From 68d730ee1510fcbf977efa611d1633cfa86c1029 Mon Sep 17 00:00:00 2001 From: Hunter Stewart Date: Wed, 11 Jan 2023 16:21:20 +0000 Subject: [PATCH 1/9] Remove stray command line option --- doc/charts/globals.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 47f98aafec..b2e90ed7eb 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -593,7 +593,6 @@ In order to connect to Redis using SSL, the `rediss` (note the double `s`) schem global: redis: scheme: rediss - --set global.redis.scheme=rediss ``` ### Password-less Redis Servers -- GitLab From d72195594b256d2989c3cb3a86c398a87a785452 Mon Sep 17 00:00:00 2001 From: Hunter Stewart Date: Wed, 11 Jan 2023 16:42:16 +0000 Subject: [PATCH 2/9] Add necessary configuration information --- doc/charts/globals.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index b2e90ed7eb..9208ee4aec 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -587,14 +587,20 @@ for the attributes that are used to configure Sentinel servers. ### Specifying secure Redis scheme (SSL) -In order to connect to Redis using SSL, the `rediss` (note the double `s`) scheme parameter is required: +In order to connect to Redis using SSL, the `rediss` (note the double `s`) scheme parameter is required. Additionally, `authClients` key must be set to false `false` because [Redis defaults to mutual TLS](https://redis.io/docs/management/security/encryption/#client-certificate-authentication): ```yaml global: redis: scheme: rediss +redis: + tls: + enabled: true + authClients: false ``` +Note that the steps to enable TLS provided by Bitnami Redis must also be followed: https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/ + ### Password-less Redis Servers Some Redis services such as Google Cloud Memorystore do not make use of passwords and the associated `AUTH` command. The use and requirement for a password can be disabled via the following configuration setting: -- GitLab From 7c3df16715025975aca71ecdd729cf4ae24ee32e Mon Sep 17 00:00:00 2001 From: Hunter Stewart Date: Wed, 11 Jan 2023 16:51:45 +0000 Subject: [PATCH 3/9] Add note about Redis TLS to KAS docs --- doc/charts/gitlab/kas/index.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index cf52f7b354..a56416d4be 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md 
@@ -140,6 +140,10 @@ The `gitlab.kas.privateApi.tls.enabled` and `gitlab.kas.privateApi.tls.secretNam [deprecated](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3843) in GitLab 15.8, and will be removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals.md#tls-settings-1) instead. +1. Create the certificate authority and certificates that your `kas` pods will trust. +1. Configure your chart to use the trusted certificates. +1. Configure (Redis for TLS][https://docs.gitlab.com/charts/charts/globals.html#specifying-secure-redis-scheme-ssl] + Prerequisites: - Use [GitLab 15.5.1 or later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/101571#note_1146419137). @@ -172,7 +176,7 @@ For example, you could use this `values.yaml` file to deploy your chart: domain: gitlab.example.com # Your gitlab domain appConfig: gitlab_kas: - internalUrl: "grpcs://RELEASE-kas.NAMESPACE.svc:8153" # Replace RELEASE and NAMESPACE with your chart's release and namespace + internalUrl: "grpcs://RELEASE-kas.NAMESPACE.svc:8153" # Replace RELEASE and NAMESPACE with your chart's release and namespace gitlab: kas: -- GitLab From 9445059627fadcdf0e82600a40dc06f1cb412289 Mon Sep 17 00:00:00 2001 From: Hunter Stewart Date: Wed, 11 Jan 2023 16:55:09 +0000 Subject: [PATCH 4/9] Fix bad syntax --- doc/charts/gitlab/kas/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index a56416d4be..16edf7c76c 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md 
@@ -142,7 +142,7 @@ removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals. 1. Create the certificate authority and certificates that your `kas` pods will trust. 1. Configure your chart to use the trusted certificates. -1. Configure (Redis for TLS][https://docs.gitlab.com/charts/charts/globals.html#specifying-secure-redis-scheme-ssl] +1. Configure [Redis for TLS](https://docs.gitlab.com/charts/charts/globals.html#specifying-secure-redis-scheme-ssl) Prerequisites: -- GitLab From e9dffeb643e787461abbb746fdeebee4b10408e8 Mon Sep 17 00:00:00 2001 From: Hunter Stewart Date: Wed, 11 Jan 2023 17:44:17 +0000 Subject: [PATCH 5/9] Use relative link --- doc/charts/gitlab/kas/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index 16edf7c76c..ccfac94f5b 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md @@ -142,7 +142,7 @@ removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals. 1. Create the certificate authority and certificates that your `kas` pods will trust. 1. Configure your chart to use the trusted certificates. -1. Configure [Redis for TLS](https://docs.gitlab.com/charts/charts/globals.html#specifying-secure-redis-scheme-ssl) +1. Configure [Redis for TLS](../../globals.md#specifying-secure-redis-scheme-ssl) Prerequisites: -- GitLab From f17da7cc4fa700f60cdbaa1cb83bd80e5acd0872 Mon Sep 17 00:00:00 2001 From: Hunter Stewart Date: Wed, 11 Jan 2023 17:49:20 +0000 Subject: [PATCH 6/9] Fix bare url --- doc/charts/globals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 9208ee4aec..72cc9ad9e3 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -599,7 +599,7 @@ redis: authClients: false ``` -Note that the steps to enable TLS provided by Bitnami Redis must also be followed: https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/ +Note that you must follow Bitnami's [steps to enable TLS](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/) as well. ### Password-less Redis Servers -- GitLab From 552320fae352d5675186d34a99ec1c36e5f50f25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Alexandre=20Cunha?= Date: Thu, 12 Jan 2023 01:03:01 +0000 Subject: [PATCH 7/9] Clarify what is optional and required --- doc/charts/gitlab/kas/index.md | 3 ++- doc/charts/globals.md | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index ccfac94f5b..3a837d97fd 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md @@ -142,7 +142,8 @@ removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals. 1. Create the certificate authority and certificates that your `kas` pods will trust. 1. Configure your chart to use the trusted certificates. -1. Configure [Redis for TLS](../../globals.md#specifying-secure-redis-scheme-ssl) + +Optionally, you can also configure [Redis for TLS](../../globals.md#specifying-secure-redis-scheme-ssl). Prerequisites: diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 72cc9ad9e3..9732caf901 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -587,7 +587,7 @@ for the attributes that are used to configure Sentinel servers. ### Specifying secure Redis scheme (SSL) -In order to connect to Redis using SSL, the `rediss` (note the double `s`) scheme parameter is required. Additionally, `authClients` key must be set to false `false` because [Redis defaults to mutual TLS](https://redis.io/docs/management/security/encryption/#client-certificate-authentication): +In order to connect to Redis using SSL, the `rediss` (note the double `s`) scheme parameter is required. Additionally, `authClients` key must be set to `false` because [Redis defaults to mutual TLS](https://redis.io/docs/management/security/encryption/#client-certificate-authentication), which not all chart components support: ```yaml global: @@ -599,7 +599,9 @@ redis: authClients: false ``` -Note that you must follow Bitnami's [steps to enable TLS](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/) as well. +Note that you must follow Bitnami's [steps to enable TLS](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/), and that the certificate authority used to create Redis certificates must to be trusted by the chart components. + +If you used a custom certificate authority, refer to the [Custom Certificate Authorities](#custom-certificate-authorities) global config. ### Password-less Redis Servers -- GitLab From c4d6c631a0a8433d5920ea4fa67fdeaac8e0806b Mon Sep 17 00:00:00 2001 From: Phillip Wells Date: Thu, 12 Jan 2023 22:04:32 +0000 Subject: [PATCH 8/9] Apply suggestions to align with our style guide --- doc/charts/gitlab/kas/index.md | 3 +-- doc/charts/globals.md | 30 +++++++++++++++++------------- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index 3a837d97fd..32d298cd64 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md 
@@ -142,8 +142,7 @@ removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals. 1. Create the certificate authority and certificates that your `kas` pods will trust. 1. Configure your chart to use the trusted certificates. - -Optionally, you can also configure [Redis for TLS](../../globals.md#specifying-secure-redis-scheme-ssl). +1. Optional. Configure [Redis for TLS](../../globals.md#specifying-secure-redis-scheme-ssl). Prerequisites: diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 9732caf901..c3f0678369 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -585,23 +585,27 @@ configurations **are not shared** and needs to be specified for each instance that uses Sentinels. Please refer to the [Sentinel configuration](#redis-sentinel-support) for the attributes that are used to configure Sentinel servers. -### Specifying secure Redis scheme (SSL) +### Specify secure Redis scheme (SSL) -In order to connect to Redis using SSL, the `rediss` (note the double `s`) scheme parameter is required. Additionally, `authClients` key must be set to `false` because [Redis defaults to mutual TLS](https://redis.io/docs/management/security/encryption/#client-certificate-authentication), which not all chart components support: +To connect to Redis with SSL: -```yaml -global: - redis: - scheme: rediss -redis: - tls: - enabled: true - authClients: false -``` +1. Update your configuration to use the `rediss` (double `s`) scheme parameter. +2. In your configuration, set `authClients` to `false`: + + ```yaml + global: + redis: + scheme: rediss + redis: + tls: + enabled: true + authClients: false + ``` -Note that you must follow Bitnami's [steps to enable TLS](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/), and that the certificate authority used to create Redis certificates must to be trusted by the chart components. + This configuration is required because [Redis defaults to mutual TLS](https://redis.io/docs/management/security/encryption/#client-certificate-authentication), which not all chart components support. -If you used a custom certificate authority, refer to the [Custom Certificate Authorities](#custom-certificate-authorities) global config. +1. Follow Bitnami's [steps to enable TLS](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/). Make sure the chart components trust the certificate authority used to create Redis certificates. +1. Optional. 
If you use a custom certificate authority, see the [Custom Certificate Authorities](#custom-certificate-authorities) global configuration. ### Password-less Redis Servers -- GitLab From 9cacac3e93ccc20882a7121483b8b9cff7d4350b Mon Sep 17 00:00:00 2001 From: Phillip Wells Date: Fri, 13 Jan 2023 12:39:52 +0000 Subject: [PATCH 9/9] Apply suggestions to fix linting --- doc/charts/gitlab/kas/index.md | 2 +- doc/charts/globals.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index 32d298cd64..7c1f1f5890 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md @@ -142,7 +142,7 @@ removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals. 1. Create the certificate authority and certificates that your `kas` pods will trust. 1. Configure your chart to use the trusted certificates. -1. Optional. Configure [Redis for TLS](../../globals.md#specifying-secure-redis-scheme-ssl). +1. Optional. Configure [Redis for TLS](../../globals.md#specify-secure-redis-scheme-ssl). Prerequisites: diff --git a/doc/charts/globals.md b/doc/charts/globals.md index c3f0678369..2832426e4e 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -590,7 +590,7 @@ for the attributes that are used to configure Sentinel servers. To connect to Redis with SSL: 1. Update your configuration to use the `rediss` (double `s`) scheme parameter. -2. In your configuration, set `authClients` to `false`: +1. In your configuration, set `authClients` to `false`: ```yaml global: -- GitLab
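Review bot: In the PATCH 2/9 globals.md hunk, the added sentence reads "must be set to false `false`" (duplicated word), and the Bitnami link is a bare URL that the docs linter will reject. The added YAML also deserves a sentence saying what `authClients: false` means for security: it turns off client-certificate verification on the Redis side, so the connection is still encrypted and the server is still authenticated by its certificate, but the client is then authenticated only by the Redis password. Suggest stating that explicitly and noting that this setting should not be combined with the password-less configuration described in the following "Password-less Redis Servers" section.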
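Review bot: Same PATCH 2/9 hunk: the `redis.tls.enabled` and `redis.tls.authClients` keys are placed under the top-level `redis:` block rather than `global.redis`, which means they configure the bundled Bitnami Redis subchart only. The prose should say so, since a reader pointing `global.redis.scheme: rediss` at an external Redis service will otherwise expect these keys to take effect and will have to configure TLS and client-certificate policy on that service instead.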
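Review bot: In the PATCH 3/9 kas/index.md hunk, the new list item uses inverted link syntax, `(Redis for TLS][https://...]`, so it renders as literal text; it should be `[Redis for TLS](...)`, and a relative link (`../../globals.md#...`) is preferable to the absolute docs.gitlab.com URL so the link keeps working across versions. The three numbered steps are also inserted above "Prerequisites:", which reads out of order; consider moving them below the prerequisites list. The second hunk in that patch, touching the `internalUrl` comment, appears to be a whitespace-only change unrelated to the commit subject and is better either dropped or mentioned in the commit message.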
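Review bot: In the PATCH 7/9 globals.md hunk, "must to be trusted by the chart components" has a stray "to". Separately, the sentence now says the CA "must be trusted by the chart components" but gives no hint of how to verify that, while the following paragraph only covers the custom-CA case; a short pointer that the failure mode is a TLS handshake or certificate-verification error in the component logs would help readers confirm the configuration before going further.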
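Review bot: In the PATCH 8/9 globals.md hunk, renaming the heading from "Specifying secure Redis scheme (SSL)" to "Specify secure Redis scheme (SSL)" changes its anchor to `#specify-secure-redis-scheme-ssl`, but the kas/index.md hunk in the same patch still links to `#specifying-secure-redis-scheme-ssl`, so the patch as submitted introduces a broken cross-reference (only repaired in PATCH 9/9). The new ordered list also mixes `1.`, `2.`, `1.`, `1.` markers; use `1.` throughout, as the rest of the docs do, so the linter and the renderer agree on the numbering.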