Using the Shared-Secrets Job

The shared-secrets job is responsible for provisioning a variety of secrets used across the installation, unless otherwise manually specified. This includes:

  1. Initial root password
  2. Self-signed TLS certificates for all public services: GitLab, MinIO, and Registry
  3. Registry authentication certificates
  4. MinIO, Registry, GitLab Shell, and Gitaly secrets
  5. Redis and PostgreSQL passwords
  6. SSH host keys
  7. GitLab Rails secret for encrypted credentials

Installation command line options

The table below contains all the possible configurations that can be supplied to the helm install command using the --set flag:

| Parameter | Default | Description |
|---|---|---|
| enabled | true | See below |
| env | production | Rails environment |
| podLabels | | Supplemental Pod labels. Will not be used for selectors. |
| annotations | | Supplemental Pod annotations. |
| image.pullPolicy | Always | Gitaly image pull policy |
| image.pullSecrets | | Secrets for the image repository |
| image.tag | 1f8690f03f7aeef27e727396927ab3cc96ac89e7 | Gitaly image tag |
| priorityClassName | | Priority class assigned to pods |
| rbac.create | true | Create RBAC roles and bindings |
| resources | | Resource requests and limits |
| securityContext.fsGroup | 65534 | Group ID to mount filesystems as |
| securityContext.runAsUser | 65534 | User ID to run the container as |
| selfsign.caSubject | GitLab Helm Chart | selfsign CA subject |
| selfsign.image.pullSecrets | | Secrets for the image repository |
| selfsign.image.tag | | selfsign image tag |
| selfsign.keyAlgorithm | rsa | selfsign certificate key algorithm |
| selfsign.keySize | 4096 | selfsign certificate key size |
| serviceAccount.enabled | true | Define serviceAccountName on job(s) |
| serviceAccount.create | true | Create ServiceAccount |
| serviceAccount.name | RELEASE_NAME-shared-secrets | Service account name to specify on job(s) (and on the ServiceAccount itself if serviceAccount.create=true) |
| tolerations | [] | Toleration labels for pod assignment |

Job configuration examples

tolerations allow you to schedule pods on tainted worker nodes.

Below is an example use of tolerations:

```yaml
tolerations:
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"
```
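The options from the table above, combined into one values file as an added example (not from the chart documentation): every key nests under the shared-secrets subchart name, exactly where --set shared-secrets.KEY=VALUE would place it. The taint key "secrets-only", the service account name, and the resource figures are constructed assumptions for illustration.

```yaml
# Added example override for the shared-secrets job; apply with
# helm upgrade --install RELEASE gitlab/gitlab -f shared-secrets-values.yaml
shared-secrets:
  enabled: true
  env: production
  # Tolerate a constructed taint "secrets-only=true:NoSchedule" so the job
  # may land on nodes reserved for it (assumption: such a taint exists).
  tolerations:
    - key: "secrets-only"
      operator: "Equal"
      value: "true"
      effect: "NoSchedule"
  # Keep the job unprivileged; 65534 ("nobody") is the chart default and is
  # repeated here so the intent survives if the default ever changes.
  securityContext:
    runAsUser: 65534
    fsGroup: 65534
  # Self-signed CA and certificate parameters (rsa/4096 are the table defaults).
  selfsign:
    caSubject: "GitLab Helm Chart"
    keyAlgorithm: rsa
    keySize: 4096
  # Dedicated ServiceAccount plus the RBAC roles the job needs, nothing more.
  serviceAccount:
    enabled: true
    create: true
    name: gitlab-shared-secrets   # constructed; default is RELEASE_NAME-shared-secrets
  rbac:
    create: true
  # Constructed resource figures; size them for your cluster.
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 128Mi
```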

Disable functionality

Some users may wish to explicitly disable the functionality provided by this job. To do this, we have provided the enabled flag as a boolean, defaulting to true.

To disable the job, pass --set shared-secrets.enabled=false, or pass the following in a YAML file via the -f flag to helm:

```yaml
shared-secrets:
  enabled: false
```

If you disable this job, you must manually create all secrets and provide all necessary secret content. See installation/secrets for further details.