Add basic support for Gitaly TLS
What does this MR do?
This enables Gitaly TLS for a Hybrid Cloud Native environment via the `gitaly_tls_enabled` variable. SSL certs have to be manually generated and installed in `/etc/gitlab/ssl/{cert,key}.pem`.

The root and intermediate certificates have to be set in the Helm Chart via the `global.certificates.customCAs` variable.

For UBI containers, `global.extraEnv` has to have `SSL_CERT_FILE` set to `/etc/pki/tls/certs/ca-bundle.crt` until gitlab-org/charts/gitlab#3032 (closed) is resolved.

Neither Praefect nor the internal load balancer is supported at the moment.
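A worked configuration for the settings described above, added here as an example; it is not part of this MR or of the GET project's own code. The `gitaly_tls_enabled` line is assumed to live in the GET Ansible inventory `vars.yml`; the Secret names `gitaly-root-ca` and `gitaly-intermediate-ca` are placeholders; the `customCAs` list-of-`secret` shape and the `extraEnv` map follow the GitLab Helm chart's documented structure.

```yaml
# Added example (not from this MR): GET Ansible vars plus the matching GitLab
# Helm chart values for a Hybrid Cloud Native environment with Gitaly TLS.

# --- GET Ansible inventory vars.yml (assumed location) ---
# Turn on TLS for Gitaly. The cert/key pair is generated out of band and
# installed on the Gitaly nodes as /etc/gitlab/ssl/cert.pem and
# /etc/gitlab/ssl/key.pem; GET does not generate them.
gitaly_tls_enabled: true

---
# --- GitLab Helm chart values.yaml (Kubernetes side) ---
global:
  certificates:
    # Secrets holding the root and intermediate CA certificates that signed
    # the Gitaly cert, so the chart's components trust the Gitaly TLS endpoint.
    # Secret names are placeholders; create each Secret beforehand, e.g.
    #   kubectl create secret generic gitaly-root-ca --from-file=root.crt
    customCAs:
      - secret: gitaly-root-ca
      - secret: gitaly-intermediate-ca
  extraEnv:
    # UBI images: point OpenSSL at the system bundle the custom CAs are merged
    # into, until gitlab-org/charts/gitlab#3032 is resolved.
    SSL_CERT_FILE: /etc/pki/tls/certs/ca-bundle.crt
```

After applying the values, a quick sanity check from a pod in the chart is to confirm that the CA files from both Secrets are present under the chart's custom CA mount and that `SSL_CERT_FILE` resolves to the bundle path above; if either is missing, Gitaly connections from UBI-based components fail TLS verification rather than falling back to plaintext.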
Related issues
Author's checklist
When ready for review, the Author applies the `workflow::ready for review` label and mentions @gl-quality/get-maintainers:

- Merge request:
  - Corresponding Issue raised and reviewed by the GET maintainers team.
  - Merge Request Title and Description are up to date, accurate, and descriptive.
  - MR targeting the appropriate branch.
  - MR has a green pipeline.
  - MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
- Code:
  - Check the area changed works as expected. Consider testing it in different environment sizes (1k, 3k, 10k, etc.).
  - Documentation created/updated in the same MR.
  - If this MR adds an optional configuration, check that all permutations continue to work.
  - For Terraform changes: set up a previous version environment, then run a `terraform plan` with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided, please add a comment to the current MR.
  - Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Stan Hu