LDAP AD Integration fails using GitLab Operator on OpenShift

Hi, I’m trying to integrate AD into GitLab (CE edition) running on OpenShift 4.9, but I’m hitting an error that indicates my GitLab CRD might be wrong, and I can’t work out why.

The error is:

oc logs gitlab-toolbox-54599d8f9c-t2q2t
Begin parsing .erb templates from /var/opt/gitlab/templates
Writing /srv/gitlab/config/cable.yml
Writing /srv/gitlab/config/database.yml
Writing /srv/gitlab/config/gitlab.yml
/var/opt/gitlab/templates/gitlab.yml.erb:115:in `read': No such file or directory @ rb_sysopen - /etc/gitlab/ldap/main/password (Errno::ENOENT)
        from /var/opt/gitlab/templates/gitlab.yml.erb:115:in `<main>'
        from /usr/lib/ruby/2.7.0/erb.rb:905:in `eval'
        from /usr/lib/ruby/2.7.0/erb.rb:905:in `result'
        from /usr/lib/ruby/2.7.0/erb.rb:890:in `run'
        from /usr/bin/erb:154:in `run'
        from /usr/bin/erb:175:in `<main>'

Under the spec.chart.values section of my gitlab.yaml definition, I have

global:
  appConfig:
    ldap:
      enabled: false
      prevent_ldap_sign_in: false
      servers:
        main:
          active_directory: true
          base: OU=Users,OU=Local Objects,DC=somewhere,DC=com
          bind_dn: CN=sa_gitlab,OU=Service Accounts,OU=Local Objects,DC=somewhere,DC=com
          encryption: plain
          host: domctl.somewhere.com
          label: Active Directory
          lowercase_usernames: true
          password:
            key: bind_password
            secret: gitlab-ldap-bind-secret
          port: 389
          uid: sAMAccountName
          user_filter: (memberof:1.2.840.113556.1.4.1941:=CN=GitLab,OU=Security,OU=Groups,OU=Local
            Objects,DC=somewhere,DC=com)
          verify_certificates: false
  edition: ce

If I change the password section to simply a plain value, the parser complains that it needs the secret and key name.

oc get secret gitlab-ldap-bind-secret
NAME                      TYPE     DATA   AGE
gitlab-ldap-bind-secret   Opaque   1      4d18h

What am I missing please?

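A preflight check for the configuration above, written here as an added example (not code from the original post, the GitLab chart or the Operator): it resolves each `password: {secret, key}` reference under `global.appConfig.ldap.servers` against `oc get secret -o json` output and reports any reference the rendered `gitlab.yml.erb` could not satisfy when it reads `/etc/gitlab/ldap/<server>/password`. The values dict mirrors the post's YAML, and the secret document is constructed.

```python
import base64
import json

# LDAP block of spec.chart.values from the post as a dict (PyYAML not needed);
# only the fields the check needs are kept.
LDAP_VALUES = {
    "servers": {
        "main": {
            "host": "domctl.somewhere.com",
            "password": {"key": "bind_password", "secret": "gitlab-ldap-bind-secret"},
        }
    },
}

# Constructed stand-in for `oc get secret gitlab-ldap-bind-secret -o json`.
SECRET_JSON = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "gitlab-ldap-bind-secret"},
    "type": "Opaque",
    "data": {"bind_password": base64.b64encode(b"constructed-bind-pw").decode()},
})

def load_secrets(*json_docs):
    """Index `oc get secret -o json` documents by metadata.name."""
    return {d["metadata"]["name"]: d for d in map(json.loads, json_docs)}

def check_ldap_secrets(ldap_values, secrets_by_name):
    """Return one problem string per LDAP server whose password reference
    cannot be satisfied; an empty list means every reference resolves.
    The rendered template reads the mounted value at /etc/gitlab/ldap/<server>/password,
    which is where a dangling reference surfaces as the Errno::ENOENT in the post."""
    problems = []
    for name, server in ldap_values.get("servers", {}).items():
        ref = server.get("password")
        mount = f"/etc/gitlab/ldap/{name}/password"
        if not isinstance(ref, dict) or not all(k in ref for k in ("secret", "key")):
            problems.append(f"{name}: password must be a {{secret, key}} reference (mounted at {mount})")
            continue
        secret = secrets_by_name.get(ref["secret"])
        if secret is None:
            problems.append(f"{name}: secret {ref['secret']} not found in the GitLab namespace")
        elif ref["key"] not in secret.get("data", {}):
            problems.append(f"{name}: secret {ref['secret']} has no key {ref['key']}")
        elif not base64.b64decode(secret["data"][ref["key"]]):
            problems.append(f"{name}: key {ref['key']} in secret {ref['secret']} is empty")
    return problems

if __name__ == "__main__":
    print(check_ldap_secrets(LDAP_VALUES, load_secrets(SECRET_JSON)) or "all LDAP secret references resolve")
```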

We have exactly the same problem, with chart 5.9.3 on OpenShift 4.10.16…

+ /scripts/set-config /var/opt/gitlab/templates /srv/gitlab/config
Begin parsing .erb templates from /var/opt/gitlab/templates
Writing /srv/gitlab/config/cable.yml
Writing /srv/gitlab/config/database.yml
Writing /srv/gitlab/config/gitlab.yml
/var/opt/gitlab/templates/gitlab.yml.erb:115:in `read': No such file or directory @ rb_sysopen - /etc/gitlab/ldap/main/password (Errno::ENOENT)
        from /var/opt/gitlab/templates/gitlab.yml.erb:115:in `<main>'
        from /usr/lib/ruby/2.7.0/erb.rb:905:in `eval'
        from /usr/lib/ruby/2.7.0/erb.rb:905:in `result'
        from /usr/lib/ruby/2.7.0/erb.rb:890:in `run'
        from /usr/bin/erb:154:in `run'
        from /usr/bin/erb:175:in `<main>'

Hello,

I could resolve it by deleting the deployments the operator should manage and letting the operator recreate them; now it seems to be working.

Thanks for reaching out!

Based on this description, I think the root cause here is #581 (closed). This was fixed by !489 (merged), which was included in the Operator starting with version 0.10.0.

I recommend upgrading to 0.10.0 - let me know if that addresses the issue for you :+1: