From c51c9456bf8f2a4cce2ff20250a1795d7089afc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Cunha?= Date: Thu, 25 Sep 2025 20:52:36 +0200 Subject: [PATCH 1/2] Extend the env deduplication on deployments and pods Webservice deployments and Sidekiq Pods were not considered when we implemented our `gitlab.godebug.env` template and `checkDuplicateKeyFromEnv` template. We've now extended both to accept an extra optional argument which takes the deployment/pod scope to detect if it finds the duplicated key on their extraEnv and extraEnvFrom. Issue: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6159 MR: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4537 Changelog: fixed --- .../webservice/templates/deployment.yaml | 2 +- .../webservice_deployments_spec.rb | 56 +++++++++++++++++++ templates/_helpers.tpl | 16 +++++- 3 files changed, 71 insertions(+), 3 deletions(-) diff --git a/charts/gitlab/charts/webservice/templates/deployment.yaml b/charts/gitlab/charts/webservice/templates/deployment.yaml index 1ca48e5275..32546c4c7f 100644 --- a/charts/gitlab/charts/webservice/templates/deployment.yaml +++ b/charts/gitlab/charts/webservice/templates/deployment.yaml @@ -364,7 +364,7 @@ spec: {{- end }} env: {{- include "gitlab.timeZone.env" $ | nindent 12 }} - {{- include "gitlab.godebug.env" $ | nindent 12 }} + {{- include "gitlab.godebug.env" (dict "rootScope" $ "deploymentScope" .) | nindent 12 }} - name: TMPDIR value: "/tmp/gitlab" - name: GITLAB_WORKHORSE_AUTH_BACKEND diff --git a/spec/configuration/webservice_deployments_spec.rb b/spec/configuration/webservice_deployments_spec.rb index a5177974bc..3ea65d071d 100644 --- a/spec/configuration/webservice_deployments_spec.rb +++ b/spec/configuration/webservice_deployments_spec.rb 
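Review bot: Sidekiq pods are named in the commit message, yet the diffstat lists only the webservice deployment template, so a pod-level `GODEBUG` in sidekiq `extraEnv` presumably still renders next to the chart default. If the sidekiq template also includes `gitlab.godebug.env`, it needs the same call form, `include "gitlab.godebug.env" (dict "rootScope" $ "deploymentScope" .)`; otherwise the message should be narrowed to webservice. Whether `.` is the per-deployment scope at this line cannot be confirmed from the hunk, because the enclosing block starts outside it.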
@@ -241,6 +241,62 @@ describe 'Webservice Deployments configuration' do expect(items.dig('ConfigMap/test-webservice')).to be_truthy expect(items.dig(item_key('ConfigMap', 'tests'))).to be_truthy end + + context 'extraEnv configuration for deployments' do + let(:extra_env_values) do + YAML.safe_load(%( + global: + extraEnv: + GLOBAL_VAR: "global_value" + gitlab: + webservice: + extraEnv: + WEBSERVICE_VAR: "webservice_value" + deployments: + default: + ingress: + path: / + extraEnv: + DEPLOYMENT_VAR: "default_deployment_value" + WEBSERVICE_VAR: "overridden_webservice_value" + api: + ingress: + path: /api + extraEnv: + API_SPECIFIC_VAR: "api_value" + GODEBUG: "foo=bar" + )).deep_merge(default_values) + end + + let(:chart_extra_env) { HelmTemplate.new(extra_env_values) } + + it 'properly inherits and merges extraEnv variables across deployment levels' do + expect(chart_extra_env.exit_code).to eq(0) + + # Test default deployment - should have global, webservice (overridden), and deployment-specific vars + default_env = chart_extra_env.env(item_key('Deployment', 'default'), 'webservice') + expect(default_env).to include(env_value('GLOBAL_VAR', 'global_value')) + expect(default_env).to include(env_value('WEBSERVICE_VAR', 'overridden_webservice_value')) + expect(default_env).to include(env_value('DEPLOYMENT_VAR', 'default_deployment_value')) + + # Test api deployment - should have global, webservice, and api-specific vars + api_env = chart_extra_env.env(item_key('Deployment', 'api'), 'webservice') + expect(api_env).to include(env_value('GLOBAL_VAR', 'global_value')) + expect(api_env).to include(env_value('WEBSERVICE_VAR', 'webservice_value')) + expect(api_env).to include(env_value('API_SPECIFIC_VAR', 'api_value')) + expect(api_env).not_to include(env_value('DEPLOYMENT_VAR', 'default_deployment_value')) + expect(api_env).not_to include(env_value('API_SPECIFIC_VAR', 'default_deployment_value')) + + # Test GODEBUG without deployment overrides + default_workhorse_env = 
chart_extra_env.env(item_key('Deployment', 'default'), 'gitlab-workhorse') + expect(default_workhorse_env).to include(env_value('GODEBUG', 'tlsmlkem=0,tlskyber=0')) + + # Test GODEBUG gets overriden on api deployment + default_workhorse_env = chart_extra_env.env(item_key('Deployment', 'api'), 'gitlab-workhorse') + expect(default_workhorse_env).to_not include(env_value('GODEBUG', 'tlsmlkem=0,tlskyber=0')) + expect(default_workhorse_env).to include(env_value('GODEBUG', 'foo=bar')) + end + end end context 'deployments datamodel' do diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5c6203259b..8053a1ddf8 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
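Review bot: The new deployment-level `extraEnvFrom` branch of `checkDuplicateKeyFromEnv` is not exercised by this example, which sets `GODEBUG` through `extraEnv` only, and the duplicate itself is checked only indirectly through two `include` matchers. A count on the api workhorse env would pin the regression directly, for example `expect(api_workhorse_env.count { |e| e['name'] == 'GODEBUG' }).to eq(1)`, assuming `env` returns the container's entries as hashes. As a style point, the last block reuses `default_workhorse_env` for the `api` deployment and mixes `to_not` with `not_to`; a separate `api_workhorse_env` and a single matcher spelling would read more clearly. The assertion `not_to include(env_value('API_SPECIFIC_VAR', 'default_deployment_value'))` checks a name/value pair that no values file sets, so it cannot fail.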
@@ -670,15 +670,19 @@ Return a boolean value that indicates whether a given key exists in the provided variables from either local or global scope. Usage: {{- include checkDuplicateKeyFromEnv (dict "rootScope" $ "keyToFind" "MY_KEY") -}} +Usage with webservice deployments or sidekiq pods context: {{- include checkDuplicateKeyFromEnv (dict "rootScope" $ "keyToFind" "MY_KEY" "deploymentScope" .) -}} */}} {{- define "checkDuplicateKeyFromEnv" -}} {{- $keyToFind := .keyToFind -}} {{- $rootScope := .rootScope -}} + {{- $deploymentScope := .deploymentScope -}} {{- $localHasKey := and $rootScope.Values.extraEnv (hasKey $rootScope.Values.extraEnv $keyToFind) -}} {{- $globalHasKey := and $rootScope.Values.global.extraEnv (hasKey $rootScope.Values.global.extraEnv $keyToFind) -}} {{- $localHasKeyFrom := and $rootScope.Values.extraEnvFrom (hasKey $rootScope.Values.extraEnvFrom $keyToFind) -}} {{- $globalHasKeyFrom := and $rootScope.Values.global.extraEnvFrom (hasKey $rootScope.Values.global.extraEnvFrom $keyToFind) -}} - {{- if or $localHasKey $globalHasKey $localHasKeyFrom $globalHasKeyFrom -}} + {{- $deploymentHasKey := and $deploymentScope $deploymentScope.extraEnv (hasKey $deploymentScope.extraEnv $keyToFind) -}} + {{- $deploymentHasKeyFrom := and $deploymentScope $deploymentScope.extraEnvFrom (hasKey $deploymentScope.extraEnvFrom $keyToFind) -}} + {{- if or $localHasKey $globalHasKey $localHasKeyFrom $globalHasKeyFrom $deploymentHasKey $deploymentHasKeyFrom -}} true {{- else -}} false 
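Review bot: `$deploymentScope.extraEnv` is safe for callers that omit `deploymentScope` only because `and` short-circuits, which Go's text/template does from Go 1.18 onwards. On a Helm binary built with an older Go, every argument is evaluated and the field access on a nil scope would presumably fail the render for every existing `(dict "rootScope" $ "keyToFind" ...)` caller. Defaulting the scope removes that dependency: `{{- $deploymentScope := .deploymentScope | default dict -}}`. If the chart's minimum Helm version already guarantees short-circuit evaluation, a one-line comment saying so above the two new `and` expressions would be enough.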
@@ -687,9 +691,17 @@ false {{/* Render GODEBUG environment variable if not already defined in extraEnv + +Usage: {{- include "gitlab.godebug.env" $ -}} +Usage with webservice deployments or sidekiq pods context: {{- include "gitlab.godebug.env" (dict "rootScope" $ "deploymentScope" .) -}} */}} {{- define "gitlab.godebug.env" -}} -{{- $godebugIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "rootScope" . "keyToFind" "GODEBUG") }} +{{- $rootScope := . -}} +{{- $deploymentScope := .deploymentScope -}} +{{- if .rootScope -}} +{{- $rootScope = .rootScope -}} +{{- end -}} +{{- $godebugIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "rootScope" $rootScope "keyToFind" "GODEBUG" "deploymentScope" $deploymentScope) }} {{- if eq $godebugIsDuplicate "false" }} - name: GODEBUG value: 'tlsmlkem=0,tlskyber=0' -- GitLab From 0b653fd85017f7260b49763a3efef9a0b380cf28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Alexandre=20Cunha?= Date: Fri, 10 Oct 2025 17:34:43 -0300 Subject: [PATCH 2/2] Simplify rootScope presence check --- templates/_helpers.tpl | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 8053a1ddf8..219a8c19d1 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
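Review bot: The doc comment for `gitlab.godebug.env` should state that a user-supplied `GODEBUG` replaces the chart default rather than being merged with it. With the deployment scope now included, a per-deployment `GODEBUG` set for an unrelated reason drops `tlsmlkem=0,tlskyber=0` for that deployment only, which the spec's `GODEBUG: "foo=bar"` case asserts. That leaves the TLS key-exchange settings differing between deployments of the same release with nothing in the rendered output to flag it. A suggested addition to the comment is `Note: any GODEBUG found in extraEnv/extraEnvFrom (global, chart, or deployment/pod) suppresses this default entirely; restate tlsmlkem=0,tlskyber=0 there if it is still required.`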
@@ -696,12 +696,7 @@ Usage: {{- include "gitlab.godebug.env" $ -}} Usage with webservice deployments or sidekiq pods context: {{- include "gitlab.godebug.env" (dict "rootScope" $ "deploymentScope" .) -}} */}} {{- define "gitlab.godebug.env" -}} -{{- $rootScope := . -}} -{{- $deploymentScope := .deploymentScope -}} -{{- if .rootScope -}} -{{- $rootScope = .rootScope -}} -{{- end -}} -{{- $godebugIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "rootScope" $rootScope "keyToFind" "GODEBUG" "deploymentScope" $deploymentScope) }} +{{- $godebugIsDuplicate := include "checkDuplicateKeyFromEnv" (dict "rootScope" (hasKey . "rootScope" | ternary .rootScope . ) "keyToFind" "GODEBUG" "deploymentScope" .deploymentScope) }} {{- if eq $godebugIsDuplicate "false" }} - name: GODEBUG value: 'tlsmlkem=0,tlskyber=0' -- GitLab
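Review bot: Replacing the `if .rootScope` truthiness test with `hasKey . "rootScope"` changes behaviour for a caller that passes the key with an empty or nil value. Patch 1 fell back to `.` in that case, whereas this line forwards the empty value and `checkDuplicateKeyFromEnv` would then fail on `$rootScope.Values`. `ternary` also evaluates both branches eagerly, and the single-line form is hard to scan. `(default . .rootScope)` keeps the original fallback semantics in less space: `(dict "rootScope" (default . .rootScope) "keyToFind" "GODEBUG" "deploymentScope" .deploymentScope)`.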