More tls gitaly docs
parent
d975074e1f
commit
907f0ce8a2
|
@ -221,9 +221,14 @@ Gitaly supports TLS credentials for GRPC authentication. To be able to communica
|
|||
with a gitaly instance that listens for secure connections you will need to use `tls://` url
|
||||
scheme in the `gitaly_address` of the corresponding storage entry in the gitlab configuration.
|
||||
|
||||
The admin needs to bring their own certificate as we do not provide that automatically.
|
||||
The certificate to be used needs to be installed on all gitaly nodes and on all client nodes that communicate with it following procedures described in [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates)
|
||||
|
||||
### Example TLS configuration
|
||||
|
||||
Omnibus installations:
|
||||
### Omnibus installations:
|
||||
|
||||
#### On client nodes:
|
||||
|
||||
```ruby
|
||||
# /etc/gitlab/gitlab.rb
|
||||
|
@ -235,7 +240,17 @@ git_data_dirs({
|
|||
gitlab_rails['gitaly_token'] = 'abc123secret'
|
||||
```
|
||||
|
||||
Source installations:
|
||||
#### On gitaly server nodes:
|
||||
|
||||
```ruby
|
||||
gitaly['tls_listen_addr'] = "0.0.0.0:9999"
|
||||
gitaly['certificate_path'] = "path/to/cert.pem"
|
||||
gitaly['key_path'] = "path/to/key.pem"
|
||||
```
|
||||
|
||||
### Source installations:
|
||||
|
||||
#### On client nodes:
|
||||
|
||||
```yaml
|
||||
# /home/git/gitlab/config/gitlab.yml
|
||||
|
@ -253,6 +268,17 @@ gitlab:
|
|||
token: 'abc123secret'
|
||||
```
|
||||
|
||||
#### On gitaly server nodes:
|
||||
|
||||
```toml
|
||||
# /home/git/gitaly/config.toml
|
||||
tls_listen_addr = '0.0.0.0:9999'
|
||||
|
||||
[tls]
|
||||
certificate_path = '/path/to/cert.pem'
|
||||
key_path = '/path/to/key.pem'
|
||||
```
|
||||
|
||||
## Disabling or enabling the Gitaly service in a cluster environment
|
||||
|
||||
If you are running Gitaly [as a remote
|
||||
|
|
|
@ -3,6 +3,14 @@ require 'spec_helper'
|
|||
# We stub Gitaly in `spec/support/gitaly.rb` for other tests. We don't want
|
||||
# those stubs while testing the GitalyClient itself.
|
||||
describe Gitlab::GitalyClient do
|
||||
let(:sample_cert) { Rails.root.join('spec/fixtures/clusters/sample_cert.pem').to_s }
|
||||
|
||||
before do
|
||||
allow(described_class)
|
||||
.to receive(:stub_cert_paths)
|
||||
.and_return([sample_cert])
|
||||
end
|
||||
|
||||
def stub_repos_storages(address)
|
||||
allow(Gitlab.config.repositories).to receive(:storages).and_return({
|
||||
'default' => { 'gitaly_address' => address }
|
||||
|
|
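Review bot: The new `before` block stubs `stub_cert_paths` for every example in this `describe`, and no comment says why. Presumably the aim is to keep the examples independent of whatever certificates are installed on the machine running the suite. A one-line comment above the block would record that, for example `# Use a fixture certificate so these examples do not read the host's certificate store`. Because the stub applies to the whole file, any example meant to exercise `stub_cert_paths` itself would need `and_call_original` to restore it; none is visible in this hunk. `stub_repos_storages` begins here, but its body continues past the end of the hunk.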