
Documentation: Clarify TLS config for praefect and gitaly

Mark Wood requested to merge gitaly-update-tls-config into master

What does this MR do and why?


Feedback was received under #336429 (closed):

The TLS documentation is incorrect (https://docs.gitlab.com/ee/administration/reference_architectures/3k_users.html#gitaly-cluster-tls-support and in all other places)

  • If you activate TLS in Praefect & Gitaly, the git_data_dirs port has to be 3305. In all places of the documentation that mention TLS in Gitaly Cluster, the port is stated as 2305, which is the non-TLS port.
  • The documentation does not state that Praefect TLS only works when Gitaly also has TLS. At the beginning, we only had Praefect TLS and Gitaly on TCP. We found in the Gitaly code that Gitaly looks for the origin of the call and uses that to select the Praefect port. So if Praefect accesses the Gitaly TCP port, Gitaly calls the Praefect TCP port, even though it won't be open. So TLS only works when both components have tls_listen_addr configured. Generally, the naming isn't ideal, as TLS is also via TCP.

This MR attempts to clarify the above points and correct our documentation.
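As an added illustration of the two points above (this is example code written for this page, not part of the MR, GitLab, or Praefect), the Ruby script below checks a gitlab.rb-style settings hash for the two misconfigurations the feedback describes: a tls:// gitaly_address that still points at Praefect's non-TLS port, and a Praefect with tls_listen_addr set while Gitaly has none. The ports 3305 (Praefect TLS) and 2305 (Praefect non-TLS) come from the feedback; the Gitaly ports 9999/8075, the hostnames, and the expectation that Praefect's virtual_storages node addresses use tls:// when Praefect itself is TLS-enabled are assumptions for the sample and not something this MR states.

```ruby
require 'uri'

# Example checker, not GitLab/Praefect code. The hashes mimic the shape of
# gitlab.rb settings but are hand-constructed samples for this page.

# Split "tls://host:3305" into [scheme, host, port]. Only tcp:// and tls:// are
# meaningful for gitaly_address / node addresses.
def parse_address(addr)
  uri = URI.parse(addr)
  raise ArgumentError, "unsupported scheme in #{addr}" unless %w[tcp tls].include?(uri.scheme)
  [uri.scheme, uri.host, uri.port]
end

# Port of a "host:port" listen address such as "0.0.0.0:3305".
def listen_port(listen_addr)
  listen_addr.split(':').last.to_i
end

# Returns a list of human-readable findings; empty means the TLS settings are consistent.
def check_cluster_tls(git_data_dirs:, praefect:, gitaly:)
  findings = []
  praefect_tls_port = praefect.key?('tls_listen_addr') ? listen_port(praefect['tls_listen_addr']) : nil
  gitaly_tls_port   = gitaly.key?('tls_listen_addr') ? listen_port(gitaly['tls_listen_addr']) : nil

  # Second point from the feedback: Praefect TLS only works when Gitaly has TLS too.
  if praefect_tls_port && gitaly_tls_port.nil?
    findings << "praefect has tls_listen_addr but gitaly does not; set gitaly['tls_listen_addr'] as well"
  end

  # First point: a tls:// gitaly_address must target Praefect's TLS port, not the non-TLS one.
  git_data_dirs.each do |storage, cfg|
    scheme, _host, port = parse_address(cfg['gitaly_address'])
    if scheme == 'tls'
      if praefect_tls_port.nil?
        findings << "#{storage}: gitaly_address uses tls:// but praefect has no tls_listen_addr"
      elsif port != praefect_tls_port
        findings << "#{storage}: gitaly_address uses tls:// on port #{port}; praefect's TLS port is #{praefect_tls_port}"
      end
    elsif praefect_tls_port && port == praefect_tls_port
      findings << "#{storage}: gitaly_address uses tcp:// against praefect's TLS port #{port}"
    end
  end

  # Assumption for the sample: when Praefect is TLS-enabled, its node addresses
  # should be tls:// and point at Gitaly's tls_listen_addr port.
  praefect.fetch('virtual_storages', {}).each do |vs, vcfg|
    vcfg.fetch('nodes', {}).each do |node, ncfg|
      scheme, _host, port = parse_address(ncfg['address'])
      next unless praefect_tls_port
      if scheme != 'tls'
        findings << "#{vs}/#{node}: praefect TLS is enabled but node address is #{scheme}://"
      elsif gitaly_tls_port && port != gitaly_tls_port
        findings << "#{vs}/#{node}: node address port #{port} is not gitaly's TLS port #{gitaly_tls_port}"
      end
    end
  end
  findings
end

# Constructed sample reproducing the reported situation: tls:// on the 2305
# port, Praefect TLS enabled, Gitaly still plain TCP.
BROKEN_CONFIG = {
  git_data_dirs: { 'default' => { 'gitaly_address' => 'tls://praefect.example.com:2305' } },
  praefect: {
    'listen_addr' => '0.0.0.0:2305',
    'tls_listen_addr' => '0.0.0.0:3305',
    'virtual_storages' => { 'default' => { 'nodes' => {
      'gitaly-1' => { 'address' => 'tcp://gitaly-1.example.com:8075' }
    } } }
  },
  gitaly: { 'listen_addr' => '0.0.0.0:8075' }
}.freeze

# The same cluster with TLS configured on both sides and the 3305 port used.
FIXED_CONFIG = {
  git_data_dirs: { 'default' => { 'gitaly_address' => 'tls://praefect.example.com:3305' } },
  praefect: {
    'listen_addr' => '0.0.0.0:2305',
    'tls_listen_addr' => '0.0.0.0:3305',
    'virtual_storages' => { 'default' => { 'nodes' => {
      'gitaly-1' => { 'address' => 'tls://gitaly-1.example.com:9999' }
    } } }
  },
  gitaly: { 'listen_addr' => '0.0.0.0:8075', 'tls_listen_addr' => '0.0.0.0:9999' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts 'broken config:'
  check_cluster_tls(**BROKEN_CONFIG).each { |f| puts "  - #{f}" }
  puts "fixed config: #{check_cluster_tls(**FIXED_CONFIG).empty? ? 'no findings' : 'findings present'}"
end
```

Run with `ruby check_cluster_tls.rb`; the broken sample yields three findings (Gitaly without TLS, gitaly_address on 2305 instead of 3305, and a tcp:// node address behind a TLS-enabled Praefect) while the corrected sample yields none.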

Edited by Mark Wood
