GitLab on Azure

Just delegate a domain to Azure DNS, map a wildcard record to the entry point of the Kubernetes load balancer (the public IP in front of the ingress controller) and, crucially (I only mention the painful part), create your own certificate issuer for Let's Encrypt like this:

(the class: addon-http-application-routing line is the REALLY important bit; without it the HTTP-01 challenge Ingress that cert-manager creates is not picked up by the controller of Azure's HTTP application routing add-on, so you don't get the load balancing/Ingress integration from Azure and the challenge is never answered)

# cert-manager 1.x serves this resource as apiVersion: cert-manager.io/v1
# (v1alpha2 was removed in cert-manager 1.6); the spec below is identical in both.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: your@email.address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: prod-issuer-account-key
    # Add a single challenge solver: HTTP01 via the ingress controller of the
    # AKS HTTP application routing add-on. The class must match the Ingress
    # class the GitLab chart uses below, or the challenge is served by nothing.
    solvers:
    - http01:
        ingress:
          class: addon-http-application-routing

and finally bring up GitLab, specifying 3 separate TLS secrets; otherwise GitLab assumes you have a wildcard certificate, which Let's Encrypt will not issue through HTTP-01 validation (for a wildcard you would need DNS-01 validation):

nginx-ingress:
  enabled: false          # the AKS HTTP application routing add-on already runs a controller
certmanager:
  install: false          # we use the ClusterIssuer created above, not the chart's cert-manager
global:
  hosts:
    domain: your.fancy.domain
  ingress:
    annotations:
      kubernetes.io/ingress.class: addon-http-application-routing
      cert-manager.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/tls-acme: "true"   # annotation values must be strings; a bare true is a YAML boolean
    configureCertmanager: false        # the chart must not manage certificates itself
gitlab:
  unicorn:                # renamed to webservice in chart 4.x (GitLab 13.0)
    ingress:
      tls:
        secretName: "gitlab-unicorn-tls"
registry:
  ingress:
    tls:
      secretName: "gitlab-registry-tls"
minio:
  ingress:
    tls:
      secretName: "gitlab-minio-tls"

Ah… and don't try to use ArgoCD for this, it is buggy -> gitlab/-/issues/2039

Therefore… iterate with:

$ helm upgrade gitlab gitlab/gitlab -n gitlab -f gitlab_values.yaml --render-subchart-notes --reset-values

UPDATE: you want git+ssh access to pull from and push to your repo, right?

Well, then you need to add the following snippet to your values.yaml:

gitlab:
  gitlab-shell:
    service:
      type: LoadBalancer
global:
  hosts:
    ssh: ssh.your.fancy.domain

and again, accordingly, create in your DNS zone an A record for ssh.your.fancy.domain pointing at the IP of the LoadBalancer that AKS has just created for you (a CNAME cannot point at an IP address, only at another name)…

Yes, of course you could have created a complete set of ingress controllers instead, but we are not (yet) running a service that needs to scale to a broad audience.
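As an added example (my code, not from the post or from the GitLab chart), here is a small linter that checks a values file for exactly the pitfalls described above: the chart's bundled nginx or cert-manager left on, an ingress class that does not match the ClusterIssuer's solver class, the unquoted tls-acme annotation, a component without its own TLS secret (the wildcard assumption that breaks HTTP-01), and, for the UPDATE part, a gitlab-shell LoadBalancer without global.hosts.ssh. It assumes the chart layout used on this page (gitlab.unicorn, registry, minio, gitlab.gitlab-shell) and parses the block-mapping subset of YAML these files use with its own tiny parser, so it needs nothing beyond the standard library. The sample values are constructed by merging the two snippets above.

```python
"""Lint a GitLab Helm values file for the AKS + cert-manager pitfalls described above. Added
example, not from the original post or the GitLab chart; stdlib only (tiny YAML-subset parser)."""
import re
from collections import namedtuple

Scalar = namedtuple("Scalar", "value quoted")  # leaf text and whether it was quoted
YAML_NON_STRINGS = {"true", "false", "yes", "no", "on", "off", "null", "~"}  # load as bool/null, not str
# settings this setup requires: the chart must not fight the AKS add-on or our own cert-manager
REQUIRED = {("nginx-ingress", "enabled"): "false", ("certmanager", "install"): "false",
            ("global", "ingress", "configureCertmanager"): "false"}
# components whose Ingress needs its own TLS secret (chart layout used on this page)
COMPONENT_INGRESSES = {"gitlab.unicorn": ("gitlab", "unicorn"), "registry": ("registry",), "minio": ("minio",)}

def parse_block_yaml(text):  # nested `key: value` block mappings only (no lists), '#' comments skipped
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to this line's parent mapping
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value == "":  # a nested mapping follows on deeper-indented lines
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
            parent[key] = Scalar(value[1:-1] if quoted else value, quoted)
    return root

def _get(mapping, *path):  # walk a nested dict; None when any key is missing
    for key in path:
        if not isinstance(mapping, dict) or key not in mapping:
            return None
        mapping = mapping[key]
    return mapping

def lint_gitlab_values(text, issuer_ingress_class="addon-http-application-routing"):
    """Return findings; an empty list means the values match the setup described above."""
    v, findings = parse_block_yaml(text), []
    for path, want in REQUIRED.items():
        node = _get(v, *path)
        if not (isinstance(node, Scalar) and node.value == want):
            findings.append("%s must be %s" % (".".join(path), want))
    # app Ingress and cert-manager's challenge Ingress must carry the same class (same controller, same LB IP)
    ann = _get(v, "global", "ingress", "annotations") or {}
    cls = ann.get("kubernetes.io/ingress.class")
    if not (isinstance(cls, Scalar) and cls.value == issuer_ingress_class):
        findings.append("kubernetes.io/ingress.class must equal the ClusterIssuer solver class %r" % issuer_ingress_class)
    # annotation values are strings: an unquoted true/yes loads as a YAML bool and the API server rejects it
    for key, val in ann.items():
        if isinstance(val, Scalar) and not val.quoted and val.value.lower() in YAML_NON_STRINGS:
            findings.append('annotation %s: %s is not a string, quote it as "%s"' % (key, val.value, val.value))
    # one TLS secret per host: HTTP-01 cannot issue a wildcard, so the chart's wildcard fallback stays empty
    for comp, path in COMPONENT_INGRESSES.items():
        node = _get(v, *path, "ingress", "tls", "secretName")
        if not (isinstance(node, Scalar) and node.value):
            findings.append("%s.ingress.tls.secretName is unset: chart falls back to a wildcard certificate" % comp)
    # git+ssh: a LoadBalancer for gitlab-shell needs a hostname (global.hosts.ssh) pointing at it
    shell = _get(v, "gitlab", "gitlab-shell", "service", "type")
    if isinstance(shell, Scalar) and shell.value == "LoadBalancer" and _get(v, "global", "hosts", "ssh") is None:
        findings.append("gitlab.gitlab-shell.service.type is LoadBalancer but global.hosts.ssh is unset")
    return findings

# Constructed sample: both snippets from this page merged, with the unquoted tls-acme as posted
POST_VALUES = """\
nginx-ingress:
  enabled: false
certmanager:
  install: false
global:
  hosts:
    domain: your.fancy.domain
    ssh: ssh.your.fancy.domain
  ingress:
    annotations:
      kubernetes.io/ingress.class: addon-http-application-routing
      cert-manager.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/tls-acme: true
    configureCertmanager: false
gitlab:
  unicorn:
    ingress:
      tls:
        secretName: "gitlab-unicorn-tls"
  gitlab-shell:
    service:
      type: LoadBalancer
registry:
  ingress:
    tls:
      secretName: "gitlab-registry-tls"
minio:
  ingress:
    tls:
      secretName: "gitlab-minio-tls"
"""
FIXED_VALUES = POST_VALUES.replace("tls-acme: true", 'tls-acme: "true"')  # the one-character fix
```

Run lint_gitlab_values on your own file before helm upgrade; on the values as posted it reports only the unquoted tls-acme annotation, and it stays silent once that is quoted. Drop the three secretName lines and it flags all three components, which is the wildcard situation that makes the HTTP-01 order fail.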
