Support running Gitaly over TLS
Summary
Spinoff from !939 (merged)
Gitaly supports functioning over TLS, and it is currently supported in omnibus-gitlab. We should support doing this in Charts also.
Jason's comment follows
I'm still a bit tossed on tls_listen_addr vs listen_addr simultaneously. If you have TLS, why not enforce using it?
My thoughts:
global:
  gitaly:
    tls:
      enabled: true
The tricky part here is that we don't want to enforce the use of a tls Secret in globals, as it is possible that Gitaly will reside outside Kubernetes, and thus the clients have no need for the key. For the sake of a full deployment with the chart, and self-signed certificates, we can handle that fact by setting the mounts in clients to only pull the certificate.
When using only as a client, without Gitaly internally, we don't need the secret at all because this certificate can and should be added to the global.certificates.customCAs[] behavior.
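The two deployment shapes discussed above, as an added values.yaml illustration that is not part of this issue or of the chart's documentation: only global.gitaly.tls.enabled and global.certificates.customCAs[] come from the discussion, while secretName, global.gitaly.external and the secret: shape of a customCAs entry are assumptions about the chart's values layout.

```yaml
# Added example, not from the issue or the chart. Only global.gitaly.tls.enabled
# and global.certificates.customCAs[] appear in the discussion; secretName,
# global.gitaly.external, the `secret:` shape of a customCAs entry and the
# Secret names are assumptions.

# Case 1: Gitaly runs inside the cluster from this chart.
# One Secret holds certificate and key. Gitaly pods need both; client pods
# (webservice, sidekiq, shell) mount only the certificate to verify the server.
# With TLS enabled, Gitaly should only expose its tls_listen_addr, so clients
# cannot fall back to a plaintext listen_addr.
global:
  gitaly:
    enabled: true
    tls:
      enabled: true
      secretName: gitaly-tls        # assumed key; Secret with tls.crt and tls.key

---
# Case 2: Gitaly lives outside Kubernetes (for example an omnibus-gitlab host).
# No private key belongs in the cluster, so no tls Secret is configured.
# Clients only need to trust the CA that signed the external Gitaly
# certificate, which is what the customCAs mechanism is for.
global:
  gitaly:
    enabled: false
    external:
      - name: default
        hostname: gitaly.example.internal   # constructed hostname
    tls:
      enabled: true                         # clients speak TLS, hold no key
  certificates:
    customCAs:
      - secret: gitaly-ca                   # assumed: Secret holding the CA cert
```

In the second layout the chart has nothing to mount from a Gitaly Secret, which is why the CA belongs under global.certificates.customCAs rather than under global.gitaly.tls.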