GitLab Helm chart deployment options

You can supply these configuration options to the helm install command by using the --set flags.

The source of the default values.yaml file can be found here. These contents change over releases, but you can use Helm itself to retrieve these on a per-version basis:

helm inspect values gitlab/gitlab

Basic configuration

ParameterDescriptionDefault
gitlab.migrations.initialRootPassword.keyKey pointing to the root account password in the migrations secretpassword
gitlab.migrations.initialRootPassword.secretGlobal name of the secret containing the root account password{Release.Name}-gitlab-initial-root-password
global.gitlab.license.keyKey pointing to the Enterprise license in the license secretlicense
global.gitlab.license.secretGlobal name of the secret containing the Enterprise licensenone
global.application.createCreate an Application resource for GitLabfalse
global.editionThe edition of GitLab to install. Enterprise Edition (ee) or Community Edition (ce)ee
global.gitaly.enabledGitaly enable flagtrue
global.hosts.domainDomain name that will be used for all publicly exposed servicesRequired
global.hosts.externalIPStatic IP to assign to NGINX Ingress ControllerRequired
global.hosts.sshDomain name that will be used for Git SSH accessgitlab.{global.hosts.domain}
global.imagePullPolicyDEPRECATED: Use global.image.pullPolicy insteadIfNotPresent
global.image.pullPolicySet default imagePullPolicy for all charts none (default behavior is IfNotPresent)
global.image.pullSecretsSet default imagePullSecrets for all charts (use a list of name and value pairs)none
global.minio.enabledMinIO enable flagtrue
global.psql.hostGlobal hostname of an external psql, overrides subcharts’ psql configurationUses in-cluster non-production PostgreSQL
global.psql.password.keyKey pointing to the psql password in the psql secretUses in-cluster non-production PostgreSQL
global.psql.password.secretGlobal name of the secret containing the psql passwordUses in-cluster non-production PostgreSQL
global.registry.bucketregistry bucket nameregistry
global.service.annotationsAnnotations to add to every Service {}
global.deployment.annotationsAnnotations to add to every Deployment {}
global.time_zoneGlobal time zoneUTC

TLS configuration

ParameterDescriptionDefault
certmanager-issuer.emailEmail for Let’s Encrypt accountfalse
gitlab.webservice.ingress.tls.secretNameExisting Secret containing TLS certificate and key for GitLabnone
gitlab.webservice.ingress.tls.smartcardSecretNameExisting Secret containing TLS certificate and key for the GitLab smartcard auth domainnone
global.hosts.httpsServe over httpstrue
global.ingress.configureCertmanagerConfigure cert-manager to get certificates from Let’s Encrypttrue
global.ingress.tls.secretNameExisting Secret containing wildcard TLS certificate and keynone
minio.ingress.tls.secretNameExisting Secret containing TLS certificate and key for MinIOnone
registry.ingress.tls.secretNameExisting Secret containing TLS certificate and key for registrynone

Outgoing Email configuration

ParameterDescriptionDefault
global.email.display_nameName that appears as the sender for emails from GitLabGitLab
global.email.fromEmail address that appears as the sender for emails from GitLabgitlab@example.com
global.email.reply_toReply-to email listed in emails from GitLabnoreply@example.com
global.email.smime.certNameSecret object key value for locating the S/MIME certificate filetls.crt
global.email.smime.enabledAdd the S/MIME signatures to outgoing emailfalse
global.email.smime.keyNameSecret object key value for locating the S/MIME key filetls.key
global.email.smime.secretNameKubernetes Secret object to find the X.509 certificate (S/MIME Cert for creation )””
global.email.subject_suffixSuffix on the subject of all outgoing email from GitLab””
global.smtp.addressHostname or IP of the remote mail serversmtp.mailgun.org
global.smtp.authenticationType of SMTP authentication (“plain”, “login”, “cram_md5”, or “” for no authentication)plain
global.smtp.domainOptional HELO domain for SMTP””
global.smtp.enabledEnable outgoing emailfalse
global.smtp.openssl_verify_modeTLS verification mode (“none”, “peer”, “client_once”, or “fail_if_no_peer_cert”)peer
global.smtp.password.keyKey in global.smtp.password.secret that contains the SMTP passwordpassword
global.smtp.password.secretName of a Secret containing the SMTP password””
global.smtp.portPort for SMTP2525
global.smtp.starttls_autoUse STARTTLS if enabled on the mail serverfalse
global.smtp.tlsEnables SMTP/TLS (SMTPS: SMTP over direct TLS connection)none
global.smtp.user_nameUsername for SMTP authentication https””
global.smtp.poolEnables SMTP connection poolingfalse

Incoming Email configuration

Common settings

ParameterDescriptionDefault
global.appConfig.incomingEmail.addressThe email address to reference the item being replied to (example: gitlab-incoming+%{key}@gmail.com)empty
global.appConfig.incomingEmail.enabledEnable incoming emailfalse
global.appConfig.incomingEmail.expungeDeletedWhether to expunge (permanently remove) messages from the mailbox when they are deleted after deliveryfalse
global.appConfig.incomingEmail.logger.logPathPath to write JSON structured logs to; set to “” to disable this logging/dev/stdout
global.appConfig.incomingEmail.inboxMethodRead mail with IMAP (imap) or Microsoft Graph API with OAuth2 (microsoft_graph)imap
global.appConfig.incomingEmail.deliveryMethodHow mailroom can send an email content to Rails app for processing. Either sidekiq or webhook webhook
gitlab.appConfig.incomingEmail.authToken.keyKey to incoming email token in incoming email secret. Effective when the delivery method is webhook.authToken
gitlab.appConfig.incomingEmail.authToken.secretIncoming email authentication secret. Effective when the delivery method is webhook.{Release.Name}-incoming-email-auth-token

IMAP settings

ParameterDescriptionDefault
global.appConfig.incomingEmail.hostHost for IMAPempty
global.appConfig.incomingEmail.idleTimeoutThe IDLE command timeout60
global.appConfig.incomingEmail.mailboxMailbox where incoming mail will end up.inbox
global.appConfig.incomingEmail.password.keyKey in global.appConfig.incomingEmail.password.secret that contains the IMAP passwordpassword
global.appConfig.incomingEmail.password.secretName of a Secret containing the IMAP passwordempty
global.appConfig.incomingEmail.portPort for IMAP993
global.appConfig.incomingEmail.sslWhether IMAP server uses SSLtrue
global.appConfig.incomingEmail.startTlsWhether IMAP server uses StartTLSfalse
global.appConfig.incomingEmail.userUsername for IMAP authenticationempty

Microsoft Graph settings

ParameterDescriptionDefault
global.appConfig.incomingEmail.tenantIdThe tenant ID for your Microsoft Azure Active Directoryempty
global.appConfig.incomingEmail.clientIdThe client ID for your OAuth2 appempty
global.appConfig.incomingEmail.clientSecret.keyKey in appConfig.incomingEmail.clientSecret.secret that contains the OAuth2 client secretempty
global.appConfig.incomingEmail.clientSecret.secretName of a Secret containing the OAuth2 client secretsecret
global.appConfig.incomingEmail.pollIntervalThe interval in seconds how often to poll for new mail60
global.appConfig.incomingEmail.azureAdEndpointThe URL of the Azure Active Directory endpoint (example: https://login.microsoftonline.com)empty
global.appConfig.incomingEmail.graphEndpointThe URL of the Microsoft Graph endpoint (example: https://graph.microsoft.com)empty

See the instructions for creating secrets.

Service Desk Email configuration

As a requirement for Service Desk, the Incoming Mail must be configured. Note that the email address for both Incoming Mail and Service Desk must use email sub-addressing. When setting the email addresses in each section the tag added to the username must be +%{key}.

Common settings

ParameterDescriptionDefault
global.appConfig.serviceDeskEmail.addressThe email address to reference the item being replied to (example: project_contact+%{key}@gmail.com)empty
global.appConfig.serviceDeskEmail.enabledEnable Service Desk emailfalse
global.appConfig.serviceDeskEmail.expungeDeletedWhether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after deliveryfalse
global.appConfig.serviceDeskEmail.logger.logPathPath to write JSON structured logs to; set to “” to disable this logging/dev/stdout
global.appConfig.serviceDeskEmail.inboxMethodRead mail with IMAP (imap) or Microsoft Graph API with OAuth2 (microsoft_graph)imap
global.appConfig.serviceDeskEmail.deliveryMethodHow mailroom can send an email content to Rails app for processing. Either sidekiq or webhook webhook
gitlab.appConfig.serviceDeskEmail.authToken.keyKey to Service Desk email token in Service Desk email secret. Effective when the delivery method is webhook.authToken
gitlab.appConfig.serviceDeskEmail.authToken.secretservice-desk email authentication secret. Effective when the delivery method is webhook.{Release.Name}-service-desk-email-auth-token

IMAP settings

ParameterDescriptionDefault
global.appConfig.serviceDeskEmail.hostHost for IMAPempty
global.appConfig.serviceDeskEmail.idleTimeoutThe IDLE command timeout60
global.appConfig.serviceDeskEmail.mailboxMailbox where Service Desk mail will end up.inbox
global.appConfig.serviceDeskEmail.password.keyKey in global.appConfig.serviceDeskEmail.password.secret that contains the IMAP passwordpassword
global.appConfig.serviceDeskEmail.password.secretName of a Secret containing the IMAP passwordempty
global.appConfig.serviceDeskEmail.portPort for IMAP993
global.appConfig.serviceDeskEmail.sslWhether IMAP server uses SSLtrue
global.appConfig.serviceDeskEmail.startTlsWhether IMAP server uses StartTLSfalse
global.appConfig.serviceDeskEmail.userUsername for IMAP authenticationempty

Microsoft Graph settings

ParameterDescriptionDefault
global.appConfig.serviceDeskEmail.tenantIdThe tenant ID for your Microsoft Azure Active Directoryempty
global.appConfig.serviceDeskEmail.clientIdThe client ID for your OAuth2 appempty
global.appConfig.serviceDeskEmail.clientSecret.keyKey in appConfig.serviceDeskEmail.clientSecret.secret that contains the OAuth2 client secretempty
global.appConfig.serviceDeskEmail.clientSecret.secretName of a Secret containing the OAuth2 client secretsecret
global.appConfig.serviceDeskEmail.pollIntervalThe interval in seconds how often to poll for new mail60
global.appConfig.serviceDeskEmail.azureAdEndpointThe URL of the Azure Active Directory endpoint (example: https://login.microsoftonline.com)empty
global.appConfig.serviceDeskEmail.graphEndpointThe URL of the Microsoft Graph endpoint (example: https://graph.microsoft.com)empty

See the instructions for creating secrets.

Default Project Features configuration

ParameterDescriptionDefault
global.appConfig.defaultProjectsFeatures.buildsEnable project buildstrue
global.appConfig.defaultProjectsFeatures.containerRegistryEnable container registry project featurestrue
global.appConfig.defaultProjectsFeatures.issuesEnable project issuestrue
global.appConfig.defaultProjectsFeatures.mergeRequestsEnable project merge requeststrue
global.appConfig.defaultProjectsFeatures.snippetsEnable project snippetstrue
global.appConfig.defaultProjectsFeatures.wikiEnable project wikistrue

GitLab Shell

ParameterDescriptionDefault
global.shell.authTokenSecret containing shared secret 
global.shell.hostKeysSecret containing SSH host keys 
global.shell.portPort number to expose on Ingress for SSH 
global.shell.tcp.proxyProtocolEnable ProxyProtocol in SSH Ingressfalse

RBAC Settings

ParameterDescriptionDefault
certmanager.rbac.createCreate and use RBAC resourcestrue
gitlab-runner.rbac.createCreate and use RBAC resourcestrue
nginx-ingress.rbac.createCreate and use default RBAC resourcesfalse
nginx-ingress.rbac.createClusterRoleCreate and use Cluster rolefalse
nginx-ingress.rbac.createRoleCreate and use namespaced roletrue
prometheus.rbac.createCreate and use RBAC resourcestrue

Advanced NGINX Ingress configuration

Prefix NGINX Ingress values with nginx-ingress. For example, set the controller image tag using nginx-ingress.controller.image.tag.

See nginx-ingress chart.

Advanced in-cluster Redis configuration

ParameterDescriptionDefault
redis.installInstall the bitnami/redis charttrue
redis.existingSecretSpecify the Secret for Redis servers to usegitlab-redis-secret
redis.existingSecretKeySecret key where password is storedredis-password

Any additional configuration of the Redis service should use the configuration settings from the Redis chart.

Advanced registry configuration

ParameterDescriptionDefault
registry.authEndpointAuth endpointUndefined by default
registry.enabledEnable Docker registrytrue
registry.httpSecretHttps secret 
registry.minio.bucketMinIO registry bucket nameregistry
registry.service.annotationsAnnotations to add to the Service {}
registry.securityContext.fsGroupGroup ID under which the pod should be started1000
registry.securityContext.runAsUserUser ID under which the pod should be started1000
registry.tokenIssuerJWT token issuergitlab-issuer
registry.tokenServiceJWT token servicecontainer_registry
registry.profiling.stackdriver.enabledEnable continuous profiling using Stackdriverfalse
registry.profiling.stackdriver.credentials.secretName of the secret containing credentialsgitlab-registry-profiling-creds
registry.profiling.stackdriver.credentials.keySecret key in which the credentials are storedcredentials
registry.profiling.stackdriver.serviceName of the Stackdriver service to record profiles under RELEASE-registry (templated Service name)
registry.profiling.stackdriver.projectidGCP project to report profiles toGCP project where running

Advanced MinIO configuration

ParameterDescriptionDefault
minio.defaultBucketsMinIO default buckets[{"name": "registry"}]
minio.imageMinIO imageminio/minio
minio.imagePullPolicyMinIO image pull policy 
minio.imageTagMinIO image tagRELEASE.2017-12-28T01-21-00Z
minio.minioConfig.browserMinIO browser flagon
minio.minioConfig.domainMinIO domain 
minio.minioConfig.regionMinIO regionus-east-1
minio.mountPathMinIO configuration file mount path/export
minio.persistence.accessModeMinIO persistence access modeReadWriteOnce
minio.persistence.enabledMinIO enable persistence flagtrue
minio.persistence.matchExpressionsMinIO label-expression matches to bind 
minio.persistence.matchLabelsMinIO label-value matches to bind 
minio.persistence.sizeMinIO persistence volume size10Gi
minio.persistence.storageClassMinIO storageClassName for provisioning 
minio.persistence.subPathMinIO persistence volume mount path 
minio.persistence.volumeNameMinIO existing persistent volume name 
minio.replicasMinIO number of replicas4
minio.resources.requests.cpuMinIO minimum CPU requested250m
minio.resources.requests.memoryMinIO minimum memory requested256Mi
minio.service.annotationsAnnotations to add to the Service {}
minio.servicePortMinIO service port9000
minio.serviceTypeMinIO service typeClusterIP

Advanced GitLab configuration

ParameterDescriptionDefault
gitlab-runner.checkIntervalpolling interval30s
gitlab-runner.concurrentnumber of concurrent jobs20
gitlab-runner.imagePullPolicyimage pull policyIfNotPresent
gitlab-runner.imagerunner imagegitlab/gitlab-runner:alpine-v10.5.0
gitlab-runner.gitlabUrlURL that the Runner uses to register to GitLab ServerGitLab external URL
gitlab-runner.installinstall the gitlab-runner charttrue
gitlab-runner.rbac.clusterWideAccessdeploy containers of jobs cluster-widefalse
gitlab-runner.rbac.createwhether to create RBAC service accounttrue
gitlab-runner.rbac.serviceAccountNamename of the RBAC service account to createdefault
gitlab-runner.resources.limits.cpurunner resources 
gitlab-runner.resources.limits.memoryrunner resources 
gitlab-runner.resources.requests.cpurunner resources 
gitlab-runner.resources.requests.memoryrunner resources 
gitlab-runner.runners.privilegedrun in privileged mode, needed for dind false
gitlab-runner.runners.cache.secretNamesecret to get accesskey and secretkey fromgitlab-minio
gitlab-runner.runners.configRunner configuration as stringSee Chart documentation
gitlab-runner.unregisterRunnersunregister all runners before terminationtrue
gitlab.geo-logcursor.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.geo-logcursor.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.gitaly.authToken.keyKey to Gitaly token in the secrettoken
gitlab.gitaly.authToken.secretGitaly secret name{.Release.Name}-gitaly-secret
gitlab.gitaly.image.pullPolicyGitaly image pull policy 
gitlab.gitaly.image.repositoryGitaly image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitaly
gitlab.gitaly.image.tagGitaly image tagmaster
gitlab.gitaly.persistence.accessModeGitaly persistence access modeReadWriteOnce
gitlab.gitaly.persistence.enabledGitaly enable persistence flagtrue
gitlab.gitaly.persistence.matchExpressionsLabel-expression matches to bind 
gitlab.gitaly.persistence.matchLabelsLabel-value matches to bind 
gitlab.gitaly.persistence.sizeGitaly persistence volume size50Gi
gitlab.gitaly.persistence.storageClassstorageClassName for provisioning 
gitlab.gitaly.persistence.subPathGitaly persistence volume mount path 
gitlab.gitaly.persistence.volumeNameExisting persistent volume name 
gitlab.gitaly.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.gitaly.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.gitaly.service.annotationsAnnotations to add to the Service {}
gitlab.gitaly.service.externalPortGitaly service exposed port8075
gitlab.gitaly.service.internalPortGitaly internal port8075
gitlab.gitaly.service.nameGitaly service namegitaly
gitlab.gitaly.service.typeGitaly service typeClusterIP
gitlab.gitaly.serviceNameGitaly service namegitaly
gitlab.gitaly.shell.authToken.keyShell keysecret
gitlab.gitaly.shell.authToken.secretShell secret{Release.Name}-gitlab-shell-secret
gitlab.gitlab-exporter.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.gitlab-exporter.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.gitlab-shell.authToken.keyShell auth secret keysecret
gitlab.gitlab-shell.authToken.secretShell auth secret{Release.Name}-gitlab-shell-secret
gitlab.gitlab-shell.enabledShell enable flagtrue
gitlab.gitlab-shell.image.pullPolicyShell image pull policy 
gitlab.gitlab-shell.image.repositoryShell image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitlab-shell
gitlab.gitlab-shell.image.tagShell image tagmaster
gitlab.gitlab-shell.replicaCountShell replicas1
gitlab.gitlab-shell.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.gitlab-shell.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.gitlab-shell.service.annotationsAnnotations to add to the Service {}
gitlab.gitlab-shell.service.internalPortShell internal port2222
gitlab.gitlab-shell.service.nameShell service namegitlab-shell
gitlab.gitlab-shell.service.typeShell service typeClusterIP
gitlab.gitlab-shell.webservice.serviceNameWebservice service nameinherited from global.webservice.serviceName
gitlab.mailroom.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.mailroom.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.migrations.bootsnap.enabledMigrations Bootsnap enable flagtrue
gitlab.migrations.enabledMigrations enable flagtrue
gitlab.migrations.image.pullPolicyMigrations pull policy 
gitlab.migrations.image.repositoryMigrations image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee
gitlab.migrations.image.tagMigrations image tagmaster
gitlab.migrations.psql.password.keykey to psql password in psql secretpsql-password
gitlab.migrations.psql.password.secretpsql secretgitlab-postgres
gitlab.migrations.psql.portSet PostgreSQL server port. Takes precedence over global.psql.port  
gitlab.migrations.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.migrations.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.sidekiq.concurrencySidekiq default concurrency10
gitlab.sidekiq.enabledSidekiq enabled flagtrue
gitlab.sidekiq.gitaly.authToken.keykey to Gitaly token in Gitaly secrettoken
gitlab.sidekiq.gitaly.authToken.secretGitaly secret{.Release.Name}-gitaly-secret
gitlab.sidekiq.gitaly.serviceNameGitaly service namegitaly
gitlab.sidekiq.image.pullPolicySidekiq image pull policy 
gitlab.sidekiq.image.repositorySidekiq image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee
gitlab.sidekiq.image.tagSidekiq image tagmaster
gitlab.sidekiq.psql.password.keykey to psql password in psql secretpsql-password
gitlab.sidekiq.psql.password.secretpsql password secretgitlab-postgres
gitlab.sidekiq.psql.portSet PostgreSQL server port. Takes precedence over global.psql.port  
gitlab.sidekiq.replicasSidekiq replicas1
gitlab.sidekiq.resources.requests.cpuSidekiq minimum needed CPU100m
gitlab.sidekiq.resources.requests.memorySidekiq minimum needed memory600M
gitlab.sidekiq.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.sidekiq.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.sidekiq.timeoutSidekiq job timeout5
gitlab.toolbox.annotationsAnnotations to add to the toolbox{}
gitlab.toolbox.backups.cron.enabledBackup CronJob enabled flagfalse
gitlab.toolbox.backups.cron.extraArgsString of arguments to pass to the backup utility 
gitlab.toolbox.backups.cron.persistence.accessModeBackup cron persistence access modeReadWriteOnce
gitlab.toolbox.backups.cron.persistence.enabledBackup cron enable persistence flagfalse
gitlab.toolbox.backups.cron.persistence.matchExpressionsLabel-expression matches to bind 
gitlab.toolbox.backups.cron.persistence.matchLabelsLabel-value matches to bind 
gitlab.toolbox.backups.cron.persistence.sizeBackup cron persistence volume size10Gi
gitlab.toolbox.backups.cron.persistence.storageClassstorageClassName for provisioning 
gitlab.toolbox.backups.cron.persistence.subPathBackup cron persistence volume mount path 
gitlab.toolbox.backups.cron.persistence.volumeNameExisting persistent volume name 
gitlab.toolbox.backups.cron.resources.requests.cpuBackup cron minimum needed CPU50m
gitlab.toolbox.backups.cron.resources.requests.memoryBackup cron minimum needed memory350M
gitlab.toolbox.backups.cron.scheduleCron style schedule string0 1 * * *
gitlab.toolbox.backups.objectStorage.backendObject storage provider to use (s3 or gcs)s3
gitlab.toolbox.backups.objectStorage.config.gcpProjectGCP Project to use when backend is gcs ””
gitlab.toolbox.backups.objectStorage.config.keykey containing credentials in secret””
gitlab.toolbox.backups.objectStorage.config.secretObject storage credentials secret””
gitlab.toolbox.backups.objectStorage.configAuthentication information for object storage{}
gitlab.toolbox.bootsnap.enabledEnable Bootsnap cache in Toolboxtrue
gitlab.toolbox.enabledToolbox enabled flagtrue
gitlab.toolbox.image.pullPolicyToolbox image pull policyIfNotPresent
gitlab.toolbox.image.repositoryToolbox image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee
gitlab.toolbox.image.tagToolbox image tagmaster
gitlab.toolbox.init.image.repositoryToolbox init image repository 
gitlab.toolbox.init.image.tagToolbox init image tag 
gitlab.toolbox.init.resources.requests.cpuToolbox init minimum needed CPU50m
gitlab.toolbox.persistence.accessModeToolbox persistence access modeReadWriteOnce
gitlab.toolbox.persistence.enabledToolbox enable persistence flagfalse
gitlab.toolbox.persistence.matchExpressionsLabel-expression matches to bind 
gitlab.toolbox.persistence.matchLabelsLabel-value matches to bind 
gitlab.toolbox.persistence.sizeToolbox persistence volume size10Gi
gitlab.toolbox.persistence.storageClassstorageClassName for provisioning 
gitlab.toolbox.persistence.subPathToolbox persistence volume mount path 
gitlab.toolbox.persistence.volumeNameExisting persistent volume name 
gitlab.toolbox.psql.portSet PostgreSQL server port. Takes precedence over global.psql.port  
gitlab.toolbox.resources.requests.cpuToolbox minimum needed CPU50m
gitlab.toolbox.resources.requests.memoryToolbox minimum needed memory350M
gitlab.toolbox.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.toolbox.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.webservice.enabledwebservice enabled flagtrue
gitlab.webservice.gitaly.authToken.keyKey to Gitaly token in Gitaly secrettoken
gitlab.webservice.gitaly.authToken.secretGitaly secret name{.Release.Name}-gitaly-secret
gitlab.webservice.gitaly.serviceNameGitaly service namegitaly
gitlab.webservice.image.pullPolicywebservice image pull policy 
gitlab.webservice.image.repositorywebservice image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee
gitlab.webservice.image.tagwebservice image tagmaster
gitlab.webservice.psql.password.keyKey to psql password in psql secretpsql-password
gitlab.webservice.psql.password.secretpsql secret namegitlab-postgres
gitlab.webservice.psql.portSet PostgreSQL server port. Takes precedence over global.psql.port  
gitlab.webservice.registry.api.portRegistry port5000
gitlab.webservice.registry.api.protocolRegistry protocolhttp
gitlab.webservice.registry.api.serviceNameRegistry service nameregistry
gitlab.webservice.registry.tokenIssuerRegistry token issuergitlab-issuer
gitlab.webservice.replicaCountwebservice number of replicas1
gitlab.webservice.resources.requests.cpuwebservice minimum CPU200m
gitlab.webservice.resources.requests.memorywebservice minimum memory1.4G
gitlab.webservice.securityContext.fsGroupGroup ID under which the pod should be started1000
gitlab.webservice.securityContext.runAsUserUser ID under which the pod should be started1000
gitlab.webservice.service.annotationsAnnotations to add to the Service {}
gitlab.webservice.http.enabledwebservice HTTP enabledtrue
gitlab.webservice.service.externalPortwebservice exposed port8080
gitlab.webservice.service.internalPortwebservice internal port8080
gitlab.webservice.tls.enabledwebservice TLS enabledfalse
gitlab.webservice.tls.secretNamewebservice secret name of TLS key{Release.Name}-webservice-tls
gitlab.webservice.service.tls.externalPortwebservice TLS exposed port8081
gitlab.webservice.service.tls.internalPortwebservice TLS internal port8081
gitlab.webservice.service.typewebservice service typeClusterIP
gitlab.webservice.service.workhorseExternalPortWorkhorse exposed port8181
gitlab.webservice.service.workhorseInternalPortWorkhorse internal port8181
gitlab.webservice.shell.authToken.keyKey to shell token in shell secretsecret
gitlab.webservice.shell.authToken.secretShell token secret{Release.Name}-gitlab-shell-secret
gitlab.webservice.workerProcesseswebservice number of workers2
gitlab.webservice.workerTimeoutwebservice worker timeout60
gitlab.webservice.workhorse.extraArgsString of extra parameters for workhorse””
gitlab.webservice.workhorse.imageWorkhorse image repositoryregistry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee
gitlab.webservice.workhorse.sentryDSNDSN for Sentry instance for error reporting””
gitlab.webservice.workhorse.tagWorkhorse image tag 

External charts

GitLab makes use of several other charts. These are treated as parent-child relationships. Ensure that any properties you wish to configure are provided as chart-name.property.

Prometheus

Prefix Prometheus values with prometheus. For example, set the persistence storage value using prometheus.server.persistentVolume.size.

Refer to the Prometheus chart documentation for the exhaustive list of configuration options.

Bringing your own images

In certain scenarios (i.e. offline environment), you may want to bring your own images rather than pulling them down from the Internet. This requires specifying your own Docker image registry/repository for each of the charts that make up the GitLab release.

Refer to the custom images documentation for more information.