using external nginx ingress controller with default-ssl-certificate

Summary

Installing the GitLab helm chart into a cluster with an existing nginx ingress controller that has default-ssl-certificate configured. In the cluster, if an Ingress object has TLS enabled and no secretName provided, the nginx ingress controller uses the default-ssl-certificate set on it. default-ssl-certificate is used because the secret is in another namespace and the nginx controller accepts the "namespace_name/secret_name" format for it. But this GitLab helm chart generates certificates for Ingresses if the secretName is empty; this is the case for webservice, registry and minio. So now I do not see any way to prevent this chart from doing that and to keep the secretNames empty so that the nginx controller works with the default-ssl-certificate.
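To make the fallback concrete, here is an added Python check (not part of this issue or of the GitLab chart) that reads Ingress objects in the shape `kubectl get ingress -o json` emits and reports which certificate ingress-nginx will present for each TLS host: the Secret named in secretName when it exists, the controller's --default-ssl-certificate when secretName is empty or the named Secret is missing, and the controller's built-in self-signed "fake" certificate when that flag is also absent. The controller args, Ingress objects and Secret list in the block are constructed sample data; the hostnames follow the ex.org values used in the configuration below.

```python
"""Added example (not from the GitLab chart or this issue): decide which
certificate ingress-nginx will present for each TLS host of an Ingress.

ingress-nginx uses the Secret named in spec.tls[].secretName when it exists;
when secretName is empty, or the Secret cannot be found, it falls back to the
--default-ssl-certificate set on the controller, and if that flag is also
absent, to its built-in self-signed "fake" certificate.
"""
import json


def default_cert_ref(controller_args):
    """Extract the namespace/name given to --default-ssl-certificate from the
    controller container's args (both '--flag=value' and '--flag value' forms).
    Returns None when the flag is absent."""
    for i, arg in enumerate(controller_args):
        if arg.startswith("--default-ssl-certificate="):
            return arg.split("=", 1)[1]
        if arg == "--default-ssl-certificate" and i + 1 < len(controller_args):
            return controller_args[i + 1]
    return None


def classify_ingress_tls(ingress, existing_secrets, default_cert):
    """For every host in spec.tls, report which certificate source serves it.

    ingress:          a parsed Ingress object (as from `kubectl get ingress -o json`)
    existing_secrets: set of 'namespace/name' TLS Secrets present in the cluster
    default_cert:     'namespace/name' from --default-ssl-certificate, or None
    """
    ns = ingress["metadata"]["namespace"]
    fallback = (f"default-ssl-certificate {default_cert}" if default_cert
                else "controller fake certificate")
    report = []
    for entry in ingress.get("spec", {}).get("tls", []) or []:
        secret = entry.get("secretName") or ""
        if not secret:
            source, reason = fallback, "secretName empty"
        elif f"{ns}/{secret}" in existing_secrets:
            source, reason = f"secret {ns}/{secret}", "explicit secret present"
        else:
            source, reason = fallback, f"secret {ns}/{secret} not found"
        for host in entry.get("hosts") or []:
            report.append({"ingress": ingress["metadata"]["name"], "host": host,
                           "source": source, "reason": reason})
    return report


# Constructed sample data: a controller arg list and three Ingresses.
# Secret and namespace names are made up for this example.
CONTROLLER_ARGS = ["/nginx-ingress-controller",
                   "--default-ssl-certificate=ingress-nginx/wildcard-ex-org-tls",
                   "--ingress-class=nginx"]

INGRESSES = json.loads("""[
 {"metadata": {"name": "gitlab-webservice", "namespace": "gitlab"},
  "spec": {"tls": [{"hosts": ["git.ex.org"], "secretName": ""}]}},
 {"metadata": {"name": "gitlab-registry", "namespace": "gitlab"},
  "spec": {"tls": [{"hosts": ["registry.ex.org"], "secretName": "generated-selfsigned-tls"}]}},
 {"metadata": {"name": "gitlab-minio", "namespace": "gitlab"},
  "spec": {"tls": [{"hosts": ["minio-git.ex.org"], "secretName": "missing-tls"}]}}
]""")

EXISTING_SECRETS = {"gitlab/generated-selfsigned-tls", "ingress-nginx/wildcard-ex-org-tls"}


def audit(ingresses=INGRESSES, secrets=EXISTING_SECRETS, args=CONTROLLER_ARGS):
    """Classify every TLS host across all given Ingresses."""
    default_cert = default_cert_ref(args)
    rows = []
    for ing in ingresses:
        rows.extend(classify_ingress_tls(ing, secrets, default_cert))
    return rows


if __name__ == "__main__":
    for row in audit():
        print(f"{row['host']:<20} {row['source']:<55} ({row['reason']})")
```

Against a live cluster, feed `audit()` the `items` of `kubectl get ingress -A -o json`, the Secrets from `kubectl get secret -A --field-selector type=kubernetes.io/tls`, and the args of the controller container. A host whose source is an explicit, chart-generated self-signed Secret is exactly the situation this issue describes: because an explicit secretName takes precedence, the controller's default certificate is never consulted for that host.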

Steps to reproduce

Install this helm chart with:

nginx-ingress.enabled=false
global.ingress.tls.enabled=true
global.ingress.tls.secretName=''
global.ingress.tls.configureCertmanager=false

Configuration used

---

# https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/values.yaml

global:
  edition: ce

  ## https://docs.gitlab.com/charts/charts/globals#configure-host-settings
  hosts:
    domain: ex.org
    hostSuffix: git
    https: true
    externalIP:
    ssh: gitssh.ex.org
    gitlab:
      name: git.ex.org
      https: true
    registry:
      name: registry.ex.org
      https: true

  shell:
    port: 5922

  ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings
  ingress:
    enabled: true
    tls:
      enabled: true
      secretName: ''
    configureCertmanager: false
    provider: nginx
    # class:
    annotations: {}
    path: /
    pathType: Prefix

  initialRootPassword:
    secret: gitlab-infra-server-gitlab-root-password
    key: password

  ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    ## https://docs.gitlab.com/charts/charts/globals#general-application-settings
    # cdnHost:
    enableUsagePing: true
    enableSeatLink: true
    enableImpersonation:
    applicationSettingsCacheSeconds: 60
    usernameChangingEnabled: true
    issueClosingPattern:
    defaultTheme:
    defaultProjectsFeatures:
      issues: true
      mergeRequests: true
      wiki: true
      snippets: true
      builds: true
    graphQlTimeout:
    webhookTimeout:
    maxRequestDurationSeconds:

    ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings
    cron_jobs: {}

    ## https://docs.gitlab.com/charts/charts/globals#content-security-policy
    contentSecurityPolicy:
      enabled: false
      report_only: true
      # directives: {}

    backups:
      bucket: gitlab-backups
      tmpBucket: tmp

    gitlab_kas:
      enabled: false

    initialDefaults:
      signupEnabled: false

  kas:
    enabled: false

  rails:
    bootsnap: # Enable / disable Shopify/Bootsnap cache
      enabled: true

  ## https://docs.gitlab.com/charts/charts/globals#configure-registry-settings
  registry:
    bucket: registry

    tls:
      enabled: false
      # secretName:

    # Settings utilized by other services referencing registry:
    enabled: true
    host:
    # port: 443
    api:
      protocol: http
      serviceName: registry
      port: 5000
    tokenIssuer: gitlab-issuer

  ## https://docs.gitlab.com/charts/charts/globals#service-accounts
  serviceAccount:
    enabled: false
    create: true
    annotations: {}
    ## Name to be used for serviceAccount, otherwise defaults to chart fullname
    # name:

prometheus:
  install: false

certmanager:
  install: false

nginx-ingress: &nginx-ingress
  enabled: false

registry:
  enabled: true

gitlab-runner:
  install: false

Current behavior

The helm chart gets installed successfully, giving this message:

...
=== WARNING
Automatic TLS certificate generation with cert-manager is disabled.
One or more of the components does not have a TLS certificate Secret configured.
As a result, Self-signed certificates were generated for these components.
...

If you do not wish to use self-signed certificates, please set the following properties:
- global.ingress.tls.secretName
OR all of:
- global.ingress.tls.enabled (set to true)
- gitlab.webservice.ingress.tls.secretName
- registry.ingress.tls.secretName
- minio.ingress.tls.secretName

Expected behavior

Some way to disable generation of the self-signed certificates and keep the secretNames empty, so that the external nginx ingress controller can deal with it.

Versions

  • Chart: gitlab-7.5.1
  • Platform:
    • Self-hosted: k0s
  • Kubernetes: (kubectl version)
    • Client: v1.28.2
    • Server: v1.28.2+k0s
  • Helm: (helm version)
    • Client: v3.13.1

Relevant logs

NAME                                                           READY   STATUS     RESTARTS      AGE
pod/gitlab-infra-server-gitaly-0                               0/1     Pending    0             108m
pod/gitlab-infra-server-gitlab-exporter-5455bb7fc7-zlgtq       1/1     Running    0             108m
pod/gitlab-infra-server-gitlab-shell-d9d644df5-sld6n           1/1     Running    0             108m
pod/gitlab-infra-server-gitlab-shell-d9d644df5-wh4n4           1/1     Running    0             107m
pod/gitlab-infra-server-migrations-4-6sctk                     1/1     Running    0             35m
pod/gitlab-infra-server-minio-5ccdcfd7c9-hwscw                 0/1     Pending    0             108m
pod/gitlab-infra-server-postgresql-0                           0/2     Pending    0             108m
pod/gitlab-infra-server-redis-master-0                         0/2     Pending    0             108m
pod/gitlab-infra-server-registry-58dd5bc649-ngrfg              1/1     Running    0             108m
pod/gitlab-infra-server-registry-58dd5bc649-rbmhd              1/1     Running    0             107m
pod/gitlab-infra-server-sidekiq-all-in-1-v2-6b79dd9bb7-lzh9m   0/1     Init:2/3   1 (44m ago)   108m
pod/gitlab-infra-server-toolbox-5679575759-k6r7g               1/1     Running    0             108m
pod/gitlab-infra-server-webservice-default-65fd8b5d98-shpqd    0/2     Init:2/3   1 (44m ago)   108m
pod/gitlab-infra-server-webservice-default-65fd8b5d98-xcw9z    0/2     Init:2/3   1 (44m ago)   107m

NAME                                                READY   AGE
statefulset.apps/gitlab-infra-server-gitaly         0/1     108m
statefulset.apps/gitlab-infra-server-postgresql     0/1     108m
statefulset.apps/gitlab-infra-server-redis-master   0/1     108m

NAME                                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/gitlab-infra-server-gitlab-exporter       1/1     1            1           108m
deployment.apps/gitlab-infra-server-gitlab-shell          2/2     2            2           108m
deployment.apps/gitlab-infra-server-minio                 0/1     1            0           108m
deployment.apps/gitlab-infra-server-registry              2/2     2            2           108m
deployment.apps/gitlab-infra-server-sidekiq-all-in-1-v2   0/1     1            0           108m
deployment.apps/gitlab-infra-server-toolbox               1/1     1            1           108m
deployment.apps/gitlab-infra-server-webservice-default    0/2     2            0           108m

NAME                                                               CLASS                       HOSTS                      ADDRESS   PORTS   AGE
ingress.networking.k8s.io/gitlab-infra-server-minio                gitlab-infra-server-nginx   minio-git.zzlogistics.ru             80      72m
ingress.networking.k8s.io/gitlab-infra-server-registry             gitlab-infra-server-nginx   registry.zzlogistics.ru              80      72m
ingress.networking.k8s.io/gitlab-infra-server-webservice-default   gitlab-infra-server-nginx   git.zzlogistics.ru                   80      72m
Edited by Czai Kun