Using NGINX

We provide a complete NGINX deployment to be used as an Ingress Controller. Not all Kubernetes providers natively support the NGINX Ingress, so we bundle it to ensure compatibility.

Note: Our fork of the NGINX chart was pulled from GitHub. See Our NGINX fork for details on what was modified in our fork.

Note: The version of the NGINX Ingress Helm chart bundled with the GitLab Helm charts has been updated to support Kubernetes 1.22. As a result, the GitLab Helm chart can no longer support Kubernetes versions prior to 1.19.

Configuring NGINX

See NGINX chart documentation for configuration details.

Global settings

We share some common global settings among our charts. See the Globals Documentation for common configuration options, such as GitLab and Registry hostnames.

Configure hosts using the Global settings

The hostnames for the GitLab Server and the Registry Server can be configured using our Global settings chart.

Annotation value word blocklist

Introduced in GitLab Helm chart 6.6.

In situations where cluster operators need greater control over the generated NGINX configuration, the NGINX Ingress allows for configuration snippets, which insert "snippets" of raw NGINX configuration not addressed by the standard annotations and ConfigMap entries.

The drawback of these configuration snippets is that they allow cluster operators to deploy Ingress objects that include Lua scripting and similar configurations that can compromise the security of your GitLab installation and the cluster itself, including exposing serviceaccount tokens and secrets.

See CVE-2021-25742 and this upstream ingress-nginx issue for additional details.

To mitigate CVE-2021-25742 in Helm chart deployments of GitLab, we set an annotation-value-word-blocklist using the suggested settings from the nginx-ingress community.

If you are making use of configuration snippets in your GitLab Ingress configuration, or are using the GitLab NGINX Ingress Controller with third-party Ingress objects that use configuration snippets, you may experience 404 errors when trying to visit your GitLab or third-party domains and "invalid word" errors in your nginx-controller logs. In that case, review and adjust your nginx-ingress.controller.config.annotation-value-word-blocklist setting.
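To see which Ingress objects would be rejected before you adjust the setting, the following added example (not part of the GitLab chart or its documentation) scans Ingress annotations for blocklisted words. It assumes the controller does a plain substring match on annotation values under the nginx.ingress.kubernetes.io/ prefix; the blocklist and the Ingress data are constructed samples, and the function names are hypothetical.

```python
import json

# Assumption: annotation prefix used by the NGINX Ingress Controller.
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample blocklist; substitute the value actually set in
# nginx-ingress.controller.config.annotation-value-word-blocklist.
SAMPLE_BLOCKLIST = "load_module,lua_package,_by_lua,serviceaccount"

# Constructed stand-in for `kubectl get ingress --all-namespaces -o json`.
SAMPLE_INGRESSES = json.loads("""
{"items": [
  {"metadata": {"namespace": "gitlab", "name": "webservice",
    "annotations": {
      "nginx.ingress.kubernetes.io/proxy-body-size": "512m"}}},
  {"metadata": {"namespace": "team-a", "name": "legacy-app",
    "annotations": {
      "nginx.ingress.kubernetes.io/configuration-snippet":
        "access_by_lua_block { ngx.log(ngx.INFO, 'hit') }",
      "example.com/owner": "mentions serviceaccount, not an NGINX annotation"}}},
  {"metadata": {"namespace": "team-b", "name": "no-annotations"}}
]}
""")


def parse_blocklist(raw):
    """Split the comma-separated setting into non-empty words."""
    return [w.strip() for w in raw.split(",") if w.strip()]


def find_blocked(ingress_list, blocklist_raw, prefix=ANNOTATION_PREFIX):
    """Return (namespace, name, annotation, word) for each annotation value
    that contains a blocklisted word (plain substring match)."""
    words = parse_blocklist(blocklist_raw)
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(prefix):
                continue  # only the controller's own annotations are checked
            for word in words:
                if word in str(value):
                    hits.append((meta.get("namespace"), meta.get("name"), key, word))
    return hits


if __name__ == "__main__":
    for ns, name, key, word in find_blocked(SAMPLE_INGRESSES, SAMPLE_BLOCKLIST):
        print(f"{ns}/{name}: {key} contains blocked word {word!r}")
```

Each reported Ingress is a candidate for the 404 and "invalid word" symptoms described above; decide per object whether to rewrite the annotation or relax the blocklist.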

See also “Invalid Word” errors in the nginx-controller logs and 404 errors in our chart troubleshooting docs.