From d60127b619785b5d9331ae33fa27c8f1afd09b32 Mon Sep 17 00:00:00 2001 From: Tobias Huste Date: Fri, 15 Aug 2025 14:18:44 +0200 Subject: [PATCH 1/3] Make monitoring whitelist variable configurable --- roles/gitlab/README.md | 8 ++++++++ roles/gitlab/defaults/main.yml | 2 ++ roles/gitlab/templates/gitlab.rb.j2 | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/gitlab/README.md b/roles/gitlab/README.md index 1733d91..e70cbf1 100644 --- a/roles/gitlab/README.md +++ b/roles/gitlab/README.md @@ -392,6 +392,14 @@ gitlab_postgresql_db_password: 'changeme' **Caution: You have to use your own private and encrypted password here.** +#### Configure monitoring whitelist for Gitlab rails + +Configure the monitoring whitelist for GitLab-Rails: + +```yaml +gitlab_rails_monitoring_whitelist: ["{{ gitlab_ip_range }}"] +``` + #### Configure GitLab Registry Enable GitLab container registry: diff --git a/roles/gitlab/defaults/main.yml b/roles/gitlab/defaults/main.yml index 832239e..3321952 100644 --- a/roles/gitlab/defaults/main.yml +++ b/roles/gitlab/defaults/main.yml @@ -95,6 +95,8 @@ gitlab_mattermost_only_context: "false" gitlab_feature_flags: [] +gitlab_rails_monitoring_whitelist: ["{{ gitlab_ip_range }}"] + # Internal variable to determine whether the configuration object for Gitaly # is already present in gitlab_additional_configurations __gitaly_configuration_exists: false diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/gitlab/templates/gitlab.rb.j2 index cfbb2c6..baef7fc 100644 --- a/roles/gitlab/templates/gitlab.rb.j2 +++ b/roles/gitlab/templates/gitlab.rb.j2 
@@ -28,7 +28,7 @@ gitlab_rails['redis_sentinels'] = [ gitlab_rails['redis_sentinels_password'] = "{{ gitlab_redis_sentinel_password }}" {% endif %} {% endif %} -gitlab_rails['monitoring_whitelist'] = ["{{ gitlab_ip_range }}"] +gitlab_rails['monitoring_whitelist'] = ["{{ gitlab_rails_monitoring_whitelist | join('","') }}"] {% if gitlab_use_internal_gitaly %} {% if not __gitaly_configuration_exists %} From 4c2072cc089bf5f12b45688c2c00321b219428e8 Mon Sep 17 00:00:00 2001 From: Tobias Huste Date: Mon, 18 Aug 2025 06:35:59 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Norman Ziegner --- roles/gitlab/README.md | 3 ++- roles/gitlab/defaults/main.yml | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/gitlab/README.md b/roles/gitlab/README.md index e70cbf1..259a801 100644 --- a/roles/gitlab/README.md +++ b/roles/gitlab/README.md @@ -397,7 +397,8 @@ gitlab_postgresql_db_password: 'changeme' Configure the monitoring whitelist for GitLab-Rails: ```yaml -gitlab_rails_monitoring_whitelist: ["{{ gitlab_ip_range }}"] +gitlab_rails_monitoring_whitelist: + - "{{ gitlab_ip_range }}" ``` #### Configure GitLab Registry diff --git a/roles/gitlab/defaults/main.yml b/roles/gitlab/defaults/main.yml index 3321952..e7ce2cb 100644 --- a/roles/gitlab/defaults/main.yml +++ b/roles/gitlab/defaults/main.yml @@ -95,8 +95,9 @@ gitlab_mattermost_only_context: "false" gitlab_feature_flags: [] -gitlab_rails_monitoring_whitelist: ["{{ gitlab_ip_range }}"] - +# List of IP addresses or IP ranges that are allowed to access monitoring endpoints +gitlab_rails_monitoring_whitelist: + - "{{ gitlab_ip_range }}" # Internal variable to determine whether the configuration object for Gitaly # is already present in gitlab_additional_configurations __gitaly_configuration_exists: false From 6ac999f21527d18abc7c952ca8af598b494c1f0f Mon Sep 17 00:00:00 2001 
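Review bot: The comment added above `gitlab_rails_monitoring_whitelist` in roles/gitlab/defaults/main.yml (PATCH 2/3) does not state that the value must be a YAML list. The template's `join` iterates a plain string character by character, so a scalar override such as a single CIDR string would render one allowlist entry per character instead of failing. I would extend the comment to `# Must be a list of IP address / CIDR strings allowed to access monitoring endpoints; a bare string is not accepted.` The same hunk also drops the blank line that separated this variable from the `# Internal variable ...` comment, which makes that comment read as if it belonged to the whitelist; restoring the blank line keeps the stanzas apart.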
From: Tobias Huste Date: Mon, 18 Aug 2025 09:59:10 +0200 Subject: [PATCH 3/3] Fix monitoring whitelist when empty list is specified Co-authored-by: Norman Ziegner --- roles/gitlab/templates/gitlab.rb.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/gitlab/templates/gitlab.rb.j2 index baef7fc..baedbf6 100644 --- a/roles/gitlab/templates/gitlab.rb.j2 +++ b/roles/gitlab/templates/gitlab.rb.j2 @@ -28,7 +28,7 @@ gitlab_rails['redis_sentinels'] = [ gitlab_rails['redis_sentinels_password'] = "{{ gitlab_redis_sentinel_password }}" {% endif %} {% endif %} -gitlab_rails['monitoring_whitelist'] = ["{{ gitlab_rails_monitoring_whitelist | join('","') }}"] +gitlab_rails['monitoring_whitelist'] = [{{ gitlab_rails_monitoring_whitelist | map('to_json') | join(', ') }}] {% if gitlab_use_internal_gitaly %} {% if not __gitaly_configuration_exists %}
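Review bot: On the new `monitoring_whitelist` line, `map('to_json')` emits double-quoted literals, but gitlab.rb is evaluated as Ruby, where a double-quoted string still expands `#{...}`, and JSON escaping leaves `#` untouched. The entries are therefore quoted but not strictly treated as data. Since every legitimate value is an IP address or CIDR range, I would validate the variable before the template task runs, for example with an `ansible.builtin.assert` on `gitlab_rails_monitoring_whitelist is sequence and gitlab_rails_monitoring_whitelist is not string` plus a per-entry address check. That also catches a scalar override, which `map` would otherwise split into single characters. Separately, an empty list now renders `[]`, which presumably replaces GitLab's built-in default rather than falling back to it, so it is worth documenting whether "no client may reach the monitoring endpoints" is the intended meaning.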