gitlab-org/gitlab-environment-toolkit 3.6.0

on GitLab

[!important]
The GitLab Environment Toolkit is a collection of opinionated Terraform and Ansible scripts to assist with the deployment of a self managed GitLab environment. It's recommended that users review the Before You Start section before use. Users should have a good working knowledge of Infrastructure management, Terraform, Ansible and GitLab administration as well as be aware that ultimately self managed environments are the responsibility of the user. As such, it's strongly recommended that you independently review the Toolkit in full to ensure it meets your requirements, especially around security or data integrity.

If upgrading, it's always recommended to review the release notes in full as well as the relevant documentation and to upgrade the Toolkit first before the environment.

[[TOC]]

New Key Features

GCP Data Disk Snapshot Restores

• Merge Request(s): !1418
  
• Documentation
  

Restoring from a Snapshot when creating new Data Disks on GCP is now supported!

AWS Data Disk Snapshot Restores

• Merge Request(s): !1568
  
• Documentation
  

Restoring from Snapshot(s) when creating new Data Disks on AWS is now supported!

AWS RDS Snapshot Restores

• Merge Request(s): !1549
  
• Documentation
  

Restoring from Snapshot(s) when creating new AWS RDS instances is now supported!

Thanks @KielDevops1!

GCP Cloud IAP SSH Support

• Merge Request(s): !1567
  
• Documentation
  

GCP Cloud IAP SSH firewall access can now be enabled via the Toolkit for both VMs and GKE nodes!

Beta GitLab Operator Geo Support

• Merge Request(s): !1514
  
• Documentation
  

Deploying Geo Cloud Native environments with the GitLab Operator is now available in beta!

[!note]
Support for this feature in the Toolkit is in Beta.

Thanks @niskhakova!

Further Updates and Improvements

• Default Postgres version for AWS RDS and GCP Cloud SQL has been updated to 16, which is required from GitLab 18 and higher. !1550 (thanks @axugl!)
  
• GCP Service Account permissions have been updated for GKE nodes to include defaultNodeServiceAccount role as required. !1553
  
• Added GCP option to configure binary authorization for GKE Clusters. !1552 (thanks @bbechtel!)
  
• AWS RDS Security Group description has been added. !1560 (thanks @julbrady!)
  
• AWS RDS Security Group ID output has been added in Terraform. !1572 (thanks @caseyclark!)
  
• Webservice worker counts can now be configured directly for Cloud Native environments. Additional handling in automatic calculation to support different CPU formats has also been added. !1570
  
• Advanced Search backend username and password can now be configured. !1530 (thanks @psingh29!)
  
• Additional safeguard added for AWS Elasticache instances to prevent accidental destroys when setting snapshot restore. !1578
  
• Additional outputs for GCP instance zones and Service Account IDs have been added. !1524 (thanks @bbechtel!)
  
• Ansible will show clearer output when creating files. !1546 (thanks @hlohmar!)
  
• Updated version of geerlingguy.docker to 7.4.6, which included a fix for Debian environments. !1563
  
• Improved error handling when an invalid GitLab License file has been set. !1559 (thanks @axugl!)
  
• Add graceful handling for transient settings gathering failure. !1562 (thanks @axugl!)
  
• All Documentation notes have been switched to the new built in GitLab format. !1551 (thanks @psingh29!)
  
• Several improvements and fixes have been made for Geo deployments. !1556 !1557
  
• Various other small updates, improvements and fixes.
  

Upgrade Notes

AWS RDS / GCP Cloud SQL Postgres Default Version

The default Postgres version for AWS RDS and GCP Cloud SQL has been updated to 16 in preparation of the upcoming GitLab 18 release, which requires this Postgres version.

If you have not already pinned your version as recommended (AWS RDS / GCP Cloud SQL) upgrading to this Toolkit version will trigger a Postgres upgrade when running against one of these services. Therefore it's recommended to pin beforehand or plan to upgrade.

GCP GKE Additional Role Requirement

To follow GCP recommendations, the Toolkit will now configure GKE Node Service Accounts with the defaultNodeServiceAccount role.

To be able to do this in turn the Toolkit requires the Project IAM Admin to be assigned to the GCP account it's running with. This should be added before running this version of the Toolkit.

AWS Elasticache Snapshot Restore Safeguard

An additional safeguard has been added for AWS Elasticache setups when using Snapshot restore functionality. Attempting to restore a snapshot on an existing instance will now be ignored to prevent any accidental deletions.

For users who wish to restore a snapshot to an existing instance they should destroy the instance first separately or via Terraform options first and then recreate with the setting configured.

Expected Terraform Changes

• AWS RDS security group will be replaced to update it's description. It's ID is also added to Terraform output.
  
• GCP GKE Node Service Accounts will have the defaultNodeServiceAccount role permission added as recommended by GCP.
  
• GCP Service Accounts will now have their ID's show in Terraform output.
  
• GCP VM's will now have their zones shown in Terraform output.
  

Deprecation Notices

Support for Ubuntu 20.04 / RHEL 8 / Amazon Linux 2

[!note]
For awareness, the same notices from previous releases are being repeated.

Support for the following OS versions will removed in the next GET release (3.7.0) as previously announced for the following reasons:

• Ubuntu 20.04 - Reaching EOL in April 2025
  
• RHEL 8 / Amazon Linux 2 - Ansible support was deprecated in version 10 and is scheduled to end in May 2025.
  

Users who are targeting these OS versions are recommended to upgrade at the earliest opportunity to a newer OS version for continued support and compatibility with the GitLab Environment Toolkit.

Feedback

Got any feedback or found an issue? Please feel free to create an issue on our tracker.