Using external nginx ingress controller with default-ssl-certificate
Summary
Installing the GitLab Helm chart into a cluster with an existing nginx ingress controller with default-ssl-certificate configured. In the cluster, if an ingress object has tls enabled and secretName not provided, then the nginx ingress will work with the default-ssl-certificate set in the nginx ingress controller. default-ssl-certificate is used because the secret is in another namespace and the nginx controller allows the "namespace_name/secret_name" format for it. But this GitLab Helm chart generates certificates for ingresses if the secretName is empty; this is the case for webservice, registry and minio. So now I do not see any way to prevent this chart from keeping the secretNames empty for the nginx-controller to work with the default-ssl-certificate.
Steps to reproduce
Install this helm chart with:
nginx-ingress.enabled=false
global.ingress.tls.enabled=true
global.ingress.tls.secretName=''
global.ingress.tls.configureCertmanager=false
Configuration used
---
# https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/values.yaml
global:
  edition: ce
  ## https://docs.gitlab.com/charts/charts/globals#configure-host-settings
  hosts:
    domain: ex.org
    hostSuffix: git
    https: true
    externalIP:
    ssh: gitssh.ex.org
    gitlab:
      name: git.ex.org
      https: true
    registry:
      name: registry.ex.org
      https: true
  shell:
    port: 5922
  ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings
  ingress:
    enabled: true
    tls:
      enabled: true
      secretName: ''
      configureCertmanager: false
    provider: nginx
    # class:
    annotations: {}
    path: /
    pathType: Prefix
  initialRootPassword:
    secret: gitlab-infra-server-gitlab-root-password
    key: password
  ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    ## https://docs.gitlab.com/charts/charts/globals#general-application-settings
    # cdnHost:
    enableUsagePing: true
    enableSeatLink: true
    enableImpersonation:
    applicationSettingsCacheSeconds: 60
    usernameChangingEnabled: true
    issueClosingPattern:
    defaultTheme:
    defaultProjectsFeatures:
      issues: true
      mergeRequests: true
      wiki: true
      snippets: true
      builds: true
    graphQlTimeout:
    webhookTimeout:
    maxRequestDurationSeconds:
    ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings
    cron_jobs: {}
    ## https://docs.gitlab.com/charts/charts/globals#content-security-policy
    contentSecurityPolicy:
      enabled: false
      report_only: true
      # directives: {}
    backups:
      bucket: gitlab-backups
      tmpBucket: tmp
    gitlab_kas:
      enabled: false
    initialDefaults:
      signupEnabled: false
  kas:
    enabled: false
  rails:
    bootsnap: # Enable / disable Shopify/Bootsnap cache
      enabled: true
  ## https://docs.gitlab.com/charts/charts/globals#configure-registry-settings
  registry:
    bucket: registry
    tls:
      enabled: false
      # secretName:
    # Settings utilized by other services referencing registry:
    enabled: true
    host:
    # port: 443
    api:
      protocol: http
      serviceName: registry
      port: 5000
    tokenIssuer: gitlab-issuer
  ## https://docs.gitlab.com/charts/charts/globals#service-accounts
  serviceAccount:
    enabled: false
    create: true
    annotations: {}
    ## Name to be used for serviceAccount, otherwise defaults to chart fullname
    # name:
prometheus:
  install: false
certmanager:
  install: false
nginx-ingress: &nginx-ingress
  enabled: false
registry:
  enabled: true
gitlab-runner:
  install: false
Current behavior
The Helm chart gets installed successfully, giving this message:
...
=== WARNING
Automatic TLS certificate generation with cert-manager is disabled.
One or more of the components does not have a TLS certificate Secret configured.
As a result, Self-signed certificates were generated for these components.
...
If you do not wish to use self-signed certificates, please set the following properties:
- global.ingress.tls.secretName
OR all of:
- global.ingress.tls.enabled (set to true)
- gitlab.webservice.ingress.tls.secretName
- registry.ingress.tls.secretName
- minio.ingress.tls.secretName
Expected behavior
Some way to disable generation of the self-signed certificates and keep the secretNames empty for the external nginx ingress controller to deal with it.
Versions
- Chart: gitlab-7.5.1
- Platform:
  - Self-hosted: k0s
- Kubernetes: (kubectl version)
  - Client: v1.28.2
  - Server: v1.28.2+k0s
- Helm: (helm version)
  - Client: v3.13.1
Relevant logs
NAME READY STATUS RESTARTS AGE
pod/gitlab-infra-server-gitaly-0 0/1 Pending 0 108m
pod/gitlab-infra-server-gitlab-exporter-5455bb7fc7-zlgtq 1/1 Running 0 108m
pod/gitlab-infra-server-gitlab-shell-d9d644df5-sld6n 1/1 Running 0 108m
pod/gitlab-infra-server-gitlab-shell-d9d644df5-wh4n4 1/1 Running 0 107m
pod/gitlab-infra-server-migrations-4-6sctk 1/1 Running 0 35m
pod/gitlab-infra-server-minio-5ccdcfd7c9-hwscw 0/1 Pending 0 108m
pod/gitlab-infra-server-postgresql-0 0/2 Pending 0 108m
pod/gitlab-infra-server-redis-master-0 0/2 Pending 0 108m
pod/gitlab-infra-server-registry-58dd5bc649-ngrfg 1/1 Running 0 108m
pod/gitlab-infra-server-registry-58dd5bc649-rbmhd 1/1 Running 0 107m
pod/gitlab-infra-server-sidekiq-all-in-1-v2-6b79dd9bb7-lzh9m 0/1 Init:2/3 1 (44m ago) 108m
pod/gitlab-infra-server-toolbox-5679575759-k6r7g 1/1 Running 0 108m
pod/gitlab-infra-server-webservice-default-65fd8b5d98-shpqd 0/2 Init:2/3 1 (44m ago) 108m
pod/gitlab-infra-server-webservice-default-65fd8b5d98-xcw9z 0/2 Init:2/3 1 (44m ago) 107m
NAME READY AGE
statefulset.apps/gitlab-infra-server-gitaly 0/1 108m
statefulset.apps/gitlab-infra-server-postgresql 0/1 108m
statefulset.apps/gitlab-infra-server-redis-master 0/1 108m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/gitlab-infra-server-gitlab-exporter 1/1 1 1 108m
deployment.apps/gitlab-infra-server-gitlab-shell 2/2 2 2 108m
deployment.apps/gitlab-infra-server-minio 0/1 1 0 108m
deployment.apps/gitlab-infra-server-registry 2/2 2 2 108m
deployment.apps/gitlab-infra-server-sidekiq-all-in-1-v2 0/1 1 0 108m
deployment.apps/gitlab-infra-server-toolbox 1/1 1 1 108m
deployment.apps/gitlab-infra-server-webservice-default 0/2 2 0 108m
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/gitlab-infra-server-minio gitlab-infra-server-nginx minio-git.zzlogistics.ru 80 72m
ingress.networking.k8s.io/gitlab-infra-server-registry gitlab-infra-server-nginx registry.zzlogistics.ru 80 72m
ingress.networking.k8s.io/gitlab-infra-server-webservice-default gitlab-infra-server-nginx git.zzlogistics.ru 80 72m
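
Added example, not part of the original report or the chart's own code: a check over `kubectl get ingress -o json` output that reports, per host, whether the Ingress names its own TLS secret, leaves secretName empty (in which case ingress-nginx serves its --default-ssl-certificate), or declares no TLS section at all. The sample input, the secret name and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get ingress -o json`; all names are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "webservice"},
     "spec": {"tls": [{"hosts": ["git.ex.org"]}],
              "rules": [{"host": "git.ex.org"}]}},
    {"metadata": {"name": "registry"},
     "spec": {"tls": [{"hosts": ["registry.ex.org"],
                       "secretName": "example-registry-tls"}],
              "rules": [{"host": "registry.ex.org"}]}},
    {"metadata": {"name": "minio"},
     "spec": {"rules": [{"host": "minio-git.ex.org"}]}},
]})


def classify_tls(ingress_list_json):
    """Map each Ingress name to [(host, certificate source), ...]."""
    result = {}
    for item in json.loads(ingress_list_json).get("items", []):
        spec = item.get("spec", {})
        # host -> secret name, or None when the tls entry has no/empty secretName
        covered = {}
        for entry in spec.get("tls") or []:
            secret = entry.get("secretName") or None
            for host in entry.get("hosts") or []:
                covered[host] = secret
        rows = []
        for rule in spec.get("rules") or []:
            host = rule.get("host", "*")
            if host not in covered:
                # No tls entry for this host in the Ingress spec.
                rows.append((host, "no-tls-section"))
            elif covered[host] is None:
                # ingress-nginx falls back to --default-ssl-certificate here.
                rows.append((host, "controller-default-certificate"))
            else:
                rows.append((host, "secret:" + covered[host]))
        result[item["metadata"]["name"]] = rows
    return result


if __name__ == "__main__":
    for name, rows in classify_tls(SAMPLE).items():
        for host, source in rows:
            print(f"{name:12} {host:20} {source}")
```

To run it against a live cluster, pass the output of `kubectl get ingress -n <namespace> -o json` to classify_tls instead of SAMPLE.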