AWS HA Documentation is badly out of date, incorrect
We have a guided walkthrough we have for AWS HA at https://docs.gitlab.com/ee/install/aws/. In spirit it is great, and it is really the only "guided HA" install document that we have.
Unfortunately it has become badly out of date, and has a number of major problems that people will stumble on.
HA
-
Add to requirements an HTTPS certificate, or the ability to get one. It can take a few hours for ACM to validate, so putting this up front is a good idea. -
Links to external content (like VPC page) don't actually spawn new windows. -
On VPC subnet creation examples, we should add /24
to CIDR blocks as that is what AWS expects and then you can simply cut and paste -
We tell you to create a custom VPC - but not to check enabling host name resolution, otherwise you will get strange dns errors -
There is a blank named route table that seemed to be created by default in my VPC? Not present in instructions. We should provide guidance to delete this, as otherwise it will trip you up later as it is the default. -
Consider having a default security group description? -
Doesn’t say to hit create on security group creation -
On RDS Subnet - mention to create a subnet group -
Consider updating HA docs to mention a more recent database than 9.6 -
When creating RDS, there is big new dialog asking about "Easy vs Standard" options. We should specify which one since its so prominent.  -
Update instance types - no more t2’s for RDS -
For Redis - maybe recommend an instance size? We do elsewhere. -
We tell you an example name in Elasticache, but we don’t tell you that name when creating the SG. -
We tell you to create an ALB, but ALB's don't support SSH. We need to tell people to use a Classic Load Balancer, or figure out how to get an NLB to work. -
Mention which LB security policy to pick -
In the docs we mention a 'primary instance' - but there is such thing as primary as they don’t have public IP’s and the LB’s will round-robin -
The guidance to edit gitlab.rb
simply won't work, as all of this is stored on ephemeral storage -
We tell you to create an separate EBS volume, but for what? Content will be either stored on a separate gitaly instance or Object Storage -
The guidance on git_data_dirs
is actually incorrect since we are using gitaly -
We then totally punt to the gitaly docs on how to set it up, without any additional information, or context about it being a SPOF -
Security group for RDS and security group for instances are incorrect. RDS says to allow from gitlab
, Instance config says to use LB settings’ -
Redis security group won’t work unless you add to gitlab -
Why is there no “#sidekiq['enable'] = true” in default in the template? -
No `gitlab_rails['internal_api_url'] = 'https://gitlab.example.com'’ in the template -
We don't configure any way for the nodes to get out to the internet on their own, say for updating a package or contacting the secondary. We need to include this, if you want Geo, or ability to update package and capture a new AMI. -
Recommend setting up an internal load balancers - otherwise no way for gitaly node to talk back out to public LB -
Doesn’t include configuring DNS to match LB -
AWS HA instructions don’t cover setting up http proxy with external https -
HA instructions also don’t reference x-forwarded for stuff from here: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl -
We should update the screenshot of the AMI to show a more recent version of GitLab
Edited by Collen