GitLab Helm chart deployment options

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

This page lists commonly used values of the GitLab chart. For a complete list of the available options, refer to the documentation for each subchart.

You can pass values to the helm install command by using a YAML file and the --values <values file> flag or by using multiple --set flags. It is recommended to use a values file that contains only the overrides needed for your release.
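As an added example (not taken from the GitLab chart or its documentation), the following values file shows how the dotted parameter names in the tables below nest as YAML keys while containing only overrides. It supplies an existing wildcard TLS certificate, reads the SMTP and PostgreSQL passwords from Kubernetes Secrets, and points GitLab at an external database. All hostnames, the IP address, the user name, and the Secret names are constructed placeholders. The `postgresql.install` key is not listed on this page; it is assumed from the chart's default values.

```yaml
# values.yaml -- added example. Hostnames, addresses and Secret names are
# constructed placeholders; replace them with your own.
global:
  hosts:
    domain: example.com              # global.hosts.domain (required)
    externalIP: 192.0.2.10           # global.hosts.externalIP (required)
  ingress:
    configureCertmanager: false      # do not request Let's Encrypt certificates
    tls:
      secretName: gitlab-wildcard-tls    # existing Secret: wildcard certificate and key
  psql:
    host: pg.internal.example.com    # external PostgreSQL instead of the in-cluster one
    password:
      secret: gitlab-postgres-external   # existing Secret holding the password
      key: psql-password
  smtp:
    enabled: true
    address: smtp.example.com
    port: 587
    user_name: gitlab-mailer
    authentication: login
    starttls_auto: true
    # openssl_verify_mode is intentionally not set: the default, peer,
    # keeps verification of the mail server certificate enabled.
    password:
      secret: gitlab-smtp-password   # existing Secret holding the SMTP password
      key: password
  email:
    from: gitlab@example.com
    reply_to: noreply@example.com
postgresql:
  install: false                     # assumption: chart key that disables the bundled PostgreSQL
```

Pass the file with `helm install <release name> gitlab/gitlab --values values.yaml`; the Secrets it names must already exist in the release namespace.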

For the source of the default values.yaml file, see the GitLab chart repository. These contents change over releases, but you can use Helm itself to retrieve these on a per-version basis:

helm inspect values gitlab/gitlab

Basic configuration

| Parameter | Default | Description |
|---|---|---|
| gitlab.migrations.initialRootPassword.key | password | Key pointing to the root account password in the migrations secret |
| gitlab.migrations.initialRootPassword.secret | {Release.Name}-gitlab-initial-root-password | Global name of the secret containing the root account password |
| global.gitlab.license.key | license | Key pointing to the Enterprise license in the license secret |
| global.gitlab.license.secret | none | Global name of the secret containing the Enterprise license |
| global.application.create | false | Create an Application resource for GitLab |
| global.edition | ee | The edition of GitLab to install. Enterprise Edition (ee) or Community Edition (ce) |
| global.gitaly.enabled | true | Gitaly enable flag |
| global.hosts.domain | Required | Domain name that will be used for all publicly exposed services |
| global.hosts.externalIP | Required | Static IP to assign to NGINX Ingress Controller |
| global.hosts.ssh | gitlab.{global.hosts.domain} | Domain name that will be used for Git SSH access |
| global.imagePullPolicy | IfNotPresent | DEPRECATED: Use global.image.pullPolicy instead |
| global.image.pullPolicy | none (default behavior is IfNotPresent) | Set default imagePullPolicy for all charts |
| global.image.pullSecrets | none | Set default imagePullSecrets for all charts (use a list of name and value pairs) |
| global.minio.enabled | true | MinIO enable flag |
| global.psql.host | Uses in-cluster non-production PostgreSQL | Global hostname of an external psql, overrides subcharts’ psql configuration |
| global.psql.password.key | Uses in-cluster non-production PostgreSQL | Key pointing to the psql password in the psql secret |
| global.psql.password.secret | Uses in-cluster non-production PostgreSQL | Global name of the secret containing the psql password |
| global.registry.bucket | registry | registry bucket name |
| global.service.annotations | {} | Annotations to add to every Service |
| global.rails.sessionStore.sessionCookieTokenPrefix | "" | Prefix for the generated session cookies |
| global.deployment.annotations | {} | Annotations to add to every Deployment |
| global.time_zone | UTC | Global time zone |

TLS configuration

| Parameter | Default | Description |
|---|---|---|
| certmanager-issuer.email | false | Email for Let’s Encrypt account |
| gitlab.webservice.ingress.tls.secretName | none | Existing Secret containing TLS certificate and key for GitLab |
| gitlab.webservice.ingress.tls.smartcardSecretName | none | Existing Secret containing TLS certificate and key for the GitLab smartcard auth domain |
| global.hosts.https | true | Serve over https |
| global.ingress.configureCertmanager | true | Configure cert-manager to get certificates from Let’s Encrypt |
| global.ingress.tls.secretName | none | Existing Secret containing wildcard TLS certificate and key |
| minio.ingress.tls.secretName | none | Existing Secret containing TLS certificate and key for MinIO |
| registry.ingress.tls.secretName | none | Existing Secret containing TLS certificate and key for registry |

Outgoing Email configuration

| Parameter | Default | Description |
|---|---|---|
| global.email.display_name | GitLab | Name that appears as the sender for emails from GitLab |
| global.email.from | gitlab@example.com | Email address that appears as the sender for emails from GitLab |
| global.email.reply_to | noreply@example.com | Reply-to email listed in emails from GitLab |
| global.email.smime.certName | tls.crt | Secret object key value for locating the S/MIME certificate file |
| global.email.smime.enabled | false | Add the S/MIME signatures to outgoing email |
| global.email.smime.keyName | tls.key | Secret object key value for locating the S/MIME key file |
| global.email.smime.secretName | "" | Kubernetes Secret object to find the X.509 certificate (S/MIME Cert for creation) |
| global.email.subject_suffix | "" | Suffix on the subject of all outgoing email from GitLab |
| global.smtp.address | smtp.mailgun.org | Hostname or IP of the remote mail server |
| global.smtp.authentication | plain | Type of SMTP authentication (“plain”, “login”, “cram_md5”, or "" for no authentication) |
| global.smtp.domain | "" | Optional HELO domain for SMTP |
| global.smtp.enabled | false | Enable outgoing email |
| global.smtp.openssl_verify_mode | peer | TLS verification mode (“none”, “peer”, “client_once”, or “fail_if_no_peer_cert”) |
| global.smtp.password.key | password | Key in global.smtp.password.secret that contains the SMTP password |
| global.smtp.password.secret | "" | Name of a Secret containing the SMTP password |
| global.smtp.port | 2525 | Port for SMTP |
| global.smtp.starttls_auto | false | Use STARTTLS if enabled on the mail server |
| global.smtp.tls | none | Enables SMTP/TLS (SMTPS: SMTP over direct TLS connection) |
| global.smtp.user_name | "" | Username for SMTP authentication |
| global.smtp.open_timeout | 30 | Seconds to wait while attempting to open a connection. |
| global.smtp.read_timeout | 60 | Seconds to wait while reading one block. |
| global.smtp.pool | false | Enables SMTP connection pooling |

Microsoft Graph Mailer settings

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.microsoft_graph_mailer.enabled | false | Enable outgoing email via Microsoft Graph API |
| global.appConfig.microsoft_graph_mailer.user_id | "" | The unique identifier for the user that uses the Microsoft Graph API |
| global.appConfig.microsoft_graph_mailer.tenant | "" | The directory tenant the application plans to operate against, in GUID or domain-name format |
| global.appConfig.microsoft_graph_mailer.client_id | "" | The application ID that’s assigned to your app. You can find this information in the portal where you registered your app |
| global.appConfig.microsoft_graph_mailer.client_secret.key | secret | Key in global.appConfig.microsoft_graph_mailer.client_secret.secret that contains the client secret that you generated for your app in the app registration portal |
| global.appConfig.microsoft_graph_mailer.client_secret.secret | "" | Name of a Secret containing the client secret that you generated for your app in the app registration portal |
| global.appConfig.microsoft_graph_mailer.azure_ad_endpoint | https://login.microsoftonline.com | The URL of the Azure Active Directory endpoint |
| global.appConfig.microsoft_graph_mailer.graph_endpoint | https://graph.microsoft.com | The URL of the Microsoft Graph endpoint |

Incoming Email configuration

Common settings

See incoming email configuration examples documentation for more information.

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.incomingEmail.address | empty | The email address to reference the item being replied to (example: gitlab-incoming+%{key}@gmail.com). Note that the +%{key} suffix should be included in its entirety within the email address and not replaced by another value. |
| global.appConfig.incomingEmail.enabled | false | Enable incoming email |
| global.appConfig.incomingEmail.deleteAfterDelivery | true | Whether to mark messages as deleted. For IMAP, messages that are marked as deleted are expunged if expungeDeleted is set to true. For Microsoft Graph, set this to false to retain messages in the inbox because deleted messages are auto-expunged after some time. |
| global.appConfig.incomingEmail.expungeDeleted | false | Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery. Only relevant to IMAP because Microsoft Graph will auto-expunge deleted messages. |
| global.appConfig.incomingEmail.logger.logPath | /dev/stdout | Path to write JSON structured logs to; set to "" to disable this logging |
| global.appConfig.incomingEmail.inboxMethod | imap | Read mail with IMAP (imap) or Microsoft Graph API with OAuth2 (microsoft_graph) |
| global.appConfig.incomingEmail.deliveryMethod | webhook | How mailroom sends email content to the Rails app for processing. Either sidekiq or webhook |
| gitlab.appConfig.incomingEmail.authToken.key | authToken | Key to incoming email token in incoming email secret. Effective when the delivery method is webhook. |
| gitlab.appConfig.incomingEmail.authToken.secret | {Release.Name}-incoming-email-auth-token | Incoming email authentication secret. Effective when the delivery method is webhook. |

IMAP settings

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.incomingEmail.host | empty | Host for IMAP |
| global.appConfig.incomingEmail.idleTimeout | 60 | The IDLE command timeout |
| global.appConfig.incomingEmail.mailbox | inbox | Mailbox where incoming mail will end up. |
| global.appConfig.incomingEmail.password.key | password | Key in global.appConfig.incomingEmail.password.secret that contains the IMAP password |
| global.appConfig.incomingEmail.password.secret | empty | Name of a Secret containing the IMAP password |
| global.appConfig.incomingEmail.port | 993 | Port for IMAP |
| global.appConfig.incomingEmail.ssl | true | Whether IMAP server uses SSL |
| global.appConfig.incomingEmail.startTls | false | Whether IMAP server uses StartTLS |
| global.appConfig.incomingEmail.user | empty | Username for IMAP authentication |

Microsoft Graph settings

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.incomingEmail.tenantId | empty | The tenant ID for your Microsoft Azure Active Directory |
| global.appConfig.incomingEmail.clientId | empty | The client ID for your OAuth2 app |
| global.appConfig.incomingEmail.clientSecret.key | empty | Key in appConfig.incomingEmail.clientSecret.secret that contains the OAuth2 client secret |
| global.appConfig.incomingEmail.clientSecret.secret | secret | Name of a Secret containing the OAuth2 client secret |
| global.appConfig.incomingEmail.pollInterval | 60 | The interval in seconds how often to poll for new mail |
| global.appConfig.incomingEmail.azureAdEndpoint | empty | The URL of the Azure Active Directory endpoint (example: https://login.microsoftonline.com) |
| global.appConfig.incomingEmail.graphEndpoint | empty | The URL of the Microsoft Graph endpoint (example: https://graph.microsoft.com) |

See the instructions for creating secrets.

Service Desk Email configuration

As a requirement for Service Desk, the Incoming Mail must be configured. Note that the email address for both Incoming Mail and Service Desk must use email sub-addressing. When setting the email addresses in each section the tag added to the username must be +%{key}.

Common settings

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.serviceDeskEmail.address | empty | The email address to reference the item being replied to (example: project_contact+%{key}@gmail.com) |
| global.appConfig.serviceDeskEmail.enabled | false | Enable Service Desk email |
| global.appConfig.serviceDeskEmail.deleteAfterDelivery | true | Whether to mark messages as deleted. For IMAP, messages that are marked as deleted are expunged if expungeDeleted is set to true. For Microsoft Graph, set this to false to retain messages in the inbox because deleted messages are auto-expunged after some time. |
| global.appConfig.serviceDeskEmail.expungeDeleted | false | Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery. Only relevant to IMAP because Microsoft Graph auto-expunges deleted messages. |
| global.appConfig.serviceDeskEmail.logger.logPath | /dev/stdout | Path to write JSON structured logs to; set to "" to disable this logging |
| global.appConfig.serviceDeskEmail.inboxMethod | imap | Read mail with IMAP (imap) or Microsoft Graph API with OAuth2 (microsoft_graph) |
| global.appConfig.serviceDeskEmail.deliveryMethod | webhook | How mailroom sends email content to the Rails app for processing. Either sidekiq or webhook |
| gitlab.appConfig.serviceDeskEmail.authToken.key | authToken | Key to Service Desk email token in Service Desk email secret. Effective when the delivery method is webhook. |
| gitlab.appConfig.serviceDeskEmail.authToken.secret | {Release.Name}-service-desk-email-auth-token | Service Desk email authentication secret. Effective when the delivery method is webhook. |

IMAP settings

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.serviceDeskEmail.host | empty | Host for IMAP |
| global.appConfig.serviceDeskEmail.idleTimeout | 60 | The IDLE command timeout |
| global.appConfig.serviceDeskEmail.mailbox | inbox | Mailbox where Service Desk mail will end up. |
| global.appConfig.serviceDeskEmail.password.key | password | Key in global.appConfig.serviceDeskEmail.password.secret that contains the IMAP password |
| global.appConfig.serviceDeskEmail.password.secret | empty | Name of a Secret containing the IMAP password |
| global.appConfig.serviceDeskEmail.port | 993 | Port for IMAP |
| global.appConfig.serviceDeskEmail.ssl | true | Whether IMAP server uses SSL |
| global.appConfig.serviceDeskEmail.startTls | false | Whether IMAP server uses StartTLS |
| global.appConfig.serviceDeskEmail.user | empty | Username for IMAP authentication |

Microsoft Graph settings

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.serviceDeskEmail.tenantId | empty | The tenant ID for your Microsoft Azure Active Directory |
| global.appConfig.serviceDeskEmail.clientId | empty | The client ID for your OAuth2 app |
| global.appConfig.serviceDeskEmail.clientSecret.key | empty | Key in appConfig.serviceDeskEmail.clientSecret.secret that contains the OAuth2 client secret |
| global.appConfig.serviceDeskEmail.clientSecret.secret | secret | Name of a Secret containing the OAuth2 client secret |
| global.appConfig.serviceDeskEmail.pollInterval | 60 | The interval in seconds how often to poll for new mail |
| global.appConfig.serviceDeskEmail.azureAdEndpoint | empty | The URL of the Azure Active Directory endpoint (example: https://login.microsoftonline.com) |
| global.appConfig.serviceDeskEmail.graphEndpoint | empty | The URL of the Microsoft Graph endpoint (example: https://graph.microsoft.com) |

See the instructions for creating secrets.

Default Project Features configuration

| Parameter | Default | Description |
|---|---|---|
| global.appConfig.defaultProjectsFeatures.builds | true | Enable project builds |
| global.appConfig.defaultProjectsFeatures.containerRegistry | true | Enable container registry project features |
| global.appConfig.defaultProjectsFeatures.issues | true | Enable project issues |
| global.appConfig.defaultProjectsFeatures.mergeRequests | true | Enable project merge requests |
| global.appConfig.defaultProjectsFeatures.snippets | true | Enable project snippets |
| global.appConfig.defaultProjectsFeatures.wiki | true | Enable project wikis |

GitLab Shell

| Parameter | Default | Description |
|---|---|---|
| global.shell.authToken | | Secret containing shared secret |
| global.shell.hostKeys | | Secret containing SSH host keys |
| global.shell.port | | Port number to expose on Ingress for SSH |
| global.shell.tcp.proxyProtocol | false | Enable ProxyProtocol in SSH Ingress |

RBAC Settings

| Parameter | Default | Description |
|---|---|---|
| certmanager.rbac.create | true | Create and use RBAC resources |
| gitlab-runner.rbac.create | true | Create and use RBAC resources |
| nginx-ingress.rbac.create | false | Create and use default RBAC resources |
| nginx-ingress.rbac.createClusterRole | false | Create and use Cluster role |
| nginx-ingress.rbac.createRole | true | Create and use namespaced role |
| prometheus.rbac.create | true | Create and use RBAC resources |

If you’re setting nginx-ingress.rbac.create to false to configure the RBAC rules by yourself, you might need to add specific RBAC rules depending on your chart version.

Advanced NGINX Ingress configuration

Prefix NGINX Ingress values with nginx-ingress. For example, set the controller image tag using nginx-ingress.controller.image.tag.

See nginx-ingress chart.

Advanced in-cluster Redis configuration

| Parameter | Default | Description |
|---|---|---|
| redis.install | true | Install the bitnami/redis chart |
| redis.existingSecret | gitlab-redis-secret | Specify the Secret for Redis servers to use |
| redis.existingSecretKey | redis-password | Secret key where password is stored |

Any additional configuration of the Redis service should use the configuration settings from the Redis chart.

Advanced registry configuration

| Parameter | Default | Description |
|---|---|---|
| registry.authEndpoint | Undefined by default | Auth endpoint |
| registry.enabled | true | Enable Docker registry |
| registry.httpSecret | | Https secret |
| registry.minio.bucket | registry | MinIO registry bucket name |
| registry.service.annotations | {} | Annotations to add to the Service |
| registry.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| registry.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| registry.tokenIssuer | gitlab-issuer | JWT token issuer |
| registry.tokenService | container_registry | JWT token service |
| registry.profiling.stackdriver.enabled | false | Enable continuous profiling using Stackdriver |
| registry.profiling.stackdriver.credentials.secret | gitlab-registry-profiling-creds | Name of the secret containing credentials |
| registry.profiling.stackdriver.credentials.key | credentials | Secret key in which the credentials are stored |
| registry.profiling.stackdriver.service | RELEASE-registry (templated Service name) | Name of the Stackdriver service to record profiles under |
| registry.profiling.stackdriver.projectid | GCP project where running | GCP project to report profiles to |

Advanced MinIO configuration

| Parameter | Default | Description |
|---|---|---|
| minio.defaultBuckets | [{"name": "registry"}] | MinIO default buckets |
| minio.image | minio/minio | MinIO image |
| minio.imagePullPolicy | | MinIO image pull policy |
| minio.imageTag | RELEASE.2017-12-28T01-21-00Z | MinIO image tag |
| minio.minioConfig.browser | on | MinIO browser flag |
| minio.minioConfig.domain | | MinIO domain |
| minio.minioConfig.region | us-east-1 | MinIO region |
| minio.mountPath | /export | MinIO configuration file mount path |
| minio.persistence.accessMode | ReadWriteOnce | MinIO persistence access mode |
| minio.persistence.enabled | true | MinIO enable persistence flag |
| minio.persistence.matchExpressions | | MinIO label-expression matches to bind |
| minio.persistence.matchLabels | | MinIO label-value matches to bind |
| minio.persistence.size | 10Gi | MinIO persistence volume size |
| minio.persistence.storageClass | | MinIO storageClassName for provisioning |
| minio.persistence.subPath | | MinIO persistence volume mount path |
| minio.persistence.volumeName | | MinIO existing persistent volume name |
| minio.resources.requests.cpu | 250m | MinIO minimum CPU requested |
| minio.resources.requests.memory | 256Mi | MinIO minimum memory requested |
| minio.service.annotations | {} | Annotations to add to the Service |
| minio.servicePort | 9000 | MinIO service port |
| minio.serviceType | ClusterIP | MinIO service type |

Advanced GitLab configuration

| Parameter | Default | Description |
|---|---|---|
| gitlab-runner.checkInterval | 30s | polling interval |
| gitlab-runner.concurrent | 20 | number of concurrent jobs |
| gitlab-runner.imagePullPolicy | IfNotPresent | image pull policy |
| gitlab-runner.image | gitlab/gitlab-runner:alpine-v10.5.0 | runner image |
| gitlab-runner.gitlabUrl | GitLab external URL | URL that the Runner uses to register to GitLab Server |
| gitlab-runner.install | true | install the gitlab-runner chart |
| gitlab-runner.rbac.clusterWideAccess | false | deploy containers of jobs cluster-wide |
| gitlab-runner.rbac.create | true | whether to create RBAC service account |
| gitlab-runner.rbac.serviceAccountName | default | name of the RBAC service account to create |
| gitlab-runner.resources.limits.cpu | | runner resources |
| gitlab-runner.resources.limits.memory | | runner resources |
| gitlab-runner.resources.requests.cpu | | runner resources |
| gitlab-runner.resources.requests.memory | | runner resources |
| gitlab-runner.runners.privileged | false | run in privileged mode, needed for dind |
| gitlab-runner.runners.cache.secretName | gitlab-minio | secret to get accesskey and secretkey from |
| gitlab-runner.runners.config | See Chart documentation | Runner configuration as string |
| gitlab-runner.unregisterRunners | true | Unregisters all runners in the local config.toml when the chart is installed. If the token is prefixed with glrt-, the runner manager is deleted, not the runner. The runner manager is identified by the runner and the machine that contains the config.toml. If the runner was registered with a registration token, the runner is deleted. |
| gitlab.geo-logcursor.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.geo-logcursor.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.gitaly.authToken.key | token | Key to Gitaly token in the secret |
| gitlab.gitaly.authToken.secret | {.Release.Name}-gitaly-secret | Gitaly secret name |
| gitlab.gitaly.image.pullPolicy | | Gitaly image pull policy |
| gitlab.gitaly.image.repository | registry.gitlab.com/gitlab-org/build/cng/gitaly | Gitaly image repository |
| gitlab.gitaly.image.tag | master | Gitaly image tag |
| gitlab.gitaly.persistence.accessMode | ReadWriteOnce | Gitaly persistence access mode |
| gitlab.gitaly.persistence.enabled | true | Gitaly enable persistence flag |
| gitlab.gitaly.persistence.matchExpressions | | Label-expression matches to bind |
| gitlab.gitaly.persistence.matchLabels | | Label-value matches to bind |
| gitlab.gitaly.persistence.size | 50Gi | Gitaly persistence volume size |
| gitlab.gitaly.persistence.storageClass | | storageClassName for provisioning |
| gitlab.gitaly.persistence.subPath | | Gitaly persistence volume mount path |
| gitlab.gitaly.persistence.volumeName | | Existing persistent volume name |
| gitlab.gitaly.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.gitaly.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.gitaly.service.annotations | {} | Annotations to add to the Service |
| gitlab.gitaly.service.externalPort | 8075 | Gitaly service exposed port |
| gitlab.gitaly.service.internalPort | 8075 | Gitaly internal port |
| gitlab.gitaly.service.name | gitaly | Gitaly service name |
| gitlab.gitaly.service.type | ClusterIP | Gitaly service type |
| gitlab.gitaly.serviceName | gitaly | Gitaly service name |
| gitlab.gitaly.shell.authToken.key | secret | Shell key |
| gitlab.gitaly.shell.authToken.secret | {Release.Name}-gitlab-shell-secret | Shell secret |
| gitlab.gitlab-exporter.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.gitlab-exporter.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.gitlab-shell.authToken.key | secret | Shell auth secret key |
| gitlab.gitlab-shell.authToken.secret | {Release.Name}-gitlab-shell-secret | Shell auth secret |
| gitlab.gitlab-shell.enabled | true | Shell enable flag |
| gitlab.gitlab-shell.image.pullPolicy | | Shell image pull policy |
| gitlab.gitlab-shell.image.repository | registry.gitlab.com/gitlab-org/build/cng/gitlab-shell | Shell image repository |
| gitlab.gitlab-shell.image.tag | master | Shell image tag |
| gitlab.gitlab-shell.replicaCount | 1 | Shell replicas |
| gitlab.gitlab-shell.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.gitlab-shell.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.gitlab-shell.service.annotations | {} | Annotations to add to the Service |
| gitlab.gitlab-shell.service.internalPort | 2222 | Shell internal port |
| gitlab.gitlab-shell.service.name | gitlab-shell | Shell service name |
| gitlab.gitlab-shell.service.type | ClusterIP | Shell service type |
| gitlab.gitlab-shell.webservice.serviceName | inherited from global.webservice.serviceName | Webservice service name |
| gitlab.mailroom.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.mailroom.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.migrations.bootsnap.enabled | true | Migrations Bootsnap enable flag |
| gitlab.migrations.enabled | true | Migrations enable flag |
| gitlab.migrations.image.pullPolicy | | Migrations pull policy |
| gitlab.migrations.image.repository | registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee | Migrations image repository |
| gitlab.migrations.image.tag | master | Migrations image tag |
| gitlab.migrations.psql.password.key | psql-password | key to psql password in psql secret |
| gitlab.migrations.psql.password.secret | gitlab-postgres | psql secret |
| gitlab.migrations.psql.port | | Set PostgreSQL server port. Takes precedence over global.psql.port |
| gitlab.migrations.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.migrations.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.sidekiq.concurrency | 20 | Sidekiq default concurrency |
| gitlab.sidekiq.enabled | true | Sidekiq enabled flag |
| gitlab.sidekiq.gitaly.authToken.key | token | key to Gitaly token in Gitaly secret |
| gitlab.sidekiq.gitaly.authToken.secret | {.Release.Name}-gitaly-secret | Gitaly secret |
| gitlab.sidekiq.gitaly.serviceName | gitaly | Gitaly service name |
| gitlab.sidekiq.image.pullPolicy | | Sidekiq image pull policy |
| gitlab.sidekiq.image.repository | registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee | Sidekiq image repository |
| gitlab.sidekiq.image.tag | master | Sidekiq image tag |
| gitlab.sidekiq.psql.password.key | psql-password | key to psql password in psql secret |
| gitlab.sidekiq.psql.password.secret | gitlab-postgres | psql password secret |
| gitlab.sidekiq.psql.port | | Set PostgreSQL server port. Takes precedence over global.psql.port |
| gitlab.sidekiq.replicas | 1 | Sidekiq replicas |
| gitlab.sidekiq.resources.requests.cpu | 100m | Sidekiq minimum needed CPU |
| gitlab.sidekiq.resources.requests.memory | 600M | Sidekiq minimum needed memory |
| gitlab.sidekiq.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.sidekiq.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.sidekiq.timeout | 5 | Sidekiq job timeout |
| gitlab.toolbox.annotations | {} | Annotations to add to the toolbox |
| gitlab.toolbox.backups.cron.enabled | false | Backup CronJob enabled flag |
| gitlab.toolbox.backups.cron.extraArgs | | String of arguments to pass to the backup utility |
| gitlab.toolbox.backups.cron.persistence.accessMode | ReadWriteOnce | Backup cron persistence access mode |
| gitlab.toolbox.backups.cron.persistence.enabled | false | Backup cron enable persistence flag |
| gitlab.toolbox.backups.cron.persistence.matchExpressions | | Label-expression matches to bind |
| gitlab.toolbox.backups.cron.persistence.matchLabels | | Label-value matches to bind |
| gitlab.toolbox.backups.cron.persistence.size | 10Gi | Backup cron persistence volume size |
| gitlab.toolbox.backups.cron.persistence.storageClass | | storageClassName for provisioning |
| gitlab.toolbox.backups.cron.persistence.subPath | | Backup cron persistence volume mount path |
| gitlab.toolbox.backups.cron.persistence.volumeName | | Existing persistent volume name |
| gitlab.toolbox.backups.cron.resources.requests.cpu | 50m | Backup cron minimum needed CPU |
| gitlab.toolbox.backups.cron.resources.requests.memory | 350M | Backup cron minimum needed memory |
| gitlab.toolbox.backups.cron.schedule | 0 1 * * * | Cron style schedule string |
| gitlab.toolbox.backups.objectStorage.backend | s3 | Object storage provider to use (s3, gcs, or azure) |
| gitlab.toolbox.backups.objectStorage.config.gcpProject | "" | GCP Project to use when backend is gcs |
| gitlab.toolbox.backups.objectStorage.config.key | "" | key containing credentials in secret |
| gitlab.toolbox.backups.objectStorage.config.secret | "" | Object storage credentials secret |
| gitlab.toolbox.backups.objectStorage.config | {} | Authentication information for object storage |
| gitlab.toolbox.bootsnap.enabled | true | Enable Bootsnap cache in Toolbox |
| gitlab.toolbox.enabled | true | Toolbox enabled flag |
| gitlab.toolbox.image.pullPolicy | IfNotPresent | Toolbox image pull policy |
| gitlab.toolbox.image.repository | registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee | Toolbox image repository |
| gitlab.toolbox.image.tag | master | Toolbox image tag |
| gitlab.toolbox.init.image.repository | | Toolbox init image repository |
| gitlab.toolbox.init.image.tag | | Toolbox init image tag |
| gitlab.toolbox.init.resources.requests.cpu | 50m | Toolbox init minimum needed CPU |
| gitlab.toolbox.persistence.accessMode | ReadWriteOnce | Toolbox persistence access mode |
| gitlab.toolbox.persistence.enabled | false | Toolbox enable persistence flag |
| gitlab.toolbox.persistence.matchExpressions | | Label-expression matches to bind |
| gitlab.toolbox.persistence.matchLabels | | Label-value matches to bind |
| gitlab.toolbox.persistence.size | 10Gi | Toolbox persistence volume size |
| gitlab.toolbox.persistence.storageClass | | storageClassName for provisioning |
| gitlab.toolbox.persistence.subPath | | Toolbox persistence volume mount path |
| gitlab.toolbox.persistence.volumeName | | Existing persistent volume name |
| gitlab.toolbox.psql.port | | Set PostgreSQL server port. Takes precedence over global.psql.port |
| gitlab.toolbox.resources.requests.cpu | 50m | Toolbox minimum needed CPU |
| gitlab.toolbox.resources.requests.memory | 350M | Toolbox minimum needed memory |
| gitlab.toolbox.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.toolbox.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.webservice.enabled | true | webservice enabled flag |
| gitlab.webservice.gitaly.authToken.key | token | Key to Gitaly token in Gitaly secret |
| gitlab.webservice.gitaly.authToken.secret | {.Release.Name}-gitaly-secret | Gitaly secret name |
| gitlab.webservice.gitaly.serviceName | gitaly | Gitaly service name |
| gitlab.webservice.image.pullPolicy | | webservice image pull policy |
| gitlab.webservice.image.repository | registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee | webservice image repository |
| gitlab.webservice.image.tag | master | webservice image tag |
| gitlab.webservice.psql.password.key | psql-password | Key to psql password in psql secret |
| gitlab.webservice.psql.password.secret | gitlab-postgres | psql secret name |
| gitlab.webservice.psql.port | | Set PostgreSQL server port. Takes precedence over global.psql.port |
| global.registry.enabled | true | Enable registry. Mirrors registry.enabled |
| global.registry.api.port | 5000 | Registry port |
| global.registry.api.protocol | http | Registry protocol |
| global.registry.api.serviceName | registry | Registry service name |
| global.registry.tokenIssuer | gitlab-issuer | Registry token issuer |
| gitlab.webservice.replicaCount | 1 | webservice number of replicas |
| gitlab.webservice.resources.requests.cpu | 200m | webservice minimum CPU |
| gitlab.webservice.resources.requests.memory | 1.4G | webservice minimum memory |
| gitlab.webservice.securityContext.fsGroup | 1000 | Group ID under which the pod should be started |
| gitlab.webservice.securityContext.runAsUser | 1000 | User ID under which the pod should be started |
| gitlab.webservice.service.annotations | {} | Annotations to add to the Service |
| gitlab.webservice.http.enabled | true | webservice HTTP enabled |
| gitlab.webservice.service.externalPort | 8080 | webservice exposed port |
| gitlab.webservice.service.internalPort | 8080 | webservice internal port |
| gitlab.webservice.tls.enabled | false | webservice TLS enabled |
| gitlab.webservice.tls.secretName | {Release.Name}-webservice-tls | webservice secret name of TLS key |
| gitlab.webservice.service.tls.externalPort | 8081 | webservice TLS exposed port |
| gitlab.webservice.service.tls.internalPort | 8081 | webservice TLS internal port |
| gitlab.webservice.service.type | ClusterIP | webservice service type |
| gitlab.webservice.service.workhorseExternalPort | 8181 | Workhorse exposed port |
| gitlab.webservice.service.workhorseInternalPort | 8181 | Workhorse internal port |
| gitlab.webservice.shell.authToken.key | secret | Key to shell token in shell secret |
| gitlab.webservice.shell.authToken.secret | {Release.Name}-gitlab-shell-secret | Shell token secret |
| gitlab.webservice.workerProcesses | 2 | webservice number of workers |
| gitlab.webservice.workerTimeout | 60 | webservice worker timeout |
| gitlab.webservice.workhorse.extraArgs | "" | String of extra parameters for workhorse |
| gitlab.webservice.workhorse.image | registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee | Workhorse image repository |
| gitlab.webservice.workhorse.sentryDSN | "" | DSN for Sentry instance for error reporting |
| gitlab.webservice.workhorse.tag | | Workhorse image tag |

External charts

GitLab makes use of several other charts. These are treated as parent-child relationships. Ensure that any properties you wish to configure are provided as chart-name.property.

Prometheus

Prefix Prometheus values with prometheus. For example, set the persistence storage value using prometheus.server.persistentVolume.size. To disable Prometheus set prometheus.install=false.

Refer to the Prometheus chart documentation for the exhaustive list of configuration options.

PostgreSQL

Prefix PostgreSQL values with postgresql. For example, set the storage class of the primary by using postgresql.primary.persistence.storageClass.

Refer to the Bitnami PostgreSQL chart documentation for the exhaustive list of configuration options.

Bringing your own images

In certain scenarios (for example, an offline environment), you may want to bring your own images rather than pulling them down from the Internet. This requires specifying your own Docker image registry/repository for each of the charts that make up the GitLab release.

Refer to the custom images documentation for more information.