Encrypt (internal) Gitaly traffic with TLS

Since GitLab 11.8 it is possible to use TLS for the network traffic between Gitaly clients (gitlab-rails, gitlab-shell, gitlab-workhorse, gitlab-elasticsearch-indexer and gitaly itself) and Gitaly servers.

For various reasons, such as "leading by example" and "improving gitlab.com's security posture", it would be good for us to roll out this feature in production.

https://docs.gitlab.com/ee/administration/gitaly/#tls-support

Note there currently is an error in the opening paragraph of the documentation linked above, where it says "Gitaly supports TLS credentials for GRPC authentication". We only support TLS for encryption; authentication is based on bearer tokens. This is being fixed in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26488/diffs

chef-repo MR for pre and gstg: https://ops.gitlab.net/gitlab-cookbooks/chef-repo/-/merge_requests/3146
chef-repo MRs for gprd:
- https://ops.gitlab.net/gitlab-cookbooks/chef-repo/-/merge_requests/3147
- https://ops.gitlab.net/gitlab-cookbooks/chef-repo/-/merge_requests/3148
Production change issue: production#1939 (closed)

Edited Jul 27, 2020 by Alberto Ramos