Using the Shared-Secrets Job

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

The shared-secrets job is responsible for provisioning a variety of secrets used across the installation, unless otherwise manually specified. This includes:

  1. Initial root password
  2. Self-signed TLS certificates for all public services: GitLab, MinIO, and Registry
  3. Registry authentication certificates
  4. MinIO, Registry, GitLab Shell, and Gitaly secrets
  5. Redis and PostgreSQL passwords
  6. SSH host keys
  7. GitLab Rails secret for encrypted credentials

Installation command line options

The table below contains all the possible configurations that can be supplied to the helm install command using the --set flag:

Parameter | Default | Description
--- | --- | ---
enabled | true | See Below
env | production | Rails environment
podLabels | | Supplemental Pod labels. Will not be used for selectors.
annotations | | Supplemental Pod annotations.
image.pullPolicy | Always | DEPRECATED: Use global.kubectl.image.pullPolicy instead.
image.pullSecrets | | DEPRECATED: Use global.kubectl.image.pullSecrets instead.
image.repository | registry.gitlab.com/gitlab-org/build/cng/kubectl | DEPRECATED: Use global.kubectl.image.repository instead.
image.tag | 1f8690f03f7aeef27e727396927ab3cc96ac89e7 | DEPRECATED: Use global.kubectl.image.tag instead.
priorityClassName | | Priority class assigned to pods
rbac.create | true | Create RBAC roles and bindings
resources | | resource requests, limits
securityContext.fsGroup | 65534 | User ID to mount filesystems as
securityContext.runAsUser | 65534 | User ID to run the container as
selfsign.caSubject | GitLab Helm Chart | selfsign CA Subject
selfsign.image.repository | registry.gitlab.com/gitlab-org/build/cnf/cfssl-self-sign | selfsign image repository
selfsign.image.pullSecrets | | Secrets for the image repository
selfsign.image.tag | | selfsign image tag
selfsign.keyAlgorithm | rsa | selfsign cert key algorithm
selfsign.keySize | 4096 | selfsign cert key size
serviceAccount.enabled | true | Define serviceAccountName on job(s)
serviceAccount.create | true | Create ServiceAccount
serviceAccount.name | RELEASE_NAME-shared-secrets | Service account name to specify on job(s) (and on the serviceAccount itself if serviceAccount.create=true)
tolerations | [] | Toleration labels for pod assignment
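The same parameters can be supplied through a values file passed with -f instead of individual --set flags. The fragment below is an added example, not taken from the chart's own documentation; it assumes only that the job's settings nest under the shared-secrets key (the form the page itself uses for enabled: false) and uses the default values from the table above, so it changes no behaviour and serves to show how each dotted --set path maps onto YAML structure:

```yaml
# Added example: values file equivalent of the --set parameters in the table.
# Every value here is the documented default; override only what you need.
shared-secrets:
  enabled: true                 # --set shared-secrets.enabled=true
  env: production               # --set shared-secrets.env=production
  rbac:
    create: true                # Create RBAC roles and bindings for the job
  serviceAccount:
    enabled: true               # Set serviceAccountName on the job pods
    create: true                # Create the ServiceAccount as well
    # name: defaults to RELEASE_NAME-shared-secrets when unset
  securityContext:
    runAsUser: 65534            # Unprivileged UID for the job container
    fsGroup: 65534              # Group used when mounting filesystems
  selfsign:
    caSubject: "GitLab Helm Chart"
    keyAlgorithm: rsa           # Key algorithm for the self-signed certificates
    keySize: 4096               # Key size for the self-signed certificates
  priorityClassName: ""         # Optional priority class for the job pods
  tolerations: []               # See the tolerations example below
  # image.* keys are deprecated: configure global.kubectl.image.* instead.
```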

Job configuration examples

tolerations

tolerations allow you to schedule pods on tainted worker nodes

Below is an example use of tolerations:

tolerations:
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"

Disable functionality

Some users may wish to explicitly disable the functionality provided by this job. To do this, we have provided the enabled flag as a boolean, defaulting to true.

To disable the job, pass --set shared-secrets.enabled=false, or pass the following in a YAML via the -f flag to helm:

shared-secrets:
  enabled: false

If you disable this job, you must manually create all secrets, and provide all necessary secret content. See installation/secrets for further details.