| author | Ahmad Hassan <ahmad.hassan612@gmail.com> | 2018-11-02 10:37:46 +0200 |
|---|---|---|
| committer | Ahmad Hassan <ahmad.hassan612@gmail.com> | 2018-11-02 10:37:46 +0200 |
| commit | ebc174e968ece65110aa722a18cdf437cfa75eeb (patch) | |
| tree | 282923fe26c75087e486061f07304fb040947478 | |
| parent | 08a57fe8280ddef66f9c78860a97bf332ceea8d1 (diff) | |
| download | gitlab-ce-ebc174e968ece65110aa722a18cdf437cfa75eeb.tar.gz | |
Add documentation for tls gitaly
| -rw-r--r-- | config/gitlab.yml.example | 2 |
|---|---|---|
| -rw-r--r-- | doc/administration/gitaly/index.md | 46 |

2 files changed, 43 insertions, 5 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index a4db125f831..5390ea78e62 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -605,7 +605,7 @@ production: &base storages: # You must have at least a `default` storage path. default: path: /home/git/repositories/ - gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port) + gitaly_address: unix:/home/git/gitlab/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port). # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. ## Backup settings diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md index e1b2a0a24eb..2eec0e30e62 100644 --- a/doc/administration/gitaly/index.md +++ b/doc/administration/gitaly/index.md @@ -25,7 +25,7 @@ gitaly['prometheus_listen_addr'] = 'localhost:9236' ``` To change a Gitaly setting in installations from source you can edit -`/home/git/gitaly/config.toml`. Changes will be applied when you run +`/home/git/gitaly/config.toml`. Changes will be applied when you run `service gitlab restart`. ```toml 
@@ -99,13 +99,13 @@ documentation on configuring Gitaly authentication](https://gitlab.com/gitlab-org/gitaly/blob/master/doc/configuration/README.md#authentication) . -Gitaly must trigger some callbacks to GitLab via GitLab Shell. As a result, +Gitaly must trigger some callbacks to GitLab via GitLab Shell. As a result, the GitLab Shell secret must be the same between the other GitLab servers and the Gitaly server. The easiest way to accomplish this is to copy `/etc/gitlab/gitlab-secrets.json` from an existing GitLab server to the Gitaly server. Without this shared secret, -Git operations in GitLab will result in an API error. +Git operations in GitLab will result in an API error. -> **NOTE:** In most or all cases the storage paths below end in `/repositories` which is +> **NOTE:** In most or all cases the storage paths below end in `/repositories` which is different than `path` in `git_data_dirs` of Omnibus installations. Check the directory layout on your Gitaly server to be sure. 
@@ -213,6 +213,44 @@ Gitaly logs on your Gitaly server (`sudo gitlab-ctl tail gitaly` or coming in. One sure way to trigger a Gitaly request is to clone a repository from your GitLab server over HTTP. +## TLS support + +Gitaly supports TLS credentials for GRPC authentication. To be able to communicate +with a gitaly instance that listens for secure connections you will need to use `tls://` url +scheme in the `gitaly_address` of the corresponding storage entry in the gitlab configuration. + +### Example TLS configuration + +Omnibus installations: + +```ruby +# /etc/gitlab/gitlab.rb +git_data_dirs({ + 'default' => { 'path' => '/mnt/gitlab/default', 'gitaly_address' => 'tls://gitaly.internal:8075' }, + 'storage1' => { 'path' => '/mnt/gitlab/storage1', 'gitaly_address' => 'tls://gitaly.internal:8075' }, +}) + +gitlab_rails['gitaly_token'] = 'abc123secret' +``` + +Source installations: + +```yaml +# /home/git/gitlab/config/gitlab.yml +gitlab: + repositories: + storages: + default: + path: /mnt/gitlab/default/repositories + gitaly_address: tls://gitaly.internal:8075 + storage1: + path: /mnt/gitlab/storage1/repositories + gitaly_address: tls://gitaly.internal:8075 + + gitaly: + token: 'abc123secret' +``` + ## Disabling or enabling the Gitaly service in a cluster environment If you are running Gitaly [as a remote |
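Review bot: the extended `gitaly_address` comment in the `config/gitlab.yml.example` hunk now runs far past a readable width on one line; split it across comment lines, for example `# TCP connections are supported too (e.g. tcp://host:port).` followed by `# TLS connections are also supported using the system certificate pool (e.g. tls://host:port).`, and use `e.g.` rather than `eg:` so it matches the existing comment.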
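Review bot: the `@@ -25,7` and `@@ -99,13` hunks in `doc/administration/gitaly/index.md` only strip trailing whitespace and have nothing to do with the TLS documentation; bundling them here makes the commit noisier to review and to revert, so move them to a separate whitespace-cleanup commit.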
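Review bot: the new "TLS support" section in the `@@ -213,6` hunk omits the trust requirement that the `gitlab.yml.example` hunk in this same commit states, namely that the Gitaly server's certificate is validated against the GitLab host's system certificate pool; add a sentence saying that a certificate issued by an internal CA or a self-signed certificate must be added to the system trust store on every GitLab server before the `tls://` address will connect. The section also assumes "a gitaly instance that listens for secure connections" already exists without saying how to get one; link the Gitaly configuration README that the authentication section above already references so readers can find the server-side setup. A short sentence on why to enable this (keeping the `gitaly_token` and repository data protected in transit between GitLab and Gitaly, which plain `tcp://` does not do) would motivate the section. Minor wording for consistency with the rest of the page: `GRPC` should read `gRPC`, `gitaly` should be `Gitaly`, `url scheme` should be `URL scheme`, and `gitlab configuration` should be `GitLab configuration`.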