From 7f2a8261bdf05a7d5a5ab3d73d06aaf7e0ef0663 Mon Sep 17 00:00:00 2001
From: Clemens Beck
Date: Mon, 7 Jul 2025 11:35:48 +0200
Subject: [PATCH] Webservice: Default to IPv4-only binds
We enabled IPv6 support by default in https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2778. After deploying this change to the staging environment, rate limiting unexpectedly began throttling unauthenticated requests. To avoid affecting customers, we reverted to IPv4 bindings only until this bug has been fixed.
Related https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6084
Changelog: changed
---
 charts/gitlab/charts/webservice/values.yaml | 6 +++---
 doc/charts/gitlab/webservice/_index.md | 5 +++--
 spec/configuration/webservice_metrics_spec.rb | 4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/charts/gitlab/charts/webservice/values.yaml b/charts/gitlab/charts/webservice/values.yaml
index a6d95525ae..52fe1f64a8 100644
--- a/charts/gitlab/charts/webservice/values.yaml
+++ b/charts/gitlab/charts/webservice/values.yaml
@@ -33,7 +33,7 @@ monitoring:
 exporter:
 enabled: false
 port: 8083
- listenAddr: '*'
+ listenAddr: '0.0.0.0'
 # Shutdown settings
 # Defines an interval to block healthcheck,
@@ -66,7 +66,7 @@ sshHostKeys:
 metrics:
 enabled: true
- listenAddr: '*'
+ listenAddr: '0.0.0.0'
 port: 8083
 path: /metrics
 tls: {}
@@ -151,7 +151,7 @@ puma:
 max: 4
 disableWorkerKiller: true
 # workerMaxMemory: 1024 # in MB units
- bindIp6: true
+ bindIp6: false
 hpa:
 # targetAverageValue: 1 # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below
diff --git a/doc/charts/gitlab/webservice/_index.md b/doc/charts/gitlab/webservice/_index.md
index 6e6b3e9254..286269d576 100644
--- a/doc/charts/gitlab/webservice/_index.md
+++ b/doc/charts/gitlab/webservice/_index.md
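Review bot: In charts/gitlab/charts/webservice/values.yaml the new `listenAddr: '0.0.0.0'` under `monitoring.exporter` has no comment marking it as a temporary IPv4-only workaround, and the same applies to `metrics.listenAddr` in the next hunk. An IPv4-only bind on a pod that only has an IPv6 address would presumably leave the metrics endpoint unreachable for scraping, so operators on such clusters need to know they must override it. I would add `# IPv4-only for now, see https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6084; the previous default was '*'` above both values. The `monitoring` and `metrics` maps continue outside these hunks.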
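Review bot: `bindIp6: false` in the `puma` hunk of values.yaml changes only the default, so a deployment that already sets `puma.bindIp6: true` keeps the binding that, per the description, made rate limiting throttle unauthenticated requests on staging. The values file gives no hint of that, while the doc table in this patch does. A comment on the line, e.g. `# Off by default: IPv6 binds led to unexpected rate limiting, see https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6084`, would put the warning where overrides are actually written.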
@@ -100,6 +100,7 @@ to the `helm install` command using the `--set` flags.
 | `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
 | `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping |
 | `metrics.port` | `8083` | Metrics endpoint port |
+ | `metrics.listenAddr` | `0.0.0.0` | Metrics listen address. |
 | `metrics.path` | `/metrics` | Metrics endpoint path |
 | `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations |
 | `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor |
@@ -111,7 +112,7 @@ to the `helm install` command using the `--set` flags.
 | `minio.port` | `9000` | Port for MinIO service |
 | `minio.serviceName` | `minio-svc` | Name of MinIO service |
 | `monitoring.ipWhitelist` | `[0.0.0.0/0, ::/0]` | List of IPs to whitelist for the monitoring endpoints |
- | `monitoring.exporter.listenAddr` | `*` | Metrics listen address. |
+ | `monitoring.exporter.listenAddr` | `0.0.0.0` | Metrics listen address. |
 | `monitoring.exporter.enabled` | `false` | Enable webserver to expose Prometheus metrics, this is overridden by `metrics.enabled` if the metrics port is set to the monitoring exporter port |
 | `monitoring.exporter.port` | `8083` | Port number to use for the metrics exporter |
 | `psql.password.key` | `psql-password` | Key to psql password in psql secret |
@@ -121,7 +122,7 @@ to the `helm install` command using the `--set` flags.
 | `puma.workerMaxMemory` | | The maximum memory (in megabytes) for the Puma worker killer |
 | `puma.threads.min` | `4` | The minimum amount of Puma threads |
 | `puma.threads.max` | `4` | The maximum amount of Puma threads |
- | `puma.bindIp6` | `true` | Bind IPv6 addresses with Puma. |
+ | `puma.bindIp6` | `false` | Bind IPv6 addresses with Puma. Currently defaults to false due to a [known issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/6084) related to rate limiting. |
 | `rack_attack.git_basic_auth` | `{}` | See [GitLab documentation](https://docs.gitlab.com/administration/settings/protected_paths/) for details |
 | `redis.serviceName` | `redis` | Redis service name |
 | `global.registry.api.port` | `5000` | Registry port |
diff --git a/spec/configuration/webservice_metrics_spec.rb b/spec/configuration/webservice_metrics_spec.rb
index 11093cfc62..3813966535 100644
--- a/spec/configuration/webservice_metrics_spec.rb
+++ b/spec/configuration/webservice_metrics_spec.rb
@@ -15,7 +15,7 @@ describe 'Webservice monitoring/metrics configuration' do
 expect(monitoring).to include(
 'web_exporter' => {
 'enabled' => true,
- 'address' => '*',
+ 'address' => '0.0.0.0',
 'port' => 8083
 }
 )
@@ -36,7 +36,7 @@ describe 'Webservice monitoring/metrics configuration' do
 expect(monitoring).to include(
 'web_exporter' => {
 'enabled' => false,
- 'address' => '*',
+ 'address' => '0.0.0.0',
 'port' => 8083
 }
 )
-- GitLab
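Review bot: The two expectations in spec/configuration/webservice_metrics_spec.rb now pin `'address' => '0.0.0.0'`, but nothing visible in this patch pins the other changed default, `puma.bindIp6: false`, or checks that setting `listenAddr` back to `'*'` still renders through to `web_exporter`. Since the default was reverted to stop a rate-limiting regression, an example that renders the chart with default values and asserts the Puma bind is IPv4-only would keep it from being flipped back unnoticed. A second example with `listenAddr: '*'` would keep the opt-in path covered. The `describe` block starts and ends outside both hunks, so existing coverage elsewhere in the file cannot be ruled out.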