Documentation: Clarify TLS config for praefect and gitaly
What does this MR do and why?
Feedback was received under #336429 (closed):
The TLS documentation is incorrect (https://docs.gitlab.com/ee/administration/reference_architectures/3k_users.html#gitaly-cluster-tls-support and in all other places)
- If you activate TLS in Praefect & Gitaly, the `git_data_dirs` port has to be 3305. In all places of the documentation that mention TLS in Gitaly Cluster, the Port is stated as 2305, which is the Non-TLS Port.
- The documentation does not state that Praefect TLS only works when Gitaly also has TLS. At the beginning, we only had Praefect TLS and Gitaly on TCP. We found in the Gitaly code that Gitaly looks for the origin of the call and uses that to select the Praefect Port. So if Praefect accesses the Gitaly TCP port, Gitaly calls the Praefect TCP port, even though it won't be open. So TLS only works when both components have `tls_listen_addr` configured. Generally, naming isn't ideal as TLS is also via TCP.
This MR attempts to clarify the above points and correct our documentation.
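The two points from the feedback can be expressed as a consistency check. The following is an added example, not code from this MR or from GitLab: the flattened settings dictionary, its key names other than `tls_listen_addr`, the host names, and the Gitaly ports 8075 and 9999 are constructed for illustration.

```python
from urllib.parse import urlsplit

def port_of(listen_addr):
    """Port of a 'host:port' listener string, or None when the listener is unset."""
    return int(listen_addr.rsplit(":", 1)[1]) if listen_addr else None

def check_tls_consistency(cfg):
    """Return findings for a flattened (hypothetical) view of the cluster settings."""
    findings = []
    tls_port = port_of(cfg.get("praefect_tls_listen_addr"))
    tcp_port = port_of(cfg.get("praefect_listen_addr"))
    client = urlsplit(cfg["git_data_dirs_address"])
    # Point 1: a tls:// address in git_data_dirs must target Praefect's TLS listener.
    if client.scheme == "tls" and tls_port is None:
        findings.append("git_data_dirs uses tls:// but Praefect has no tls_listen_addr")
    elif client.scheme == "tls" and client.port != tls_port:
        kind = "the non-TLS port" if client.port == tcp_port else "not a Praefect listener"
        findings.append(f"git_data_dirs port {client.port} is {kind}; expected {tls_port}")
    # Point 2: Praefect TLS only works when every Gitaly node also has TLS,
    # because Gitaly picks the Praefect port from the origin of the call.
    if tls_port is not None:
        for name, node in cfg["gitaly_nodes"].items():
            if not node.get("tls_listen_addr"):
                findings.append(f"{name}: Praefect has TLS but Gitaly has no tls_listen_addr")
            elif urlsplit(node["praefect_dials"]).scheme != "tls":
                findings.append(f"{name}: Praefect dials this node without tls://")
    return findings

# Constructed sample settings: the documented mistake, then the corrected layout.
BROKEN = {
    "git_data_dirs_address": "tls://praefect.example.internal:2305",
    "praefect_listen_addr": "0.0.0.0:2305",
    "praefect_tls_listen_addr": "0.0.0.0:3305",
    "gitaly_nodes": {"gitaly-1": {"tls_listen_addr": None,
                                  "praefect_dials": "tcp://gitaly-1.example.internal:8075"}},
}
FIXED = {
    "git_data_dirs_address": "tls://praefect.example.internal:3305",
    "praefect_listen_addr": "0.0.0.0:2305",
    "praefect_tls_listen_addr": "0.0.0.0:3305",
    "gitaly_nodes": {"gitaly-1": {"tls_listen_addr": "0.0.0.0:9999",
                                  "praefect_dials": "tls://gitaly-1.example.internal:9999"}},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_tls_consistency(cfg) or "consistent")
```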
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Mark Wood