From ad2fbb19bdf3498bbf03bd5eb9b0e4b535280415 Mon Sep 17 00:00:00 2001
From: Harsh Chouraria
Date: Sun, 6 Jun 2021 22:43:00 +0530
Subject: [PATCH] Emit CSP settings also when disabled This just generally helps in emitting an explicit form of configuration
---
 charts/gitlab/charts/webservice/templates/configmap.yml | 4 +---
 spec/configuration/gitlab-yml-erb_spec.rb | 7 ++++---
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml
index 2775cae375..42b83595ac 100644
--- a/charts/gitlab/charts/webservice/templates/configmap.yml
+++ b/charts/gitlab/charts/webservice/templates/configmap.yml
@@ -62,15 +62,13 @@ data:
 time_zone: {{ .Values.global.time_zone | quote }}
 {{- include "gitlab.outgoing_email_settings" . | indent 8 }}
 {{- with .Values.global.appConfig }}
- {{- if eq .contentSecurityPolicy.enabled true }}
- {{- include "gitlab.appConfig.content_security_policy" . | nindent 8 }}
- {{- end }}
 {{- if eq .incomingEmail.enabled true }}
 {{- include "gitlab.appConfig.incoming_email" . | nindent 6 }}
 {{- end }}
 {{- if eq .serviceDeskEmail.enabled true }}
 {{- include "gitlab.appConfig.service_desk_email" . | nindent 6 }}
 {{- end }}
+ {{- include "gitlab.appConfig.content_security_policy" . | nindent 6 }}
 {{- include "gitlab.appConfig.cronJobs" . | nindent 6 }}
 gravatar:
 plain_url: {{ .gravatar.plainUrl }}
diff --git a/spec/configuration/gitlab-yml-erb_spec.rb b/spec/configuration/gitlab-yml-erb_spec.rb
index f725f690dc..6fd4ed3556 100644
--- a/spec/configuration/gitlab-yml-erb_spec.rb
+++ b/spec/configuration/gitlab-yml-erb_spec.rb
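Review bot: With the `if eq .contentSecurityPolicy.enabled true` guard removed, the `gitlab.appConfig.content_security_policy` helper now renders on every install, and nothing next to the new include line in configmap.yml says that this is deliberate or what it implies. An explicit `enabled: false` in gitlab.yml means the chart value, rather than whatever the application would default to, decides whether the policy is applied, so the chart default becomes the effective posture. I would add a template comment above the include, for example `{{- /* Always rendered: emits enabled: false explicitly, so the chart value overrides the application default */ -}}`. The helper itself is not part of this diff; if it validates directives with `required` or `fail`, it is worth confirming those checks are skipped when CSP is disabled. The `nindent 8` to `nindent 6` change is also not mentioned in the commit message.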
@@ -12,13 +12,13 @@ describe 'gitlab.yml.erb configuration' do end context 'when CSP is disabled' do - it 'does not populate the gitlab.yml.erb' do + it 'populates the gitlab.yml.erb' do t = HelmTemplate.new(default_values) expect(t.dig( 'ConfigMap/test-webservice', 'data', 'gitlab.yml.erb' - )).not_to include('content_security_policy') + )).to match(/content_security_policy:\s+enabled: false/) end end @@ -56,7 +56,8 @@ describe 'gitlab.yml.erb configuration' do 'ConfigMap/test-webservice', 'data', 'gitlab.yml.erb' - )).to include('content_security_policy') + )).to match(/content_security_policy:\s+enabled: true\s+report_only: false\s+directives:/) + .and include('unsafe-inline') end it 'fails when we are missing a required value' do -- GitLab
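Review bot: The renamed example `it 'populates the gitlab.yml.erb'` in the "when CSP is disabled" context no longer says what is being asserted; `it 'emits content_security_policy with enabled: false'` would state the contract this commit introduces. The regex `/content_security_policy:\s+enabled: false/` also passes however deeply the block is nested, so it does not cover the indentation the template now uses; if that matters, an assertion on the leading whitespace of the `content_security_policy:` line would pin it. The `describe` block starts and ends outside the hunk.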
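Review bot: In the second spec hunk, `.and include('unsafe-inline')` is checked against the whole rendered gitlab.yml.erb, so it passes if that string appears anywhere in the file rather than inside the CSP directives. Folding it into the regex after `directives:`, or matching the specific directive line, would tie the assertion to the policy block. A short comment such as `# 'unsafe-inline' is taken from the values set for this example; asserts directives are passed through verbatim` would make clear the spec checks pass-through rather than recommending the directive. The example's setup lies outside the hunk, so the values it uses are presumably defined there and are not visible here.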