This document intends to provide documentation on how to configure this Helm chart with an external Gitaly service.
If you don’t have Gitaly configured, for on-premise or deployment to VM, consider using our Omnibus GitLab package.
gitaly chart and the Gitaly service it provides, and point the other services to the external service.
You need to set the following parameters:
global.gitaly.enabled: Set to
falseto disable the included Gitaly chart.
global.gitaly.host: Set to the hostname of the external Gitaly, can be a domain or an IP address.
global.gitaly.authToken.secret: The name of the secret which contains the token for authentication.
global.gitaly.authToken.key: The key within the secret, which contains the token content.
gitlab.gitaly.shell.authToken.secret: The name of the secret which contains secret for GitLab Shell.
gitlab.gitaly.shell.authToken.key: The key within the secret, which contains the secret content.
Items below can be further customized if you are not using the defaults:
global.gitaly.port: The port the service is available on, defaults to
helm install . \ --set global.gitaly.enabled=false \ --set global.gitaly.host=gitaly.example \ --set global.gitaly.authToken.secret=gitaly-secret \ --set global.gitaly.authToken.key=token
If your implementation uses multiple Gitaly nodes external to these charts, you can define multiple hosts as well. The syntax is slightly different, as to allow the complexity required.
An example values file is provided, which shows the
appropriate set of configuration. The content of this values file is not
interpreted correctly via
--set arguments, so should be passed to Helm
-f / --values flag.
If your external Gitaly server listens over TLS port, you can make your GitLab instance communicate with it over TLS. To do this, you have to
Create a Kubernetes secret containing the certificate of the Gitaly server
kubectl create secret generic gitlab-gitaly-tls-certificate --from-file=gitaly-tls.crt=<path to certificate>
Add the certificate of external Gitaly server to the list of custom Certificate Authorities In the values file, specify the following
global: certificates: customCAs: - secret: gitlab-gitaly-tls-certificate
or pass it to the
helm upgradecommand using
Enable Gitaly TLS by setting
customCAsto avoid collision since all keys within the secrets will be mounted. You do not need to provide the key for the certificate, as this is the client side.