Using the Shared-Secrets chart

The shared-secrets sub-chart is responsible for provisioning a variety of secrets used across the installation, unless they are supplied manually. This includes:

  1. Initial root password
  2. Self-signed TLS certificates for all public services: GitLab, MinIO, and Registry
  3. Registry authentication certificates
  4. MinIO, Registry, GitLab Shell, and Gitaly secrets
  5. Redis and Postgres passwords
  6. SSH host keys

Installation command line options

The table below lists the chart configuration values that can be supplied to the helm install command using the --set flag:

| Parameter | Default | Description |
| --- | --- | --- |
| enabled | true | See below |
| env | production | Rails environment |
| image.pullPolicy | Always | Image pull policy |
| image.pullSecrets | | Secrets for the image repository |
| image.repository | registry.gitlab.com/gitlab-org/build/cng/kubectl | Image repository |
| image.tag | 1f8690f03f7aeef27e727396927ab3cc96ac89e7 | Image tag |
| rbac.create | true | Create RBAC roles and bindings |
| resources | | Resource requests and limits |
| securityContext.fsGroup | 65534 | Group ID to mount filesystems as |
| securityContext.runAsUser | 65534 | User ID to run the container as |
| selfsign.caSubject | GitLab Helm Chart | Subject of the self-signed CA |
| selfsign.image | registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign | Self-sign image repository |
| selfsign.keyAlgorithm | rsa | Self-signed certificate key algorithm |
| selfsign.keySize | 4096 | Self-signed certificate key size (bits) |
| selfsign.tag | | Self-sign image tag |
| tolerations | [] | Toleration labels for pod assignment |

Chart configuration examples

tolerations

tolerations allow you to schedule pods on tainted worker nodes.

Below is an example use of tolerations:

tolerations:
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"

Disable functionality

Some users may wish to explicitly disable the functionality provided by this sub-chart. To do this, we have provided the enabled flag as a boolean, defaulting to true.

To disable the chart, pass --set shared-secrets.enabled=false, or pass the following in a YAML file via the -f flag to helm:

shared-secrets:
  enabled: false

Note: If you disable this sub-chart, you must manually create all secrets, and provide all necessary secret content. See installation/secrets for further details.
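
As an added example (not part of the GitLab chart or its documentation), the following Python linter models the options from the configuration table above as a dict of the same shape as the YAML passed via -f, overlays it on the table's defaults, and reports settings a reviewer would question, including the enabled: false case from the section above. The accepted key algorithms and sizes (rsa of at least 2048 bits, ecdsa with a 256/384/521-bit curve) are assumptions taken from cfssl's conventions, and the commit-SHA tag check is this example's own policy; the page itself lists only the defaults.

```python
"""Sanity-check a shared-secrets values fragment before running helm install."""
import re

# Defaults copied from the configuration table on this page.
DEFAULTS = {
    "enabled": True,
    "env": "production",
    "image": {
        "pullPolicy": "Always",
        "repository": "registry.gitlab.com/gitlab-org/build/cng/kubectl",
        "tag": "1f8690f03f7aeef27e727396927ab3cc96ac89e7",
    },
    "rbac": {"create": True},
    "securityContext": {"fsGroup": 65534, "runAsUser": 65534},
    "selfsign": {"caSubject": "GitLab Helm Chart", "keyAlgorithm": "rsa", "keySize": 4096},
    "tolerations": [],
}

# Assumption (cfssl conventions, not stated on the page): RSA keys must be at
# least 2048 bits and ECDSA keys must use one of the P-256/P-384/P-521 curves.
MIN_RSA_BITS = 2048
ECDSA_SIZES = {256, 384, 521}
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
TAINT_EFFECTS = {"NoSchedule", "PreferNoSchedule", "NoExecute"}


def merge(defaults, overrides):
    """Overlay overrides onto defaults the way Helm layers values files."""
    out = dict(defaults)
    for key, val in overrides.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], val)
        else:
            out[key] = val
    return out


def check_shared_secrets(values):
    """Return a list of findings for a shared-secrets values dict; [] means clean."""
    v = merge(DEFAULTS, values)
    findings = []

    if not isinstance(v["enabled"], bool):
        findings.append("enabled must be a boolean (true/false)")
    elif not v["enabled"]:
        findings.append("enabled=false: every secret must be created manually")

    alg, size = v["selfsign"]["keyAlgorithm"], v["selfsign"]["keySize"]
    if alg == "rsa" and size < MIN_RSA_BITS:
        findings.append(f"selfsign.keySize {size} is below {MIN_RSA_BITS} bits for rsa")
    elif alg == "ecdsa" and size not in ECDSA_SIZES:
        findings.append(f"selfsign.keySize {size} is not a valid ecdsa curve size")
    elif alg not in ("rsa", "ecdsa"):
        findings.append(f"selfsign.keyAlgorithm {alg!r} is not rsa or ecdsa")

    sc = v["securityContext"]
    if sc["runAsUser"] == 0:
        findings.append("securityContext.runAsUser=0 runs the job as root")
    if sc["fsGroup"] == 0:
        findings.append("securityContext.fsGroup=0 mounts volumes as the root group")

    if not v["rbac"]["create"]:
        findings.append("rbac.create=false: the job's service account must already be allowed to create Secrets")

    # Own policy: the chart default is a 40-hex commit SHA, which is immutable.
    tag, policy = v["image"]["tag"], v["image"]["pullPolicy"]
    if tag in ("", "latest"):
        findings.append(f"image.tag {tag!r} is mutable; pin a commit SHA")
    elif not COMMIT_SHA.match(tag) and policy != "Always":
        findings.append(f"image.tag {tag!r} is not a commit SHA and pullPolicy is {policy}; a stale image may be reused")

    for i, tol in enumerate(v["tolerations"]):
        if tol.get("effect") not in TAINT_EFFECTS:
            findings.append(f"tolerations[{i}].effect must be one of {sorted(TAINT_EFFECTS)}")
        if tol.get("operator", "Equal") == "Equal" and "value" not in tol:
            findings.append(f"tolerations[{i}] uses operator Equal but has no value")
        if tol.get("operator") == "Exists" and "value" in tol:
            findings.append(f"tolerations[{i}] uses operator Exists and must not set value")

    return findings


if __name__ == "__main__":
    # Constructed input: a values fragment with several weak settings.
    weak = {
        "selfsign": {"keySize": 1024},
        "securityContext": {"runAsUser": 0},
        "image": {"tag": "latest", "pullPolicy": "IfNotPresent"},
        "tolerations": [{"key": "node_label", "operator": "Equal", "effect": "NoSchedule"}],
    }
    for finding in check_shared_secrets(weak):
        print("-", finding)
```

Run it against the dict form of your values file before helm install; an empty list means every setting matches the table's defaults or a deliberate, still-defensible override, and the tolerations example from this page passes as-is.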