From 8ec8fbf50c256cfe3df4cf40b2b8cebaf2c3e12a Mon Sep 17 00:00:00 2001
From: "Balasankar \"Balu\" C"
Date: Mon, 9 Sep 2024 10:41:30 +0530
Subject: [PATCH] Support setting allowed_hosts in gitlab.yml
Changelog: added
Signed-off-by: Balasankar "Balu" C
---
 .../charts/webservice/templates/configmap.yml | 1 +
 .../webservice/templates/deployment.yaml | 4 +
 charts/gitlab/templates/_gitlab.yaml.tpl | 20 +++++
 doc/charts/globals.md | 1 +
 spec/configuration/gitlab-yml-erb_spec.rb | 76 +++++++++++++++++++
 values.yaml | 1 +
 6 files changed, 103 insertions(+)
diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml
index 08496080db..ecee13832b 100644
--- a/charts/gitlab/charts/webservice/templates/configmap.yml
+++ b/charts/gitlab/charts/webservice/templates/configmap.yml
@@ -66,6 +66,7 @@ data:
 {{- end }}
 time_zone: {{ .Values.global.time_zone | quote }}
 {{- include "gitlab.outgoing_email_settings" . | indent 8 }}
+ {{- include "gitlab.appConfig.allowedHosts.configuration" . | nindent 8 }}
 {{- with .Values.global.appConfig }}
 {{- if eq .contentSecurityPolicy.enabled true }}
 {{- include "gitlab.appConfig.content_security_policy" . | nindent 8 }}
diff --git a/charts/gitlab/charts/webservice/templates/deployment.yaml b/charts/gitlab/charts/webservice/templates/deployment.yaml
index 8eea9fa178..1093539116 100644
--- a/charts/gitlab/charts/webservice/templates/deployment.yaml
+++ b/charts/gitlab/charts/webservice/templates/deployment.yaml
@@ -249,6 +249,10 @@ spec:
 {{- end }}
 - name: WORKHORSE_ARCHIVE_CACHE_DISABLED
 value: "true"
+ - name: POD_PRIVATE_IP valueFrom: fieldRef: fieldPath: status.podIP
 {{- include "webservice.extraEnv" (dict "global" $.Values.global "local" .) | nindent 12 }}
 {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
 volumeMounts:
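Review bot: `POD_PRIVATE_IP` is set only by this stanza, yet the `_gitlab.yaml.tpl` define in this commit interpolates it as `"<%= ENV['POD_PRIVATE_IP'] %>"` with no fallback, so any pod that renders the same gitlab.yml.erb without the variable ends up with an empty-string entry in `allowed_hosts` instead of a visible error, and nothing in the hunk guards against that. A comment on the new entry naming its consumer would make the coupling discoverable, e.g. `# Read by gitlab.appConfig.allowedHosts.configuration (gitlab.yml.erb allowed_hosts)`. Note also that `status.podIP` carries only the pod's primary address, so on a dual-stack cluster the second IP family (exposed via `status.podIPs`) is not allowed; whether that matters depends on what reaches Rails directly, which the hunk does not show. The surrounding container `env` list starts and ends outside the hunk.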
diff --git a/charts/gitlab/templates/_gitlab.yaml.tpl b/charts/gitlab/templates/_gitlab.yaml.tpl
index 006400fda6..a468b6d146 100644
--- a/charts/gitlab/templates/_gitlab.yaml.tpl
+++ b/charts/gitlab/templates/_gitlab.yaml.tpl
@@ -172,3 +172,23 @@ gitlab_docs:
 enabled: {{ eq $.Values.global.appConfig.gitlab_docs.enabled true }}
 host: {{ $.Values.global.appConfig.gitlab_docs.host | quote }}
 {{- end -}}{{/* "gitlab.appConfig.gitlab_docs.configuration" */}}
+
+{{- define "gitlab.appConfig.allowedHosts.configuration" -}}
+{{- if not (empty $.Values.global.appConfig.allowedHosts) }}
+{{/* GitLab Shell access GitLab over localhost*/}}
+{{- $allowed_hosts := append $.Values.global.appConfig.allowedHosts "localhost" -}}
+
+{{/* The environment variable `POD_PRIVATE_IP` is populated in the webservice deployment*/}}
+{{- $allowed_hosts = append $allowed_hosts "<%= ENV['POD_PRIVATE_IP'] %>" -}}
+
+{{/* Iterate over all deployments and add their service DNS entries */}}
+{{- range $.Values.deployments -}}
+{{- $name := include "webservice.fullname.withSuffix" . }}
+{{- $item := printf "%s.%s.svc" $name $.Release.Namespace }}
+{{- $allowed_hosts = append $allowed_hosts $item -}}
+{{- end -}}
+
+{{/* toRawJson because we want to retain the ERB statement as-is*/}}
+allowed_hosts: {{ toRawJson $allowed_hosts }}
+{{- end -}}
+{{- end -}}
diff --git a/doc/charts/globals.md b/doc/charts/globals.md
index 609f6c9806..49c30e3546 100644
--- a/doc/charts/globals.md
+++ b/doc/charts/globals.md
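Review bot: Once `allowed_hosts` is emitted, Rails' HostAuthorization middleware rejects every request whose Host is not in the list, and this define only appends `localhost`, the pod IP and the short `<name>.<namespace>.svc` form of each deployment service — the external GitLab hostname (`global.hosts.gitlab.name`) is not added, nor is the `.svc.cluster.local` FQDN form, so an operator who lists only their extra hosts locks out ingress traffic (unless something outside this hunk appends it; the configmap include in this commit does not). That contract belongs in a comment above the `if`, e.g. `{{/* Rails rejects any Host not listed here: users must include the external GitLab hostname themselves; only localhost, the pod IP and <name>.<ns>.svc are appended */}}`, and the same warning should accompany the `allowedHosts: []` default in values.yaml and the new globals.md row (which also reads "passed on as to"). Two smaller points: `GitLab Shell access GitLab over localhost` should read `GitLab Shell accesses GitLab over localhost`, and `include "webservice.fullname.withSuffix"` ties this shared library template to the webservice subchart, so including the define from another chart would fail at render time — worth stating if that is intended.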
@@ -1145,6 +1145,7 @@ application are described below:
 | `defaultProjectsFeatures.*feature*` | Boolean | `true` | [See below](#defaultprojectsfeatures). |
 | `webhookTimeout` | Integer | (empty) | Waiting time in seconds before a [hook is deemed to have failed](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#webhook-fails-or-multiple-webhook-requests-are-triggered). |
 | `graphQlTimeout` | Integer | (empty) | Time in seconds the Rails has to [complete a GraphQL request](https://docs.gitlab.com/ee/api/graphql/#limits). |
+| `allowedHosts` | | `[]` | An array of hosts that will be passed on as to `Rails.application.config.hosts` that will be used to validate the Host header by Rails middleware. |
 #### Content Security Policy
diff --git a/spec/configuration/gitlab-yml-erb_spec.rb b/spec/configuration/gitlab-yml-erb_spec.rb
index fb044651e6..88939a8234 100644
--- a/spec/configuration/gitlab-yml-erb_spec.rb
+++ b/spec/configuration/gitlab-yml-erb_spec.rb
@@ -8,6 +8,82 @@ describe 'gitlab.yml.erb configuration' do
 HelmTemplate.defaults
 end
+ context 'with default values' do
+ it 'populates gitlab.yml.erb with default values' do
+ t = HelmTemplate.new(default_values)
+ expect(t.dig(
+ 'ConfigMap/test-webservice',
+ 'data',
+ 'gitlab.yml.erb'
+ )).not_to include('allowed_hosts:')
+ end
+ end
+
+ context 'when allowedHosts are specified' do
+ context 'with a single deployment' do
+ let(:required_values) do
+ YAML.safe_load(%(
+ global:
+ appConfig:
+ allowedHosts: ['123.123.123.123', '123.123.123.124']
+ )).merge(default_values)
+ end
+
+ it 'populates gitlab.yml.erb with expected values' do
+ t = HelmTemplate.new(required_values)
+ expect(t.dig(
+ 'ConfigMap/test-webservice',
+ 'data',
+ 'gitlab.yml.erb'
+ )).to include('allowed_hosts: ["123.123.123.123","123.123.123.124","localhost","<%= ENV[\'POD_PRIVATE_IP\'] %>","test-webservice-default.default.svc"]')
+ end
+ end
+
+ context 'with multiple webservice deployments' do
+ let(:required_values) do
+ YAML.safe_load(%(
+ global:
+ appConfig:
+ allowedHosts: ['123.123.123.123', '123.123.123.124']
+ gitlab:
+ webservice:
+ deployments:
+ api:
+ ingress:
+ path: /api
+ common:
+ labels:
+ api_common: true
+ foo: api-common
+ pod:
+ labels:
+ api_pod: true
+ foo: api-pod
+ web:
+ ingress:
+ path: /
+ common:
+ labels:
+ web_common: true
+ foo: web-common
+ pod:
+ labels:
+ web_pod: true
+ foo: web-pod
+ )).merge(default_values)
+ end
+
+ it 'populates gitlab.yml.erb with expected values' do
+ t = HelmTemplate.new(required_values)
+ expect(t.dig(
+ 'ConfigMap/test-webservice',
+ 'data',
+ 'gitlab.yml.erb'
+ )).to include('allowed_hosts: ["123.123.123.123","123.123.123.124","localhost","<%= ENV[\'POD_PRIVATE_IP\'] %>","test-webservice-api.default.svc","test-webservice-web.default.svc"]')
+ end
+ end
+ end
+
 context 'when CSP is disabled' do
 it 'does not populate the gitlab.yml.erb' do
 t = HelmTemplate.new(default_values)
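Review bot: The deployment.yaml change in this commit has no coverage: the new contexts only read `ConfigMap/test-webservice`, so nothing asserts that the webservice pod actually exposes `POD_PRIVATE_IP` from `status.podIP`, and the ERB in the rendered `allowed_hosts` would silently expand to an empty string if that env entry were dropped later. An example in the 'with a single deployment' context along the lines below would pin it (the Deployment name is inferred from the expected `test-webservice-default.default.svc` entry; confirm it against the chart). As a point of style, the multi-deployment fixture carries `ingress`, `common.labels` and `pod.labels` that play no role in `allowed_hosts`; trimming them to what the deployments need in order to render would make the intent of the test clearer. The enclosing `describe` block starts and ends outside the hunk.
```ruby
it 'exposes the pod IP to the webservice container' do
  t = HelmTemplate.new(required_values)
  containers = t.dig('Deployment/test-webservice-default', 'spec', 'template', 'spec', 'containers')
  env = containers.flat_map { |c| c['env'] || [] }
  expect(env).to include(
    'name' => 'POD_PRIVATE_IP',
    'valueFrom' => { 'fieldRef' => { 'fieldPath' => 'status.podIP' } }
  )
end
```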
diff --git a/values.yaml b/values.yaml
index c3fe541102..3af03f8664 100644
--- a/values.yaml
+++ b/values.yaml
@@ -256,6 +256,7 @@ global:
 graphQlTimeout:
 webhookTimeout:
 maxRequestDurationSeconds:
+ allowedHosts: []
 ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings
 cron_jobs: {}
--
GitLab