
Finishing touches #25

Merged
clofour merged 7 commits into main from dev on May 2, 2026

Conversation

clofour (Owner) commented May 2, 2026

Summary by CodeRabbit

  • New Features

    • Added monitoring stack integration with Grafana dashboards
    • Enabled SSH gateway listener for improved connectivity
  • Updates

    • Upgraded GitLab to version 9.11.2
    • Configured Gateway API routes for GitLab Shell, Pages, and Registry components
  • Chores

    • Updated storage credentials to use Cloudflare R2
    • Added Prometheus Community Helm repository for monitoring support

coderabbitai Bot commented May 2, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f3b655ae-c2d6-4bc5-855f-29e5d95136ef


Walkthrough

This PR updates GitLab from chart version 9.10.3 to 9.11.2 with Gateway API routing for shell, pages, and registry components; adds a kube-prometheus-stack Helm release for monitoring with Grafana; configures a TCP SSH listener in the Gateway; removes the Terraform Helm provider; and updates GitLab S3 secrets to use Cloudflare R2 credentials instead of account credentials.

Changes

Monitoring Infrastructure

Helm Repository Source
  File(s): flux/runtime/repositories/prometheus-community.yaml
  Summary: New HelmRepository named gitlab pointing to Prometheus Community Helm charts with 5-minute refresh interval.
HelmRelease Deployment
  File(s): flux/runtime/releases/kube-prometheus-stack.yaml
  Summary: New HelmRelease for kube-prometheus-stack chart v83.6.0 targeting monitoring namespace with dependencies on envoy-gateway and gitlab, Grafana ingress disabled and Gateway route enabled with templated hostnames.
Configuration
  File(s): terraform/fluxcd.tf
  Summary: grafana_host variable added to Flux runtime-values ConfigMap to support templated Grafana hostname in Gateway route.

GitLab and Gateway Infrastructure

Gateway Listener
  File(s): helm/gateway-config/chart/templates/gateway.yaml
  Summary: New tcp-ssh listener added to Gateway on port 22 accepting TCP traffic from all namespaces.
GitLab Chart Upgrade and Routing
  File(s): flux/runtime/releases/gitlab.yaml
  Summary: GitLab HelmRelease upgraded from v9.10.3 to v9.11.2 with Gateway API gatewayRoute.sectionName entries configured for gitlab-shell (tcp-ssh), gitlab-pages (https), and registry (https).

Terraform Provider and Credential Management

Provider Removal
  File(s): terraform/providers.tf, terraform/versions.tf
  Summary: Helm provider configuration and version constraint removed from Terraform declarations (now Flux-managed).
Storage Credential Update
  File(s): terraform/kubernetes.tf
  Summary: GitLab S3 secret resources (gitlab_s3_main and gitlab_s3_backup) credential sources switched from Cloudflare account credentials to Cloudflare R2 access credentials.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Rework networking #20: Both PRs update Gateway and Envoy Gateway configurations, modify GitLab Helm values for Gateway API integration, and reconfigure ingress/routing through Gateway resources.
  • Migrate to GitOps #24: Both PRs update GitLab HelmRelease specifications, introduce/configure kube-prometheus-stack monitoring infrastructure, and add Prometheus service monitor settings for GitLab components.
  • Implement GitLab and add terraform-validate action #2: Both PRs modify the GitLab Helm deployment configuration and update GitLab chart version/values; this PR adds Gateway API routing while updating from v9.10.3 to v9.11.2.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive
  Explanation: The title 'Finishing touches' is vague and generic, using non-descriptive phrasing that does not convey meaningful information about the substantial changes in this pull request.
  Resolution: Consider using a more specific title that captures the main changes, such as 'Upgrade GitLab chart, add monitoring stack, and improve S3 credentials management' or break into focused commits with clear titles.
✅ Passed checks (4 passed)
Description Check: ✅ Passed (Check skipped - CodeRabbit's high-level summary is enabled.)
Docstring Coverage: ✅ Passed (No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.)
Linked Issues check: ✅ Passed (Check skipped because no linked issues were found for this pull request.)
Out of Scope Changes check: ✅ Passed (Check skipped because no linked issues were found for this pull request.)


clofour (Owner, Author) commented May 2, 2026

@coderabbitai full review

coderabbitai Bot commented May 2, 2026

✅ Actions performed

Full review triggered.

coderabbitai Bot left a comment

Actionable comments posted: 2


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f9b33149-ad5d-40b9-a9dd-ecef2ceac482

📥 Commits

Reviewing files that changed from the base of the PR and between 2ed0a11 and f17c1e4.

📒 Files selected for processing (8)
  • flux/runtime/releases/gitlab.yaml
  • flux/runtime/releases/kube-prometheus-stack.yaml
  • flux/runtime/repositories/prometheus-community.yaml
  • helm/gateway-config/chart/templates/gateway.yaml
  • terraform/fluxcd.tf
  • terraform/kubernetes.tf
  • terraform/providers.tf
  • terraform/versions.tf
💤 Files with no reviewable changes (2)
  • terraform/versions.tf
  • terraform/providers.tf
📜 Review details
🧰 Additional context used
🪛 Trivy (0.69.3)
flux/runtime/repositories/prometheus-community.yaml

[info] 6-8: resource quota usage

A resource quota policy with hard memory and CPU limits should be configured per namespace

Rule: KSV-0040

Learn more

(IaC/Kubernetes)

flux/runtime/releases/kube-prometheus-stack.yaml

[info] 6-42: resource quota usage

A resource quota policy with hard memory and CPU limits should be configured per namespace

Rule: KSV-0040

Learn more

(IaC/Kubernetes)

🔇 Additional comments (4)
terraform/kubernetes.tf (1)

129-130: Credential migration is applied consistently in both S3 secrets.

Switching to dedicated R2 access key credentials here is correct and improves secret hygiene versus reusing account/API-token fields.

Also applies to: 168-169

terraform/fluxcd.tf (1)

12-12: Good runtime value wiring for Grafana host.

This addition is consistent with the new Grafana host templating flow.

flux/runtime/releases/gitlab.yaml (1)

149-159: Gateway route section mappings look consistent.

The new sectionName values align with the defined Gateway listeners and complete the route wiring.

Also applies to: 173-174

flux/runtime/releases/kube-prometheus-stack.yaml (1)

23-33: Grafana host and Gateway parentRef wiring looks good.

The templated hostname and parent reference are set up correctly for Gateway-based exposure.

Comment on lines +4 to +8
name: gitlab
namespace: flux-system
spec:
interval: 5m
url: https://prometheus-community.github.io/helm-charts

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo_file="$(fd -i 'prometheus-community.yaml' flux/runtime/repositories | head -n1)"
release_file="$(fd -i 'kube-prometheus-stack.yaml' flux/runtime/releases | head -n1)"

echo "Repository file: $repo_file"
echo "Release file:    $release_file"
echo

echo "[HelmRepository metadata.name]"
awk '
  /^metadata:/ {in_meta=1; next}
  in_meta && /^[^[:space:]]/ {in_meta=0}
  in_meta && /^[[:space:]]*name:/ {print; exit}
' "$repo_file"

echo "[HelmRelease sourceRef.name]"
awk '
  /sourceRef:/ {in_src=1; next}
  in_src && /^[^[:space:]]/ {in_src=0}
  in_src && /^[[:space:]]*name:/ {print; exit}
' "$release_file"

Repository: clofour/gitlab-kubernetes

Length of output: 315


Rename HelmRepository to match the HelmRelease sourceRef.

kube-prometheus-stack references sourceRef.name: prometheus-community, but this repository is named gitlab. Flux cannot resolve that source, and the release will fail to fetch its chart.

Suggested fix
 metadata:
-  name: gitlab
+  name: prometheus-community
   namespace: flux-system
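Review bot: renaming the repository to prometheus-community resolves the sourceRef, but check for a second side effect of the original name: the walkthrough shows a gitlab HelmRelease that this HelmRelease dependsOn, and if the GitLab chart's own HelmRepository in flux-system is also called gitlab, the file as merged does not merely leave kube-prometheus-stack unresolved, it defines a second HelmRepository with the same kind, namespace and name and a different url, which the Flux Kustomization rejects as a duplicate resource id (or which overwrites the GitLab source if applied by hand). The dependsOn entry is unaffected by the rename, since it references a HelmRelease, not a source. After the fix, `flux get sources helm -n flux-system` should list both repositories as Ready and `flux get helmreleases -n monitoring` should show the chart fetched rather than a source-not-found condition.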

Comment on lines +17 to +19
allowedRoutes:
namespaces:
from: All

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Kubernetes Gateway API v1, what are the recommended secure alternatives to allowedRoutes.namespaces.from: All for TCP listeners (especially SSH/port 22)?

💡 Result:

In Kubernetes Gateway API v1, the recommended secure alternatives to allowedRoutes.namespaces.from: All for TCP listeners (including SSH on port 22) are:

1. from: Same - Restricts TCPRoute attachments to only the same namespace as the Gateway. This is the default and most secure option for single-namespace isolation.
2. from: Selector with a namespace label selector - Allows TCPRoutes from a specific set of labeled namespaces, enabling controlled cross-namespace access without opening to all namespaces. Label namespaces with stable keys like kubernetes.io/metadata.name for precision.

Example for a TCP listener on port 22 (SSH):

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: ssh-gateway
  namespace: infra
spec:
  gatewayClassName: example-class
  listeners:
  - name: ssh
    protocol: TCP
    port: 22
    allowedRoutes:
      kinds:
      - kind: TCPRoute
      namespaces:
        from: Selector
        selector:
          matchLabels:
            ssh-access: "allowed"

Additionally, if TCPRoutes reference backends (e.g., Services) in other namespaces, use ReferenceGrant in the backend's namespace to explicitly authorize those cross-namespace references. This provides defense-in-depth. These apply uniformly to all listeners, including TCP, as allowedRoutes.namespaces is a core field shared across protocols. Official docs emphasize Same or Selector as best practices to prevent unintended Route attachments in multi-tenant clusters, especially avoiding All.


🏁 Script executed:

# Check if the file exists and read the relevant section
cat -n helm/gateway-config/chart/templates/gateway.yaml | head -50

Repository: clofour/gitlab-kubernetes

Length of output: 1140


Restrict namespace attachment on the SSH listener.

Allowing from: All on port 22 lets any namespace attach a TCPRoute to this listener. Use from: Selector with namespace label matching to limit attachment to trusted namespaces only.

Suggested hardening
       allowedRoutes:
         namespaces:
-          from: All
+          from: Selector
+          selector:
+            matchLabels:
+              gateway-access: "true"
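Review bot: this Selector hunk will break SSH on merge unless the namespace that hosts gitlab-shell receives the gateway-access: "true" label in the same change: gitlab.yaml in this PR points gitlab-shell at sectionName tcp-ssh, and a TCPRoute from an unlabelled namespace is left with Accepted=False (reason NotAllowedByListeners), so the port-22 listener stays up with nothing behind it. Label that namespace alongside this file, and since the listener carries only SSH, also set allowedRoutes.kinds to TCPRoute so an HTTPRoute or TLSRoute cannot be bound to port 22. The underlying risk of from: All is route hijacking rather than exposure: no traffic reaches the listener until a route attaches, but any principal with create on tcproutes in any namespace can attach one and take over the gateway's SSH port.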

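Both findings in the review above are the kind of thing a pre-merge script can catch before Flux does: a HelmRelease whose sourceRef names a HelmRepository that is not defined, two objects sharing one resource id, and a Gateway listener that lets every namespace attach routes. The checks below are an added example written for this page, not code from the gitlab-kubernetes repository or from CodeRabbit. The manifests are constructed inline as already-parsed dicts (what yaml.safe_load_all returns for the files) and mirror the names visible in the review; the Gateway's own name and namespace, its gatewayClassName, and the https listener are assumptions, as is the gateway-access label used by harden_listener.

```python
"""Pre-merge checks for Flux HelmRelease source wiring and Gateway listener
attachment policy. Constructed example, not the repository's own tooling."""
import copy

# Constructed manifests mirroring the PR under review. Gateway name, namespace,
# gatewayClassName and the https listener are assumed for illustration.
MANIFESTS = [
    {"apiVersion": "source.toolkit.fluxcd.io/v1", "kind": "HelmRepository",
     "metadata": {"name": "gitlab", "namespace": "flux-system"},
     "spec": {"interval": "5m",
              "url": "https://prometheus-community.github.io/helm-charts"}},
    {"apiVersion": "helm.toolkit.fluxcd.io/v2", "kind": "HelmRelease",
     "metadata": {"name": "kube-prometheus-stack", "namespace": "monitoring"},
     "spec": {"chart": {"spec": {"chart": "kube-prometheus-stack", "version": "83.6.0",
                                 "sourceRef": {"kind": "HelmRepository",
                                               "name": "prometheus-community",
                                               "namespace": "flux-system"}}},
              "dependsOn": [{"name": "envoy-gateway"}, {"name": "gitlab"}]}},
    {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "Gateway",
     "metadata": {"name": "gateway", "namespace": "envoy-gateway-system"},
     "spec": {"gatewayClassName": "envoy", "listeners": [
         {"name": "https", "protocol": "HTTPS", "port": 443,
          "allowedRoutes": {"namespaces": {"from": "Same"}}},
         {"name": "tcp-ssh", "protocol": "TCP", "port": 22,
          "allowedRoutes": {"namespaces": {"from": "All"}}}]}},
]


def load_manifests(paths):
    """Parse real files with PyYAML (optional; the checks below need only dicts)."""
    import yaml  # imported lazily so the example runs without the package
    docs = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            docs.extend(d for d in yaml.safe_load_all(fh) if d)
    return docs


def _ident(doc):
    meta = doc.get("metadata", {})
    return doc.get("kind"), meta.get("namespace"), meta.get("name")


def duplicate_objects(docs):
    """Same kind/namespace/name twice: kustomize build rejects the duplicate id,
    and a direct apply would let the later object overwrite the earlier one."""
    seen, dups = set(), []
    for doc in docs:
        ident = _ident(doc)
        if ident in seen:
            dups.append("%s %s/%s defined more than once" % ident)
        seen.add(ident)
    return dups


def unresolved_source_refs(docs):
    """HelmReleases whose sourceRef points at a HelmRepository nobody defines."""
    repos = {(ns, name) for kind, ns, name in map(_ident, docs)
             if kind == "HelmRepository"}
    problems = []
    for doc in docs:
        if doc.get("kind") != "HelmRelease":
            continue
        _, hr_ns, hr_name = _ident(doc)
        ref = doc["spec"]["chart"]["spec"]["sourceRef"]
        if ref.get("kind", "HelmRepository") != "HelmRepository":
            continue  # GitRepository / OCIRepository sources are out of scope here
        # Flux defaults sourceRef.namespace to the HelmRelease's own namespace.
        key = (ref.get("namespace", hr_ns), ref["name"])
        if key not in repos:
            problems.append(f"HelmRelease {hr_ns}/{hr_name}: sourceRef HelmRepository "
                            f"{key[0]}/{key[1]} does not exist")
    return problems


def open_listeners(docs):
    """Listeners accepting routes from every namespace, or a Selector with no
    selector (matches nothing, so the listener silently has no routes)."""
    findings = []
    for doc in docs:
        if doc.get("kind") != "Gateway":
            continue
        _, gw_ns, gw_name = _ident(doc)
        for lst in doc.get("spec", {}).get("listeners", []):
            ns_rule = lst.get("allowedRoutes", {}).get("namespaces", {})
            mode = ns_rule.get("from", "Same")  # Gateway API default is Same
            where = (f"Gateway {gw_ns}/{gw_name} listener {lst['name']} "
                     f"({lst['protocol']}/{lst['port']})")
            if mode == "All":
                findings.append(f"{where}: allowedRoutes.namespaces.from=All")
            elif mode == "Selector" and not ns_rule.get("selector"):
                findings.append(f"{where}: from=Selector without a selector")
    return findings


def harden_listener(listener, match_labels, kinds=("TCPRoute",)):
    """Return a copy restricted to labelled namespaces and the given route kinds;
    the original listener dict is left untouched."""
    out = copy.deepcopy(listener)
    out["allowedRoutes"] = {
        "kinds": [{"kind": k} for k in kinds],
        "namespaces": {"from": "Selector",
                       "selector": {"matchLabels": dict(match_labels)}},
    }
    return out


def run_checks(docs):
    return duplicate_objects(docs) + unresolved_source_refs(docs) + open_listeners(docs)


if __name__ == "__main__":
    for line in run_checks(MANIFESTS):
        print(line)
```

Run against the constructed manifests it reports exactly the two problems the review raised; point load_manifests at the flux/ and helm/ trees to run it on real files. The Selector branch of open_listeners is there because the suggested fix is easy to half-apply: a listener with from: Selector and no selector, or a selector whose label no namespace carries, is not insecure but quietly accepts nothing, which for the SSH listener means clones over port 22 stop working.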
@clofour clofour merged commit a529401 into main May 2, 2026
3 checks passed
@clofour clofour deleted the dev branch May 2, 2026 16:47