Various bug fixes and improvements

[clofour]

No description provided.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b29c29f8-9f15-4d33-8f59-5982701f251c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Infrastructure configuration for GitLab Kubernetes deployment is established with a new Makefile for Terraform automation, security enhancements (Redis SSL, PostgreSQL SSL enforcement), DNS/domain resource refactoring, Kubernetes manifest templating with email variable injection, and automated secret generation and storage for initial root password.

Changes

Cohort / File(s)	Summary
Build Automation Makefile	Added Makefile with .PHONY targets for init, plan, deploy, and destroy that invoke Terraform commands in the terraform directory.
Helm Values Configuration helm/gitlab/values.yaml, helm/ingress-nginx/values.yaml	Updated GitLab Helm values with initial root password secret reference, Redis SSL scheme (rediss), and PostgreSQL SSL enforcement. Updated ingress-nginx annotation key from service.beta.kubernetes.io/do-name to service.beta.kubernetes.io/do-loadbalancer-name.
Kubernetes Cluster Configuration kubernetes/cluster-issuer.yaml	Added spec.acme.email field to ClusterIssuer ACME configuration for account registration.
Terraform DNS & Domain Resources terraform/dns.tf, terraform/domain.tf	Refactored domain management: removed standalone domain resource and introduced new DNS configuration file with domain resource and A record pointing to ingress service load balancer IP.
Terraform Kubernetes & Secrets terraform/kubernetes.tf	Updated ClusterIssuer manifest rendering to use templatefile() with email variable injection. Added random password generation, Kubernetes secret for initial root password, and data source for ingress-nginx service discovery.
Terraform Configuration terraform/variables.tf, terraform/outputs.tf	Added input variable email (string, required) and output gitlab_initial_root_password (sensitive) sourced from generated password.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Configure Terraform #1: Directly conflicts at code level with this PR on digitalocean_domain.main resource definition (this PR removes it in domain.tf while the retrieved PR adds/manages it).

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Various bug fixes and improvements' is vague and generic, using non-descriptive language that doesn't convey meaningful information about the specific changes in this substantial infrastructure update.	Use a more specific title that highlights the main change, such as 'Add Terraform DNS configuration and GitLab initialization setup' or 'Configure domain management and secure database/Redis connections'.
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to assess whether any description relates to the changeset.	Add a pull request description that explains the purpose of these changes, including why Terraform DNS configuration, GitLab password initialization, and security settings were added.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3cbfead3-c42b-46e6-bb05-8e4cac610d39

📥 Commits

Reviewing files that changed from the base of the PR and between 7f0fb27 and 1c31b90.

📒 Files selected for processing (10)

• Makefile
• helm/gitlab/values.yaml
• helm/ingress-nginx/values.yaml
• kubernetes/cluster-issuer.yaml
• terraform/dns.tf
• terraform/domain.tf
• terraform/kubernetes.tf
• terraform/outputs.tf
• terraform/variables.tf
• terraform/versions.tf

💤 Files with no reviewable changes (1)

• terraform/domain.tf

📜 Review details

🧰 Additional context used

🪛 checkmake (0.2.2)

Makefile

[warning] 1-1: Missing required phony target "all"

(minphony)

---

[warning] 1-1: Missing required phony target "clean"

(minphony)

---

[warning] 1-1: Missing required phony target "test"

(minphony)

🪛 Checkov (3.2.513)

helm/gitlab/values.yaml

[low] 5-6: Base64 High Entropy String

(CKV_SECRET_6)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use var.gitlab_host for the A record name.

The chart already allows overriding the GitLab hostname, but this record is pinned to "gitlab". Any non-default gitlab_host will publish the wrong DNS name and the ingress host won't resolve.

🛠 Suggested change

 resource "digitalocean_record" "gitlab" {
     domain = digitalocean_domain.main.name
     type = "A"
-    name = "gitlab"
+    name = var.gitlab_host
     value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
     ttl = 300
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	resource "digitalocean_record" "gitlab" {
	domain = digitalocean_domain.main.name
	type = "A"
	name = "gitlab"
	value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
	ttl = 300
	resource "digitalocean_record" "gitlab" {
	domain = digitalocean_domain.main.name
	type = "A"
	name = var.gitlab_host
	value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
	ttl = 300
	}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add this secret to helm_release.gitlab.depends_on.

helm/gitlab/values.yaml now makes the release depend on gitlab-initial-root-password, but the provided terraform/helm.tf snippet still only waits on the older secrets. On a fresh apply, Helm can start before this secret exists and fail the install.

🛠 Follow-up change outside this hunk

 resource "helm_release" "gitlab" {
   ...
   depends_on = [
+    kubernetes_secret_v1.gitlab_initial_root_password,
     kubernetes_secret_v1.gitlab_postgres,
     kubernetes_secret_v1.gitlab_redis,
     kubernetes_secret_v1.gitlab_s3_main,
     digitalocean_database_db.gitlab
   ]
 }

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E '\.tf$' | head -20

Repository: clofour/gitlab-kubernetes

Length of output: 316

---

🏁 Script executed:

wc -l terraform/kubernetes.tf

Repository: clofour/gitlab-kubernetes

Length of output: 96

---

🏁 Script executed:

cat -n terraform/kubernetes.tf

Repository: clofour/gitlab-kubernetes

Length of output: 4560

---

🏁 Script executed:

cat -n terraform/dns.tf

Repository: clofour/gitlab-kubernetes

Length of output: 445

---

🏁 Script executed:

cat -n terraform/helm.tf

Repository: clofour/gitlab-kubernetes

Length of output: 2275

---

🏁 Script executed:

rg "ingress_nginx" terraform/ -A 3 -B 3

Repository: clofour/gitlab-kubernetes

Length of output: 1448

---

🏁 Script executed:

rg "digitalocean_record\|digitalocean_domain" terraform/ -A 2 -B 2

Repository: clofour/gitlab-kubernetes

Length of output: 51

---

🏁 Script executed:

cat -n terraform/dns.tf

Repository: clofour/gitlab-kubernetes

Length of output: 445

---

🏁 Script executed:

rg "timeouts\|wait" terraform/ -i

Repository: clofour/gitlab-kubernetes

Length of output: 51

---

🏁 Script executed:

rg "lifecycle\|create_before_destroy" terraform/

Repository: clofour/gitlab-kubernetes

Length of output: 51

---

🏁 Script executed:

cat -n terraform/outputs.tf

Repository: clofour/gitlab-kubernetes

Length of output: 1478

---

Add timeout to data source to wait for load balancer provisioning.

The depends_on = [helm_release.ingress_nginx] only ensures the Service is created. DigitalOcean's cloud controller provisioning the load balancer IP in status.load_balancer.ingress is asynchronous and can complete after the helm release, causing the DNS record creation in terraform/dns.tf line 9 to fail when it tries to access an empty ingress list on first apply.

Add a timeouts block to the data source or use a resource-based waiter to poll until the load balancer is ready before the DNS record is created.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E "terraform|kubernetes" | head -20

Repository: clofour/gitlab-kubernetes

Length of output: 419

---

🏁 Script executed:

cat -n terraform/variables.tf | head -60

Repository: clofour/gitlab-kubernetes

Length of output: 1245

---

🏁 Script executed:

cat -n terraform/kubernetes.tf | grep -A 5 -B 5 "email"

Repository: clofour/gitlab-kubernetes

Length of output: 434

---

🏁 Script executed:

cat -n kubernetes/cluster-issuer.yaml

Repository: clofour/gitlab-kubernetes

Length of output: 485

---

🏁 Script executed:

cat -n terraform/variables.tf | grep -A 10 "validation"

Repository: clofour/gitlab-kubernetes

Length of output: 51

---

🏁 Script executed:

web_search
What is the Terraform variable validation block syntax for string variables?

Repository: clofour/gitlab-kubernetes

Length of output: 162

---

🌐 Web query:

Terraform variable validation block syntax for string trimspace

💡 Result:

The syntax for a Terraform variable validation block using trimspace checks if a string variable has no leading or trailing whitespace by comparing the original value to its trimmed version. Example: variable "hostname" { type = string validation { condition = var.hostname == trimspace(var.hostname) error_message = "Hostname must not contain leading or trailing whitespace." } } This uses the built-in trimspace function, which removes Unicode whitespace (spaces, tabs, newlines, etc.) from both ends of the string. The validation block requires a boolean condition expression that must evaluate to true and a descriptive error_message. Terraform evaluates this during plan creation; if false, it errors with the message and halts. You can add multiple validation blocks for different checks or use trimspace(var.name) in locals for normalization without validation.

Citations:

• 1: https://developer.hashicorp.com/terraform/language/block/variable
• 2: https://developer.hashicorp.com/terraform/language/expressions/custom-conditions
• 3: https://oneuptime.com/blog/post/2026-02-23-how-to-use-trimspace-function-in-terraform/view
• 4: https://developer.hashicorp.com/terraform/language/functions/trimspace
• 5: https://www.terraform.io/language/functions/trimspace

---

Reject empty ACME emails at plan time.

This variable is required, but "" and whitespace-only values still pass and render an invalid ClusterIssuer manifest. Add validation so the failure happens during terraform plan, not after cert-manager tries to apply the manifest.

🔍 Suggested change

 variable "email" {
     type = string
+    validation {
+        condition     = trimspace(var.email) != ""
+        error_message = "email must be non-empty."
+    }
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	variable "email" {
	type = string
	}
	variable "email" {
	type = string
	validation {
	condition = trimspace(var.email) != ""
	error_message = "email must be non-empty."
	}
	}