Using the Shared-Secrets Job
Tier: Free, Premium, Ultimate
Offering: Self-managed
The shared-secrets job is responsible for provisioning a variety of secrets
used across the installation, unless otherwise manually specified. This includes:
- Initial root password
- Self-signed TLS certificates for all public services: GitLab, MinIO, and Registry
- Registry authentication certificates
- MinIO, Registry, GitLab Shell, and Gitaly secrets
- Redis and PostgreSQL passwords
- SSH host keys
- GitLab Rails secret for encrypted credentials
Installation command line options
The table below contains all the possible configurations that can be supplied to
the helm install command using the --set flag:
| Parameter | Default | Description |
|---|---|---|
enabled
| true
| See Below |
env
| production
| Rails environment |
podLabels
| Supplemental Pod labels. Will not be used for selectors. | |
annotations
| Supplemental Pod annotations. | |
image.pullPolicy
| Always
|
DEPRECATED: Use global.kubectl.image.pullPolicy instead.
|
image.pullSecrets
|
DEPRECATED: Use global.kubectl.image.pullSecrets instead.
| |
image.repository
| registry.gitlab.com/gitlab-org/build/cng/kubectl
|
DEPRECATED: Use global.kubectl.image.repository instead.
|
image.tag
| 1f8690f03f7aeef27e727396927ab3cc96ac89e7
|
DEPRECATED: Use global.kubectl.image.tag instead.
|
priorityClassName
| Priority class assigned to pods | |
rbac.create
| true
| Create RBAC roles and bindings |
resources
| resource requests, limits | |
securitContext.fsGroup
| 65534
| User ID to mount filesystems as |
securitContext.runAsUser
| 65534
| User ID to run the container as |
selfsign.caSubject
| GitLab Helm Chart
| selfsign CA Subject |
selfsign.image.repository
| registry.gitlab.com/gitlab-org/build/cnf/cfssl-self-sign
| selfsign image repository |
selfsign.image.pullSecrets
| Secrets for the image repository | |
selfsign.image.tag
| selfsign image tag | |
selfsign.keyAlgorithm
| rsa
| selfsign cert key algorithm |
selfsign.keySize
| 4096
| selfsign cert key size |
serviceAccount.enabled
| true
| Define serviceAccountName on job(s) |
serviceAccount.create
| true
| Create ServiceAccount |
serviceAccount.name
| RELEASE_NAME-shared-secrets
| Service account name to specify on job(s) (and on the serviceAccount itself if serviceAccount.create=true)
|
tolerations
| []
| Toleration labels for pod assignment |
Job configuration examples
tolerations
tolerations allow you schedule pods on tainted worker nodes
Below is an example use of tolerations:
tolerations:
- key: "node_label"
operator: "Equal"
value: "true"
effect: "NoSchedule"
- key: "node_label"
operator: "Equal"
value: "true"
effect: "NoExecute"
Disable functionality
Some users may wish to explicitly disable the functionality provided by this job.
To do this, we have provided the enabled flag as a boolean, defaulting to true.
To disable the job, pass --set shared-secrets.enabled=false, or pass the following
in a YAML via the -f flag to helm:
shared-secrets:
enabled: false
If you disable this job, you must manually create all secrets,
and provide all necessary secret content. See installation/secrets
for further details.