Configure charts using globals

To reduce configuration duplication when installing our wrapper Helm chart, several configuration settings are available to be set in the global section of values.yaml. These global settings are used across several charts, while all other settings are scoped within their chart. See the Helm documentation on globals for more information on how the global variables work.

Configure Host settings

The GitLab global host settings are located under the global.hosts key.

global:
  hosts:
    domain: example.com
    hostSuffix: staging
    https: false
    externalIP:
    gitlab:
      name: gitlab.example.com
      https: false
    registry:
      name: registry.example.com
      https: false
    minio:
      name: minio.example.com
      https: false
    smartcard:
      name: smartcard.example.com
    kas:
      name: kas.example.com
    pages:
      name: pages.example.com
      https: false
    ssh: gitlab.example.com

hostSuffix

The hostSuffix is appended to the subdomain when assembling a hostname using the base domain, but is not used for hosts that have their own name set.

Defaults to being unset. If set, the suffix is appended to the subdomain with a hyphen. The example below would result in using external hostnames like gitlab-staging.example.com and registry-staging.example.com:

global:
  hosts:
    domain: example.com
    hostSuffix: staging

Configure Horizontal Pod Autoscaler settings

The GitLab global host settings for HPA are located under the global.hpa key:

Configure PodDisruptionBudget settings

The GitLab global host settings for PDB are located under the global.pdb key:

Configure CronJob settings

The GitLab global host settings for CronJobs are located under the global.batch.cronJob key:

Configure Monitoring settings

The GitLab global settings for ServiceMonitors and PodMonitors are located under the global.monitoring key:

Configure Ingress settings

The GitLab global host settings for Ingress are located under the global.ingress key:

Sample configurations for various cloud providers can be found in the examples folder.

• AWS
• GKE

Ingress Path

This chart employs global.ingress.path as a means to assist those users that need to alter the definition of path entries for their Ingress objects. Many users have no need for this setting, and should not configure it.

For those users who need to have their path definitions end in /* to match their load balancer / proxy behaviors, such as when using ingress.class: gce in GCP, ingress.class: alb in AWS, or another such provider.

This setting ensures that all path entries in Ingress resources throughout this chart are rendered with this. The only exception is when populating the gitlab/webservice deployments settings, where path must be specified.

Cloud provider LoadBalancers

Various cloud providers’ LoadBalancer implementations have an impact on configuration of the Ingress resources and NGINX controller deployed as part of this chart. The next table provides examples.

global.ingress.configureCertmanager

Global setting that controls the automatic configuration of cert-manager for Ingress objects. If true, relies on certmanager-issuer.email being set.

If false and global.ingress.tls.secretName is not set, and global.ingress.tls.enabled is true or unset, then this will activate automatic self-signed certificate generation, which creates a wildcard certificate for all Ingress objects.

If you wish to use an external cert-manager, you must provide the following:

• gitlab.webservice.ingress.tls.secretName
• registry.ingress.tls.secretName
• minio.ingress.tls.secretName
• global.ingress.annotations

global.ingress.useNewIngressForCerts

Global setting that changes the behavior of the cert-manager to perform the ACME challenge validation with a new Ingress created dynamically each time.

The default logic (when global.ingress.useNewIngressForCerts is false) reuses existing Ingresses for validation. This default is not suitable in some situations. Setting the flag to true will mean that a new Ingress object is created for each validation.

global.ingress.useNewIngressForCerts cannot be set to true when used with GKE Ingress Controllers.

GitLab Version

The GitLab version used in the default image tag for the charts can be changed using the global.gitlabVersion key:

--set global.gitlabVersion=11.0.1

This impacts the default image tag used in the webservice, sidekiq, and migration charts. Note that the gitaly, gitlab-shell and gitlab-runner image tags should be separately updated to versions compatible with the GitLab version.

Adding suffix to all image tags

If you wish to add a suffix to the name of all images used in the Helm chart, you can use the global.image.tagSuffix key. An example of this use case might be if you wish to use FIPS-compliant container images from GitLab, which are all built with the -fips extension to the image tag.

--set global.image.tagSuffix="-fips"

Custom time zone for all containers

If you wish to set a custom time zone for all the GitLab containers, you can use the global.time_zone key. Refer to TZ identifier on the List of tz database time zones for the available values. Default is UTC.

--set global.time_zone="America/Chicago"

Configure PostgreSQL settings

The GitLab global PostgreSQL settings are located under the global.psql key. GitLab is using two database connections: one for main database and one for ci. By default, they point to the same PostgreSQL database.

The values under global.psql are defaults and are applied to both database configurations. If you want to use two databases, you can specify the connection details in global.psql.main and global.psql.ci.

global:
  psql:
    host: psql.example.com
    # serviceName: pgbouncer
    port: 5432
    database: gitlabhq_production
    username: gitlab
    applicationName:
    preparedStatements: false
    databaseTasks: true
    connectTimeout:
    keepalives:
    keepalivesIdle:
    keepalivesInterval:
    keepalivesCount:
    tcpUserTimeout:
    password:
      useSecret: true
      secret: gitlab-postgres
      key: psql-password
      file:
    main: {}
      # host: postgresql-main.hostedsomewhere.else
      # ...
    ci: {}
      # host: postgresql-ci.hostedsomewhere.else
      # ...

PostgreSQL per chart

In some complex deployments, it may be desired to configure different parts of this chart with different configurations for PostgreSQL. As of v4.2.0, all properties available within global.psql can be set on a per-chart basis, for example gitlab.sidekiq.psql. The local settings will override global values when supplied, inheriting any not present from global.psql, with the exception of psql.load_balancing.

PostgreSQL load balancing will never inherit from the global, by design.

PostgreSQL SSL

If you want to connect GitLab with a PostgreSQL database over mutual TLS, create a secret containing the client key, client certificate and server certificate authority as different secret keys. Then describe the secret’s structure using the global.psql.ssl mapping.

global:
  psql:
    ssl:
      secret: db-example-ssl-secrets # Name of the secret
      clientCertificate: cert.pem    # Secret key storing the certificate
      clientKey: key.pem             # Secret key of the certificate's key
      serverCA: server-ca.pem        # Secret key containing the CA for the database server

You may also need to set extraEnv values to export environment values to point to the correct keys.

global:
  extraEnv:
      PGSSLCERT: '/etc/gitlab/postgres/ssl/client-certificate.pem'
      PGSSLKEY: '/etc/gitlab/postgres/ssl/client-key.pem'
      PGSSLROOTCERT: '/etc/gitlab/postgres/ssl/server-ca.pem'

PostgreSQL load balancing

This feature requires the use of an external PostgreSQL, as this chart does not deploy PostgreSQL in an HA fashion.

The Rails components in GitLab have the ability to make use of PostgreSQL clusters to load balance read-only queries.

This feature can be configured in two fashions:

• Using a static lists of hostnames for the secondaries.
• Using a DNS based service discovery mechanism.

Configuration with a static list of is straight forward:

global:
  psql:
    host: primary.database
    load_balancing:
       hosts:
       - secondary-1.database
       - secondary-2.database

Configuration of service discovery can be more complex. For a complete details of this configuration, the parameters and their associated behaviors, see Service Discovery in the GitLab Administration documentation.

global:
  psql:
    host: primary.database
    load_balancing:
      discover:
        record:  secondary.postgresql.service.consul
        # record_type: A
        # nameserver: localhost
        # port: 8600
        # interval: 60
        # disconnect_timeout: 120
        # use_tcp: false
        # max_replica_pools: 30

Further tuning is also available, in regards to the handling of stale reads. The GitLab Administration documentation covers these items in detail, and those properties can be added directly under load_balancing.

global:
  psql:
    load_balancing:
      max_replication_difference: # See documentation
      max_replication_lag_time:   # See documentation
      replica_check_interval:     # See documentation

Configure multiple database connections

In GitLab 16.0, GitLab defaults to using two database connections that point to the same PostgreSQL database.

Configure Redis settings

The GitLab global Redis settings are located under the global.redis key.

By default we use an single, non-replicated Redis instance. If a highly available Redis is required, we recommend using an external Redis instance.

You can bring an external Redis instance by setting redis.install=false, and following our advanced documentation for configuration.

global:
  redis:
    host: redis.example.com
    serviceName: redis
    database: 7
    port: 6379
    auth:
      enabled: true
      secret: gitlab-redis
      key: redis-password
    scheme:

Configure Redis chart-specific settings

Settings to configure the Redis chart directly are located under the redis key:

redis:
  install: true
  image:
    registry: registry.example.com
    repository: example/redis
    tag: x.y.z

Refer to the full list of settings for more information.

Redis Sentinel support

The current Redis Sentinel support only supports Sentinels that have been deployed separately from the GitLab chart. As a result, the Redis deployment through the GitLab chart should be disabled with redis.install=false. The Kubernetes Secret containing the Redis password will need to be manually created before deploying the GitLab chart.

The installation of an HA Redis cluster from the GitLab chart does not support using sentinels. If sentinel support is desired, a Redis cluster needs to be created separately from the GitLab chart install. This can be done inside or outside the Kubernetes cluster.

An issue to track the supporting of sentinels in a GitLab deployed Redis cluster has been created for tracking purposes.

redis:
  install: false
global:
  redis:
    host: redis.example.com
    serviceName: redis
    port: 6379
    sentinels:
      - host: sentinel1.example.com
        port: 26379
      - host: sentinel2.example.com
        port: 26379
    auth:
      enabled: true
      secret: gitlab-redis
      key: redis-password

All the prior Redis attributes in the general configure Redis settings continue to apply with the Sentinel support unless re-specified in the table above.

Redis Sentinel password support

redis:
  install: false
global:
  redis:
    host: redis.example.com
    serviceName: redis
    port: 6379
    sentinels:
      - host: sentinel1.example.com
        port: 26379
      - host: sentinel2.example.com
        port: 26379
    auth:
      enabled: true
      secret: gitlab-redis
      key: redis-password
    sentinelAuth:
      enabled: false
      secret: gitlab-redis-sentinel
      key: sentinel-password

global.redis.sentinelAuth can be used to configure a Sentinel password for all Sentinel instances.

Note that sentinelAuth cannot be overridden with Redis instance-specific settings or global.redis.redisYmlOverride.

Multiple Redis support

The GitLab chart includes support for running with separate Redis instances for different persistence classes, currently:

Any number of the instances may be specified. Any instances not specified will be handled by the primary Redis instance specified by global.redis.host or use the deployed Redis instance from the chart. The only exception is for the GitLab agent server (KAS), which looks for Redis configuration in the following order:

1. global.redis.kas
2. global.redis.sharedState
3. global.redis.host

For example:

redis:
  install: false
global:
  redis:
    host: redis.example
    port: 6379
    auth:
      enabled: true
      secret: redis-secret
      key: redis-password
    actioncable:
      host: cable.redis.example
      port: 6379
      password:
        enabled: true
        secret: cable-secret
        key: cable-password
    cache:
      host: cache.redis.example
      port: 6379
      password:
        enabled: true
        secret: cache-secret
        key: cache-password
    kas:
      host: kas.redis.example
      port: 6379
      password:
        enabled: true
        secret: kas-secret
        key: kas-password
    queues:
      host: queues.redis.example
      port: 6379
      password:
        enabled: true
        secret: queues-secret
        key: queues-password
    rateLimiting:
      host: rateLimiting.redis.example
      port: 6379
      password:
        enabled: true
        secret: rateLimiting-secret
        key: rateLimiting-password
    repositoryCache:
      host: repositoryCache.redis.example
      port: 6379
      password:
        enabled: true
        secret: repositoryCache-secret
        key: repositoryCache-password
    sessions:
      host: sessions.redis.example
      port: 6379
      password:
        enabled: true
        secret: sessions-secret
        key: sessions-password
    sharedState:
      host: shared.redis.example
      port: 6379
      password:
        enabled: true
        secret: shared-secret
        key: shared-password
    traceChunks:
      host: traceChunks.redis.example
      port: 6379
      password:
        enabled: true
        secret: traceChunks-secret
        key: traceChunks-password
    workhorse:
      host: workhorse.redis.example
      port: 6379
      password:
        enabled: true
        secret: workhorse-secret
        key: workhorse-password

The following table describes the attributes for each dictionary of the Redis instances.

The primary Redis definition is required as there are additional persistence classes that have not been separated.

Each instance definition may also use Redis Sentinel support. Sentinel configurations are not shared and needs to be specified for each instance that uses Sentinels. Please refer to the Sentinel configuration for the attributes that are used to configure Sentinel servers.

Specify secure Redis scheme (SSL)

To connect to Redis with SSL:

1. Update your configuration to use the rediss (double s) scheme parameter.

2. In your configuration, set authClients to false:

   global:
     redis:
       scheme: rediss
   redis:
     tls:
       enabled: true
       authClients: false

   This configuration is required because Redis defaults to mutual TLS, which not all chart components support.

3. Follow Bitnami’s steps to enable TLS. Make sure the chart components trust the certificate authority used to create Redis certificates.

4. Optional. If you use a custom certificate authority, see the Custom Certificate Authorities global configuration.

Password-less Redis Servers

Some Redis services such as Google Cloud Memorystore do not make use of passwords and the associated AUTH command. The use and requirement for a password can be disabled via the following configuration setting:

global:
  redis:
    auth:
      enabled: false
    host: ${REDIS_PRIVATE_IP}
redis:
  enabled: false

Configure Registry settings

The global Registry settings are located under the global.registry key.

global:
  registry:
    bucket: registry
    certificate:
    httpSecret:
    notificationSecret:
    notifications: {}
    ## Settings used by other services, referencing registry:
    enabled: true
    host:
    api:
      protocol: http
      serviceName: registry
      port: 5000
    tokenIssuer: gitlab-issuer

For more details on bucket, certificate, httpSecret, and notificationSecret settings, see the documentation within the registry chart.

For details on enabled, host, api and tokenIssuer see documentation for command line options and Webservice

host is used to override autogenerated external registry hostname reference.

notifications

This setting is used to configure Registry notifications. It takes in a map (following upstream specification), but with an added feature of providing sensitive headers as Kubernetes secrets. For example, consider the following snippet where the Authorization header contains sensitive data while other headers contain regular data:

global:
  registry:
    notifications:
      events:
        includereferences: true
      endpoints:
        - name: CustomListener
          url: https://mycustomlistener.com
          timeout: 500mx
          # DEPRECATED: use `maxretries` instead https://gitlab.com/gitlab-org/container-registry/-/issues/1243.
          # When using `maxretries`, `threshold` is ignored: https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#endpoints
          threshold: 5
          maxretries: 5
          backoff: 1s
          headers:
            X-Random-Config: [plain direct]
            Authorization:
              secret: registry-authorization-header
              key: password

In this example, the header X-Random-Config is a regular header and its value can be provided in plaintext in the values.yaml file or via --set flag. However, the header Authorization is a sensitive one, so mounting it from a Kubernetes secret is preferred. For details regarding the structure of the secret, refer the secrets documentation

Configure Gitaly settings

The global Gitaly settings are located under the global.gitaly key.

global:
  gitaly:
    internal:
      names:
        - default
        - default2
    external:
      - name: node1
        hostname: node1.example.com
        port: 8075
    authToken:
      secret: gitaly-secret
      key: token
    tls:
      enabled: true
      secretName: gitlab-gitaly-tls

Gitaly hosts

Gitaly is a service that provides high-level RPC access to Git repositories, which handles all Git calls made by GitLab.

Administrators can chose to use Gitaly nodes in the following ways:

• Internal to the chart, as part of a StatefulSet via the Gitaly chart.
• External to the chart, as external pets.
• Mixed environment using both internal and external nodes.

See Repository Storage Paths documentation for details on managing which nodes will be used for new projects.

If gitaly.host is provided, gitaly.internal and gitaly.external properties will be ignored. See the deprecated Gitaly settings.

The Gitaly authentication token is expected to be identical for all Gitaly services at this time, internal or external. Ensure these are aligned. See issue #1992 for further details.

internal

The internal key currently consists of only one key, names, which is a list of storage names to be managed by the chart. For each listed name, in logical order, one pod will be spawned, named ${releaseName}-gitaly-${ordinal}, where ordinal is the index within the names list. If dynamic provisioning is enabled, the PersistentVolumeClaim will match.

This list defaults to ['default'], which provides for 1 pod related to one storage path.

Manual scaling of this item is required, by adding or removing entries in gitaly.internal.names. When scaling down, any repository that has not been moved to another node will become unavailable. Since the Gitaly chart is a StatefulSet, dynamically provisioned disks will not be reclaimed. This means the data disks will persist, and the data on them can be accessed when the set is scaled up again by re-adding a node to the names list.

A sample configuration of multiple internal nodes can be found in the examples folder.

external

The external key provides a configuration for Gitaly nodes external to the cluster. Each item of this list has 3 keys:

• name: The name of the storage. An entry with name: default is required.
• hostname: The host of Gitaly services.
• port: (optional) The port number to reach the host on. Defaults to 8075.
• tlsEnabled: (optional) Override global.gitaly.tls.enabled for this particular entry.

We provide an advanced configuration guide for using an external Gitaly service. You can also find sample configuration of multiple external services in the examples folder.

You may use an external Praefect to provide highly available Gitaly services. Configuration of the two is interchangeable, as from the viewpoint of the clients, there is no difference.

Mixed

It is possible to use both internal and external Gitaly nodes, but be aware that:

• There must always be a node named default, which Internal provides by default.
• External nodes will be populated first, then Internal.

A sample configuration of mixed internal and external nodes can be found in the examples folder.

authToken

The authToken attribute for Gitaly has two sub keys:

• secret defines the name of the Kubernetes Secret to pull from.
• key defines the name of the key in the above secret that contains the authToken.

All Gitaly nodes must share the same authentication token.

Deprecated Gitaly settings

TLS settings

Configuring Gitaly to serve via TLS is detailed in the Gitaly chart’s documentation.

Configure Praefect settings

The global Praefect settings are located under the global.praefect key.

Praefect is disabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will need to be manually created on the default PostgreSQL instance.

Enable Praefect

To enable Praefect with default settings, set global.praefect.enabled=true.

For more information, see Gitaly Cluster (Praefect).

Global settings for Praefect

global:
  praefect:
    enabled: false
    virtualStorages:
    - name: default
      gitalyReplicas: 3
      maxUnavailable: 1
    dbSecret: {}
    psql: {}

Configure MinIO settings

The GitLab global MinIO settings are located under the global.minio key. For more details on these settings, see the documentation within the MinIO chart.

global:
  minio:
    enabled: true
    credentials: {}

Configure appConfig settings

The Webservice, Sidekiq, and Gitaly charts share multiple settings, which are configured with the global.appConfig key.

global:
  appConfig:
    # cdnHost:
    relativeUrlRoot: ""
    contentSecurityPolicy:
      enabled: false
      report_only: true
      # directives: {}
    enableUsagePing: true
    enableSeatLink: true
    enableImpersonation: true
    applicationSettingsCacheSeconds: 60
    usernameChangingEnabled: true
    issueClosingPattern:
    defaultTheme:
    defaultColorMode:
    defaultSyntaxHighlightingTheme:
    defaultProjectsFeatures:
      issues: true
      mergeRequests: true
      wiki: true
      snippets: true
      builds: true
      containerRegistry: true
    webhookTimeout:
    gravatar:
      plainUrl:
      sslUrl:
    extra:
      googleAnalyticsId:
      matomoUrl:
      matomoSiteId:
      matomoDisableCookies:
      oneTrustId:
      googleTagManagerNonceId:
      bizible:
    object_store:
      enabled: false
      proxy_download: true
      storage_options: {}
      connection: {}
    lfs:
      enabled: true
      proxy_download: true
      bucket: git-lfs
      connection: {}
    artifacts:
      enabled: true
      proxy_download: true
      bucket: gitlab-artifacts
      connection: {}
    uploads:
      enabled: true
      proxy_download: true
      bucket: gitlab-uploads
      connection: {}
    packages:
      enabled: true
      proxy_download: true
      bucket: gitlab-packages
      connection: {}
    externalDiffs:
      enabled:
      when:
      proxy_download: true
      bucket: gitlab-mr-diffs
      connection: {}
    terraformState:
      enabled: false
      bucket: gitlab-terraform-state
      connection: {}
    ciSecureFiles:
      enabled: false
      bucket: gitlab-ci-secure-files
      connection: {}
    dependencyProxy:
      enabled: false
      bucket: gitlab-dependency-proxy
      connection: {}
    backups:
      bucket: gitlab-backups
    microsoft_graph_mailer:
      enabled: false
      user_id: "YOUR-USER-ID"
      tenant: "YOUR-TENANT-ID"
      client_id: "YOUR-CLIENT-ID"
      client_secret:
        secret:
        key: secret
      azure_ad_endpoint: "https://login.microsoftonline.com"
      graph_endpoint: "https://graph.microsoft.com"
    incomingEmail:
      enabled: false
      address: ""
      host: "imap.gmail.com"
      port: 993
      ssl: true
      startTls: false
      user: ""
      password:
        secret:
        key: password
      mailbox: inbox
      idleTimeout: 60
      inboxMethod: "imap"
      clientSecret:
        key: secret
      pollInterval: 60
      deliveryMethod: webhook
      authToken: {}

    serviceDeskEmail:
      enabled: false
      address: ""
      host: "imap.gmail.com"
      port: 993
      ssl: true
      startTls: false
      user: ""
      password:
        secret:
        key: password
      mailbox: inbox
      idleTimeout: 60
      inboxMethod: "imap"
      clientSecret:
        key: secret
      pollInterval: 60
      deliveryMethod: webhook
      authToken: {}

    cron_jobs: {}
    sentry:
      enabled: false
      dsn:
      clientside_dsn:
      environment:
    gitlab_docs:
      enabled: false
      host: ""
    oidcProvider:
      openidIdTokenExpireInSeconds: 120
    smartcard:
      enabled: false
      CASecret:
      clientCertificateRequiredHost:
    sidekiq:
      routingRules: []

General application settings

The appConfig settings that can be used to tweak the general properties of the Rails application are described below:

Content Security Policy

Setting a Content Security Policy (CSP) can help thwart JavaScript cross-site scripting (XSS) attacks. See GitLab documentation for configuration details. Content Security Policy Documentation

GitLab automatically provides secure default values for the CSP.

global:
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false

To add a custom CSP:

global:
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false
      directives:
        default_src: "'self'"
        script_src: "'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com"
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        style_src: "'self' 'unsafe-inline'"

Improperly configuring the CSP rules could prevent GitLab from working properly. Before rolling out a policy, you may also want to change report_only to true to test the configuration.

Configure a relative URL root

Though you should install GitLab on its own domain or subdomain, you can install under a relative URL if required. For example, https://example.com/gitlab.

The ingresses of all webservice deployments will have this path prefixed.

global:
  appConfig:
    relativeUrlRoot: "/gitlab"
  hosts:
    domain: example.com
    gitlab:
      name: example.com

defaultProjectsFeatures

Flags to decide if new projects should be created with the respective features by default. All flags default to true.

defaultProjectsFeatures:
  issues: true
  mergeRequests: true
  wiki: true
  snippets: true
  builds: true
  containerRegistry: true

Gravatar/Libravatar settings

By default, the charts work with Gravatar avatar service available at gravatar.com. However, a custom Libravatar service can also be used if needed:

Hooking Analytics services to the GitLab instance

Settings to configure Analytics services like Google Analytics and Matomo are defined under the extra key below appConfig:

Consolidated object storage

In addition to the following section that describes how to configure individual settings for object storage, we’ve added a consolidated object storage configuration to ease the use of shared configuration for these items. Making use of object_store, you can configure a connection once, and it will be used for any and all object storage backed features that are not individually configured with a connection property.

  enabled: true
  proxy_download: true
  storage_options:
  connection:
    secret:
    key:

The property structure is shared, and all properties here can be overridden by the individual items below. The connection property structure is identical.

When using the AWS provider for the connection (which is any S3 compatible provider such as the included MinIO), GitLab Workhorse can offload all storage related uploads. This will automatically be enabled for you, when using this consolidated configuration.

Specify buckets

Each object type should be stored in different buckets. By default, GitLab uses these bucket names for each type:

You can use these defaults or configure the bucket names:

--set global.appConfig.artifacts.bucket=<BUCKET NAME> \
--set global.appConfig.lfs.bucket=<BUCKET NAME> \
--set global.appConfig.packages.bucket=<BUCKET NAME> \
--set global.appConfig.uploads.bucket=<BUCKET NAME> \
--set global.appConfig.externalDiffs.bucket=<BUCKET NAME> \
--set global.appConfig.terraformState.bucket=<BUCKET NAME> \
--set global.appConfig.ciSecureFiles.bucket=<BUCKET NAME> \
--set global.appConfig.dependencyProxy.bucket=<BUCKET NAME>

storage_options

The storage_options are used to configure S3 Server Side Encryption.

Setting a default encryption on an S3 bucket is the easiest way to enable encryption, but you may want to set a bucket policy to ensure only encrypted objects are uploaded. To do this, you must configure GitLab to send the proper encryption headers in the storage_options configuration section:

Example:

  enabled: true
  proxy_download: true
  connection:
    secret: gitlab-rails-storage
    key: connection
  storage_options:
    server_side_encryption: aws:kms
    server_side_encryption_kms_key_id: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

LFS, Artifacts, Uploads, Packages, External MR diffs, and Dependency Proxy

Details on these settings are below. Documentation is not repeated individually, as they are structurally identical aside from the default value of the bucket property.

  enabled: true
  proxy_download: true
  bucket:
  connection:
    secret:
    key:

connection

The connection property has been transitioned to a Kubernetes Secret. The contents of this secret should be a YAML formatted file. Defaults to {} and will be ignored if global.minio.enabled is true.

This property has two sub-keys: secret and key.

• secret is the name of a Kubernetes Secret. This value is required to use external object storage.
• key is the name of the key in the secret which houses the YAML block. Defaults to connection.

Valid configuration keys can be found in the GitLab Job Artifacts Administration documentation. This matches to Fog, and is different between provider modules.

Examples for AWS and Google providers can be found in examples/objectstorage.

• rails.s3.yaml
• rails.gcs.yaml
• rails.azurerm.yaml

Once a YAML file containing the contents of the connection has been created, use this file to create the secret in Kubernetes.

kubectl create secret generic gitlab-rails-storage \
    --from-file=connection=rails.yaml

when (only for External MR Diffs)

externalDiffs setting has an additional key when to conditionally store specific diffs on object storage. This setting is left empty by default in the charts, for a default value to be assigned by the Rails code.

cdn (only for CI Artifacts)

artifacts setting has an additional key cdn to configure Google CDN in front of a Google Cloud Storage bucket.

Incoming email settings

The incoming email settings are explained in the command line options page.

KAS settings

Custom secret

One can optionally customize the KAS secret name as well as key, either by using Helm’s --set variable option:

--set global.appConfig.gitlab_kas.secret=custom-secret-name \
--set global.appConfig.gitlab_kas.key=custom-secret-key \

or by configuring your values.yaml:

global:
  appConfig:
    gitlab_kas:
      secret: "custom-secret-name"
      key: "custom-secret-key"

If you’d like to customize the secret value, refer to the secrets documentation.

Custom URLs

The URLs used for KAS by the GitLab backend can be customized using Helm’s --set variable option:

--set global.appConfig.gitlab_kas.externalUrl="wss://custom-kas-url.example.com" \
--set global.appConfig.gitlab_kas.internalUrl="grpc://custom-internal-url" \
--set global.appConfig.gitlab_kas.clientTimeoutSeconds=10 # Optional, default is 5 seconds

or by configuring your values.yaml:

global:
  appConfig:
    gitlab_kas:
      externalUrl: "wss://custom-kas-url.example.com"
      internalUrl: "grpc://custom-internal-url"
      clientTimeoutSeconds: 10 # Optional, default is 5 seconds

External KAS

The GitLab backend can be made aware of an external KAS server (i.e. not managed by the chart) by explicitly enabling it and configuring the required URLs. You can do so using Helm’s --set variable option:

--set global.appConfig.gitlab_kas.enabled=true \
--set global.appConfig.gitlab_kas.externalUrl="wss://custom-kas-url.example.com" \
--set global.appConfig.gitlab_kas.internalUrl="grpc://custom-internal-url" \
--set global.appConfig.gitlab_kas.clientTimeoutSeconds=10 # Optional, default is 5 seconds

or by configuring your values.yaml:

global:
  appConfig:
    gitlab_kas:
      enabled: true
      externalUrl: "wss://custom-kas-url.example.com"
      internalUrl: "grpc://custom-internal-url"
      clientTimeoutSeconds: 10 # Optional, default is 5 seconds

TLS settings

KAS supports TLS communication between its kas pods and other GitLab chart components.

Prerequisites:

• Use GitLab 15.5.1 or later. You can set your GitLab version with global.gitlabVersion: <version>. If you need to force an image update after an initial deployment, also set global.image.pullPolicy: Always.
• Create the certificate authority and certificates that your kas pods will trust.

To configure kas to use the certificates you created, set the following values.

For example, you could use the following in your values.yaml file to deploy your chart:

.internal-ca: &internal-ca gitlab-internal-tls-ca # The secret name you used to share your TLS CA.
.internal-tls: &internal-tls gitlab-internal-tls # The secret name you used to share your TLS certificate.

global:
  certificates:
    customCAs:
    - secret: *internal-ca
  hosts:
    domain: gitlab.example.com # Your gitlab domain
  kas:
    tls:
      enabled: true
      secretName: *internal-tls
      caSecretName: *internal-ca

Suggested Reviewers settings

One can optionally customize the Suggested Reviewers secret name as well as key, either by using Helm’s --set variable option:

--set global.appConfig.suggested_reviewers.secret=custom-secret-name \
--set global.appConfig.suggested_reviewers.key=custom-secret-key \

or by configuring your values.yaml:

global:
  appConfig:
    suggested_reviewers:
      secret: "custom-secret-name"
      key: "custom-secret-key"

If you’d like to customize the secret value, refer to the secrets documentation.

LDAP

The ldap.servers setting allows for the configuration of LDAP user authentication. It is presented as a map, which will be translated into the appropriate LDAP servers configuration in gitlab.yml, as with an installation from source.

Configuring passwords can be done by supplying a secret which holds the password. This password will then be injected into the GitLab configuration at runtime.

An example configuration snippet:

ldap:
  preventSignin: false
  servers:
    # 'main' is the GitLab 'provider ID' of this LDAP server
    main:
      label: 'LDAP'
      host: '_your_ldap_server'
      port: 636
      uid: 'sAMAccountName'
      bind_dn: 'cn=administrator,cn=Users,dc=domain,dc=net'
      base: 'dc=domain,dc=net'
      password:
        secret: my-ldap-password-secret
        key: the-key-containing-the-password

Example --set configuration items, when using the global chart:

--set global.appConfig.ldap.servers.main.label='LDAP' \
--set global.appConfig.ldap.servers.main.host='your_ldap_server' \
--set global.appConfig.ldap.servers.main.port='636' \
--set global.appConfig.ldap.servers.main.uid='sAMAccountName' \
--set global.appConfig.ldap.servers.main.bind_dn='cn=administrator\,cn=Users\,dc=domain\,dc=net' \
--set global.appConfig.ldap.servers.main.base='dc=domain\,dc=net' \
--set global.appConfig.ldap.servers.main.password.secret='my-ldap-password-secret' \
--set global.appConfig.ldap.servers.main.password.key='the-key-containing-the-password'

Disable LDAP web sign in

It can be useful to prevent using LDAP credentials through the web UI when an alternative such as SAML is preferred. This allows LDAP to be used for group sync, while also allowing your SAML identity provider to handle additional checks like custom 2FA.

When LDAP web sign in is disabled, users will not see a LDAP tab on the sign in page. This does not disable using LDAP credentials for Git access.

To disable the use of LDAP for web sign-in, set global.appConfig.ldap.preventSignin: true.

Using a custom CA or self signed LDAP certificates

If the LDAP server uses a custom CA or self-signed certificate, you must:

1. Ensure that the custom CA/Self-Signed certificate is created as a Secret or ConfigMap in the cluster/namespace:

   # Secret
   kubectl -n gitlab create secret generic my-custom-ca-secret --from-file=unique_name.crt=my-custom-ca.pem
   
   # ConfigMap
   kubectl -n gitlab create configmap my-custom-ca-configmap --from-file=unique_name.crt=my-custom-ca.pem

2. Then, specify:

   # Configure a custom CA from a Secret
   --set global.certificates.customCAs[0].secret=my-custom-ca-secret
   
   # Or from a ConfigMap
   --set global.certificates.customCAs[0].configMap=my-custom-ca-configmap
   
   # Configure the LDAP integration to trust the custom CA
   --set global.appConfig.ldap.servers.main.ca_file=/etc/ssl/certs/unique_name.pem

This ensures that the CA certificate is mounted in the relevant pods at /etc/ssl/certs/unique_name.pem and specifies its use in the LDAP configuration.

See Custom Certificate Authorities for more info.

duoAuth

Use these settings to enable two-factor authentication (2FA) with Cisco Duo.

global:
  appConfig:
    duoAuth:
      enabled:
      hostname:
      integrationKey:
      secretKey:
      #  secret:
      #  key:

Configure the Cisco Duo secret key

To configure Cisco Duo auth integration in the GitLab Helm chart you must provide a secret in the global.appConfig.duoAuth.secretKey.secret setting containing Cisco Duo auth secret_key value.

To create a Kubernetes secret object to store your Cisco Duo account secretKey, from the command line, run:

kubectl create secret generic <secret_object_name> --from-literal=secretKey=<duo_secret_key_value>

OmniAuth

GitLab can leverage OmniAuth to allow users to sign in using GitHub, Google, and other popular services. Expanded documentation can be found in the OmniAuth documentation for GitLab.

omniauth:
  enabled: false
  autoSignInWithProvider:
  syncProfileFromProvider: []
  syncProfileAttributes: ['email']
  allowSingleSignOn: ['saml']
  blockAutoCreatedUsers: true
  autoLinkLdapUser: false
  autoLinkSamlUser: false
  autoLinkUser: ['openid_connect']
  externalProviders: []
  allowBypassTwoFactor: []
  providers: []
  # - secret: gitlab-google-oauth2
  #   key: provider
  # - name: group_saml

providers

providers is presented as an array of maps that are used to populate gitlab.yml as when installed from source. See GitLab documentation for the available selection of Supported Providers. Defaults to [].

This property has two sub-keys: secret and key:

• secret: (required) The name of a Kubernetes Secret containing the provider block.
• key: (optional) The name of the key in the Secret containing the provider block. Defaults to provider

Alternatively, if the provider has no other configuration than its name, you may use a second form with only a name attribute, and optionally a label or icon attribute. The eligible providers are:

• group_saml
• kerberos

The Secret for these entries contains YAML or JSON formatted blocks, as described in OmniAuth Providers. To create this secret, follow the appropriate instructions for retrieval of these items, and create a YAML or JSON file.

Example of configuration of Google OAuth 2.0:

name: google_oauth2
label: Google
app_id: 'APP ID'
app_secret: 'APP SECRET'
args:
  access_type: offline
  approval_prompt: ''

SAML configuration example:

name: saml
label: 'SAML'
args:
  assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback'
  idp_cert_fingerprint: 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
  idp_sso_target_url: 'https://SAML_IDP/app/xxxxxxxxx/xxxxxxxxx/sso/saml'
  issuer: 'https://gitlab.example.com'
  name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'

Microsoft Azure OAuth 2.0 OmniAuth provider configuration example:

name: azure_activedirectory_v2
label: Azure
args:
  client_id: '<CLIENT_ID>'
  client_secret: '<CLIENT_SECRET>'
  tenant_id: '<TENANT_ID>'

This content can be saved as provider.yaml, and then a secret created from it:

kubectl create secret generic -n NAMESPACE SECRET_NAME --from-file=provider=provider.yaml

Once created, the providers are enabled by providing the maps in configuration, as shown below:

omniauth:
  providers:
    - secret: gitlab-google-oauth2
    - secret: azure_activedirectory_v2
    - secret: gitlab-azure-oauth2
    - secret: gitlab-cas3

Group SAML configuration example:

omniauth:
  providers:
    - name: group_saml

Example configuration --set items, when using the global chart:

--set global.appConfig.omniauth.providers[0].secret=gitlab-google-oauth2 \

Due to the complexity of using --set arguments, a user may wish to use a YAML snippet, passed to helm with -f omniauth.yaml.

Cron jobs related settings

Sidekiq includes maintenance jobs that can be configured to run on a periodic basis using cron style schedules. A few examples are included below. See the cron_jobs and ee_cron_jobs sections in the sample gitlab.yml for more job examples.

These settings are shared between Sidekiq, Webservice (for showing tooltips in UI) and Toolbox (for debugging purposes) pods.

global:
  appConfig:
    cron_jobs:
      stuck_ci_jobs_worker:
        cron: "0 * * * *"
      pipeline_schedule_worker:
        cron: "3-59/10 * * * *"
      expire_build_artifacts_worker:
        cron: "*/7 * * * *"

Sentry settings

Use these settings to enable GitLab error reporting with Sentry.

global:
  appConfig:
    sentry:
      enabled:
      dsn:
      clientside_dsn:
      environment:

gitlab_docs settings

Use these settings to enable gitlab_docs.

global:
  appConfig:
    gitlab_docs:
      enabled:
      host:

OpenID Connect token expiration

Configure OpenID Connect (OIDC) provider token expiration.

global:
  appConfig:
    oidcProvider:
      openidIdTokenExpireInSeconds: 120

Smartcard Authentication settings

global:
  appConfig:
    smartcard:
      enabled: false
      CASecret:
      clientCertificateRequiredHost:
      sanExtensions: false
      requiredForGitAccess: false

Sidekiq routing rules settings

GitLab supports routing a job from a worker to a desired queue before it is scheduled. Sidekiq clients match a job against a configured list of routing rules. Rules are evaluated from first to last, and as soon as a match for a given worker is found, the processing for that worker is stopped (first match wins). If the worker doesn’t match any rule, it falls back the queue name generated from the worker name.

By default, the routing rules are not configured (or denoted with an empty array), all the jobs are routed to the queue generated from the worker name.

The routing rules list is an ordered array of tuples of query and corresponding queue:

• The query is following the worker matching query syntax.
• The <queue_name> must match a valid Sidekiq queue name sidekiq.pods[].queues defined under sidekiq.pods. If the queue name is nil, or an empty string, the worker is routed to the queue generated by the name of the worker instead. See Full example of Sidekiq configuration as a reference.

The query supports wildcard matching *, which matches all workers. As a result, the wildcard query must stay at the end of the list or the later rules are ignored:

global:
  appConfig:
    sidekiq:
      routingRules:
      - ["resource_boundary=cpu", "cpu-boundary"]
      - ["feature_category=pages", null]
      - ["feature_category=search", "search"]
      - ["feature_category=memory|resource_boundary=memory", "memory-bound"]
      - ["*", "default"]

Configure Rails settings

A large portion of the GitLab suite is based upon Rails. As such, many containers within this project operate with this stack. These settings apply to all of those containers, and provide an easy access method to setting them globally versus individually.

global:
  rails:
    bootsnap:
      enabled: true

Configure Workhorse settings

Several components of the GitLab suite speak to the APIs via GitLab Workhorse. This is currently a part of the Webservice chart. These settings are consumed by all charts that need to contact GitLab Workhorse, providing an easy access to set them globally vs individually.

global:
  workhorse:
    serviceName: webservice-default
    host: api.example.com
    port: 8181

Bootsnap Cache

Our Rails codebase makes use of Shopify Bootsnap Gem. Settings here are used to configure that behavior.

bootsnap.enabled controls the activation of this feature. It defaults to true.

Testing showed that enabling Bootsnap resulted in overall application performance boost. When a pre-compiled cache is available, some application containers see gains in excess of 33%. At this time, GitLab does not ship this pre-compiled cache with their containers, resulting in a gain of “only” 14%. There is a cost to this gain without the pre-compiled cache present, resulting in an intense spike of small IO at initial startup of each Pod. Due to this, we’ve exposed a method of disabling the use of Bootsnap in environments where this would be an issue.

When possible, we recommend leaving this enabled.

Configure GitLab Shell

There are several items for the global configuration of GitLab Shell chart.

global:
  shell:
    port:
    authToken: {}
    hostKeys: {}
    tcp:
      proxyProtocol: false

Port

You can control the port used by the Ingress to pass SSH traffic, as well as the port used in SSH URLs provided from GitLab via global.shell.port. This is reflected in the port on which the service listens, as well as the SSH clone URLs provided in project UI.

global:
  shell:
    port: 32022

You can combine global.shell.port and nginx-ingress.controller.service.type=NodePort to set a NodePort for the NGINX controller Service object. Note that if nginx-ingress.controller.service.nodePorts.gitlab-shell is set, it will override global.shell.port when setting the NodePort for NGINX.

global:
  shell:
    port: 32022

nginx-ingress:
  controller:
    service:
      type: NodePort

TCP proxy protocol

You can enable handling proxy protocol on the SSH Ingress to properly handle a connection from an upstream proxy that adds the proxy protocol header. By doing so, this will prevent SSH from receiving the additional headers and not break SSH.

One common environment where one needs to enable handling of proxy protocol is when using AWS with an ELB handling the inbound connections to the cluster. You can consult the AWS layer 4 load balancer example to properly set it up.

global:
  shell:
    tcp:
      proxyProtocol: true # default false

Configure GitLab Pages

The global GitLab Pages settings that are used by other charts are documented under the global.pages key.

global:
  pages:
    enabled:
    accessControl:
    path:
    host:
    port:
    https:
    externalHttp:
    externalHttps:
    customDomainMode:
    artifactsServer:
    objectStore:
      enabled:
      bucket:
      proxy_download: true
      connection: {}
        secret:
        key:
    localStore:
      enabled: false
      path:
    apiSecret: {}
      secret:
      key:
    namespaceInPath: false

Configure Webservice

The global Webservice settings (that are used by other charts also) are located under the global.webservice key.

global:
  webservice:
    workerTimeout: 60