KB at your finger tips

This is one stop global knowledge base where you can learn about all the products, solutions and support features.

Configure charts using globals

To reduce configuration duplication when installing our wrapper Helm chart, several
configuration settings are available to be set in the global section of values.yaml .
These global settings are used across several charts, while all other settings are scoped
within their chart. See the Helm documentation on globals
for more information on how the global variables work.

Hosts
Ingress
GitLab Version
PostgreSQL
Redis
Grafana
Registry
Gitaly
Praefect
MinIO
appConfig
Rails
Workhorse
GitLab Shell
Pages
Webservice
Custom Certificate Authorities
Application Resource
Busybox image
Service Accounts
Annotations
Tracing
extraEnv
extraEnvFrom
OAuth
Kerberos
Outgoing email
Platform
Affinity

Configure Host settings

The GitLab global host settings are located under the global.hosts key.

      global:
  hosts:
    domain: example.com
    hostSuffix: staging
    https: false
    externalIP:
    gitlab:
      name: gitlab.example.com
      https: false
    registry:
      name: registry.example.com
      https: false
    minio:
      name: minio.example.com
      https: false
    smartcard:
      name: smartcard.example.com
    kas:
      name: kas.example.com
    pages:
      name: pages.example.com
      https: false
    ssh: gitlab.example.com

     

Name	Type	Default	Description
`domain`	String	`example.com`	The base domain. GitLab and Registry will be exposed on the subdomain of this setting. This defaults to `example.com` , but is not used for hosts that have their `name` property configured. See the `gitlab.name` , `minio.name` , and `registry.name` sections below.
`externalIP`		`nil`	Set the external IP address that will be claimed from the provider. This will be templated into the NGINX chart, in place of the more complex `nginx.service.loadBalancerIP` .
`https`	Boolean	`true`	If set to true, you will need to ensure the NGINX chart has access to the certificates. In cases where you have TLS-termination in front of your Ingresses, you probably want to look at `global.ingress.tls.enabled` . Set to false for external URLs to use `http://` instead of `https` .
`hostSuffix`	String		See Below.
`gitlab.https`	Boolean	`false`	If `hosts.https` or `gitlab.https` are `true` , the GitLab external URL will use `https://` instead of `http://` .
`gitlab.name`	String		The hostname for GitLab. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.
`gitlab.hostnameOverride`	String		Override the hostname used in Ingress configuration of the Webservice. Useful if GitLab has to be reachable behind a WAF that rewrites the Hostname to an internal hostname (e.g.: `gitlab.example.com` –> `gitlab.cluster.local` ).
`gitlab.serviceName`	String	`webservice`	The name of the `service` which is operating the GitLab server. The chart will template the hostname of the service (and current `.Release.Name` ) to create the proper internal serviceName.
`gitlab.servicePort`	String	`workhorse`	The named port of the `service` where the GitLab server can be reached.
`minio.https`	Boolean	`false`	If `hosts.https` or `minio.https` are `true` , the MinIO external URL will use `https://` instead of `http://` .
`minio.name`	String	`minio`	The hostname for MinIO. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.
`minio.serviceName`	String	`minio`	The name of the `service` which is operating the MinIO server. The chart will template the hostname of the service (and current `.Release.Name` ) to create the proper internal serviceName.
`minio.servicePort`	String	`minio`	The named port of the `service` where the MinIO server can be reached.
`registry.https`	Boolean	`false`	If `hosts.https` or `registry.https` are `true` , the Registry external URL will use `https://` instead of `http://` .
`registry.name`	String	`registry`	The hostname for Registry. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.
`registry.serviceName`	String	`registry`	The name of the `service` which is operating the Registry server. The chart will template the hostname of the service (and current `.Release.Name` ) to create the proper internal serviceName.
`registry.servicePort`	String	`registry`	The named port of the `service` where the Registry server can be reached.
`smartcard.name`	String	`smartcard`	The hostname for smartcard authentication. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.
`kas.name`	String	`kas`	The hostname for the KAS. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.
`kas.https`	Boolean	`false`	If `hosts.https` or `kas.https` are `true` , the KAS external URL will use `wss://` instead of `ws://` .
`pages.name`	String	`pages`	The hostname for GitLab Pages. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.
`pages.https`	String		If `global.pages.https` or `global.hosts.pages.https` or `global.hosts.https` are `true` , then URL for GitLab Pages in the Project settings UI will use `https://` instead of `http://` .
`ssh`	String		The hostname for cloning repositories over SSH. If set, this hostname is used, regardless of the `global.hosts.domain` and `global.hosts.hostSuffix` settings.

hostSuffix

The hostSuffix is appended to the subdomain when assembling a hostname using the
base domain , but is not used for hosts that have their own name set.

Defaults to being unset. If set, the suffix is appended to the subdomain with a hyphen.
The example below would result in using external hostnames like gitlab-staging.example.com
and registry-staging.example.com :

      global:
  hosts:
    domain: example.com
    hostSuffix: staging

     

Configure Horizontal Pod Autoscaler settings

The GitLab global host settings for HPA are located under the global.hpa key:

Name	Type	Default	Description
`apiVersion`	String		API version to use in the HorizontalPodAutoscaler object definitions.

Configure PodDisruptionBudget settings

The GitLab global host settings for PDB are located under the global.pdb key:

Name	Type	Default	Description
`apiVersion`	String		API version to use in the PodDisruptionBudget object definitions.

Configure CronJob settings

The GitLab global host settings for CronJobs are located under the global.batch.cronJob key:

Name	Type	Default	Description
`apiVersion`	String		API version to use in the CronJob object definitions.

Configure Ingress settings

The GitLab global host settings for Ingress are located under the global.ingress key:

Name	Type	Default	Description
`apiVersion`	String		API version to use in the Ingress object definitions.
`annotations.annotation-key`	String		Where `annotation-key` is a string that will be used with the value as an annotation on every Ingress. For Example: `global.ingress.annotations."nginx\.ingress\.kubernetes\.io/enable-access-log"=true` . No global annotations are provided by default.
`configureCertmanager`	Boolean	`true`	See below.
`class`	String	`gitlab-nginx`	Global setting that controls `kubernetes.io/ingress.class` annotation or `spec.IngressClassName` in `Ingress` resources. Set to `none` to disable, or `""` for empty. Note: for `none` or `""` , set `nginx-ingress.enabled=false` to prevent the charts from deploying unnecessary Ingress resources.
`enabled`	Boolean	`true`	Global setting that controls whether to create Ingress objects for services that support them.
`tls.enabled`	Boolean	`true`	When set to `false` , this disables TLS in GitLab. This is useful for cases in which you cannot use TLS termination of Ingresses, such as when you have a TLS-terminating proxy before the Ingress Controller. If you want to disable https completely, this should be set to `false` together with `global.hosts.https` .
`tls.secretName`	String		The name of the Kubernetes TLS Secret that contains a wildcard certificate and key for the domain used in `global.hosts.domain` .
`path`	String	`/`	Default for `path` entries in Ingress objects
`pathType`	String	`Prefix`	A Path Type allows you to specify how a path should be matched. Our current default is `Prefix` but you can use `ImplementationSpecific` or `Exact` depending on your use case.
`provider`	String	`nginx`	Global setting that defines the Ingress provider to use. `nginx` is used as the default provider.

Sample configurations for various cloud providers
can be found in the examples folder.

AWS
GKE

Ingress Path

This chart employs global.ingress.path as a means to assist those users that need to alter the definition of path entries for their Ingress objects.
Many users have no need for this setting, and should not configure it .

For those users who need to have their path definitions end in /* to match their load balancer / proxy behaviors, such as when using ingress.class: gce in GCP,
ingress.class: alb in AWS, or another such provider.

This setting ensures that all path entries in Ingress resources throughout this chart are rendered with this.
The only exception is when populating the gitlab/webservice deployments settings, where path must be specified.

Cloud provider LoadBalancers

Various cloud providers’ LoadBalancer implementations have an impact on configuration of the Ingress resources and NGINX controller deployed as part of this chart. The next table provides examples.

Provider	Layer	Example snippet
AWS	4	`aws/elb-layer4-loadbalancer`
AWS	7	`aws/elb-layer7-loadbalancer`
AWS	7	`aws/alb-full`

`global.ingress.configureCertmanager`

Global setting that controls the automatic configuration of cert-manager
for Ingress objects. If true , relies on certmanager-issuer.email being set.

If false and global.ingress.tls.secretName is not set, this will activate automatic
self-signed certificate generation, which creates a wildcard certificate for all
Ingress objects.

If you wish to use an external cert-manager , you must provide the following:

gitlab.webservice.ingress.tls.secretName
registry.ingress.tls.secretName
minio.ingress.tls.secretName
global.ingress.annotations

GitLab Version

This value should only used for development purposes, or by explicit request of GitLab support. Please avoid using this value
on production environments and set the version as described
in Deploy using Helm

The GitLab version used in the default image tag for the charts can be changed using
the global.gitlabVersion key:

--set global.gitlabVersion=11.0.1

This impacts the default image tag used in the webservice , sidekiq , and migration
charts. Note that the gitaly , gitlab-shell and gitlab-runner image tags should
be separately updated to versions compatible with the GitLab version.

Adding suffix to all image tags

If you wish to add a suffix to the name of all images used in the Helm chart, you can use the global.image.tagSuffix key.
An example of this use case might be if you wish to use fips compliant container images from GitLab, which are all built
with the -fips extension to the image tag.

      --set global.image.tagSuffix="-fips"

     

Configure PostgreSQL settings

The GitLab global PostgreSQL settings are located under the global.psql key.

      global:
  psql:
    host: psql.example.com
    # serviceName: pgbouncer
    port: 5432
    database: gitlabhq_production
    username: gitlab
    applicationName:
    preparedStatements: false
    databaseTasks: true
    connectTimeout:
    keepalives:
    keepalivesIdle:
    keepalivesInterval:
    keepalivesCount:
    tcpUserTimeout:
    password:
      useSecret: true
      secret: gitlab-postgres
      key: psql-password
      file:

     

Name	Type	Default	Description
`host`	String		The hostname of the PostgreSQL server with the database to use. This can be omitted if using PostgreSQL deployed by this chart.
`serviceName`	String		The name of the `service` which is operating the PostgreSQL database. If this is present, and `host` is not, the chart will template the hostname of the service in place of the `host` value.
`database`	String	`gitlabhq_production`	The name of the database to use on the PostgreSQL server.
`password.useSecret`	Boolean	`true`	Controls whether the password for PostgreSQL is read from a secret or file.
`password.file`	String		Defines the path to the file that contains the password for PostgreSQL. Ignored if `password.useSecret` is true
`password.key`	String		The `password.key` attribute for PostgreSQL defines the name of the key in the secret (below) that contains the password. Ignored if `password.useSecret` is false.
`password.secret`	String		The `password.secret` attribute for PostgreSQL defines the name of the Kubernetes `Secret` to pull from. Ignored if `password.useSecret` is false.
`port`	Integer	`5432`	The port on which to connect to the PostgreSQL server.
`username`	String	`gitlab`	The username with which to authenticate to the database.
`preparedStatements`	Boolean	`false`	If prepared statements should be used when communicating with the PostgreSQL server.
`databaseTasks`	Boolean	`true`	If GitLab should perform database tasks for a given database. Automatically disabled when sharing host/port/database match `main` .
`connectTimeout`	Integer		The number of seconds to wait for a database connection.
`keepalives`	Integer		Controls whether client-side TCP keepalives are used (1, meaning on, 0, meaning off).
`keepalivesIdle`	Integer		The number of seconds of inactivity after which TCP should send a keepalive message to the server. A value of zero uses the system default.
`keepalivesInterval`	Integer		The number of seconds after which a TCP keepalive message that is not acknowledged by the server should be retransmitted. A value of zero uses the system default.
`keepalivesCount`	Integer		The number of TCP keepalives that can be lost before the client’s connection to the server is considered dead. A value of zero uses the system default.
`tcpUserTimeout`	Integer		The number of milliseconds that transmitted data may remain unacknowledged before a connection is forcibly closed. A value of zero uses the system default.
`applicationName`	String		The name of the application connecting to the database. Set to a blank string ( `""` ) to disable. By default, this will be set to the name of the running process (e.g. `sidekiq` , `puma` ).

PostgreSQL per chart

In some complex deployments, it may be desired to configure different parts of
this chart with different configurations for PostgreSQL. As of v4.2.0 , all
properties available within global.psql can be set on a per-chart basis,
for example gitlab.sidekiq.psql . The local settings will override global values
when supplied, inheriting any not present from global.psql , with the exception
of psql.load_balancing .

PostgreSQL load balancing will never inherit
from the global, by design.

PostgreSQL SSL

SSL support is mutual TLS only.
See issue #2034
and issue #1817.

If you want to connect GitLab with a PostgreSQL database over mutual TLS, create a secret
containing the client key, client certificate and server certificate authority as different
secret keys. Then describe the secret’s structure using the global.psql.ssl mapping.

      global:
  psql:
    ssl:
      secret: db-example-ssl-secrets # Name of the secret
      clientCertificate: cert.pem    # Secret key storing the certificate
      clientKey: key.pem             # Secret key of the certificate's key
      serverCA: server-ca.pem        # Secret key containing the CA for the database server

     

Name	Type	Description
`secret`	String	Name of the Kubernetes `Secret` containing the following keys
`clientCertificate`	String	Name of the key within the `Secret` containing the client certificate.
`clientKey`	String	Name of the key within the `Secret` containing the client certificate’s key file.
`serverCA`	String	Name of the key within the `Secret` containing the certificate authority for the server.

You may also need to set extraEnv values to export environment values to point to the correct keys.

      global:
  extraEnv:
      PGSSLCERT: '/etc/gitlab/postgres/ssl/client-certificate.pem'
      PGSSLKEY: '/etc/gitlab/postgres/ssl/client-key.pem'
      PGSSLROOTCERT: '/etc/gitlab/postgres/ssl/server-ca.pem'

     

PostgreSQL load balancing

This feature requires the use of an
external PostgreSQL, as this chart does not
deploy PostgreSQL in an HA fashion.

The Rails components in GitLab have the ability to
make use of PostgreSQL clusters to load balance read-only queries.

This feature can be configured in two fashions:

Using a static lists of hostnames for the secondaries.
Using a DNS based service discovery mechanism.

Configuration with a static list of is straight forward:

      global:
  psql:
    host: primary.database
    load_balancing:
       hosts:
       - secondary-1.database
       - secondary-2.database

     

Configuration of service discovery can be more complex. For a complete
details of this configuration, the parameters and their associated
behaviors, see Service Discovery
in the GitLab Administration documentation.

      global:
  psql:
    host: primary.database
    load_balancing:
      discover:
        record:  secondary.postgresql.service.consul
        # record_type: A
        # nameserver: localhost
        # port: 8600
        # interval: 60
        # disconnect_timeout: 120
        # use_tcp: false
        # max_replica_pools: 30

     

Further tuning is also available, in regards to the
handling of stale reads.
The GitLab Administration documentation covers these items in detail,
and those properties can be added directly under load_balancing .

      global:
  psql:
    load_balancing:
      max_replication_difference: # See documentation
      max_replication_lag_time:   # See documentation
      replica_check_interval:     # See documentation

     

Configure Redis settings

The GitLab global Redis settings are located under the global.redis key.

By default we use an single, non-replicated Redis instance. If desired, a
highly available Redis can be deployed instead. To install an HA Redis
cluster one needs to set redis.cluster.enabled=true when the GitLab
chart is installed.

You can bring an external Redis instance by setting redis.install=false , and
following our advanced documentation for
configuration.

      global:
  redis:
    host: redis.example.com
    serviceName: redis
    port: 6379
    password:
      enabled: true
      secret: gitlab-redis
      key: redis-password
    scheme:

     

Name	Type	Default	Description
`host`	String		The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName` .
`serviceName`	String	`redis`	The name of the `service` which is operating the Redis database. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name` ) in place of the `host` value. This is convenient when using Redis as a part of the overall GitLab chart.
`port`	Integer	`6379`	The port on which to connect to the Redis server.
`password.enabled`	Boolean	true	The `password.enabled` provides a toggle for using a password with the Redis instance.
`password.key`	String		The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password.
`password.secret`	String		The `password.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from.
`scheme`	String	`redis`	The URI scheme to be used to generate Redis URLs. Valid values are `redis` , `rediss` , and `tcp` . If using `rediss` (SSL encrypted connection) scheme, the certificate used by the server should be a part of the system’s trusted chains. This can be done by adding them to the custom certificate authorities list.

Configure Redis chart-specific settings

Settings to configure the Redis chart
directly are located under the redis key:

      redis:
  install: true
  image:
    registry: registry.example.com
    repository: example/redis
    tag: x.y.z

     

Refer to the full list of settings
for more information.

Redis Sentinel support

The current Redis Sentinel support only supports Sentinels that have
been deployed separately from the GitLab chart. As a result, the Redis
deployment through the GitLab chart should be disabled with redis.install=false .
The Kubernetes Secret containing the Redis password will need to be manually created
before deploying the GitLab chart.

The installation of an HA Redis cluster from the GitLab chart does not
support using sentinels. If sentinel support is desired, a Redis cluster
needs to be created separately from the GitLab chart install. This can be
done inside or outside the Kubernetes cluster.

An issue to track the
supporting of sentinels in a GitLab deployed Redis cluster has
been created for tracking purposes.

      redis:
  install: false
global:
  redis:
    host: redis.example.com
    serviceName: redis
    port: 6379
    sentinels:
      - host: sentinel1.example.com
        port: 26379
      - host: sentinel2.exeample.com
        port: 26379
    password:
      enabled: true
      secret: gitlab-redis
      key: redis-password

     

Name	Type	Default	Description
`host`	String		The `host` attribute needs to be set to the cluster name as specified in the `sentinel.conf` .
`sentinels.[].host`	String		The hostname of Redis Sentinel server for a Redis HA setup.
`sentinels.[].port`	Integer	`26379`	The port on which to connect to the Redis Sentinel server.

All the prior Redis attributes in the general configure Redis settings
continue to apply with the Sentinel support unless re-specified in the table above.

Multiple Redis support

The GitLab chart includes support for running with separate Redis instances
for different persistence classes, currently:

Instance	Purpose
`cache`	Store cached data
`queues`	Store Sidekiq background jobs
`sharedState`	Store various persistent data such as distributed locks
`actioncable`	Pub/Sub queue backend for ActionCable
`traceChunks`	Store job traces temporarily
`rateLimiting`	Store rate-limiting usage for RackAttack and Application Limits
`sessions`	Store user session data

Any number of the instances may be specified. Any instances not specified
will be handled by the primary Redis instance specified
by global.redis.host or use the deployed Redis instance from the chart.
For example:

      redis:
  install: false
global:
  redis:
    host: redis.example
    port: 6379
    password:
      enabled: true
      secret: redis-secret
      key: redis-password
    cache:
      host: cache.redis.example
      port: 6379
      password:
        enabled: true
        secret: cache-secret
        key: cache-password
    sharedState:
      host: shared.redis.example
      port: 6379
      password:
        enabled: true
        secret: shared-secret
        key: shared-password
    queues:
      host: queues.redis.example
      port: 6379
      password:
        enabled: true
        secret: queues-secret
        key: queues-password
    actioncable:
      host: cable.redis.example
      port: 6379
      password:
        enabled: true
        secret: cable-secret
        key: cable-password
    traceChunks:
      host: traceChunks.redis.example
      port: 6379
      password:
        enabled: true
        secret: traceChunks-secret
        key: traceChunks-password
    rateLimiting:
      host: rateLimiting.redis.example
      port: 6379
      password:
        enabled: true
        secret: rateLimiting-secret
        key: rateLimiting-password
    sessions:
      host: sessions.redis.example
      port: 6379
      password:
        enabled: true
        secret: sessions-secret
        key: sessions-password

     

The following table describes the attributes for each dictionary of the
Redis instances.

Name	Type	Default	Description
`.host`	String		The hostname of the Redis server with the database to use.
`.port`	Integer	`6379`	The port on which to connect to the Redis server.
`.password.enabled`	Boolean	true	The `password.enabled` provides a toggle for using a password with the Redis instance.
`.password.key`	String		The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password.
`.password.secret`	String		The `password.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from.

The primary Redis definition is required as there are additional persistence
classes that have not been separated.

Each instance definition may also use Redis Sentinel support. Sentinel
configurations are not shared and needs to be specified for each
instance that uses Sentinels. Please refer to the Sentinel configuration
for the attributes that are used to configure Sentinel servers.

Specifying secure Redis scheme (SSL)

In order to connect to Redis using SSL, the rediss (note the double s ) scheme parameter is required:

      global:
  redis:
    scheme: rediss
  --set global.redis.scheme=rediss

     

Password-less Redis Servers

Some Redis services such as Google Cloud Memorystore do not make use of passwords and the associated AUTH command. The use and requirement for a password can be disabled via the following configuration setting:

      global:
  redis:
    password:
      enabled: false
    host: ${REDIS_PRIVATE_IP}
redis:
  enabled: false

     

Configure Grafana integration

The GitLab global Grafana settings are located under global.grafana . At this time, the only setting available is global.grafana.enabled .

When set to true , the GitLab chart will deploy the grafana/grafana chart, expose it under /-/grafana of the GitLab Ingress, and pre-configure it with a secure random password. The generated password can be found in the Secret named gitlab-grafana-initial-root-password .

The GitLab chart connects to the deployed Prometheus instance.

Configure Registry settings

The global Registry settings are located under the global.registry key.

      global:
  registry:
    bucket: registry
    certificate:
    httpSecret:
    notificationSecret:
    notifications: {}

     

For more details on bucket , certificate , httpSecret , and notificationSecret settings, see the documentation within the registry chart.

notifications

This setting is used to configure
Registry notifications.
It takes in a map (following upstream specification), but with an added feature
of providing sensitive headers as Kubernetes secrets. For example, consider the
following snippet where the Authorization header contains sensitive data while
other headers contain regular data:

      global:
  registry:
    notifications:
      events:
        includereferences: true
      endpoints:
        - name: CustomListener
          url: https://mycustomlistener.com
          timeout: 500mx
          threshold: 5
          backoff: 1s
          headers:
            X-Random-Config: [plain direct]
            Authorization:
              secret: registry-authorization-header
              key: password

     

In this example, the header X-Random-Config is a regular header and its value
can be provided in plaintext in the values.yaml file or via --set flag.
However, the header Authorization is a sensitive one, so mounting it from a
Kubernetes secret is preferred. For details regarding the structure of the
secret, refer the secrets documentation

Configure Gitaly settings

The global Gitaly settings are located under the global.gitaly key.

      global:
  gitaly:
    internal:
      names:
        - default
        - default2
    external:
      - name: node1
        hostname: node1.example.com
        port: 8075
    authToken:
      secret: gitaly-secret
      key: token
    tls:
      enabled: true
      secretName: gitlab-gitaly-tls

     

Gitaly hosts

Gitaly is a service that provides high-level
RPC access to Git repositories, which handles all Git calls made by GitLab.

Administrators can chose to use Gitaly nodes in the following ways:

Internal to the chart, as part of a StatefulSet via the Gitaly chart.
External to the chart, as external pets.
Mixed environment using both internal and external nodes.

See Repository Storage Paths
documentation for details on managing which nodes will be used for new projects.

If gitaly.host is provided, gitaly.internal and gitaly.external properties will be ignored .
See the deprecated Gitaly settings.

The Gitaly authentication token is expected to be identical for
all Gitaly services at this time, internal or external. Ensure these are aligned.
See issue #1992 for further details.

Internal

The internal key currently consists of only one key, names , which is a list of
storage names
to be managed by the chart. For each listed name, in logical order , one pod will
be spawned, named ${releaseName}-gitaly-${ordinal} , where ordinal is the index
within the names list. If dynamic provisioning is enabled, the PersistentVolumeClaim
will match.

This list defaults to ['default'] , which provides for 1 pod related to one
storage path.

Manual scaling of this item is required, by adding or removing entries in
gitaly.internal.names . When scaling down, any repository that has not been moved
to another node will become unavailable. Since the Gitaly chart is a StatefulSet ,
dynamically provisioned disks will not be reclaimed. This means the data disks
will persist, and the data on them can be accessed when the set is scaled up again
by re-adding a node to the names list.

A sample configuration of multiple internal nodes
can be found in the examples folder.

External

The external key provides a configuration for Gitaly nodes external to the cluster.
Each item of this list has 3 keys:

name : The name of the storage.
An entry with name: default is required.
hostname : The host of Gitaly services.
port : (optional) The port number to reach the host on. Defaults to 8075 .
tlsEnabled : (optional) Override global.gitaly.tls.enabled for this particular entry.

We provide an advanced configuration guide for
using an external Gitaly service. You can also
find sample configuration of multiple external services
in the examples folder.

You may use an external Praefect
to provide highly available Gitaly services. Configuration of the two is
interchangeable, as from the viewpoint of the clients, there is no difference.

Mixed

It is possible to use both internal and external Gitaly nodes, but be aware that:

There must always be a node named default , which Internal provides by default.
External nodes will be populated first, then Internal.

A sample configuration of mixed internal and external nodes
can be found in the examples folder.

authToken

The authToken attribute for Gitaly has two sub keys:

secret defines the name of the Kubernetes Secret to pull from.
key defines the name of the key in the above secret that contains the authToken.

All Gitaly nodes must share the same authentication token.

Deprecated Gitaly settings

Name	Type	Default	Description
`host` (deprecated)	String		The hostname of the Gitaly server to use. This can be omitted in lieu of `serviceName` . If this setting is used, it will override any values of `internal` or `external` .
`port` (deprecated)	Integer	`8075`	The port on which to connect to the Gitaly server.
`serviceName` (deprecated)	String		The name of the `service` which is operating the Gitaly server. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name` ) in place of the `host` value. This is convenient when using Gitaly as a part of the overall GitLab chart.

TLS settings

Configuring Gitaly to serve via TLS is detailed in the Gitaly chart’s documentation.

Configure Praefect settings

The global Praefect settings are located under the global.praefect key.

Praefect is disabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will need to be manually created on the default PostgreSQL instance.

Enable Praefect

To enable Praefect with default settings, set global.praefect.enabled=true .

See the Praefect documentation for details on how to operate a Gitaly cluster using Praefect.

Global settings for Praefect

      global:
  praefect:
    enabled: false
    virtualStorages:
    - name: default
      gitalyReplicas: 3
      maxUnavailable: 1
    dbSecret: {}
    psql: {}

     

Name	Type	Default	Description
enabled	Boolean	false	Whether or not to enable Praefect
virtualStorages	List	See multiple virtual storages above.	The list of desired virtual storages (each backed by a Gitaly StatefulSet)
dbSecret.secret	String		The name of the secret to use for authenticating with the database
dbSecret.key	String		The name of the key in `dbSecret.secret` to use
psql.host	String		The hostname of the database server to use (when using an external database)
psql.port	String		The port number of the database server (when using an external database)
psql.user	String	`praefect`	The database user to use
psql.dbName	String	`praefect`	The name of the database to use

Configure MinIO settings

The GitLab global MinIO settings are located under the global.minio key. For more
details on these settings, see the documentation within the MinIO chart.

      global:
  minio:
    enabled: true
    credentials: {}

     

Configure appConfig settings

The Webservice, Sidekiq, and
Gitaly charts share multiple settings, which are configured
with the global.appConfig key.

      global:
  appConfig:
    # cdnHost:
    contentSecurityPolicy:
      enabled: false
      report_only: true
      # directives: {}
    enableUsagePing: true
    enableSeatLink: true
    enableImpersonation: true
    applicationSettingsCacheSeconds: 60
    usernameChangingEnabled: true
    issueClosingPattern:
    defaultTheme:
    defaultProjectsFeatures:
      issues: true
      mergeRequests: true
      wiki: true
      snippets: true
      builds: true
      containerRegistry: true
    webhookTimeout:
    gravatar:
      plainUrl:
      sslUrl:
    extra:
      googleAnalyticsId:
      matomoUrl:
      matomoSiteId:
      matomoDisableCookies:
      oneTrustId:
      googleTagManagerNonceId:
      bizible:
    object_store:
      enabled: false
      proxy_download: true
      storage_options: {}
      connection: {}
    lfs:
      enabled: true
      proxy_download: true
      bucket: git-lfs
      connection: {}
    artifacts:
      enabled: true
      proxy_download: true
      bucket: gitlab-artifacts
      connection: {}
    uploads:
      enabled: true
      proxy_download: true
      bucket: gitlab-uploads
      connection: {}
    packages:
      enabled: true
      proxy_download: true
      bucket: gitlab-packages
      connection: {}
    externalDiffs:
      enabled:
      when:
      proxy_download: true
      bucket: gitlab-mr-diffs
      connection: {}
    terraformState:
      enabled: false
      bucket: gitlab-terraform-state
      connection: {}
    ciSecureFiles:
      enabled: false
      bucket: gitlab-ci-secure-files
      connection: {}
    dependencyProxy:
      enabled: false
      bucket: gitlab-dependency-proxy
      connection: {}
    backups:
      bucket: gitlab-backups
    microsoft_graph_mailer:
      enabled: false
      user_id: "YOUR-USER-ID"
      tenant: "YOUR-TENANT-ID"
      client_id: "YOUR-CLIENT-ID"
      client_secret:
        secret:
        key: secret
      azure_ad_endpoint: "https://login.microsoftonline.com"
      graph_endpoint: "https://graph.microsoft.com"
    incomingEmail:
      enabled: false
      address: ""
      host: "imap.gmail.com"
      port: 993
      ssl: true
      startTls: false
      user: ""
      password:
        secret:
        key: password
      mailbox: inbox
      idleTimeout: 60
      inboxMethod: "imap"
      clientSecret:
        key: secret
      pollInterval: 60
      deliveryMethod: webhook
      authToken: {}

    serviceDeskEmail:
      enabled: false
      address: ""
      host: "imap.gmail.com"
      port: 993
      ssl: true
      startTls: false
      user: ""
      password:
        secret:
        key: password
      mailbox: inbox
      idleTimeout: 60
      inboxMethod: "imap"
      clientSecret:
        key: secret
      pollInterval: 60
      deliveryMethod: webhook
      authToken: {}

    cron_jobs: {}
    sentry:
      enabled: false
      dsn:
      clientside_dsn:
      environment:
    gitlab_docs:
      enabled: false
      host: ""
    smartcard:
      enabled: false
      CASecret:
      clientCertificateRequiredHost:
    sidekiq:
      routingRules: []

     

General application settings

The appConfig settings that can be used to tweak the general properties of the Rails
application are described below:

Name	Type	Default	Description
`cdnHost`	String	(empty)	Sets a base URL for a CDN to serve static assets (for example, `https://mycdnsubdomain.fictional-cdn.com` ).
`contentSecurityPolicy`	Struct		See below.
`enableUsagePing`	Boolean	`true`	A flag to disable the usage ping support.
`enableSeatLink`	Boolean	`true`	A flag to disable the seat link support.
`enableImpersonation`		`nil`	A flag to disable user impersonation by Administrators.
`applicationSettingsCacheSeconds`	Integer	60	An interval value (in seconds) to invalidate the application settings cache.
`usernameChangingEnabled`	Boolean	`true`	A flag to decide if users are allowed to change their username.
`issueClosingPattern`	String	(empty)	Pattern to close issues automatically.
`defaultTheme`	Integer		Numeric ID of the default theme for the GitLab instance. It takes a number, denoting the ID of the theme.
`defaultProjectsFeatures.feature`	Boolean	`true`	See below.
`webHookTimeout`	Integer		Waiting time in seconds before a hook is deemed to have failed.

Content Security Policy

Setting a Content Security Policy (CSP) can help thwart JavaScript cross-site
scripting (XSS) attacks. See GitLab documentation for configuration details. Content Security Policy Documentation

GitLab automatically provides secure default values for the CSP.

      global:
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false

     

To add a custom CSP:

      global:
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false
      directives:
        default_src: "'self'"
        script_src: "'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com"
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        style_src: "'self' 'unsafe-inline'"

     

Improperly configuring the CSP rules could prevent GitLab from working properly.
Before rolling out a policy, you may also want to change report_only to true to
test the configuration.

defaultProjectsFeatures

Flags to decide if new projects should be created with the respective features by
default. All flags default to true .

      defaultProjectsFeatures:
  issues: true
  mergeRequests: true
  wiki: true
  snippets: true
  builds: true
  containerRegistry: true

     

Gravatar/Libravatar settings

By default, the charts work with Gravatar avatar service available at gravatar.com.
However, a custom Libravatar service can also be used if needed:

Name	Type	Default	Description
`gravatar.plainURL`	String	(empty)	HTTP URL to Libravatar instance (instead of using gravatar.com).
`gravatar.sslUrl`	String	(empty)	HTTPS URL to Libravatar instance (instead of using gravatar.com).

Hooking Analytics services to the GitLab instance

Settings to configure Analytics services like Google Analytics and Matomo are defined
under the extra key below appConfig :

Name	Type	Default	Description
`extra.googleAnalyticsId`	String	(empty)	Tracking ID for Google Analytics.
`extra.matomoSiteId`	String	(empty)	Matomo Site ID.
`extra.matomoUrl`	String	(empty)	Matomo URL.
`extra.matomoDisableCookies`	Boolean	(empty)	Disable Matomo cookies (corresponds to `disableCookies` in the Matomo script)
`extra.oneTrustId`	String	(empty)	OneTrust ID.
`extra.googleTagManagerNonceId`	String	(empty)	Google Tag Manager ID.
`extra.bizible`	Boolean	`false`	Set to true to enable Bizible script

Consolidated object storage

In addition to the following section that describes how to configure individual settings
for object storage, we’ve added a consolidated object storage configuration to ease the use
of shared configuration for these items. Making use of object_store , you can configure a
connection once, and it will be used for any and all object storage backed features that
are not individually configured with a connection property.

        enabled: true
  proxy_download: true
  storage_options:
  connection:
    secret:
    key:

     

Name	Type	Default	Description
`enabled`	Boolean	`false`	Enable the use of consolidated object storage.
`proxy_download`	Boolean	`true`	Enable proxy of all downloads via GitLab, in place of direct downloads from the `bucket` .
`storage_options`	String	`{}`	See below.
`connection`	String	`{}`	See below.

The property structure is shared, and all properties here can be overridden by the individual
items below. The connection property structure is identical.

Notice: The bucket , enabled , and proxy_download properties are the only properties that must be
configured on a per-item level ( global.appConfig.artifacts.bucket , …) if you wish to
deviate from the default values.

When using the AWS provider for the connection (which is any
S3 compatible provider such as the included MinIO), GitLab Workhorse can offload
all storage related uploads. This will automatically be enabled for you, when
using this consolidated configuration.

Specify buckets

Each object type should be stored in different buckets.
By default, GitLab uses these bucket names for each type:

Object type	Bucket Name
CI artifacts	`gitlab-artifacts`
Git LFS	`git-lfs`
Packages	`gitlab-packages`
Uploads	`gitlab-uploads`
External merge request diffs	`gitlab-mr-diffs`
Terraform State	`gitlab-terraform-state`
CI Secure Files	`gitlab-ci-secure-files`
Dependency Proxy	`gitlab-dependency-proxy`
Pages	`gitlab-pages`

You can use these defaults or configure the bucket names:

      --set global.appConfig.artifacts.bucket=<BUCKET NAME> \
--set global.appConfig.lfs.bucket=<BUCKET NAME> \
--set global.appConfig.packages.bucket=<BUCKET NAME> \
--set global.appConfig.uploads.bucket=<BUCKET NAME> \
--set global.appConfig.externalDiffs.bucket=<BUCKET NAME> \
--set global.appConfig.terraformState.bucket=<BUCKET NAME> \
--set global.appConfig.ciSecureFiles.bucket=<BUCKET NAME> \
--set global.appConfig.dependencyProxy.bucket=<BUCKET NAME>

     

storage_options

Introduced in GitLab 13.4.

The storage_options are used to configure
S3 Server Side Encryption.

Setting a default encryption on an S3 bucket is the easiest way to
enable encryption, but you may want to
set a bucket policy to ensure only encrypted objects are uploaded.
To do this, you must configure GitLab to send the proper encryption headers
in the storage_options configuration section:

Setting	Description
`server_side_encryption`	Encryption mode ( `AES256` or `aws:kms` )
`server_side_encryption_kms_key_id`	Amazon Resource Name. Only needed when `aws:kms` is used in `server_side_encryption` . See the Amazon documentation on using KMS encryption

Example:

        enabled: true
  proxy_download: true
  connection:
    secret: gitlab-rails-storage
    key: connection
  storage_options:
    server_side_encryption: aws:kms
    server_side_encryption_kms_key_id: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

     

LFS, Artifacts, Uploads, Packages, External MR diffs, and Dependency Proxy

Details on these settings are below. Documentation is not repeated individually,
as they are structurally identical aside from the default value of the bucket property.

        enabled: true
  proxy_download: true
  bucket:
  connection:
    secret:
    key:

     

Name	Type	Default	Description
`enabled`	Boolean	Defaults to `true` for LFS, artifacts, uploads, and packages	Enable the use of these features with object storage.
`proxy_download`	Boolean	`true`	Enable proxy of all downloads via GitLab, in place of direct downloads from the `bucket` .
`bucket`	String	Various	Name of the bucket to use from object storage provider. Default will be `git-lfs` , `gitlab-artifacts` , `gitlab-uploads` , or `gitlab-packages` , depending on the service.
`connection`	String	`{}`	See below.

connection

The connection property has been transitioned to a Kubernetes Secret. The contents
of this secret should be a YAML formatted file. Defaults to {} and will be ignored
if global.minio.enabled is true .

This property has two sub-keys: secret and key .

secret is the name of a Kubernetes Secret. This value is required to use external object storage.
key is the name of the key in the secret which houses the YAML block. Defaults to connection .

Valid configuration keys can be found in the GitLab Job Artifacts Administration
documentation. This matches to Fog, and is different between
provider modules.

Examples for AWS and Google
providers can be found in examples/objectstorage .

rails.s3.yaml
rails.gcs.yaml
rails.azurerm.yaml

Once a YAML file containing the contents of the connection has been created, use
this file to create the secret in Kubernetes.

      kubectl create secret generic gitlab-rails-storage \
    --from-file=connection=rails.yaml

when (only for External MR Diffs)

externalDiffs setting has an additional key when to
conditionally store specific diffs on object storage.
This setting is left empty by default in the charts, for a default value to be
assigned by the Rails code.

cdn (only for CI Artifacts)

artifacts setting has an additional key cdn to configure Google CDN in front of a Google Cloud Storage bucket.

Incoming email settings

The incoming email settings are explained in the command line options page.

KAS settings

Custom secret

One can optionally customize the KAS secret name as well as key , either by
using Helm’s --set variable option:

      --set global.appConfig.gitlab_kas.secret=custom-secret-name \
--set global.appConfig.gitlab_kas.key=custom-secret-key \

or by configuring your values.yaml :

      global:
  appConfig:
    gitlab_kas:
      secret: "custom-secret-name"
      key: "custom-secret-key"

     

If you’d like to customize the secret value, refer to the secrets documentation.

Custom URLs

The URLs used for KAS by the GitLab backend can be customized
using Helm’s --set variable option:

      --set global.appConfig.gitlab_kas.externalUrl="wss://custom-kas-url.example.com" \
--set global.appConfig.gitlab_kas.internalUrl="grpc://custom-internal-url" \

or by configuring your values.yaml :

      global:
  appConfig:
    gitlab_kas:
      externalUrl: "wss://custom-kas-url.example.com"
      internalUrl: "grpc://custom-internal-url"

     

External KAS

The GitLab backend can be made aware of an external KAS server (i.e. not
managed by the chart) by explicitly enabling it and configuring the required
URLs. You can do so using Helm’s --set variable option:

      --set global.appConfig.gitlab_kas.enabled=true \
--set global.appConfig.gitlab_kas.externalUrl="wss://custom-kas-url.example.com" \
--set global.appConfig.gitlab_kas.internalUrl="grpc://custom-internal-url" \

     

or by configuring your values.yaml :

      global:
  appConfig:
    gitlab_kas:
      enabled: true
      externalUrl: "wss://custom-kas-url.example.com"
      internalUrl: "grpc://custom-internal-url"

     

Suggested Reviewers settings

Custom secret

One can optionally customize the Suggested Reviewers secret name as well as
key , either by using Helm’s --set variable option:

      --set global.appConfig.suggested_reviewers.secret=custom-secret-name \
--set global.appConfig.suggested_reviewers.key=custom-secret-key \

or by configuring your values.yaml :

      global:
  appConfig:
    suggested_reviewers:
      secret: "custom-secret-name"
      key: "custom-secret-key"

     

If you’d like to customize the secret value, refer to the secrets documentation.

LDAP

The ldap.servers setting allows for the configuration of LDAP
user authentication. It is presented as a map, which will be translated into the appropriate
LDAP servers configuration in gitlab.yml , as with an installation from source.

Configuring passwords can be done by supplying a secret which holds the password.
This password will then be injected into the GitLab configuration at runtime.

An example configuration snippet:

      ldap:
  preventSignin: false
  servers:
    # 'main' is the GitLab 'provider ID' of this LDAP server
    main:
      label: 'LDAP'
      host: '_your_ldap_server'
      port: 636
      uid: 'sAMAccountName'
      bind_dn: 'cn=administrator,cn=Users,dc=domain,dc=net'
      base: 'dc=domain,dc=net'
      password:
        secret: my-ldap-password-secret
        key: the-key-containing-the-password

     

Example --set configuration items, when using the global chart:

      --set global.appConfig.ldap.servers.main.label='LDAP' \
--set global.appConfig.ldap.servers.main.host='your_ldap_server' \
--set global.appConfig.ldap.servers.main.port='636' \
--set global.appConfig.ldap.servers.main.uid='sAMAccountName' \
--set global.appConfig.ldap.servers.main.bind_dn='cn=administrator\,cn=Users\,dc=domain\,dc=net' \
--set global.appConfig.ldap.servers.main.base='dc=domain\,dc=net' \
--set global.appConfig.ldap.servers.main.password.secret='my-ldap-password-secret' \
--set global.appConfig.ldap.servers.main.password.key='the-key-containing-the-password'

     

Commas are considered special characters
within Helm


          --set

items. Be sure to escape commas in values such as


          bind_dn


          --set global.appConfig.ldap.servers.main.bind_dn='cn=administrator\,cn=Users\,dc=domain\,dc=net'

It can be useful to prevent using LDAP credentials through the web UI when an alternative such as SAML is preferred. This allows LDAP to be used for group sync, while also allowing your SAML identity provider to handle additional checks like custom 2FA.

When LDAP web sign in is disabled, users will not see a LDAP tab on the sign in page. This does not disable using LDAP credentials for Git access.

To disable the use of LDAP for web sign-in, set global.appConfig.ldap.preventSignin: true .

Using a custom CA or self signed LDAP certificates

If the LDAP server uses a custom CA or self-signed certificate, you must:

Ensure that the custom CA/Self-Signed certificate is created as a Secret or ConfigMap in the cluster/namespace:

        # Secret
kubectl -n gitlab create secret generic my-custom-ca-secret --from-file=unique_name=my-custom-ca.pem

# ConfigMap
kubectl -n gitlab create configmap my-custom-ca-configmap --from-file=unique_name=my-custom-ca.pem

Then, specify:

        # Configure a custom CA from a Secret
--set global.certificates.customCAs[0].secret=my-custom-ca-secret

# Or from a ConfigMap
--set global.certificates.customCAs[0].configMap=my-custom-ca-configmap

# Configure the LDAP integration to trust the custom CA
--set global.appConfig.ldap.servers.main.ca_file=/etc/ssl/certs/ca-cert-unique_name.pem

       

This will ensure that the CA certificate is mounted in the relevant pods at /etc/ssl/certs/ca-cert-unique_name.pem and specifies its use in the LDAP configuration.

See Custom Certificate Authorities for more info.

OmniAuth

GitLab can leverage OmniAuth to allow users to sign in using Twitter, GitHub, Google,
and other popular services. Expanded documentation can be found in the OmniAuth documentation
for GitLab.

      omniauth:
  enabled: false
  autoSignInWithProvider:
  syncProfileFromProvider: []
  syncProfileAttributes: ['email']
  allowSingleSignOn: ['saml']
  blockAutoCreatedUsers: true
  autoLinkLdapUser: false
  autoLinkSamlUser: false
  autoLinkUser: ['saml']
  externalProviders: []
  allowBypassTwoFactor: []
  providers: []
  # - secret: gitlab-google-oauth2
  #   key: provider

     

Name	Type	Default	Description
`allowBypassTwoFactor`			Allows users to log in with the specified providers without two factor authentication. Can be set to `true` , `false` , or an array of providers. See Bypassing two factor authentication.
`allowSingleSignOn`	Array	`['saml']`	Enable the automatic creation of accounts when signing in with OmniAuth. Input the name of the OmniAuth Provider.
`autoLinkLdapUser`	Boolean	`false`	Can be used if you have LDAP / ActiveDirectory integration enabled. When enabled, users automatically created through OmniAuth will be linked to their LDAP entry as well.
`autoLinkSamlUser`	Boolean	`false`	Can be used if you have SAML integration enabled. When enabled, users automatically created through OmniAuth will be linked to their SAML entry as well.
`autoLinkUser`			Allows users authenticating via an OmniAuth provider to be automatically linked to a current GitLab user if their emails match. Can be set to `true` , `false` , or an array of providers.
`autoSignInWithProvider`		`nil`	Single provider name allowed to automatically sign in. This should match the name of the provider, such as `saml` or `google_oauth2` .
`blockAutoCreatedUsers`	Boolean	`true`	If `true` auto created users will be blocked by default and will have to be unblocked by an administrator before they are able to sign in.
`enabled`	Boolean	`false`	Enable / disable the use of OmniAuth with GitLab.
`externalProviders`		`[]`	You can define which OmniAuth providers you want to be `external` , so that all users creating accounts, or logging in via these providers will be unable to access internal projects. You will need to use the full name of the provider, like `google_oauth2` for Google. See Configure OmniAuth Providers as External.
`providers`		`[]`	See below.
`syncProfileAttributes`		`['email']`	List of profile attributes to sync from the provider upon login. See Keep OmniAuth user profiles up to date for options.
`syncProfileFromProvider`		`[]`	List of provider names that GitLab should automatically sync profile information from. Entries should match the name of the provider, such as `saml` or `google_oauth2` . See Keep OmniAuth user profiles up to date.

providers

providers is presented as an array of maps that are used to populate gitlab.yml
as when installed from source. See GitLab documentation for the available selection
of Supported Providers.
Defaults to [] .

This property has two sub-keys: secret and key :

secret : (required) The name of a Kubernetes Secret containing the provider block.
key : (optional) The name of the key in the Secret containing the provider block.
Defaults to provider

The Secret for these entries contains YAML or JSON formatted blocks, as described
in OmniAuth Providers. To
create this secret, follow the appropriate instructions for retrieval of these items,
and create a YAML or JSON file.

Example of configuration of Google OAuth2:

      name: google_oauth2
label: Google
app_id: 'APP ID'
app_secret: 'APP SECRET'
args:
  access_type: offline
  approval_prompt: ''

     

SAML configuration example:

      name: saml
label: 'SAML'
args:
  assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback'
  idp_cert_fingerprint: 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
  idp_sso_target_url: 'https://SAML_IDP/app/xxxxxxxxx/xxxxxxxxx/sso/saml'
  issuer: 'https://gitlab.example.com'
  name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'

     

Group SAML configuration example:

      name: group_saml

     

This content can be saved as provider.yaml , and then a secret created from it:

      kubectl create secret generic -n NAMESPACE SECRET_NAME --from-file=provider=provider.yaml

     

Once created, the providers are enabled by providing the maps in configuration, as
shown below:

      omniauth:
  providers:
    - secret: gitlab-google-oauth2
    - secret: gitlab-azure-oauth2
    - secret: gitlab-cas3

     

Example configuration --set items, when using the global chart:

      --set global.appConfig.omniauth.providers[0].secret=gitlab-google-oauth2 \

     

Due to the complexity of using --set arguments, a user may wish to use a YAML snippet,
passed to helm with -f omniauth.yaml .

connection

Details of the Kubernetes secret that contains the connection information for the
object storage provider. The contents of this secret should be a YAML formatted file.

Defaults to {} and will be ignored if global.minio.enabled is true .

This property has two sub-keys: secret and key :

secret is the name of a Kubernetes Secret. This value is required to use external object storage.
key is the name of the key in the secret which houses the YAML block. Defaults to connection .

Examples for AWS (s3) and Google (GCS)
providers can be found in examples/objectstorage :

rails.s3.yaml
rails.gcs.yaml

Once a YAML file containing the contents of the connection has been created, create
the secret in Kubernetes:

      kubectl create secret generic gitlab-rails-storage \
    --from-file=connection=rails.yaml

Sidekiq includes maintenance jobs that can be configured to run on a periodic
basis using cron style schedules. A few examples are included below. See the
cron_jobs and ee_cron_jobs sections in the sample gitlab.yml
for more job examples.

These settings are shared between Sidekiq, Webservice (for showing tooltips in UI)
and Toolbox (for debugging purposes) pods.

      global:
  appConfig:
    cron_jobs:
      stuck_ci_jobs_worker:
        cron: "0 * * * *"
      pipeline_schedule_worker:
        cron: "19 * * * *"
      expire_build_artifacts_worker:
        cron: "*/7 * * * *"

     

Sentry settings

Use these settings to enable GitLab error reporting with Sentry.

      global:
  appConfig:
    sentry:
      enabled:
      dsn:
      clientside_dsn:
      environment:

     

Name	Type	Default	Description
`enabled`	Boolean	`false`	Enable or Disable the integration
`dsn`	String		Sentry DSN for backend errors
`clientside_dsn`	String		Sentry DSN for front-end errors
`environment`	String		See Sentry environments

gitlab_docs settings

Use these settings to enable gitlab_docs .

      global:
  appConfig:
    gitlab_docs:
      enabled:
      host:

     

Name	Type	Default	Description
`enabled`	Boolean	`false`	Enable or Disable the gitlab_docs
`host`	String	””	docs host

Smartcard Authentication settings

      global:
  appConfig:
    smartcard:
      enabled: false
      CASecret:
      clientCertificateRequiredHost:
      sanExtensions: false
      requiredForGitAccess: false

     

Name	Type	Default	Description
`enabled`	Boolean	`false`	Enable or Disable smartcard authentication
`CASecret`	String		Name of the secret containing the CA certificate
`clientCertificateRequiredHost`	String		Hostname to use for smartcard authentication. By default, the provided or computed smartcard hostname is used.
`sanExtensions`	Boolean	`false`	Enable the use of SAN extensions to match users with certificates.
`requiredForGitAccess`	Boolean	`false`	Require browser session with smartcard sign-in for Git access.

Sidekiq routing rules settings

GitLab supports routing a job from a worker to a desired queue before it is
scheduled. Sidekiq clients match a job against a configured list of routing
rules. Rules are evaluated from first to last, and as soon as a match for a
given worker is found, the processing for that worker is stopped (first match wins). If
the worker doesn’t match any rule, it falls back the queue name generated from
the worker name.

By default, the routing rules are not configured (or denoted with an empty
array), all the jobs are routed to the queue generated from the worker name.

The routing rules list is an ordered array of tuples of query and
corresponding queue:

The query is following the
worker matching query syntax.
The <queue_name> must match a valid Sidekiq queue name sidekiq.pods[].queues defined under sidekiq.pods . If the queue name
is nil , or an empty string, the worker is routed to the queue generated
by the name of the worker instead.

The query supports wildcard matching * , which matches all workers. As a
result, the wildcard query must stay at the end of the list or the later rules
are ignored:

      global:
  appConfig:
    sidekiq:
      routingRules:
      - ["resource_boundary=cpu", "cpu-boundary"]
      - ["feature_category=pages", null]
      - ["feature_category=search", "search"]
      - ["feature_category=memory|resource_boundary=memory", "memory-bound"]
      - ["*", "default"]

     

Configure Rails settings

A large portion of the GitLab suite is based upon Rails. As such, many containers within this project operate with this stack. These settings apply to all of those containers, and provide an easy access method to setting them globally versus individually.

      global:
  rails:
    bootsnap:
      enabled: true

     

Configure Workhorse settings

Several components of the GitLab suite speak to the APIs via GitLab Workhorse. This is currently a part of the Webservice chart. These settings are consumed by all charts that need to contact GitLab Workhorse, providing an easy access to set them globally vs individually.

      global:
  workhorse:
    serviceName: webservice-default
    host: api.example.com
    port: 8181

     

Name	Type	Default	Description
serviceName	String	`webservice-default`	Name of service to direct internal API traffic to. Do not include the Release name, as it will be templated in. Should match an entry in `gitlab.webservice.deployments` . See `gitlab/webservice` chart
scheme	String	`http`	Scheme of the API endpoint
host	String		Fully qualified hostname or IP address of an API endpoint. Overrides the presence of `serviceName` .
port	Integer	`8181`	Port number of associated API server.
tls.enabled	Boolean	`false`	When set to `true` , enables TLS support for Workhorse.

Bootsnap Cache

Our Rails codebase makes use of Shopify’s Bootsnap Gem. Settings here are used to configure that behavior.

bootsnap.enabled controls the activation of this feature. It defaults to true .

Testing showed that enabling Bootsnap resulted in overall application performance boost. When a pre-compiled cache is available, some application containers see gains in excess of 33%. At this time, GitLab does not ship this pre-compiled cache with their containers, resulting in a gain of “only” 14%. There is a cost to this gain without the pre-compiled cache present, resulting in an intense spike of small IO at initial startup of each Pod. Due to this, we’ve exposed a method of disabling the use of Bootsnap in environments where this would be an issue.

When possible, we recommend leaving this enabled.

Configure GitLab Shell

There are several items for the global configuration of GitLab Shell
chart.

      global:
  shell:
    port:
    authToken: {}
    hostKeys: {}
    tcp:
      proxyProtocol: false

     

Name	Type	Default	Description
`port`	Integer	`22`	See port below for specific documentation.
`authToken`			See authToken in the GitLab Shell chart specific documentation.
`hostKeys`			See hostKeys in the GitLab Shell chart specific documentation.
`tcp.proxyProtocol`	Boolean	`false`	See TCP proxy protocol below for specific documentation.

Port

You can control the port used by the Ingress to pass SSH traffic, as well as the port used
in SSH URLs provided from GitLab via global.shell.port . This is reflected in the
port on which the service listens, as well as the SSH clone URLs provided in project UI.

      global:
  shell:
    port: 32022

     

You can combine global.shell.port and nginx-ingress.controller.service.type=NodePort
to set a NodePort for the NGINX controller Service object. Note that if
nginx-ingress.controller.service.nodePorts.gitlab-shell is set, it will
override global.shell.port when setting the NodePort for NGINX.

      global:
  shell:
    port: 32022

nginx-ingress:
  controller:
    service:
      type: NodePort

     

TCP proxy protocol

You can enable handling proxy protocol on the SSH Ingress to properly handle a connection from an upstream proxy that adds the proxy protocol header.
By doing so, this will prevent SSH from receiving the additional headers and not break SSH.

One common environment where one needs to enable handling of proxy protocol is when using AWS with an ELB handling the inbound connections to the cluster. You can consult the AWS layer 4 loadbalancer example to properly set it up.

      global:
  shell:
    tcp:
      proxyProtocol: true # default false

     

Configure GitLab Pages

The global GitLab Pages settings that are used by other charts are documented
under the global.pages key.

      global:
  pages:
    enabled:
    accessControl:
    path:
    host:
    port:
    https:
    externalHttp:
    externalHttps:
    artifactsServer:
    objectStore:
      enabled:
      bucket:
      proxy_download: true
      connection: {}
        secret:
        key:
    localStore:
      enabled: false
      path:
    apiSecret: {}
      secret:
      key:

     

Name	Type	Default	Description
`enabled`	Boolean	False	Decides whether to install GitLab Pages chart in the cluster
`accessControl`	Boolean	False	Enables GitLab Pages Access Control
`path`	String	`/srv/gitlab/shared/pages`	Path where Pages deployment related files to be stored. Note: Unused by default, since object storage is used.
`host`	String		Pages root domain.
`port`	String		Port to be used to construct Pages URLs in UI. If left unset, default value of 80 or 443 is set based on HTTPS situation of Pages.
`https`	Boolean	True	Whether GitLab UI should show HTTPS URLs for Pages or not. Has precedence over `global.hosts.pages.https` and `global.hosts.https` . Set to True by default.
`externalHttp`	List	`[]`	List of IP addresses through which HTTP requests reach Pages daemon. For supporting custom domains.
`externalHttps`	List	`[]`	List of IP addresses through which HTTPS requests reach Pages daemon. For supporting custom domains.
`artifactsServer`	Boolean	True	Enable viewing artifacts in GitLab Pages.
`objectStore.enabled`	Boolean	True	Enable using object storage for Pages.
`objectStore.bucket`	String	`gitlab-pages`	Bucket to be used to store content related to Pages
`objectStore.connection.secret`	String		Secret containing connection details for object storage.
`objectStore.connection.key`	String		Key within the connection secret where connection details are stored.
`localStore.enabled`	Boolean	False	Enable using local storage for content related to Pages (as opposed to objectStore)
`localStore.path`	String	`/srv/gitlab/shared/pages`	Path where pages files will be stored; only used if localStore is set to true.
`apiSecret.secret`	String		Secret containing 32 bit API key in Base64 encoded form.
`apiSecret.key`	String		Key within the API key secret where the API key is stored.

Configure Webservice

The global Webservice settings (that are used by other charts also) are located
under the global.webservice key.

      global:
  webservice:
    workerTimeout: 60

     

workerTimeout

Configure the request timeout (in seconds) after which a Webservice worker process
is killed by the Webservice master process. The default value is 60 seconds.

Custom Certificate Authorities

These settings do not affect charts from outside of this repository, via


          requirements.yaml

Some users may need to add custom certificate authorities, such as when using internally
issued SSL certificates for TLS services. To provide this functionality, we provide
a mechanism for injecting these custom root certificate authorities into the application through Secrets or ConfigMaps.

To create a Secret or ConfigMap:

      # Create a Secret from a certificate file
kubectl create secret generic secret-custom-ca --from-file=unique_name=/path/to/cert

# Create a ConfigMap from a certificate file
kubectl create configmap cm-custom-ca --from-file=unique_name=/path/to/cert

To configure a Secret or ConfigMap, or both, specify them in globals:

      global:
  certificates:
    customCAs:
      - secret: secret-custom-CAs           # Mount all keys of a Secret
      - secret: secret-custom-CAs           # Mount only the specified keys of a Secret
        keys:
          - unique_name
      - configMap: cm-custom-CAs            # Mount all keys of a ConfigMap
      - configMap: cm-custom-CAs            # Mount only the specified keys of a ConfigMap
        keys:
          - unique_name_1
          - unique_name_2

     

You can provide any number of Secrets or ConfigMaps, each containing any number of keys that hold
PEM-encoded CA certificates. These are configured as entries under global.certificates.customCAs .
All keys are mounted unless keys: is provided with a list of specific keys to be mounted. All mounted keys across all Secrets and ConfigMaps must be unique.
The Secrets and ConfigMaps can be named in any fashion, but they must not contain key names that collide.

Application Resource

GitLab can optionally include an Application resource,
which can be created to identify the GitLab application within the cluster. Requires the
Application CRD,
version v1beta1 , to already be deployed to the cluster.

To enable, set global.application.create to true :

      global:
  application:
    create: true

     

Some environments, such as Google GKE Marketplace, do not allow the creation
of ClusterRole resources. Set the following values to disable ClusterRole
components in the Application Custom Resource Definition as well as the
relevant charts packaged with Cloud Native GitLab.

      global:
  application:
    allowClusterRoles: false
nginx:
  controller:
    scope:
      enabled: true
gitlab-runner:
  rbac:
    clusterWideAccess: false
certmanager:
  install: false

     

Busybox image

By default, GitLab Helm charts use busybox:latest for booting up various
initContainers. This is controlled by the following settings

      global:
  busybox:
    image:
      repository: busybox
      tag: latest

     

Many charts also provide init.image.repository and init.image.tag settings
locally that can be used to override this global setting for that specific
chart.

Service Accounts

GitLab Helm charts allow for the pods to run using custom Service Accounts.
This is configured with the following settings in global.serviceAccount :

      global:
  serviceAccount:
    enabled: false
    create: true
    annotations: {}
    ## Name to be used for serviceAccount, otherwise defaults to chart fullname
    # name:

     

Setting global.serviceAccount.enabled to true will create a custom service account for each deployment.
Setting global.serviceAccount.create to false will disable automatic service account creation.
Setting global.serviceAccount.name will use that name in the deployment for either auto-generated or manually created service accounts.

Annotations

Custom annotations can be applied to Deployment, Service, and Ingress objects.

      global:
  deployment:
    annotations:
      environment: production

  service:
    annotations:
      environment: production

  ingress:
    annotations:
      environment: production

     

Node Selector

Custom nodeSelector s can be applied to all components globally. Any global defaults
can also be overridden on each subchart individually.

      global:
  nodeSelector:
    disktype: ssd

     

Note : charts that are maintained externally do not respect the global.nodeSelector
at this time and may need to be configured separately based on available chart values.
This includes Prometheus, cert-manager, Redis, etc.

Labels

Common Labels

Labels can be applied to nearly all objects that are created by various objects
by using the configuration common.labels . This can be applied under the
global key, or under a specific charts’ configuration. Example:

      global:
  common:
    labels:
      environment: production
gitlab:
  gitlab-shell:
    common:
      labels:
        foo: bar

     

With the above example configuration, nearly all components deployed by the Helm
chart will be provided the label set environment: production . All components
of the GitLab Shell chart will receive the label set foo: bar . Some charts
allow for additional nesting. For example, the Sidekiq and Webservices charts
allow for additional deployments depending on your configuration needs:

      gitlab:
  sidekiq:
    pods:
      - name: pod-0
        common:
          labels:
            baz: bat

     

In the above example, all components associated with the pod-0 Sidekiq
deployment will also recieve the label set baz: bat . Refer to the Sidekiq and
Webservice charts for additional details.

Some charts that we depend on are excluded from this label configuration. Only
the GitLab component sub-charts will receive these
extra labels.

Pod

Custom labels can be applied to various Deployments and Jobs. These labels are
supplementary to existing or preconfigured labels constructed by this Helm
chart. These supplementary labels will not be utilized for matchSelectors .

      global:
  pod:
    labels:
      environment: production

     

Service

Custom labels can be applied to services. These labels are
supplementary to existing or preconfigured labels constructed by this Helm
chart.

      global:
  service:
    labels:
      environment: production

     

Tracing

GitLab Helm charts support tracing, and you can configure it with:

      global:
  tracing:
    connection:
      string: 'opentracing://jaeger?http_endpoint=http%3A%2F%2Fjaeger.example.com%3A14268%2Fapi%2Ftraces&sampler=const&sampler_param=1'
    urlTemplate: 'http://jaeger-ui.example.com/search?service={{ service }}&tags=%7B"correlation_id"%3A"{{ correlation_id }}"%7D'

     

global.tracing.connection.string is used to configure where tracing spans would be sent. You can read more about that in GitLab tracing documentation
global.tracing.urlTemplate is used as a template for tracing info URL rendering in GitLab performance bar.

extraEnv

extraEnv allows you to expose additional environment variables in all containers in the pods
that are deployed via GitLab charts ( charts/gitlab/charts ). Extra environment variables set at
the global level will be merged into those provided at the chart level, with precedence given
to those provided at the chart level.

Below is an example use of extraEnv :

      global:
  extraEnv:
    SOME_KEY: some_value
    SOME_OTHER_KEY: some_other_value

     

extraEnvFrom

extraEnvFrom allows you to expose additional environment variables from other data sources in all containers in the pods. Extra environment variables can be set up at global level ( global.extraEnvFrom ), GitLab chart top level ( extraEnvFrom ) or sub-chart level ( <subchart_name>.extraEnvFrom ).

Below is an example use of extraEnvFrom :

      global:
  extraEnvFrom:
    MY_NODE_NAME:
      fieldRef:
        fieldPath: spec.nodeName
    MY_CPU_REQUEST:
      resourceFieldRef:
        containerName: test-container
        resource: requests.cpu
extraEnvFrom:
  SECRET_THING:
    secretKeyRef:
      name: special-secret
      key: special_token
webservice:
  extraEnvFrom:
    CONFIG_STRING:
      configMapKeyRef:
        name: useful-config
        key: some-string
        # optional: boolean

     

The implementation does not support re-using a value name with different content types. You can override the same name with similar content, but no not mix sources like


          secretKeyRef


          configMapKeyRef

, etc.

Configure OAuth settings

OAuth integration is configured out-of-the box for services which support it.
The services specified in global.oauth are automatically registered as OAuth
client applications in GitLab during deployment. By default this list includes
GitLab Pages, if access control is enabled.

      global:
  oauth:
    gitlab-pages: {}
    # secret
    # appid
    # appsecret
    # redirectUri
    # authScope

     

Name	Type	Default	Description
`secret`	String		Name of the secret with OAuth credentials for the service.
`appIdKey`	String		Key in the secret under which App ID of service is stored. Default value being set is `appid` .
`appSecretKey`	String		Key in the secret under which App Secret of service is stored. Default value being set is `appsecret` .
`redirectUri`	String		URI to which user should be redirected after successful authorization.
`authScope`	String	`api`	Scope used for authentication with GitLab API.

Check the secrets documentation for more details on the secret.

Kerberos

To configure the Kerberos integration in the GitLab Helm chart, you must provide a secret in the global.appConfig.kerberos.keytab.secret setting containing a Kerberos keytab with a service principal for your GitLab host. Your Kerberos administrators can help with creating a keytab file if you don’t have one.

You can create a secret using the following snippet (assuming that you are installing the chart in the gitlab namespace and gitlab.keytab is the keytab file containing the service principal):

      kubectl create secret generic gitlab-kerberos-keytab --namespace=gitlab --from-file=keytab=./gitlab.keytab

     

Kerberos integration for Git is enabled by setting global.appConfig.kerberos.enabled=true . This will also add the kerberos provider to the list of enabled OmniAuth providers for ticket-based authentication in the browser.

If left as false the Helm chart will still mount the keytab in the toolbox, Sidekiq, and webservice Pods, which can be used with manually configured OmniAuth settings for Kerberos.

You can provide a Kerberos client configuration in global.appConfig.kerberos.krb5Config .

      global:
  appConfig:
    kerberos:
      enabled: true
      keytab:
        secret: gitlab-kerberos-keytab
        key: keytab
      servicePrincipalName: ""
      krb5Config: |
        [libdefaults]
            default_realm = EXAMPLE.COM
      dedicatedPort:
        enabled: false
        port: 8443
        https: true
      simpleLdapLinkingAllowedRealms:
        - example.com

     

Check the Kerberos documentation for more details.

Dedicated port for Kerberos

GitLab supports the use of a dedicated port for Kerberos negotiation when using the HTTP protocol for Git operations to workaround a limitation in Git falling back to Basic Authentication when presented with the negotiate headers in the authentication exchange.

Use of the dedicated port is currently required when using GitLab CI/CD - as the GitLab Runner helper relies on in-URL credentials to clone from GitLab.

This can be enabled with the global.appConfig.kerberos.dedicatedPort settings:

      global:
  appConfig:
    kerberos:
      [...]
      dedicatedPort:
        enabled: true
        port: 8443
        https: true

     

This enables an additional clone URL in the GitLab UI that is dedicated for Kerberos negotiation. The https: true setting is for URL generation only, and doesn’t expose any additional TLS configuration. TLS is terminated and configured in the Ingress for GitLab.

Due to a current limitation with our fork of the


          nginx-ingress

Helm chart - specifying a


          dedicatedPort

will not currently expose the port for use in the chart’s


          nginx-ingress

controller. Cluster operators will need to expose this port themselves. Follow this charts issue for more details and potential workarounds.

LDAP custom allowed realms

The global.appConfig.kerberos.simpleLdapLinkingAllowedRealms can be used to specify a set of domains used to link LDAP and Kerberos identities together when a user’s LDAP DN does not match the user’s Kerberos realm. See the Custom allowed realms section in the Kerberos integration documentation for additional details.

Outgoing email

Outgoing email configuration is available via global.smtp.* , global.appConfig.microsoft_graph_mailer.* and global.email.* .

      global:
  email:
    display_name: 'GitLab'
    from: 'gitlab@example.com'
    reply_to: 'noreply@example.com'
  smtp:
    enabled: true
    address: 'smtp.example.com'
    tls: true
    authentication: 'plain'
    user_name: 'example'
    password:
      secret: 'smtp-password'
      key: 'password'
  appConfig:
    microsoft_graph_mailer:
      enabled: false
      user_id: "YOUR-USER-ID"
      tenant: "YOUR-TENANT-ID"
      client_id: "YOUR-CLIENT-ID"
      client_secret:
        secret:
        key: secret
      azure_ad_endpoint: "https://login.microsoftonline.com"
      graph_endpoint: "https://graph.microsoft.com"

     

More information on the available configuration options is available in the
outgoing email documentation.

More detailed examples can be found in the
Omnibus SMTP settings documentation.

Platform

The platform key is reserved for specific features targeting a specific
platform like GKE or EKS.

Affinity

Affinity configuration is available via global.antiAffinity and global.affinity .
Affinity allows you to constrain which nodes your pod is eligible to be scheduled on, based on node labels or labels of pods that are already running on a node. This allow spread pods across the cluster or select specific nodes, ensuring more resilience in case of a failing node.

      global:
  antiAffinity: soft
  affinity:
    podAntiAffinity:
      topologyKey: "kubernetes.io/hostname"

     

Name	Type	Default	Description
`antiAffinity`	String	`soft`	Pod anti-affinity to apply on pods.
`affinity.podAntiAffinity.topologyKey`	String	`kubernetes.io/hostname`	Pod anti-affinity topology key.

global.antiAffinity can take two values:
- soft : Define a preferredDuringSchedulingIgnoredDuringExecution anti-affinity where the Kubernetes scheduler will try to enforce the rule but will not guarantee the result.
- hard : Defined a requiredDuringSchedulingIgnoredDuringExecution anti-affinity where the rule must be met for a pod to be scheduled onto a node.
global.affinity.podAntiAffinity.topologyKey define a node attribute used two divide them into logical zone. Most common topologyKey values are :
- kubernetes.io/hostname
- topology.kubernetes.io/zone
- topology.kubernetes.io/region

Kubernetes references on Inter-pod affinity and anti-affinity

Pod Priority and Preemption

Pod priorities can be configured either via global.priorityClassName or per sub-chart via priorityClassName .
Setting pod priority allows you to tell the scheduler to evict lower priority pods to make scheduling of pendings pods possible.

      global:
  priorityClassName: system-cluster-critical

Name	Type	Default	Description
`priorityClassName`	String		Priority class assigned to pods.

Configure the GitLab Helm charts | GitLab

Configure the GitLab Helm charts

The GitLab Helm chart is made up of multiple subcharts.

To configure any of the charts, use globals.

You can also do advanced configuration.

Read article

Using MinIO for Object storage | GitLab

Design Choices
Configuration
- Installation command line options
Chart configuration examples
- pullSecrets
- tolerations
Enable the sub-chart
Configure the initContainer
- initContainer image
- initContainer script
Configuring the Ingress
Configuring the image
Persistence
defaultBuckets
Security Context
Service Type and Port
Upstream items

Using MinIO for Object storage

This chart is based on stable/minio
version 0.4.3 ,
and inherits most settings from there.

Design Choices

Design choices related to the upstream chart
can be found in the project’s README.

GitLab chose to alter that chart in order to simplify configuration of the secrets,
and to remove all use of secrets in environment variables. GitLab added initContainer s
to control the population of secrets into the config.json , and a chart-wide enabled flag.

This chart makes use of only one secret:

global.minio.credentials.secret : A global secret containing the accesskey and
secretkey values that will be used for authentication to the bucket(s).

Configuration

We will describe all the major sections of the configuration below. When configuring
from the parent chart, these values will be:

      minio:
  init:
  ingress:
    enabled:
    apiVersion:
    tls:
      enabled:
      secretName:
    annotations:
    configureCertmanager:
    proxyReadTimeout:
    proxyBodySize:
    proxyBuffering:
  tolerations:
  persistence:  # Upstream
    volumeName:
    matchLabels:
    matchExpressions:
  serviceType:  # Upstream
  servicePort:  # Upstream
  defaultBuckets:
  minioConfig:  # Upstream

     

Installation command line options

The table below contains all the possible charts configurations that can be supplied
to the helm install command using the --set flags:

Parameter	Default	Description
`common.labels`	`{}`	Supplemental labels that are applied to all objects created by this chart.
`defaultBuckets`	`[{"name": "registry"}]`	MinIO default buckets
`deployment.strategy`	{ `type` : `Recreate` }	Allows one to configure the update strategy utilized by the deployment
`image`	`minio/minio`	MinIO image
`imagePullPolicy`	`Always`	MinIO image pull policy
`imageTag`	`RELEASE.2017-12-28T01-21-00Z`	MinIO image tag
`minioConfig.browser`	`on`	MinIO browser flag
`minioConfig.domain`		MinIO domain
`minioConfig.region`	`us-east-1`	MinIO region
`minioMc.image`	`minio/mc`	MinIO mc image
`minioMc.tag`	`latest`	MinIO mc image tag
`mountPath`	`/export`	MinIO configuration file mount path
`persistence.accessMode`	`ReadWriteOnce`	MinIO persistence access mode
`persistence.enabled`	`true`	MinIO enable persistence flag
`persistence.matchExpressions`		MinIO label-expression matches to bind
`persistence.matchLabels`		MinIO label-value matches to bind
`persistence.size`	`10Gi`	MinIO persistence volume size
`persistence.storageClass`		MinIO storageClassName for provisioning
`persistence.subPath`		MinIO persistence volume mount path
`persistence.volumeName`		MinIO existing persistent volume name
`priorityClassName`		Priority class assigned to pods.
`pullSecrets`		Secrets for the image repository
`replicas`	`4`	MinIO number of replicas
`resources.requests.cpu`	`250m`	MinIO minimum CPU requested
`resources.requests.memory`	`256Mi`	MinIO minimum memory requested
`securityContext.fsGroup`	`1000`	Group ID to start the pod with
`securityContext.runAsUser`	`1000`	User ID to start the pod with
`servicePort`	`9000`	MinIO service port
`serviceType`	`ClusterIP`	MinIO service type
`tolerations`	`[]`	Toleration labels for pod assignment
`jobAnnotations`	`{}`	Annotations for the job spec

Chart configuration examples

pullSecrets

pullSecrets allows you to authenticate to a private registry to pull images for a pod.

Additional details about private registries and their authentication methods can be
found in the Kubernetes documentation.

Below is an example use of pullSecrets :

      image: my.minio.repository
imageTag: latest
imagePullPolicy: Always
pullSecrets:
- name: my-secret-name
- name: my-secondary-secret-name

     

tolerations

tolerations allow you schedule pods on tainted worker nodes

Below is an example use of tolerations :

      tolerations:
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"

     

Enable the sub-chart

They way we’ve chosen to implement compartmentalized sub-charts includes the ability
to disable the components that you may not want in a given deployment. For this reason,
the first setting you should decide on is enabled: .

By default, MinIO is enabled out of the box, but is not recommended for production use.
When you are ready to disable it, run --set global.minio.enabled: false .

Configure the initContainer

While rarely altered, the initContainer behaviors can be changed via the following items:

      init:
  image:
    repository:
    tag:
    pullPolicy: IfNotPresent
  script:

     

initContainer image

The initContainer image settings are just as with a normal image configuration.
By default, chart-local values are left empty, and the global settings
global.busybox.image.repository and global.busybox.image.tag will be used to
populate initContainer image. If chart-local values are specified, they get
used instead of the global setting’s values.

initContainer script

The initContainer is passed the following items:

The secret containing authentication items mounted in /config , usually accesskey
and secretkey .
The ConfigMap containing the config.json template, and configure containing a
script to be executed with sh , mounted in /config .
An emptyDir mounted at /minio that will be passed to the daemon’s container.

The initContainer is expected to populate /minio/config.json with a completed configuration,
using /config/configure script. When the minio-config container has completed
that task, the /minio directory will be passed to the minio container, and used
to provide the config.json to the MinIO server.

Configuring the Ingress

These settings control the MinIO Ingress.

Name	Type	Default	Description
`apiVersion`	String		Value to use in the `apiVersion` field.
`annotations`	String		This field is an exact match to the standard `annotations` for Kubernetes Ingress.
`enabled`	Boolean	`false`	Setting that controls whether to create Ingress objects for services that support them. When `false` the `global.ingress.enabled` setting is used.
`configureCertmanager`	Boolean		Toggles Ingress annotation `cert-manager.io/issuer` . For more information see the TLS requirement for GitLab Pages.
`tls.enabled`	Boolean	`true`	When set to `false` , you disable TLS for MinIO. This is mainly useful when you cannot use TLS termination at Ingress-level, like when you have a TLS-terminating proxy before the Ingress Controller.
`tls.secretName`	String		The name of the Kubernetes TLS Secret that contains a valid certificate and key for the MinIO URL. When not set, the `global.ingress.tls.secretName` is used instead.

Configuring the image

The image , imageTag and imagePullPolicy defaults are
documented upstream.

Persistence

This chart provisions a PersistentVolumeClaim and mounts a corresponding persistent
volume to default location /export . You’ll need physical storage available in the
Kubernetes cluster for this to work. If you’d rather use emptyDir , disable PersistentVolumeClaim
by: persistence.enabled: false .

The behaviors for persistence
are documented upstream.

GitLab has added a few items:

      persistence:
  volumeName:
  matchLabels:
  matchExpressions:

     

Name	Type	Default	Description
`volumeName`	String	`false`	When `volumeName` is provided, the `PersistentVolumeClaim` will use the provided `PersistentVolume` by name, in place of creating a `PersistentVolume` dynamically. This overrides the upstream behavior.
`matchLabels`	Map	`true`	Accepts a Map of label names and label values to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the volumes documentation.
`matchExpressions`	Array		Accepts an array of label condition objects to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the volumes documentation.

defaultBuckets

defaultBuckets provides a mechanism to automatically create buckets on the MinIO
pod at installation . This property contains an array of items, each with up to three
properties: name , policy , and purge .

      defaultBuckets:
  - name: public
    policy: public
    purge: true
  - name: private
  - name: public-read
    policy: download

     

Name	Type	Default	Description
`name`	String		The name of the bucket that is created. The provided value should conform to AWS bucket naming rules, meaning that it should be compliant with DNS and contain only the characters a-z, 0-9, and – (hyphen) in strings between 3 and 63 characters in length. The `name` property is required for all entries.
`policy`		`none`	The value of `policy` controls the access policy of the bucket on MinIO. The `policy` property is not required, and the default value is `none` . In regards to anonymous access, possible values are: `none` (no anonymous access), `download` (anonymous read-only access), `upload` (anonymous write-only access) or `public` (anonymous read/write access).
`purge`	Boolean		The `purge` property is provided as a means to cause any existing bucket to be removed with force, at installation time. This only comes into play when using a pre-existing `PersistentVolume` for the volumeName property of persistence. If you make use of a dynamically created `PersistentVolume` , this will have no valuable effect as it only happens at chart installation and there will be no data in the `PersistentVolume` that was just created. This property is not required, but you may specify this property with a value of `true` in order to cause a bucket to purged with force `mc rm -r --force` .

Security Context

These options allow control over which user and/or group is used to start the pod.

For in-depth information about security context, please refer to the official
Kubernetes documentation.

Service Type and Port

These are documented upstream,
and the key summary is:

      ## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
serviceType: LoadBalancer
servicePort: 9000

     

The chart does not expect to be of the type: NodePort , so do not set it as such.

Upstream items

The upstream documentation
for the following also applies completely to this chart:

resources
nodeSelector
minioConfig

Further explanation of the minioConfig settings can be found in the
MinIO notify documentation.
This includes details on publishing notifications when Bucket Objects are accessed or changed.

Read article

Our NGINX fork | GitLab

Adjustments to the NGINX fork

Our NGINX fork

Our fork of the NGINX chart was pulled from GitHub.

Adjustments to the NGINX fork

The following adjustments were made to the NGINX fork:

tcp-configmap.yaml : is optional depending on new tcpExternalConfig setting
Ability to use a templated TCP ConfigMap name from another chart
- controller-configmap-tcp.yaml : .metadata.name is a template ingress-nginx.tcp-configmap
- controller-deployment.yaml : .spec.template.spec.containers[0].args uses ingress-nginx.tcp-configmap template for ConfigMap name
- GitLab chart overrides ingress-nginx.tcp-configmap so that gitlab/gitlab-org/charts/gitlab-shell can configure its TCP service
Ability to use a templated Ingress name based on the release name
Replace controller.service.loadBalancerIP with global.hosts.externalIP
Added support to add common labels through common.labels configuration option
controller-deployment.yaml :
- Add podlabels and global.pod.labels to .spec.template.metadata.labels
default-backend-deployment.yaml :
- Add podlabels and global.pod.labels to .spec.template.metadata.labels
Disable NGINX’s default nodeSelectors.
Added support for PDB maxUnavailable .
Remove NGINX’s isControllerTagValid helper in charts/nginx-ingress/templates/_helpers.tpl
- The check had not been updated since it was implemented in 2020.
- As part of #3383, we need to refer to a tag that will contain ubi ,
  meaning that the semverCompare would not work as expected anyway.
Added support for autoscaling/v2beta2 and autoscaling/v2 APIs in HPAs and
extended HPA settings to support memory and custom metrics, as well as
behavior configuration.
Added conditional support for API version of PodDisruptionBudget.
Add the following booleans to enable/disable GitLab Shell (SSH access) independently for the external and internal (if enabled with controller.service.internal.enabled ) services:
- controller.service.enableShell .
- controller.service.internal.enableShell .
  (follows the exisiting chart pattern of controller.service.enableHttp(s) )

Read article

Using NGINX | GitLab

Configuring NGINX
- Global settings
Configure hosts using the Global settings

Using NGINX

We provide a complete NGINX deployment to be used as an Ingress Controller. Not all
Kubernetes providers natively support the NGINX Ingress,
to ensure compatibility.

Our fork of the NGINX chart was pulled from
GitHub. See Our NGINX fork for details on what was modified in our fork.

The version of the NGINX Ingress Helm chart bundled with the GitLab Helm charts
has been updated to support Kubernetes 1.22. As a result, the GitLab Helm
chart can not longer support Kubernetes versions prior to 1.19.

Configuring NGINX

See NGINX chart documentation
for configuration details.

Global settings

We share some common global settings among our charts. See the Globals Documentation
for common configuration options, such as GitLab and Registry hostnames.

Configure hosts using the Global settings

The hostnames for the GitLab Server and the Registry Server can be configured using
our Global settings chart.

Read article

Using the Container Registry | GitLab

Design Choices
- Required
- Optional
Configuration
Installation parameters
Chart configuration examples
- pullSecrets
- tolerations
- annotations
Enable the sub-chart
Configuring the image
Configuring the service
Configuring the ingress
Configuring TLS
- Configuring TLS for the debug port
Configuring the networkpolicy
- Example policy for preventing connections to all internal endpoints
Defining the Registry Configuration
- httpSecret
- Notification Secret
- Redis cache Secret
- authEndpoint
- certificate
- compatibility
- readiness and liveness probe
  - schema1
- validation
  - manifests
- notifications
- hpa
- storage
- middleware.storage
  - keypairid variants
- debug
- health
- reporting
- profiling
- database
  - Creating the database
- migration
- gc
- Redis cache
  - Sentinels
Garbage Collection
- Manual Garbage Collection
- Running administrative commands against the Container Registry

Using the Container Registry

The registry sub-chart provides the Registry component to a complete cloud-native
GitLab deployment on Kubernetes. This sub-chart makes use of the upstream
registry container
containing Docker Distribution. This chart
is composed of 3 primary parts: Service,
Deployment,
and ConfigMap.

All configuration is handled according to the official Registry configuration documentation
using /etc/docker/registry/config.yml variables provided to the Deployment populated
from the ConfigMap . The ConfigMap overrides the upstream defaults, but is
based on them.
See below for more details:

distribution/cmd/registry/config-example.yml
distribution-library-image/config-example.yml

Design Choices

A Kubernetes Deployment was chosen as the deployment method for this chart to allow
for simple scaling of instances, while allowing for
rolling updates.

This chart makes use of two required secrets and one optional:

Required

global.registry.certificate.secret : A global secret that will contain the public
certificate bundle to verify the authentication tokens provided by the associated
GitLab instance(s). See documentation
on using GitLab as an auth endpoint.
global.registry.httpSecret.secret : A global secret that will contain the
shared secret between registry pods.

Optional

profiling.stackdriver.credentials.secret : If Stackdriver profiling is enabled and
you need to provide explicit service account credentials, then the value in this secret
(in the credentials key by default) is the GCP service account JSON credentials.
If you are using GKE and are providing service accounts to your workloads using
Workload Identity
(or node service accounts, although this is not recommended), then this secret is not required
and should not be supplied. In either case, the service account requires the role
roles/cloudprofiler.agent or equivalent manual permissions

Configuration

We will describe all the major sections of the configuration below. When configuring
from the parent chart, these values will be:

      registry:
  enabled:
  maintenance:
    readonly:
      enabled: false
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
  image:
    tag: 'v3.63.0-gitlab'
    pullPolicy: IfNotPresent
  annotations:
  service:
    type: ClusterIP
    name: registry
  httpSecret:
    secret:
    key:
  authEndpoint:
  tokenIssuer:
  certificate:
    secret: gitlab-registry
    key: registry-auth.crt
  deployment:
    terminationGracePeriodSeconds: 30
  draintimeout: '0'
  hpa:
    minReplicas: 2
    maxReplicas: 10
    cpu:
      targetAverageUtilization: 75
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
  storage:
    secret:
    key: storage
    extraKey:
  compatibility:
    schema1:
      enabled: false
  validation:
    disabled: true
    manifests:
      referencelimit: 0
      payloadsizelimit: 0
      urls:
        allow: []
        deny: []
  notifications: {}
  tolerations: []
  ingress:
    enabled: false
    tls:
      enabled: true
      secretName: redis
    annotations:
    configureCertmanager:
    proxyReadTimeout:
    proxyBodySize:
    proxyBuffering:
  networkpolicy:
    enabled: false
    egress:
      enabled: false
      rules: []
    ingress:
      enabled: false
      rules: []
  tls:
    enabled: false
    secretName:
    verify: true
    caSecretName:

     

If you chose to deploy this chart as a standalone, remove the registry at the top level.

Installation parameters

Parameter	Default	Description
`annotations`		Pod annotations
`podLabels`		Supplemental Pod labels. Will not be used for selectors.
`common.labels`		Supplemental labels that are applied to all objects created by this chart.
`authAutoRedirect`	`true`	Auth auto-redirect (must be true for Windows clients to work)
`authEndpoint`	`global.hosts.gitlab.name`	Auth endpoint (only host and port)
`certificate.secret`	`gitlab-registry`	JWT certificate
`compatiblity`		Configuration of compatibility settings
`debug.addr.port`	`5001`	Debug port
`debug.tls.enabled`	false	Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled)
`debug.tls.secretName`		The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry’s TLS certificate.
`debug.prometheus.enabled`	`false`	DEPRECATED Use `metrics.enabled`
`debug.prometheus.path`	`""`	DEPRECATED Use `metrics.path`
`metrics.enabled`	`false`	If a metrics endpoint should be made available for scraping
`metrics.path`	`/metrics`	Metrics endpoint path
`metrics.serviceMonitor.enabled`	`false`	If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations
`metrics.serviceMonitor.additionalLabels`	`{}`	Additional labels to add to the ServiceMonitor
`metrics.serviceMonitor.endpointConfig`	`{}`	Additional endpoint configuration for the ServiceMonitor
`deployment.terminationGracePeriodSeconds`	`30`	Optional duration in seconds the pod needs to terminate gracefully.
`deployment.strategy`	`{}`	Allows one to configure the update strategy utilized by the deployment
`draintimeout`	`'0'`	Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'` )
`relativeurls`	`false`	Enable the registry to return relative URLs in Location headers.
`enabled`	`true`	Enable registry flag
`hpa.behavior`	`{scaleDown: {stabilizationWindowSeconds: 300 }}`	Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher)
`hpa.customMetrics`	`[]`	Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization` )
`hpa.cpu.targetType`	`Utilization`	Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`
`hpa.cpu.targetAverageValue`		Set the autoscaling CPU target value
`hpa.cpu.targetAverageUtilization`	`75`	Set the autoscaling CPU target utilization
`hpa.memory.targetType`		Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`
`hpa.memory.targetAverageValue`		Set the autoscaling memory target value
`hpa.memory.targetAverageUtilization`		Set the autoscaling memory target utilization
`hpa.minReplicas`	`2`	Minimum number of replicas
`hpa.maxReplicas`	`10`	Maximum number of replicas
`httpSecret`		Https secret
`extraEnvFrom`		List of extra environment variables from other data sources to expose
`image.pullPolicy`		Pull policy for the registry image
`image.pullSecrets`		Secrets to use for image repository
`image.repository`	`registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry`	Registry image
`image.tag`	`v3.63.0-gitlab`	Version of the image to use
`init.image.repository`		initContainer image
`init.image.tag`		initContainer image tag
`log`	`{level: info, fields: {service: registry}}`	Configure the logging options
`minio.bucket`	`global.registry.bucket`	Legacy registry bucket name
`maintenance.readonly.enabled`	`false`	Enable registry’s read-only mode
`maintenance.uploadpurging.enabled`	`true`	Enable upload purging
`maintenance.uploadpurging.age`	`168h`	Purge uploads older than the specified age
`maintenance.uploadpurging.interval`	`24h`	Frequency at which upload purging is performed
`maintenance.uploadpurging.dryrun`	`false`	Only list which uploads will be purged without deleting
`priorityClassName`		Priority class assigned to pods.
`reporting.sentry.enabled`	`false`	Enable reporting using Sentry
`reporting.sentry.dsn`		The Sentry DSN (Data Source Name)
`reporting.sentry.environment`		The Sentry environment
`profiling.stackdriver.enabled`	`false`	Enable continuous profiling using Stackdriver
`profiling.stackdriver.credentials.secret`	`gitlab-registry-profiling-creds`	Name of the secret containing credentials
`profiling.stackdriver.credentials.key`	`credentials`	Secret key in which the credentials are stored
`profiling.stackdriver.service`	`RELEASE-registry` (templated Service name)	Name of the Stackdriver service to record profiles under
`profiling.stackdriver.projectid`	GCP project where running	GCP project to report profiles to
`database.enabled`	`false`	Enable metadata database. This is an experimental feature and must not be used in production environments.
`database.host`	`global.psql.host`	The database server hostname.
`database.port`	`global.psql.port`	The database server port.
`database.user`		The database username.
`database.password.secret`	`RELEASE-registry-database-password`	Name of the secret containing the database password.
`database.password.key`	`password`	Secret key in which the database password is stored.
`database.name`		The database name.
`database.sslmode`		The SSL mode. Can be one of `disable` , `allow` , `prefer` , `require` , `verify-ca` or `verify-full` .
`database.ssl.secret`	`global.psql.ssl.secret`	A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret.
`database.ssl.clientCertificate`	`global.psql.ssl.clientCertificate`	The key inside the secret referring the client certificate.
`database.ssl.clientKey`	`global.psql.ssl.clientKey`	The key inside the secret referring the client key.
`database.ssl.serverCA`	`global.psql.ssl.serverCA`	The key inside the secret referring the certificate authority (CA).
`database.connecttimeout`	`0`	Maximum time to wait for a connection. Zero or not specified means waiting indefinitely.
`database.draintimeout`	`0`	Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely.
`database.preparedstatements`	`false`	Enable prepared statements. Disabled by default for compatibility with PgBouncer.
`database.pool.maxidle`	`0`	The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle` , then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means no idle connections.
`database.pool.maxopen`	`0`	The maximum number of open connections to the database. If `maxopen` is less than `maxidle` , then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections.
`database.pool.maxlifetime`	`0`	The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse.
`database.pool.maxidletime`	`0`	The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration.
`database.migrations.enabled`	`true`	Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods.
`database.migrations.activeDeadlineSeconds`	`3600`	Set the activeDeadlineSeconds on the migrations job.
`database.migrations.backoffLimit`	`6`	Set the backoffLimit on the migrations job.
`gc.disabled`	`true`	When set to `true` , the online GC workers are disabled.
`gc.maxbackoff`	`24h`	The maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless `gc.noidlebackoff` is `true` . Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added.
`gc.noidlebackoff`	`false`	When set to `true` , disables exponential backoffs between worker runs when there are no tasks to be processed.
`gc.transactiontimeout`	`10s`	The database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions.
`gc.blobs.disabled`	`false`	When set to `true` , the GC worker for blobs is disabled.
`gc.blobs.interval`	`5s`	The initial sleep interval between each worker run.
`gc.blobs.storagetimeout`	`5s`	The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend.
`gc.manifests.disabled`	`false`	When set to `true` , the GC worker for manifests is disabled.
`gc.manifests.interval`	`5s`	The initial sleep interval between each worker run.
`gc.reviewafter`	`24h`	The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait.
`migration.enabled`	`false`	When set to `true` , migration mode is enabled. New repositories will be added to the database, while existing repositories will continue to use the filesystem. This is an experimental feature and must not be used in production environments.
`migration.disablemirrorfs`	`false`	When set to `true` , the registry does not write metadata to the filesystem. Must be used in combination with the metadata database. This is an experimental feature and must not be used in production environments.
`migration.rootdirectory`		Allows repositories that have been migrated to the database to use separate storage paths. Using a distinct root directory from the main storage driver configuration allows online migrations. This is an experimental feature and must not be used in production environments.
`migration.importtimeout`	`5m`	The maximum duration that an import job may take to complete before it is aborted. This is an experimental feature and must not be used in production environments.
`migration.preimporttimeout`	`1h`	The maximum duration that a pre import job may take to complete before it is aborted. This is an experimental feature and must not be used in production environments.
`migration.tagconcurrency`	`1`	This parameter determines the number of concurrent tag details requests to the filesystem backend. This can greatly reduce the time spent importing a repository after a successful pre import has completed. Pre import is not affected by this parameter. This is an experimental feature and must not be used in production environments.
`migration.maxconcurrentimports`	`1`	This parameter determines the maximum number of concurrent imports allowed per instance of the registry. This can help reduce the number of resources that the registry needs when the migration mode is enabled. This is an experimental feature and must not be used in production environments.
`migration.importnotification.enabled`	`false`	When set to `true` , the import notification feature will be enabled. This requires the following parameters to be configured. This is an experimental feature and must not be used in production environments.
`migration.importnotification.url`	`'<GitLab URL>/api/v4/internal/registry/repositories/{path}/migration/status'`	The URL endpoint where the notification will be sent to. Required when `importnotification` is enabled. Must be a valid URL, including scheme. A placeholder can be defined as `{path}` to add the repository path in the URL.
`migration.importnotification.timeout`	`5s`	A value for the HTTP timeout for the import notification. This is an experimental feature and must not be used in production environments.
`migration.importnotification.secret`	`''`	This will be automatically created if
not provided, when the `shared-secrets` feature is enabled. This is an experimental feature and must not be used in production environments.
`securityContext.fsGroup`	`1000`	Group ID under which the pod should be started
`securityContext.runAsUser`	`1000`	User ID under which the pod should be started
`serviceLabels`	`{}`	Supplemental service labels
`tokenService`	`container_registry`	JWT token service
`tokenIssuer`	`gitlab-issuer`	JWT token issuer
`tolerations`	`[]`	Toleration labels for pod assignment
`middleware.storage`		configuration layer for midleware storage (s3 for instance)
`redis.cache.enabled`	`false`	When set to `true` , the Redis cache is enabled. This feature is dependent on the metadata database being enabled. Repository metadata will be cached on the configured Redis instance.
`redis.cache.host`	`<Redis URL>`	The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port` .
`redis.cache.port`	`6379`	The port of the Redis instance.
`redis.cache.sentinels`	`[]`	List sentinels with host and port.
`redis.cache.mainname`		The main server name. Only applicable for Sentinel.
`redis.cache.password.enabled`	`false`	Indicates whether the Redis cache used by the Registry is password protected.
`redis.cache.password.secret`	`gitlab-redis-secret`	Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled.
`redis.cache.password.key`	`redis-password`	Secret key in which the Redis password is stored.
`redis.cache.db`	`0`	The name of the database to use for each connection.
`redis.cache.dialtimeout`	`0s`	The timeout for connecting to the Redis instance. Defaults to no timeout.
`redis.cache.readtimeout`	`0s`	The timeout for reading from the Redis instance. Defaults to no timeout.
`redis.cache.writetimeout`	`0s`	The timeout for writing to the Redis instance. Defaults to no timeout.
`redis.cache.tls.enabled`	`false`	Set to `true` to enable TLS.
`redis.cache.tls.insecure`	`false`	Set to `true` to disable server name verification when connecting over TLS.
`redis.cache.pool.size`	`10`	The maximum number of socket connections. Default is 10 connections.
`redis.cache.pool.maxlifetime`	`1h`	The connection age at which client retires a connection. Default is to not close aged connections.
`redis.cache.pool.idletimeout`	`300s`	How long to wait before closing inactive connections.

Chart configuration examples

pullSecrets

pullSecrets allows you to authenticate to a private registry to pull images for a pod.

Additional details about private registries and their authentication methods can be
found in the Kubernetes documentation.

Below is an example use of pullSecrets :

      image:
  repository: my.registry.repository
  tag: latest
  pullPolicy: Always
  pullSecrets:
  - name: my-secret-name
  - name: my-secondary-secret-name

     

tolerations

tolerations allow you schedule pods on tainted worker nodes

Below is an example use of tolerations :

      tolerations:
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoSchedule"
- key: "node_label"
  operator: "Equal"
  value: "true"
  effect: "NoExecute"

     

annotations

annotations allows you to add annotations to the registry pods.

Below is an example use of annotations

      annotations:
  kubernetes.io/example-annotation: annotation-value

Enable the sub-chart

The way we’ve chosen to implement compartmentalized sub-charts includes the ability
to disable the components that you may not want in a given deployment. For this reason,
the first setting you should decide on is enabled .

By default, Registry is enabled out of the box. Should you wish to disable it, set enabled: false .

Configuring the `image`

This section details the settings for the container image used by this sub-chart’s
Deployment.
You can change the included version of the Registry and pullPolicy .

Default settings:

tag: 'v3.63.0-gitlab'
pullPolicy: 'IfNotPresent'

Configuring the `service`

This section controls the name and type of the Service.
These settings will be populated by values.yaml .

By default, the Service is configured as:

Name	Type	Default	Description
`name`	String	`registry`	Configures the name of the service
`type`	String	`ClusterIP`	Configures the type of the service
`externalPort`	Int	`5000`	Port exposed by the Service
`internalPort`	Int	`5000`	Port utilized by the Pod to accept request from the service
`clusterIP`	String	`null`	Allows one to configure a custom Cluster IP as necessary
`loadBalancerIP`	String	`null`	Allows one to configure a custom LoadBalancer IP address as necessary

Configuring the `ingress`

This section controls the registry Ingress.

Name	Type	Default	Description
`apiVersion`	String		Value to use in the `apiVersion` field.
`annotations`	String		This field is an exact match to the standard `annotations` for Kubernetes Ingress.
`configureCertmanager`	Boolean		Toggles Ingress annotation `cert-manager.io/issuer` . For more information see the TLS requirement for GitLab Pages.
`enabled`	Boolean	`false`	Setting that controls whether to create Ingress objects for services that support them. When `false` the `global.ingress.enabled` setting is used.
`tls.enabled`	Boolean	`true`	When set to `false` , you disable TLS for the Registry subchart. This is mainly useful for cases in which you cannot use TLS termination at `ingress-level` , like when you have a TLS-terminating proxy before the Ingress Controller.
`tls.secretName`	String		The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry URL. When not set, the `global.ingress.tls.secretName` is used instead. Defaults to not being set.

Configuring TLS

Container Registry supports TLS which secures its communication with other components,
including nginx-ingress .

Prerequisites to configure TLS:

The TLS certificate must include the Registry Service host name
(for example, RELEASE-registry.default.svc ) in the Common
Name (CN) or Subject Alternate Name (SAN).
After the TLS certificate generates:
- Create a Kubernetes TLS Secret
- Create another Secret that only contains the CA certificate of the TLS certificate with ca.crt key.

To enable TLS:

Set registry.tls.enabled to true .
Set global.hosts.registry.protocol to https .
Pass the Secret names to registry.tls.secretName and global.certificates.customCAs accordingly.

When registry.tls.verify is true , you must pass the CA certificate Secret
name to registry.tls.caSecretName . This is necessary for self-signed
certificates and custom Certificate Authorities. This Secret is used by NGINX to verify the TLS
certificate of Registry.

For example:

      global:
  certificates:
    customCAs:
    - secret: registry-tls-ca
  hosts:
    registry:
      protocol: https

registry:
  tls:
    enabled: true
    secretName: registry-tls
    verify: true
    caSecretName: registry-tls-ca

     

Configuring TLS for the debug port

The Registry debug port also supports TLS. The debug port is used for the
Kubernetes liveness and readiness checks as well as exposing a /metrics
endpoint for Prometheus (if enabled).

TLS can be enabled for by setting registry.debug.tls.enabled to true .
A Kubernetes TLS Secret
can be provided in registry.debug.tls.secretName dedicated for use in
the debug port’s TLS configuration. If a dedicated secret is not specified,
the debug configuration will fall back to sharing registry.tls.secretName with
the registry’s regular TLS configuration.

For Prometheus to scrape the /metrics/ endpoint using https - additional
configuration is required for the certificate’s CommonName attribute or
a SubjectAlternativeName entry. See
Configuring Prometheus to scrape TLS-enabled endpoints
for those requirements.

Configuring the `networkpolicy`

This section controls the registry
NetworkPolicy.
This configuration is optional and is used to limit egress and Ingress of the registry to specific endpoints.
and Ingress to specific endpoints.

Name	Type	Default	Description
`enabled`	Boolean	`false`	This setting enables the `NetworkPolicy` for registry
`ingress.enabled`	Boolean	`false`	When set to `true` , the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified.
`ingress.rules`	Array	`[]`	Rules for the Ingress policy, for details see https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource and the example below
`egress.enabled`	Boolean	`false`	When set to `true` , the `Egress` network policy will be activated. This will block all egress connections unless rules are specified.
`egress.rules`	Array	`[]`	Rules for the egress policy, these for details see https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource and the example below

Example policy for preventing connections to all internal endpoints

The Registry service normally requires egress connections to object storage,
Ingress connections from Docker clients, and kube-dns for DNS lookups. This
adds the following network restrictions to the Registry service:

All egress requests to the local network on 10.0.0.0/8 port 53 are allowed (for kubeDNS)
Other egress requests to the local network on 10.0.0.0/8 are restricted
Egress requests outside of the 10.0.0.0/8 are allowed

Note that the registry service requires outbound connectivity to the public
internet for images on external object storage

      networkpolicy:
  enabled: true
  egress:
    enabled: true
    # The following rules enable traffic to all external
    # endpoints, except the local
    # network (except DNS requests)
    rules:
      - to:
        - ipBlock:
            cidr: 10.0.0.0/8
        ports:
        - port: 53
          protocol: UDP
      - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
            - 10.0.0.0/8

     

Defining the Registry Configuration

The following properties of this chart pertain to the configuration of the underlying
registry container. Only the most critical values
for integration with GitLab are exposed. For this integration, we make use of the auth.token.x
settings of Docker Distribution, controlling
authentication to the registry via JWT authentication tokens.

httpSecret

Field httpSecret is a map that contains two items: secret and key .

The content of the key this references correlates to the http.secret value of
registry. This value should be populated with
a cryptographically generated random string.

The shared-secrets job will automatically create this secret if not provided. It will be
filled with a securely generated 128 character alpha-numeric string that is base64 encoded.

To create this secret manually:

      kubectl create secret generic gitlab-registry-httpsecret --from-literal=secret=strongrandomstring

     

Notification Secret

Notification Secret is utilized for calling back to the GitLab application in various ways,
such as for Geo to help manage syncing Container Registry data between primary and secondary sites.
It is also used to send import notifications if the migration is enabled and the endpoint is configured.

The notificationSecret secret object will be automatically created if
not provided, when the shared-secrets feature is enabled.

To create this secret manually:

      kubectl create secret generic gitlab-registry-notification --from-literal=secret=[\"strongrandomstring\"]

     

Then proceed to set

      global:
  # To provide your own secret
  registry:
    notificationSecret:
        secret: gitlab-registry-notification
        key: secret

  # If utilising Geo, and wishing to sync the container registry
  geo:
    registry:
      replication:
        enabled: true
        primaryApiUrl: <URL to primary registry>

     

Ensuring the secret value is set to the name of the secret created above

Redis cache Secret

The Redis cache Secret is used when global.redis.password.enabled is set to true .

When the shared-secrets feature is enabled, the gitlab-redis-secret secret object
is automatically created if not provided.

To create this secret manually, see the Redis password instructions.

authEndpoint

The authEndpoint field is a string, providing the URL to the GitLab instance(s) that
the registry will authenticate to.

The value should include the protocol and hostname only. The chart template will automatically
append the necessary request path. The resulting value will be populated to auth.token.realm
inside the container. For example: authEndpoint: "https://gitlab.example.com"

By default this field is populated with the GitLab hostname configuration set by the
Global Settings.

certificate

The certificate field is a map containing two items: secret and key .

secret is a string containing the name of the Kubernetes Secret
that houses the certificate bundle to be used to verify the tokens created by the GitLab instance(s).

key is the name of the key in the Secret which houses the certificate
bundle that will be provided to the registry
container as auth.token.rootcertbundle .

Default Example:

      certificate:
  secret: gitlab-registry
  key: registry-auth.crt

     

compatibility

The compatibility field is a map relating directly to the configuration file’s
compatibility
section.

Default contents:

      compatibility:
  schema1:
    enabled: false

     

readiness and liveness probe

By default there is a readiness and liveness probe configured to
check /debug/health on port 5001 which is the debug port.

schema1

The schema1 section controls the compatibility of the service with version 1
of the Docker manifest schema. This setting is provide as a means of supporting
Docker clients earlier than 1.10 , after which schema v2 is used by default.

If you must support older versions of Docker clients, you can do so by setting
registry.compatbility.schema1.enabled: true .

validation

The validation field is a map that controls the Docker image validation
process in the registry. When image validation is enabled the registry rejects
windows images with foreign layers, unless the manifests.urls.allow field
within the validation stanza is explicitly set to allow those layer urls.

Validation only happens during manifest push, so images already present in the
registry are not affected by changes to the values in this section.

The image validation is turned off by default.

To enable image validation you need to explicitly set registry.validation.disabled: false .

manifests

The manifests field allows configuration of validation policies particular to
manifests.

The urls section contains both allow and deny fields. For manifest layers
which contain URLs to pass validation, that layer must match one of the regular
expressions in the allow field, while not matching any regular expression in
the deny field.

Name	Type	Default	Description
`referencelimit`	Int	`0`	The maximum number of references, such as layers, image configurations, and other manifests, that a single manifest may have. When set to `0` (default) this validation is disabled.
`payloadsizelimit`	Int	`0`	The maximum data size in bytes of manifest payloads. When set to `0` (default) this validation is disabled.
`urls.allow`	Array	`[]`	List of regular expressions that enables URLs in the layers of manifests. When left empty (default), layers with any URLs will be rejected.
`urls.deny`	Array	`[]`	List of regular expressions that restricts the URLs in the layers of manifests. When left empty (default), no layer with URLs which passed the `urls.allow` list will be rejected

notifications

The notifications field is used to configure Registry notifications.
It has an empty hash as default value.

Name	Type	Default	Description
`endpoints`	Array	`[]`	List of items where each item correspond to an endpoint
`events`	Hash	`{}`	Information provided in event notifications

An example setting will look like the following:

      notifications:
  endpoints:
    - name: FooListener
      url: https://foolistener.com/event
      timeout: 500ms
      threshold: 10
      backoff: 1s
    - name: BarListener
      url: https://barlistener.com/event
      timeout: 100ms
      threshold: 3
      backoff: 1s
  events:
    includereferences: true

     

hpa

The hpa field is an object, controlling the number of registry
instances to create as a part of the set. This defaults to a minReplicas value
of 2 , a maxReplicas value of 10, and configures the
cpu.targetAverageUtilization to 75%.

storage

      storage:
  secret:
  key: config
  extraKey:

     

The storage field is a reference to a Kubernetes Secret and associated key. The content
of this secret is taken directly from Registry Configuration: storage .
Please refer to that documentation for more details.

Examples for AWS s3 and
Google GCS drivers can be
found in examples/objectstorage :

registry.s3.yaml
registry.gcs.yaml

For S3, make sure you give the correct
permissions for registry storage. For more information about storage configuration, see
Container Registry storage driver in the administration documentation.

Place the contents of the storage block into the secret, and provide the following
as items to the storage map:

secret : name of the Kubernetes Secret housing the YAML block.
key : name of the key in the secret to use. Defaults to config .
extraKey : (optional) name of an extra key in the secret, which will be mounted
to /etc/docker/registry/storage/${extraKey} within the container. This can be
used to provide the keyfile for the gcs driver.

      # Example using S3
kubectl create secret generic registry-storage \
    --from-file=config=registry-storage.yaml

# Example using GCS with JSON key
# - Note: `registry.storage.extraKey=gcs.json`
kubectl create secret generic registry-storage \
    --from-file=config=registry-storage.yaml \
    --from-file=gcs.json=example-project-382839-gcs-bucket.json

     

You can disable the redirect for the storage driver,
ensuring that all traffic flows through the Registry service instead of redirecting to another backend:

      storage:
  secret: example-secret
  key: config
  redirect:
    disable: true

     

If you chose to use the filesystem driver:

You will need to provide persistent volumes for this data.
hpa.minReplicas should be set to 1
hpa.maxReplicas should be set to 1

For the sake of resiliency and simplicity, it is recommended to make use of an
external service, such as s3 , gcs , azure or other compatible Object Storage.

The chart will populate


          delete.enabled: true

into this configuration
by default if not specified by the user. This keeps expected behavior in line with
the default use of MinIO, as well as the Omnibus GitLab. Any user provided value
will supersede this default.

middleware.storage

Configuration of middleware.storage follows upstream convention:

Configuration is fairly generic and follows similar pattern:

      middleware:
  # See https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#middleware
  storage:
    - name: cloudfront
      options:
        baseurl: https://abcdefghijklmn.cloudfront.net/
        # `privatekey` is auto-populated with the content from the privatekey Secret.
        privatekeySecret:
          secret: cloudfront-secret-name
          # "key" value is going to be used to generate file name for PEM storage:
          #   /etc/docker/registry/middleware.storage/<index>/<key>
          key: private-key-ABC.pem
        keypairid: ABCEDFGHIJKLMNOPQRST

     

Within above code options.privatekeySecret is a generic Kubernetes secret contents of which corresponds to PEM file contents:

      kubectl create secret generic cloudfront-secret-name --type=kubernetes.io/ssh-auth --from-file=private-key-ABC.pem=pk-ABCEDFGHIJKLMNOPQRST.pem

     

privatekey used upstream is being auto-populated by chart from the privatekey Secret and will be ignored if specified.

`keypairid` variants

Various vendors use different field names for the same construct:

Vendor	field name
Google CDN	`keyname`
CloudFront	`keypairid`

Only configuration of


          middleware.storage

section is supported at this time.

debug

The debug port is enabled by default and is used for the liveness/readiness
probe. Additionally, Prometheus metrics can be enabled via the metrics values.

      debug:
  addr:
    port: 5001

metrics:
  enabled: true

     

health

The health property is optional, and contains preferences for
a periodic health check on the storage driver’s backend storage.
For more details, see Docker’s configuration documentation.

      health:
  storagedriver:
    enabled: false
    interval: 10s
    threshold: 3

     

reporting

The reporting property is optional and enables reporting

      reporting:
  sentry:
    enabled: true
    dsn: 'https://<key>@sentry.io/<project>'
    environment: 'production'

     

profiling

The profiling property is optional and enables continuous profiling

      profiling:
  stackdriver:
    enabled: true
    credentials:
      secret: gitlab-registry-profiling-creds
      key: credentials
    service: gitlab-registry

     

database

The database property is optional and enables the metadata database.

The metadata database is an experimental feature and must not be used in production.

This feature requires PostgreSQL 12 or newer.

      database:
  enabled: true
  host: registry.db.example.com
  port: 5432
  user: registry
  password:
    secret: gitlab-postgresql-password
    key: postgresql-registry-password
  dbname: registry
  sslmode: verify-full
  ssl:
    secret: gitlab-registry-postgresql-ssl
    clientKey: client-key.pem
    clientCertificate: client-cert.pem
    serverCA: server-ca.pem
  connecttimeout: 5s
  draintimeout: 2m
  preparedstatements: false
  pool:
    maxidle: 25
    maxopen: 25
    maxlifetime: 5m
    maxidletime: 5m
  migrations:
    enabled: true
    activeDeadlineSeconds: 3600
    backoffLimit: 6

     

Creating the database

If the Registry database is enabled, Registry will use its own database to track its state.

Follow the steps below to manually create the database and role.

These instructions assume you are using the bundled PostgreSQL server. If you are using your own server,
there will be some variation in how you connect.

Create the secret with the database password:

        kubectl create secret generic RELEASE_NAME-registry-database-password --from-literal=password=randomstring

       

Log into your database instance:

        kubectl exec -it $(kubectl get pods -l app=postgresql -o custom-columns=NAME:.metadata.name --no-headers) -- bash

       

        PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1

       

Create the database user:
```
CREATE ROLE registry WITH LOGIN;
```

Set the database user password.

Fetch the password:

          kubectl get secret RELEASE_NAME-registry-database-password -o jsonpath="{.data.password}" | base64 --decode

         

Set the password in the psql prompt:
```
\password registry
```

Create the database:

        CREATE DATABASE registry WITH OWNER registry;

       

Safely exit from the PostgreSQL command line and then from the container using exit :
```
template1=# exit
...@gitlab-postgresql-0/$ exit
```

migration

The migration property is optional and provides options related to the
migration
of metadata from the filesystem to the metadata database.

This is an experimental feature and must not be used in production.

This feature requires the metadata database to be enabled.

      migration:
  enabled: true
  disablemirrorfs: true
  rootdirectory: gitlab
  importtimeout: 5m
  preimporttimeout: 1h
  tagconcurrency: 10
  maxconcurrentimports: 10
  importnotification:
    enabled: true
    url: 'https://example.com/notification/{path}/status'
    timeout: 5s
    secret:
        secret: gitlab-registry-notification
        key: secret

     

gc

The gc property is optional and provides options related to
online garbage collection.

This is an experimental feature and must not be used in production.

This feature requires the metadata database to be enabled.

      gc:
  disabled: false
  maxbackoff: 24h
  noidlebackoff: false
  transactiontimeout: 10s
  reviewafter: 24h
  manifests:
    disabled: false
    interval: 5s
  blobs:
    disabled: false
    interval: 5s
    storagetimeout: 5s

     

Redis cache

This is an experimental feature and must not be used in production.

The redis.cache property is optional and provides options related to the
Redis cache.
To use redis.cache with the registry, the metadata database must be enabled.

For example:

      redis:
  cache:
    enabled: true
    host: localhost
    port: 16379
    password:
      secret: gitlab-redis-secret
      key: redis-password
    db: 0
    dialtimeout: 10ms
    readtimeout: 10ms
    writetimeout: 10ms
    tls:
      enabled: true
      insecure: true
    pool:
      size: 10
      maxlifetime: 1h
      idletimeout: 300s

     

Sentinels

The redis.cache can use the global.redis.sentinels configuration. Local values can be provided and
will take precedence over the global values. For example:

      redis:
  cache:
    enabled: true
    host: redis.example.com
    sentinels:
      - host: sentinel1.example.com
        port: 16379
      - host: sentinel2.example.com
        port: 16379

     

Garbage Collection

The Docker Registry will build up extraneous data over time which can be freed using
garbage collection.
As of now there is no
fully automated or scheduled way to run the garbage collection with this Chart.

Manual Garbage Collection

Manual garbage collection requires the registry to be in read-only mode first. Let’s assume that you’ve already
installed the GitLab chart by using Helm, named it mygitlab , and installed it in the namespace gitlabns .
Replace these values in the commands below according to your actual configuration.

      # Because of https://github.com/helm/helm/issues/2948 we can't rely on --reuse-values, so let's get our current config.
helm get values mygitlab > mygitlab.yml
# Upgrade Helm installation and configure the registry to be read-only.
# The --wait parameter makes Helm wait until all ressources are in ready state, so we are safe to continue.
helm upgrade mygitlab gitlab/gitlab -f mygitlab.yml --set registry.maintenance.readOnly.enabled=true --wait
# Our registry is in r/o mode now, so let's get the name of one of the registry Pods.
# Note down the Pod name and replace the '<registry-pod>' placeholder below with that value.
# Replace the single quotes to double quotes (' => ") if you are using this with Windows' cmd.exe.
kubectl get pods -n gitlabns -l app=registry -o jsonpath='{.items[0].metadata.name}'
# Run the actual garbage collection. Check the registry's manual if you really want the '-m' parameter.
kubectl exec -n gitlabns <registry-pod> -- /bin/registry garbage-collect -m /etc/docker/registry/config.yml
# Reset registry back to original state.
helm upgrade mygitlab gitlab/gitlab -f mygitlab.yml --wait
# All done :)

     

Running administrative commands against the Container Registry

The administrative commands can be run against the Container Registry
only from a Registry pod, where both the registry binary as well as necessary
configuration is available. Issue #2629
is open to discuss how to provide this functionality from the toolbox pod.

To run administrative commands:

Connect to a Registry pod:
```
kubectl exec -it <registry-pod> -- bash
```
Once inside the Registry pod, the registry binary is available in PATH and
can be used directly. The configuration file is available at
/etc/docker/registry/config.yml . The following example checks the status
of the database migration:
```
registry database migrate status /etc/docker/registry/config.yml
```

For further details and other available commands, refer to the relevant
documentation:

General Registry documentation
GitLab-specific Registry documentation

Read article

Welcome to Knowledge Base!

KB at your finger tips

Configure charts using globals

Configure Host settings

hostSuffix

Configure Horizontal Pod Autoscaler settings

Configure PodDisruptionBudget settings

Configure CronJob settings

Configure Ingress settings

Ingress Path

Cloud provider LoadBalancers

global.ingress.configureCertmanager

GitLab Version

Adding suffix to all image tags

Configure PostgreSQL settings

PostgreSQL per chart

PostgreSQL SSL

PostgreSQL load balancing

Configure Redis settings

Configure Redis chart-specific settings

Redis Sentinel support

Multiple Redis support

Specifying secure Redis scheme (SSL)

Password-less Redis Servers

Configure Grafana integration

Configure Registry settings

notifications

Configure Gitaly settings

Gitaly hosts

Internal

External

Mixed

authToken

Deprecated Gitaly settings

TLS settings

Configure Praefect settings

Enable Praefect

Global settings for Praefect

Configure MinIO settings

Configure appConfig settings

General application settings

Content Security Policy

defaultProjectsFeatures

Gravatar/Libravatar settings

Hooking Analytics services to the GitLab instance

Consolidated object storage

Specify buckets

storage_options

LFS, Artifacts, Uploads, Packages, External MR diffs, and Dependency Proxy

connection

when (only for External MR Diffs)

cdn (only for CI Artifacts)

Incoming email settings

KAS settings

Custom secret

Custom URLs

External KAS

Suggested Reviewers settings

Custom secret

LDAP

Disable LDAP web sign in

Using a custom CA or self signed LDAP certificates

OmniAuth

providers

connection

Cron jobs related settings

Sentry settings

gitlab_docs settings

Smartcard Authentication settings

Sidekiq routing rules settings

Configure Rails settings

Configure Workhorse settings

Bootsnap Cache

Configure GitLab Shell

Port

TCP proxy protocol

Configure GitLab Pages

Configure Webservice

workerTimeout

Custom Certificate Authorities

`global.ingress.configureCertmanager`

Configuring the `image`

Configuring the `service`

Configuring the `ingress`

Configuring the `networkpolicy`