Docs feedback: using the Gitlab Cloud Native Helm Chart
I created a quick terraform project around this chart. Overall, I thought it worked great.
Unfortunately, even the Gitlab Implementation Engineering team seemed not to understand it. Some of the hiccups around using it included misunderstandings around GCP, but there was also a significant problem in understanding how the LetsEncrypt/certmanager process worked.
It might be worth stressing that users will have to wait for the certmanager process to complete. The easiest way to monitor this on first-time installs is to look for services with ACME or well-known paths - they seem to live until the challenge is completed and then disappear. Once that happens you should have working automatic certificates! :)
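One way to script that "wait for the solver objects to disappear" check, as an added example that is not part of the original post or the chart: it assumes the HTTP-01 solver shows up as ingress paths under `/.well-known/acme-challenge/` (the `cm-acme-http-solver-*` objects cert-manager creates) and uses a constructed sample of `kubectl` output; the namespace and ingress names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the lines `kubectl get ingress -A` prints (see wait_for_acme
# below) while an ACME HTTP-01 challenge is still in flight. Names are hypothetical.
SAMPLE_INGRESS_PATHS='gitlab gitlab-webservice-default /
gitlab cm-acme-http-solver-k2x9q /.well-known/acme-challenge/abc123token
gitlab gitlab-registry /'

# Print only the lines that carry an ACME challenge path (the temporary solver ingress).
acme_solver_lines() {
  printf '%s\n' "$1" | grep -F '/.well-known/acme-challenge/'
}

# Count how many solver paths are still present; 0 means the challenge has finished.
acme_solver_count() {
  printf '%s\n' "$1" | grep -c -F '/.well-known/acme-challenge/'
}

# Exit status 0 (true) when no solver paths remain, 1 while a challenge is still running.
acme_challenges_done() {
  [ "$(acme_solver_count "$1")" -eq 0 ]
}

# Live version: poll the cluster and return once the solver ingress paths have gone.
# Only this function talks to the cluster; everything above works on plain text.
wait_for_acme() {
  while :; do
    paths=$(kubectl get ingress --all-namespaces --no-headers \
      -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,PATH:.spec.rules[*].http.paths[*].path')
    if acme_challenges_done "$paths"; then
      echo "ACME challenges complete; certificates should now be issued"
      return 0
    fi
    echo "ACME solver still present ($(acme_solver_count "$paths") path(s)); waiting..."
    sleep 15
  done
}
```

Run `wait_for_acme` after `helm install`; the functions above it can be exercised offline against the constructed sample.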
If you complete this process and then later reinstall the chart you will end up at an HSTS error (enabled by the nginx ingress controller) and will not be able to visit the new installation until this process completes. Even a Gitlab engineer got confused here - they argued you could "just push proceed" or "visit the installation on port 80" but that simply isn't how HSTS works! The job of the browser is to stop you from being subject to a downgrade attack and/or an attacker playing man-in-the-middle with a different configuration.