitLab that the Toolkit supports is now 15.0.

PostgreSQL and Redis version upgrades on Cloud Services

PostgreSQL and Redis versions have been updated to 14.0 and 7.0 on supported Cloud Services (AWS RDS, AWS Elasticache, Cloud SQL and GCP Memorystore) to follow the minimum supported versions for GitLab 17.

If these versions have not been pinned in existing environments, an upgrade will be triggered accordingly. If this is undesired, pin the versions before running this version of the Toolkit.

Cloud Native Hybrid - Webservice Memory changes and NGinx node switch

The following changes have been made for Cloud Native Hybrid setups to follow latest Reference Architecture recommendations:

  • Webservice pods have been updated to have a memory limit of 7G. On existing GCP setups, increased hardware specs may be required to accommodate this.
  • Nginx pods are now run on the Webservice nodes via a DaemonSet to increase capacity dynamically across various environment setups.

Cloud Native Hybrid - Object Storage Direct Download

Object Storage Direct Download is now enabled for Cloud Native Hybrid deployment. Proxy download can still be enabled via Custom Config if desired.

Expected Terraform Changes

The following Terraform changes will be seen when first upgrading with this version of the Toolkit.

  • GCP
    • Firewall rules have updated descriptions
    • IAM configurations have been switched from bindings to member calls to prevent overwrites
    • Registry and Backup buckets have had their permissions strengthened
  • AWS
    • Additional outputs have been added

Deprecation Notices

Terraform variables

The following Terraform variables have been replaced with others and are now deprecated. They are to be removed in the (currently unplanned) 4.0.0 release:

  • AWS
    • eks_ami_id > eks_node_group_custom_ami_id
    • external_ssh_port > gitlab_shell_ssh_port
    • default_kms_key_arn is now deprecated; it's now recommended to pass in KMS keys individually for each service type via default_disk_kms_key_arn, object_storage_kms_key_arn, eks_default_disk_kms_key_arn, rds_postgres_kms_key_arn, elasticache_redis_kms_key_arn and opensearch_service_kms_key_arn accordingly.
  • GCP
    • external_ssh_port > gitlab_shell_ssh_port
  • Azure
    • external_ssh_port > gitlab_shell_ssh_port
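As an upgrade preflight check for the deprecations above, the following added example (not part of the Toolkit itself) scans a `.tfvars` file for the deprecated variable names and reports the replacement(s) from this notice; the sample file content is constructed with placeholder values.

```python
"""Preflight check for the Toolkit 3.3.0 Terraform variable deprecations.

Added example, not part of the Toolkit: scans terraform.tfvars-style text
for the variables this release deprecates and reports the replacement names.
"""
import re

# Old variable -> replacement(s), as listed in the 3.3.0 deprecation notice.
DEPRECATED = {
    "eks_ami_id": ["eks_node_group_custom_ami_id"],
    "external_ssh_port": ["gitlab_shell_ssh_port"],
    "default_kms_key_arn": [
        "default_disk_kms_key_arn",
        "object_storage_kms_key_arn",
        "eks_default_disk_kms_key_arn",
        "rds_postgres_kms_key_arn",
        "elasticache_redis_kms_key_arn",
        "opensearch_service_kms_key_arn",
    ],
}

# Matches a top-level `name = value` assignment in .tfvars syntax.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")


def find_deprecated(tfvars_text):
    """Return (line_no, old_name, replacements) for each deprecated variable
    assigned in the given tfvars text. Blank and comment lines are skipped."""
    findings = []
    for line_no, line in enumerate(tfvars_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue
        m = ASSIGN_RE.match(line)
        if m and m.group(1) in DEPRECATED:
            findings.append((line_no, m.group(1), DEPRECATED[m.group(1)]))
    return findings


# Constructed sample tfvars for an AWS environment (placeholder values only).
SAMPLE_TFVARS = """\
prefix = "gitlab-example"
external_ssh_port = 2222
# eks_ami_id = "ami-PLACEHOLDER"   (commented out, must not be flagged)
default_kms_key_arn = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"
"""

if __name__ == "__main__":
    for line_no, old, new in find_deprecated(SAMPLE_TFVARS):
        print(f"line {line_no}: '{old}' is deprecated; use {', '.join(new)}")
```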

Feedback

Got any feedback or found an issue? Please feel free to create an issue on our tracker.
