| | | |
|---|---|---|
| author | Jacob Vosmaer <jacob@gitlab.com> | 2019-03-26 15:52:16 +0000 |
| committer | Achilleas Pipinellis <axil@gitlab.com> | 2019-03-26 15:52:16 +0000 |
| commit | bcfa9446ecad78d8c8510cef0d7b35a63fd3bbb4 (patch) | |
| tree | 58cc2da4b5a8f06ffd7fadb4b5044da66f021bf8 /doc | |
| parent | 2f61f65765ed96dad5c8b42f930d6feb77a37da1 (diff) | |
| download | gitlab-ce-bcfa9446ecad78d8c8510cef0d7b35a63fd3bbb4.tar.gz | |
Fix and improve Gitaly TLS documentation
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/administration/gitaly/index.md | 16 |
|---|---|---|
1 files changed, 14 insertions, 2 deletions
diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md index 2d4b5c65c46..02a352b1f3f 100644 --- a/doc/administration/gitaly/index.md +++ b/doc/administration/gitaly/index.md @@ -241,12 +241,24 @@ repository from your GitLab server over HTTP. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22602) in GitLab 11.8. -Gitaly supports TLS credentials for GRPC authentication. To be able to communicate +Gitaly supports TLS encryption. To be able to communicate with a Gitaly instance that listens for secure connections you will need to use `tls://` url scheme in the `gitaly_address` of the corresponding storage entry in the gitlab configuration. The admin needs to bring their own certificate as we do not provide that automatically. -The certificate to be used needs to be installed on all Gitaly nodes and on all client nodes that communicate with it following procedures described in [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates) +The certificate to be used needs to be installed on all Gitaly nodes and on all client nodes that communicate with it following procedures described in [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates). + +Note that it is possible to configure Gitaly servers with both an +unencrypted listening address `listen_addr` and an encrypted listening +address `tls_listen_addr` at the same time. This allows you to do a +gradual transition from unencrypted to encrypted traffic, if necessary. + +To observe what type of connections are actually being used in a +production environment you can use the following Prometheus query: + +``` +sum(rate(gitaly_connections_total[5m])) by (type) +``` ### Example TLS configuration |
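Review bot: the new paragraph on running `listen_addr` and `tls_listen_addr` at the same time describes the start of the transition but not its end; as written, the unencrypted listener stays reachable for as long as the admin forgets to remove it. Suggest adding a closing sentence after the Prometheus query, for example: "Once the query shows only TLS connections, remove `listen_addr` from the Gitaly configuration so the unencrypted listener is no longer exposed." It would also help to say which `type` label values the query returns so the reader knows what "unencrypted" looks like in the result. Minor style point: the replacement of "TLS credentials for GRPC authentication" with "TLS encryption" is the right correction (the certificate here protects the transport, it does not authenticate the client), and the trailing period added to the certificate-installation sentence is fine; the new fenced query block, however, has no language tag, and the doc would render consistently with one (e.g. ```plaintext).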