Using the Shared-Secrets Job
The `shared-secrets` job is responsible for provisioning a variety of secrets used across the installation, unless otherwise manually specified. This includes:
- Initial root password
- Self-signed TLS certificates for all public services: GitLab, MinIO, and Registry
- Registry authentication certificates
- MinIO, Registry, GitLab Shell, and Gitaly secrets
- Redis and PostgreSQL passwords
- SSH host keys
- GitLab Rails secret for encrypted credentials
Installation command line options
The table below contains all the possible configurations that can be supplied to the `helm install` command using the `--set` flag:
| Parameter | Default | Description |
|---|---|---|
| `enabled` | `true` | See Disable functionality below |
| `env` | `production` | Rails environment |
| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. |
| `annotations` | | Supplemental Pod annotations. |
| `image.pullPolicy` | `Always` | Pull policy for the job's kubectl image |
| `image.pullSecrets` | | Secrets for the image repository |
| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/kubectl` | Repository of the kubectl image the job runs |
| `image.tag` | `1f8690f03f7aeef27e727396927ab3cc96ac89e7` | Tag of the kubectl image |
| `priorityClassName` | | Priority class assigned to pods |
| `rbac.create` | `true` | Create RBAC roles and bindings |
| `resources` | | Resource requests and limits |
| `securityContext.fsGroup` | `65534` | Group ID to mount filesystems as |
| `securityContext.runAsUser` | `65534` | User ID to run the container as |
| `selfsign.caSubject` | `GitLab Helm Chart` | Subject of the self-signed CA |
| `selfsign.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign` | Self-sign image repository |
| `selfsign.image.pullSecrets` | | Secrets for the image repository |
| `selfsign.image.tag` | | Self-sign image tag |
| `selfsign.keyAlgorithm` | `rsa` | Key algorithm for the self-signed certificates |
| `selfsign.keySize` | `4096` | Key size, in bits, for the self-signed certificates |
| `serviceAccount.enabled` | `true` | Set `serviceAccountName` on the job(s) |
| `serviceAccount.create` | `true` | Create the ServiceAccount |
| `serviceAccount.name` | `RELEASE_NAME-shared-secrets` | Service account name to specify on the job(s) (and on the ServiceAccount itself if `serviceAccount.create=true`) |
| `tolerations` | `[]` | Tolerations for pod assignment |
Job configuration examples
tolerations
`tolerations` allow you to schedule pods on tainted worker nodes. Below is an example use of `tolerations`:

```yaml
tolerations:
  - key: "node_label"
    operator: "Equal"
    value: "true"
    effect: "NoSchedule"
  - key: "node_label"
    operator: "Equal"
    value: "true"
    effect: "NoExecute"
```
Disable functionality
Some users may wish to explicitly disable the functionality provided by this job. To do this, we have provided the `enabled` flag as a boolean, defaulting to `true`. With the job disabled, none of the secrets listed above are generated, so each of them must be supplied manually before installation.
To disable the job, pass `--set shared-secrets.enabled=false`, or pass the following in a YAML file via the `-f` flag to `helm`:

```yaml
shared-secrets:
  enabled: false
```