gitlab gitlab-org/gitlab-environment-toolkit 3.4.0

ℹ  The GitLab Environment Toolkit is a collection of opinionated Terraform and Ansible scripts to assist with the deployment of a self-managed GitLab environment. It's recommended that users review the Before You Start section before use. Users should have a good working knowledge of infrastructure management, Terraform, Ansible and GitLab administration, and should be aware that self-managed environments are ultimately the responsibility of the user. As such, it's strongly recommended that you independently review the Toolkit in full to ensure it meets your requirements, especially around security and data integrity.

If upgrading, it's always recommended to review the release notes in full as well as the relevant documentation, and to upgrade the Toolkit before upgrading the environment.


  • New Key Features
    • Debian 12 and Ubuntu 24.04 support
    • GCP Cloud SQL Geo replication support
    • Direct GitLab NGINX SSL support
  • Further Updates and Improvements
  • Upgrade Notes
    • Ansible 10 version upgrade
    • Terraform 1.9.0 version upgrade
    • Expected Terraform Changes
  • Deprecation Notices
    • Support for RHEL 8 / Amazon Linux 2
    • Support for Ubuntu 20.04
  • Feedback

New Key Features

Debian 12 and Ubuntu 24.04 support

  • Merge Request(s): !1373

Support has been added for Debian 12 / Ubuntu 24.04 targets!

GCP Cloud SQL Geo replication support

Support has been added to configure GCP Cloud SQL Geo replicas across different regions!

Direct GitLab NGINX SSL support

It's now possible to configure SSL for GitLab NGINX in Linux Package deployments. This is available for both external SSL (single node setups) and internal SSL (behind load balancers).

Further Updates and Improvements

  • Ansible supported version has been increased to 10.0 (community) / 2.17 (core) !1373
  • Terraform supported version has been increased to 1.9.0 and above. !1402
  • Terraform GCP supported provider version has been increased to 6.x. !1393
  • Terraform Azure supported provider version has been increased to 4.x. !1406
  • GCP Private Service Access setup has been improved to be more graceful and can now also be disabled if already existing on a target VPC. !1393
  • Additional setup options are now supported for AWS OpenSearch Service. !1383
  • Added ability to pass in different existing subnets for AWS Cloud Services. !1387
  • Set timeout defaults for AWS Elasticache and GCP Memorystore instances. !1379
  • Options have been added to allow for multiple Patroni Geo secondary sites. !1386 (thanks @nwestbury!)
  • Cloud Provider Tags / Labels are now applied to instance disks for AWS and GCP VMs for better identification. !1377
  • AWS RDS creation timeouts have been increased to 2 hours. !1337 (thanks @cmiskell!)
  • GitLab Chart releases can now be optionally verified against a GPG key. !1351 (thanks @julbrady!)
  • Geo Tracking databases are now gracefully deleted as part of failovers. !1370 (thanks @nwestbury!)
  • The restart strategy for HAProxy Docker containers has been switched to always. !1398
  • HAProxy version has been updated to 3.0 LTS. !1419
  • Added option to configure custom userdata for AWS EC2 instances. !1414 !1416 (thanks @KielDevops1 @niskhakova!)
  • It's now possible to pass in SSL certificates directly for Gitaly and NGINX connections instead of only via files. !1401 !1410 !1411 (thanks @jarv @james.a.adamo @vishal.s.patel!)
  • Added the ability to configure the URL used for health checking the environment during a Zero Downtime upgrade. !1371 (thanks @niskhakova!)
  • Added option to allow for downgrading GitLab package versions. Note this is a destructive option and requires additional manual steps, refer to the documentation for more information. !1397 (thanks @skarbek!)
  • Fixed a configuration issue for GKE Zonal Cluster deployments. !1368 (thanks @niskhakova @ibaum!)
  • Fixed an issue with Geo setup when an invalid license has been used. !1409 (thanks @nwestbury!)
  • Fixed an issue with Gitaly client storage config on Cloud Native Hybrid setups. !1424 (thanks @nwestbury!)
  • AWS Security Groups have been refactored to use recommended Terraform resources and have clearer naming schemes. !1394
  • GCP Firewall rules have been refactored to have clearer naming schemes and more graceful handling. !1396
  • Documentation has been updated to include guidance for Upgrades with Downtime and when VPC Peering is needed for Geo setups. !1381 !1417 (thanks @anton @nwestbury!)
  • Various other small updates, improvements and fixes.

Upgrade Notes

Ansible 10 version upgrade

The minimum supported version of Ansible has been increased to 10.0 (community) / 2.17 (core). Users will need to upgrade their version if it's lower before running Ansible.

ℹ  Note that this version of Ansible removes support for RHEL 8 and Amazon Linux 2 targets, but the previous version of Ansible is available until May 2025 and is compatible with the Toolkit. Refer to this section for more information.

Terraform 1.9.0 version upgrade

The minimum supported version of Terraform has been increased to 1.9.0. Users will need to upgrade their version if it's lower before running Terraform.
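
Both upgrade notes above ask users to confirm their local tool versions before running the Toolkit. The following preflight script is an added example written for these notes, not part of the GitLab Environment Toolkit itself: it compares the installed Ansible core and Terraform versions against the 2.17.0 and 1.9.0 minimums stated here. The minimums come from the release notes; the assumed first-line output formats ("ansible [core X.Y.Z]" and "Terraform vX.Y.Z") and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the GitLab Environment Toolkit): preflight check that the
# locally installed Ansible core and Terraform meet the minimums in these release notes
# before any Toolkit commands are run. The minimum versions come from the notes; the
# output formats parsed below ("ansible [core X.Y.Z]", "Terraform vX.Y.Z") are an
# assumption about the first line each tool prints.

ANSIBLE_CORE_MIN="2.17.0"   # Ansible 10 (community) corresponds to core 2.17
TERRAFORM_MIN="1.9.0"

# version_ge A B: succeed if dotted version A is >= B, comparing field by field
# numerically (so 2.17.0 > 2.9.9) and treating missing fields as 0 (1.9 == 1.9.0).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop pre-release suffixes such as "rc1"
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Read `ansible --version` output on stdin and print the core version from its first
# line, which (assumed format) looks like "ansible [core 2.17.3]".
ansible_core_version() {
    sed -n '1s/.*core \([0-9][0-9.]*\).*/\1/p'
}

# Read `terraform version` output on stdin and print the version from its first line,
# which (assumed format) looks like "Terraform v1.9.0".
terraform_version_from_output() {
    sed -n '1s/^Terraform v\([0-9][0-9.]*\).*/\1/p'
}

# check_tool NAME FOUND_VERSION MIN: print a verdict and succeed only if FOUND >= MIN.
# An empty FOUND_VERSION (tool missing or output not understood) counts as a failure.
check_tool() {
    name="$1"; found="$2"; min="$3"
    if [ -z "$found" ]; then
        echo "$name: could not determine version (is it installed and on PATH?)"
        return 1
    fi
    if version_ge "$found" "$min"; then
        echo "$name: $found meets minimum $min"
        return 0
    fi
    echo "$name: $found is below minimum $min, upgrade before running the Toolkit"
    return 1
}

# Run the preflight against whatever is on PATH; exit status 1 if any check fails.
main() {
    rc=0
    ansible_found=""
    if command -v ansible >/dev/null 2>&1; then
        ansible_found=$(ansible --version 2>/dev/null | ansible_core_version)
    fi
    check_tool "Ansible core" "$ansible_found" "$ANSIBLE_CORE_MIN" || rc=1

    terraform_found=""
    if command -v terraform >/dev/null 2>&1; then
        terraform_found=$(terraform version 2>/dev/null | terraform_version_from_output)
    fi
    check_tool "Terraform" "$terraform_found" "$TERRAFORM_MIN" || rc=1
    return $rc
}

main "$@"
```

Run it from the shell you will launch Terraform and Ansible from (for the Docker image, inside the container), so the versions checked are the ones the Toolkit will actually use; a non-zero exit means at least one tool needs upgrading first.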

Expected Terraform Changes

  • Several AWS Security groups will be recreated and switched over to newer Terraform resources
    • AWS EKS Node Group VMs will be recreated to use the recreated Security Groups. This is handled automatically by AWS and should have no impact on availability.
  • AWS Elasticache and GCP Memorystore deployments will have timeouts configured
  • Several GCP firewall rules will be recreated to follow clearer naming practices
  • GCP Private Service Access setup will default to update-only if the access already exists on the VPC
  • GCP resources will get some new internal labels from the new provider version.
  • Azure created subnets now have private_endpoint_network_policies set to disabled, following the latest provider default.

Deprecation Notices

Support for RHEL 8 / Amazon Linux 2

The latest version of Ansible has dropped support for RHEL 8 and Amazon Linux 2 targets. As such, support in the Toolkit is now deprecated and will end along with the EOL of Ansible 9.0 / 2.16 in May 2025.

Users who are targeting these OS types can upgrade to this version of the Toolkit but will need to continue using Ansible 9.0 / 2.16. If you are using the GitLab Environment Toolkit Docker image, you will need to subsequently downgrade the version of Ansible in the container to match.

Users who are targeting these OS versions are recommended to upgrade at the earliest opportunity to a newer OS version for continued support and compatibility with the GitLab Environment Toolkit.

Support for Ubuntu 20.04

Ubuntu 20.04 maintenance support is expected to reach End of Life in April 2025. To give as much notice as possible, support in the Toolkit will be deprecated after this date.

Users who are targeting this OS version are recommended to upgrade at the earliest opportunity to a newer OS version for continued support and compatibility with the GitLab Environment Toolkit.

Feedback

Got any feedback or found an issue? Please feel free to create an issue on our tracker.
