TLS Configuration for Cells Components (Development Only)

Context

As part of the ongoing development of the Cells architecture, TLS configuration has been introduced to support secure communication between the monolith and cell services (e.g., the Topology Service).

At present, TLS-related settings for Cells are placed under:

global:
  appConfig:
    cell:
      topologyServiceClient:
        tls:
          enabled: true
          secret: topology-service-tls

This aligns with how other sensitive settings (e.g., client_secret, suggested_reviewers) are stored under appConfig.


Design Discussion & Known Deviation

While placing TLS config under appConfig.cell is functional, it’s worth noting that:

  • Most GitLab components follow the pattern: global.{component}.tls
    • Examples: global.gitaly.tls, global.praefect.tls, global.kas.tls, global.ingress.tls
  • The current approach mixes TLS configuration (an operational concern) with appConfig (intended primarily for application runtime settings).

This decision was made for speed and simplicity during the experimental phase but may warrant refactoring in the future.


Naming Note

Another known inconsistency is that the top-level key uses cell (singular), while the feature itself is referred to as Cells across documentation and architecture discussions. Future cleanup may involve renaming to global.cells.


Future Considerations

  • Refactor the config structure:
    • Move tls to global.cell.topologyServiceClient.tls or
    • Rename appConfig.cell to cells entirely
  • Add tests to prevent regressions when restructuring
  • Create a user-facing doc once Cells become an officially supported feature
  • Review all settings implemented under the experimental appConfig.cell structure
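
A regression check of the kind the list above calls for, as an added example that is not part of the chart's own test suite: it confirms that TLS is enabled with a secret name at the current path and flags a TLS block placed at one of the layouts this page only proposes. The function names and the exact proposed path spellings (including `global.cells.topologyServiceClient.tls`) are assumptions made for illustration.

```ruby
require 'yaml'

# Location the page documents as current.
CURRENT_PATH = %w[global appConfig cell topologyServiceClient tls].freeze
# Layouts the page mentions only as possible future refactors (assumed spellings).
PROPOSED_PATHS = [
  %w[global cell topologyServiceClient tls],
  %w[global cells topologyServiceClient tls]
].freeze

# Constructed sample: TLS block placed at a proposed, not current, location.
MISPLACED_VALUES = <<~YAML
  global:
    cell:
      topologyServiceClient:
        tls:
          enabled: true
          secret: topology-service-tls
YAML

# Walk nested hashes without raising when an intermediate node is a scalar.
def tls_at(values, path)
  node = path.reduce(values) { |acc, key| acc.is_a?(Hash) ? acc[key] : nil }
  node.is_a?(Hash) ? node : nil
end

# Returns a list of findings; an empty list means the values pass the check.
def check_topology_tls(values_yaml)
  values = YAML.safe_load(values_yaml) || {}
  findings = []
  tls = tls_at(values, CURRENT_PATH)
  if tls.nil? || tls['enabled'] != true
    findings << "TLS not enabled at #{CURRENT_PATH.join('.')}"
  elsif tls['secret'].to_s.strip.empty?
    findings << 'TLS enabled but no secret name is set'
  end
  PROPOSED_PATHS.each do |path|
    next unless tls_at(values, path)
    findings << "TLS block at #{path.join('.')} is not the documented location"
  end
  findings
end

puts check_topology_tls(MISPLACED_VALUES) if __FILE__ == $PROGRAM_NAME
```

If the structure is refactored later, updating `CURRENT_PATH` and `PROPOSED_PATHS` keeps the same check usable across the move.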

Summary

For now, TLS secrets used by Cells-related components (like the Topology Service) live under global.appConfig.cell. This is subject to change, and any future consumer-facing exposure will be preceded by a cleanup and proper documentation pass.

Developers: When adding new Cells-related configuration, consider documenting your additions under doc/development/cells/ to avoid future gaps.