author    Ahmad Hassan <ahmad.hassan612@gmail.com>  2018-12-21 11:43:45 +0200
committer Ahmad Hassan <ahmad.hassan612@gmail.com>  2018-12-21 18:06:46 +0200
commit    907f0ce8a2c3f79fb389abec6d6315cd5b711ed8 (patch)
tree      8c8396020dc667b4efda496a764f9e32ae0e07a1
parent    d975074e1fc0d8c28da5a9ddb9ccfbd319e39046 (diff)
download  gitlab-ce-907f0ce8a2c3f79fb389abec6d6315cd5b711ed8.tar.gz
More tls gitaly docs
-rw-r--r--  doc/administration/gitaly/index.md     | 30
-rw-r--r--  spec/lib/gitlab/gitaly_client_spec.rb  |  8
2 files changed, 36 insertions, 2 deletions
diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md
index bcb6a11cd85..cf37eaa0b61 100644
--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -221,9 +221,14 @@ Gitaly supports TLS credentials for GRPC authentication. To be able to communica
with a gitaly instance that listens for secure connections you will need to use `tls://` url
scheme in the `gitaly_address` of the corresponding storage entry in the gitlab configuration.
+The admin needs to bring their own certificate as we do not provide that automatically.
+The certificate to be used needs to be installed on all gitaly nodes and on all client nodes that communicate with it following procedures described in [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates)
+
### Example TLS configuration
-Omnibus installations:
+### Omnibus installations:
+
+#### On client nodes:
```ruby
# /etc/gitlab/gitlab.rb
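Review bot: the new sentence `The certificate to be used needs to be installed on all gitaly nodes and on all client nodes` conflates the server credential with the client trust anchor. The gitaly nodes need the certificate together with its private key (the `certificate_path`/`key_path` pair configured further down in this patch), while the client nodes only need the certificate, or the CA that issued it, in their trust store so they can verify the server; the private key must never be copied to the clients. Suggest splitting this into a server-side step and a client-side step, with the linked custom-certificate procedure applying to the client side. Separately, `### Omnibus installations:` is introduced at the same level as `### Example TLS configuration`, so it reads as a sibling rather than a subsection of the example; use `####` for `Omnibus installations` / `Source installations` and `#####` for `On client nodes` / `On gitaly server nodes`, and drop the trailing colons, which no other heading in this document uses. Also, `#### On client nodes:` is followed directly by the opening ``` with no blank line, which some markdown renderers mis-handle.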
@@ -235,7 +240,17 @@ git_data_dirs({
gitlab_rails['gitaly_token'] = 'abc123secret'
```
-Source installations:
+#### On gitaly server nodes:
+
+```ruby
+gitaly['tls_listen_addr'] = "0.0.0.0:9999"
+gitaly['certificate_path'] = "path/to/cert.pem"
+gitaly['key_path'] = "path/to/key.pem"
+```
+
+### Source installations:
+
+#### On client nodes:
```yaml
# /home/git/gitlab/config/gitlab.yml
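Review bot: `gitaly['certificate_path'] = "path/to/cert.pem"` and `gitaly['key_path'] = "path/to/key.pem"` use relative placeholders, whereas the TOML example later in this patch uses `/path/to/cert.pem`; make both absolute so a reader does not copy a path that gets resolved relative to the service's working directory. It would also help to say that the port in `tls_listen_addr` (`9999` here) is the one the client's `tls://` `gitaly_address` must point at, and that the key file should be readable only by the user gitaly runs as.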
@@ -253,6 +268,17 @@ gitlab:
token: 'abc123secret'
```
+#### On gitaly server nodes:
+
+```toml
+# /home/git/gitaly/config.toml
+tls_listen_addr = '0.0.0.0:9999'
+
+[tls]
+certificate_path = '/path/to/cert.pem'
+key_path = '/path/to/key.pem'
+```
+
## Disabling or enabling the Gitaly service in a cluster environment
If you are running Gitaly [as a remote
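Review bot: the TOML example adds `tls_listen_addr` and a `[tls]` section but says nothing about the existing plaintext `listen_addr`; the docs should state whether an operator who wants TLS-only should remove `listen_addr`, because leaving the plaintext listener configured alongside the TLS one means the node still accepts unencrypted connections and the token is still sent in the clear on those. One sentence after the block, with the same guidance repeated for the Omnibus `gitaly['listen_addr']` setting above, would close that gap.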
diff --git a/spec/lib/gitlab/gitaly_client_spec.rb b/spec/lib/gitlab/gitaly_client_spec.rb
index d9ae73223c6..e41a75c37a7 100644
--- a/spec/lib/gitlab/gitaly_client_spec.rb
+++ b/spec/lib/gitlab/gitaly_client_spec.rb
@@ -3,6 +3,14 @@ require 'spec_helper'
# We stub Gitaly in `spec/support/gitaly.rb` for other tests. We don't want
# those stubs while testing the GitalyClient itself.
describe Gitlab::GitalyClient do
+ let(:sample_cert) { Rails.root.join('spec/fixtures/clusters/sample_cert.pem').to_s }
+
+ before do
+ allow(described_class)
+ .to receive(:stub_cert_paths)
+ .and_return([sample_cert])
+ end
+
def stub_repos_storages(address)
allow(Gitlab.config.repositories).to receive(:storages).and_return({
'default' => { 'gitaly_address' => address }
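Review bot: the `before` block stubs `described_class.stub_cert_paths` for every example in this spec, so nothing in the file exercises the real certificate-path lookup; scope `allow(described_class).to receive(:stub_cert_paths)` to the examples that actually build a TLS channel, or add one example asserting what the unstubbed method returns, so a regression in how certificate paths are resolved is not masked by the stub. Also, `spec/fixtures/clusters/sample_cert.pem` belongs to the clusters specs; reusing it is fine, but a short comment noting that it is only a syntactically valid certificate and not one the client is expected to trust would help the next reader.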