Just delegate a domain to Azure DNS, map a wildcard record to the Kubernetes load balancer entry point… and (crucially, this is the painful part I'll dwell on) create your own Let's Encrypt issuer for cert-manager, like this:
(the class addon-http-application-routing is the REALLY important bit: it is the ingress class that the AKS HTTP application routing add-on's controller watches, so without it cert-manager's HTTP01 solver Ingress is never picked up by Azure's load balancing/Ingress integration and the challenge is never served)
```yaml
apiVersion: cert-manager.io/v1alpha2   # cert-manager 1.x serves cert-manager.io/v1 instead
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: your@email.address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: prod-issuer-account-key
    # Add a single challenge solver, HTTP01 using the AKS add-on's nginx ingress
    solvers:
    - http01:
        ingress:
          class: addon-http-application-routing
```
And finally bring up GitLab with the chart, specifying three separate TLS secrets; otherwise the chart assumes you have a wildcard certificate and requests one, which Let's Encrypt's HTTP01 validation cannot issue (wildcards are only available through DNS01 validation, so you would have to switch the issuer to dns01):
```yaml
nginx-ingress:
  enabled: false            # the AKS add-on already runs an ingress controller
certmanager:
  install: false            # cert-manager is installed separately (see the ClusterIssuer above)
global:
  hosts:
    domain: your.fancy.domain
  ingress:
    annotations:
      kubernetes.io/ingress.class: addon-http-application-routing
      cert-manager.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/tls-acme: "true"   # quote it: annotation values must be strings, a bare YAML true can be rendered as a boolean and rejected by the API server
    configureCertmanager: false
gitlab:
  unicorn:                  # renamed to webservice in GitLab 13.x charts
    ingress:
      tls:
        secretName: "gitlab-unicorn-tls"
registry:
  ingress:
    tls:
      secretName: "gitlab-registry-tls"
minio:
  ingress:
    tls:
      secretName: "gitlab-minio-tls"
```
Ah… don't try to use ArgoCD for this,
it is buggy -> gitlab/-/issues/2039
Therefore… iterate by re-running:

```shell
$ helm upgrade gitlab gitlab/gitlab -n gitlab -f gitlab_values.yaml --render-subchart-notes --reset-values
```

(--reset-values discards the values the release was last installed with, so gitlab_values.yaml has to carry the whole configuration every time.)
UPDATE: you want git+ssh access to pull/push from your repo, right?
Well, then you need to add the following snippet to your values.yaml:
```yaml
gitlab:
  gitlab-shell:
    service:
      type: LoadBalancer    # AKS allocates a separate public IP for this Service
global:
  hosts:
    ssh: ssh.your.fancy.domain
```
And again, accordingly, create an A record in your DNS zone pointing ssh.your.fancy.domain at the public IP AKS allocates for the new LoadBalancer (an IP needs an A record, not a CNAME, which can only point at another name); you can read it off the EXTERNAL-IP column of `kubectl get svc -n gitlab` for the gitlab-shell service.
Yes, of course you could have set up a full set of ingress controllers yourself, but we are not (yet) running a service that needs to scale to a broad audience.
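To confirm that the per-host certificates and the git+ssh LoadBalancer actually came out as intended, here is a post-deploy check. It is an added example, not code from the original post or from the GitLab chart. It assumes the chart's default host prefixes (gitlab., registry., minio.), the secret names from the values file above, and an ssh host of ssh.<domain> as set under global.hosts.ssh; the wildcard and banner checks target exactly the two failure modes discussed above: the chart still serving a wildcard certificate instead of the HTTP01-issued per-host one, and the ssh DNS record pointing at the wrong load balancer.

```python
"""Post-deploy check for per-host Let's Encrypt certs and the git+ssh endpoint.
Added example; assumes the GitLab chart's default host prefixes and the
secret names from the values file above (not the chart's own tooling)."""
import socket
import ssl
from datetime import datetime, timezone

# Chart default host prefix -> TLS secret name given in the values above.
INGRESS_HOSTS = {
    "gitlab": "gitlab-unicorn-tls",
    "registry": "gitlab-registry-tls",
    "minio": "gitlab-minio-tls",
}


def expected_hosts(domain):
    """FQDN -> secret name for every host the chart requests a cert for."""
    return {f"{prefix}.{domain}": secret for prefix, secret in INGRESS_HOSTS.items()}


def san_covers(sans, host):
    """How the cert's DNS SANs match `host`: 'exact', 'wildcard' or None.
    A wildcard match means a wildcard cert is being served, which cannot
    have come from the HTTP01 ClusterIssuer configured above."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else ""
    for kind, name in sans:
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return "exact"
        if name.startswith("*.") and name[2:] == parent:
            return "wildcard"
    return None


def issuer_org(cert):
    """organizationName of the issuer from a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_left(not_after):
    """Days until expiry, from the notAfter string of getpeercert()."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - datetime.now(tz=timezone.utc)).days


def check_host(host, cert, min_days=14):
    """Evaluate one served certificate; returns (ok, reason)."""
    match = san_covers(cert.get("subjectAltName", ()), host)
    if match is None:
        return False, "host is not in the certificate's SAN list"
    if match == "wildcard":
        return False, "a wildcard cert is served; the per-host HTTP01 cert is not in use"
    org = issuer_org(cert)
    if org != "Let's Encrypt":
        return False, f"unexpected issuer {org!r}"
    left = days_left(cert["notAfter"])
    if left < min_days:
        return False, f"expires in {left} days; check that cert-manager is renewing"
    return True, f"ok, {left} days left"


def fetch_cert(host, port=443, timeout=5.0):
    """TLS-connect with SNI (validating the chain) and return the peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def parse_ssh_banner(line):
    """Software name from an SSH identification line, or None if the peer is
    not an SSH server (e.g. the A record points at the HTTP load balancer)."""
    line = line.strip()
    if not line.startswith("SSH-2.0-"):
        return None
    return line[len("SSH-2.0-"):].split(" ", 1)[0]


def fetch_ssh_banner(host, port=22, timeout=5.0):
    """Read the identification line the gitlab-shell LoadBalancer sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "your.fancy.domain"
    for host, secret in expected_hosts(domain).items():
        try:
            ok, reason = check_host(host, fetch_cert(host))
        except OSError as exc:  # ssl.SSLError is an OSError too
            ok, reason = False, f"TLS handshake failed: {exc}"
        print(f"{'PASS' if ok else 'FAIL'} {host} ({secret}): {reason}")
    ssh_host = f"ssh.{domain}"
    try:
        software = parse_ssh_banner(fetch_ssh_banner(ssh_host))
    except OSError as exc:
        print(f"FAIL {ssh_host}: {exc}")
    else:
        print(f"{'PASS' if software else 'FAIL'} {ssh_host}: ssh banner {software!r}")
```

Run it as `python check_gitlab.py your.fancy.domain` once the helm upgrade has settled; a FAIL with the wildcard reason means the chart is still using a single certificate for all hosts, and a FAIL on the ssh host with a non-SSH banner means the A record is pointing at the ingress load balancer rather than the gitlab-shell one.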