Merge pull request #467 from tobiashuste/monitoring-whitelist

Normo · web-flow · commit 7f0bec571935 · 2025-08-18T12:38:24.000+02:00
Make monitoring whitelist variable configurable
diff --git a/roles/gitlab/README.md b/roles/gitlab/README.md
@@ -392,6 +392,15 @@ gitlab_postgresql_db_password: 'changeme'
 
 **Caution: You have to use your own private and encrypted password here.**
 
+#### Configure monitoring whitelist for Gitlab rails
+
+Configure the monitoring whitelist for GitLab-Rails:
+
+```yaml
+gitlab_rails_monitoring_whitelist:
+  - "{{ gitlab_ip_range }}"
+```
+
 #### Configure GitLab Registry
 
 Enable GitLab container registry:
diff --git a/roles/gitlab/defaults/main.yml b/roles/gitlab/defaults/main.yml
@@ -95,6 +95,9 @@ gitlab_mattermost_only_context: "false"
 
 gitlab_feature_flags: []
 
+# List of IP addresses or IP ranges that are allowed to access monitoring endpoints
+gitlab_rails_monitoring_whitelist:
+  - "{{ gitlab_ip_range }}"
 # Internal variable to determine whether the configuration object for Gitaly
 # is already present in gitlab_additional_configurations
 __gitaly_configuration_exists: false
diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/gitlab/templates/gitlab.rb.j2
@@ -28,7 +28,7 @@ gitlab_rails['redis_sentinels'] = [
 gitlab_rails['redis_sentinels_password'] = "{{ gitlab_redis_sentinel_password }}"
 {% endif %}
 {% endif %}
-gitlab_rails['monitoring_whitelist'] = ["{{ gitlab_ip_range }}"]
+gitlab_rails['monitoring_whitelist'] = [{{ gitlab_rails_monitoring_whitelist | map('to_json') | join(', ') }}]
 
 {% if gitlab_use_internal_gitaly %}
 {% if not __gitaly_configuration_exists %}
