diff options
| author | Ahmad Hassan <ahmad.hassan612@gmail.com> | 2018-11-02 10:37:46 +0200 |
|---|---|---|
| committer | Ahmad Hassan <ahmad.hassan612@gmail.com> | 2018-11-02 10:37:46 +0200 |
| commit | ebc174e968ece65110aa722a18cdf437cfa75eeb (patch) | |
| tree | 282923fe26c75087e486061f07304fb040947478 /doc/administration/gitaly | |
| parent | 08a57fe8280ddef66f9c78860a97bf332ceea8d1 (diff) | |
| download | gitlab-ce-ebc174e968ece65110aa722a18cdf437cfa75eeb.tar.gz | |
Add documentation for tls gitaly
Diffstat (limited to 'doc/administration/gitaly')
| -rw-r--r-- | doc/administration/gitaly/index.md | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md index e1b2a0a24eb..2eec0e30e62 100644 --- a/doc/administration/gitaly/index.md +++ b/doc/administration/gitaly/index.md @@ -25,7 +25,7 @@ gitaly['prometheus_listen_addr'] = 'localhost:9236' ``` To change a Gitaly setting in installations from source you can edit -`/home/git/gitaly/config.toml`. Changes will be applied when you run +`/home/git/gitaly/config.toml`. Changes will be applied when you run `service gitlab restart`. ```toml @@ -99,13 +99,13 @@ documentation on configuring Gitaly authentication](https://gitlab.com/gitlab-org/gitaly/blob/master/doc/configuration/README.md#authentication) . -Gitaly must trigger some callbacks to GitLab via GitLab Shell. As a result, +Gitaly must trigger some callbacks to GitLab via GitLab Shell. As a result, the GitLab Shell secret must be the same between the other GitLab servers and the Gitaly server. The easiest way to accomplish this is to copy `/etc/gitlab/gitlab-secrets.json` from an existing GitLab server to the Gitaly server. Without this shared secret, -Git operations in GitLab will result in an API error. +Git operations in GitLab will result in an API error. -> **NOTE:** In most or all cases the storage paths below end in `/repositories` which is +> **NOTE:** In most or all cases the storage paths below end in `/repositories` which is different than `path` in `git_data_dirs` of Omnibus installations. Check the directory layout on your Gitaly server to be sure. @@ -213,6 +213,44 @@ Gitaly logs on your Gitaly server (`sudo gitlab-ctl tail gitaly` or coming in. One sure way to trigger a Gitaly request is to clone a repository from your GitLab server over HTTP. +## TLS support + +Gitaly supports TLS credentials for GRPC authentication. To be able to communicate +with a gitaly instance that listens for secure connections you will need to use `tls://` url +scheme in the `gitaly_address` of the corresponding storage entry in the gitlab configuration. + +### Example TLS configuration + +Omnibus installations: + +```ruby +# /etc/gitlab/gitlab.rb +git_data_dirs({ + 'default' => { 'path' => '/mnt/gitlab/default', 'gitaly_address' => 'tls://gitaly.internal:8075' }, + 'storage1' => { 'path' => '/mnt/gitlab/storage1', 'gitaly_address' => 'tls://gitaly.internal:8075' }, +}) + +gitlab_rails['gitaly_token'] = 'abc123secret' +``` + +Source installations: + +```yaml +# /home/git/gitlab/config/gitlab.yml +gitlab: + repositories: + storages: + default: + path: /mnt/gitlab/default/repositories + gitaly_address: tls://gitaly.internal:8075 + storage1: + path: /mnt/gitlab/storage1/repositories + gitaly_address: tls://gitaly.internal:8075 + + gitaly: + token: 'abc123secret' +``` + ## Disabling or enabling the Gitaly service in a cluster environment If you are running Gitaly [as a remote |