just delegate a domain to the Azure’s cloud, map a wildcard DNS to the Kubernetes loadbalancer entry point… and (crucial, I just mention the painful part) do create your own cert-signing thing for let’s encrypt like this:
(the class: addon-http-application-routing is the REALLY important bit, else you don’t get the fancy loadbalancing/Ingress resource integration from Azure )
apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: name: letsencrypt-prod spec: acme: # You must replace this email address with your own. # Let's Encrypt will use this to contact you about expiring # certificates, and issues related to your account. email: firstname.lastname@example.org server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: # Secret resource that will be used to store the account's private key. name: prod-issuer-account-key # Add a single challenge solver, HTTP01 using nginx solvers: - http01: ingress: class: addon-http-application-routing
and finally bring up the cluster of GitLab specifying 3 separate tls secrets, otherwise GitLab will assume you do have a wildcard certificate and the http01 validation of Let’sEncrypt will fail… (u need otherwise to use dns01 validation)
nginx-ingress: enabled: false certmanager: install: false global: hosts: domain: your.fancy.domain ingress: annotations: kubernetes.io/ingress.class: addon-http-application-routing cert-manager.io/cluster-issuer: letsencrypt-prod kubernetes.io/tls-acme: true configureCertmanager: false gitlab: unicorn: ingress: tls: secretName: "gitlab-unicorn-tls" registry: ingress: tls: secretName: "gitlab-registry-tls" minio: ingress: tls: secretName: "gitlab-minio-tls"
ah… don’t try to use ArgoCD for this,
it is buggy -> gitlab/-/issues/2039
therefore… reiterate with:
$ helm upgrade gitlab gitlab/gitlab -n gitlab -f gitlab_values.yaml –render-subchart-notes –reset-values
UPDATE: u want git+ssh access to pull/push from ur repo, right?
well, then you need to add the following snipped in your values.yaml
gitlab: gitlab-shell: service: type: LoadBalancer global: hosts: ssh: ssh.your.fancy.domain
and again, accordingly, create in your dns zone a CNAME (ANAME) towards the newly created LoadBalancer IP that AKS has created you…
yes, of course you could have created a complete set of ingress-controllers, but we are not running a service that yet needs to be scaled to a broad audience