Encrypt (internal) Gitaly traffic with TLS
Since GitLab 11.8 it is possible to use TLS for the network traffic between Gitaly clients (gitlab-rails, gitlab-shell, gitlab-workhorse, gitlab-elasticsearch-indexer and gitaly itself) and Gitaly servers.
For various reasons, such as "leading by example" and "improving gitlab.com's security posture", it would be good for us to roll out this feature in production.
https://docs.gitlab.com/ee/administration/gitaly/#tls-support
Note that the opening paragraph of the documentation linked above currently contains an error: it says "Gitaly supports TLS credentials for GRPC authentication". We only support TLS for encryption; authentication is based on bearer tokens, and enabling TLS does not replace them. This is being fixed in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26488/diffs
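To make the distinction above concrete, here is an added example (not Gitaly's or GitLab's own code) that audits a Gitaly `config.toml` for the settings the linked docs describe: `tls_listen_addr`, `[tls] certificate_path`/`key_path`, the plaintext `listen_addr`, and the bearer token under `[auth]`. Those key names are Gitaly's; the three sample configs, the token values and the tiny TOML reader (which only understands the flat `key = "value"` / `[table]` subset those settings need) are constructed for this example.

```ruby
# Added example, not Gitaly's or GitLab's code: audit a Gitaly config.toml
# for the TLS settings documented at
# https://docs.gitlab.com/ee/administration/gitaly/#tls-support
#
# Key names (listen_addr, tls_listen_addr, [tls] certificate_path/key_path,
# [auth] token/transitioning) are the ones Gitaly's config.toml uses. The
# parser below is a minimal reader for that flat subset, not a TOML parser:
# values containing '#' or '=' are not handled.

# Parse "key = value" lines into { "table.key" => "value" }; top-level keys
# carry no table prefix.
def parse_flat_toml(text)
  table = nil
  text.each_line.with_object({}) do |raw, out|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    if (m = line.match(/\A\[([\w.]+)\]\z/))
      table = m[1]
      next
    end
    key, _, value = line.partition("=")
    key = key.strip
    value = value.strip.delete_prefix('"').delete_suffix('"')
    out[table ? "#{table}.#{key}" : key] = value
  end
end

# Return a list of findings; an empty list means the config is acceptable.
# strict: true also flags a plaintext listen_addr, which is only tolerable
# while clients are still being migrated to tls:// Gitaly addresses.
def audit_gitaly_tls(toml_text, strict: true)
  cfg = parse_flat_toml(toml_text)
  findings = []
  if cfg["tls_listen_addr"].to_s.empty?
    findings << "no tls_listen_addr: Gitaly is not listening for TLS at all"
  end
  %w[tls.certificate_path tls.key_path].each do |k|
    findings << "#{k} missing: the TLS listener cannot start" if cfg[k].to_s.empty?
  end
  if strict && !cfg["listen_addr"].to_s.empty?
    findings << "plaintext listen_addr #{cfg['listen_addr']} is still enabled"
  end
  # TLS here is encryption only. Gitaly authenticates callers with the bearer
  # token in [auth], so an empty token (or transitioning = true, which stops
  # enforcing it) leaves the server open to anyone who can reach the port,
  # encrypted or not.
  if cfg["auth.token"].to_s.empty?
    findings << "auth.token is empty: TLS does not authenticate clients"
  elsif cfg["auth.transitioning"] == "true"
    findings << "auth.transitioning = true: the token is not being enforced"
  end
  findings
end

# Constructed sample configs (token values are placeholders, not real secrets).
PLAINTEXT_ONLY = <<~TOML
  listen_addr = "0.0.0.0:8075"
  [auth]
  token = "constructed-example-token"
TOML

TLS_WITH_TOKEN = <<~TOML
  tls_listen_addr = "0.0.0.0:9999"
  [tls]
  certificate_path = "/etc/gitlab/ssl/gitaly.crt"
  key_path = "/etc/gitlab/ssl/gitaly.key"
  [auth]
  token = "constructed-example-token"
TOML

TLS_WITHOUT_TOKEN = TLS_WITH_TOKEN.sub(/token = ".*"/, 'token = ""')

if __FILE__ == $PROGRAM_NAME
  { "plaintext only" => PLAINTEXT_ONLY,
    "tls + token" => TLS_WITH_TOKEN,
    "tls, no token" => TLS_WITHOUT_TOKEN }.each do |name, toml|
    puts "#{name}: #{audit_gitaly_tls(toml).inspect}"
  end
end
```

The third sample is the case the note above is about: a config that passes every TLS check still fails the audit, because an empty `[auth] token` means nothing authenticates the client. Run with `strict: false` during a rollout where clients are migrated one at a time and the plaintext listener has to stay up.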
- chef-repo MR for pre and gstg: https://ops.gitlab.net/gitlab-cookbooks/chef-repo/-/merge_requests/3146
- chef-repo MRs for gprd:
- Production change issue: production#1939 (closed)