English

Configuring Redis, PostgreSQL, and Account Credentials

This document describes how to configure the credentials required for GitLab instances.

Prerequisites

This document applies to GitLab 17 and above versions provided by the platform. It is decoupled from the platform based on technologies such as Operator.

Redis Credentials

Requirements

GitLab has the following requirements for Redis deployment mode and version:

Deployment modes support both Standalone and Sentinel modes, but Redis Cluster mode is not supported
Redis version 6.2 or above is required

Credential Format

Create a Secret in the namespace where the GitLab instance is planned to be deployed, select the Opaque type, and add and fill in the following fields in the configuration:

Field	Description	Arch	Example Value
host	Redis connection address. Ensure that the GitLab service can connect to it.	standalone	`192.168.1.1`
port	Redis connection port. Ensure that the GitLab service can connect to this port.	standalone	`6379`
password	Redis instance account password. Required when Redis authentication is enabled.	standalone,sentinel	`password111`
address	Sentinel node connection address.	sentinel	`192.168.1.1:26379,192.168.1.2:26379,192.168.1.3:26379`
masterName	The name of the instance group monitored by Sentinel in the sentinel.conf.	sentinel	`mymaster`
sentinelPassword	Sentinel password for Sentinel instances. Required when Sentinel authentication is enabled.	sentinel	`password111`

WARNING

When both sentinel and standalone configurations are present, the sentinel configuration will take precedence.
When deploying with high availability templates, if standalone Redis is configured, it is the user's responsibility to ensure the high availability of the Redis instance.

Standalone Example

apiVersion: v1
data:
  host: <base64 encode host>
  password: <base64 encode password>
  port: <base64 encode port>
kind: Secret
metadata:
  name: gitlab-redis
  namespace: <ns-of-gitlab-instance>
type: Opaque

Sentinel Example

apiVersion: v1
data:
  password: <base64 encode password>
  address: <base64 encode address>
  masterName: <base64 encode masterName>
  sentinelPassword: <base64 encode sentinelPassword>
kind: Secret
metadata:
  name: gitlab-redis
  namespace: <ns-of-gitlab-instance>
type: Opaque

Updating Credentials

If you want to modify Redis connection information after deploying a GitLab instance, you need to directly update the GitLab instance resource, rather than modifying the credential content. For specific operations, please refer to Configuring Redis Access Credentials.

Using Alauda Cache Service for Redis OSS

Redis service can be provided through Alauda Cache Service for Redis OSS, please consider the following important requirements:

Choose Redis version 7.2 or above
Select sentinel mode for architecture type
Choose RDB persistence template for parameter template, such as system-rdb-redis-7.2-sentinel
Enable data persistence with storage quota not less than 2G
In multi-network card scenarios, Redis sentinel will select the default IP of the node to initialize the access address of each Redis node, therefore it does not support accessing nodes with non-default IP + exposed port. In this case, it is recommended to use the LoadBalancer access method to create Redis instances. For more details, please refer to the Alauda Cache Service for Redis OSS feature description documentation.

When creating a Redis instance, a Secret containing connection information is automatically generated, which can be used directly to deploy GitLab. This Secret resource can be filtered using the label middleware.instance/type: Redis.

kubectl get secret -n <ns-of-redis-instance> -l middleware.instance/type=Redis

INFO

If the Redis instance and GitLab instance are not in the same namespace, you need to copy the Secret resource to the namespace where the GitLab instance is located.

For more Redis deployment parameters and high availability deployment requirements, please refer to the .

Using Alauda Cache Service for Redis OSS

Redis service can be provided by Alauda Cache Service for Redis OSS. In some special scenarios, some restrictions need to be noted.

In multi-nic scenarios, Redis sentinels will choose the default IP of the node to initialize the access address of each Redis node, so it does not support accessing the node's non-default IP + exposed port. In this case, it is recommended to use LoadBalancer access method to create Redis instances. For more details, please refer to the Alauda Cache Service for Redis OSS feature description document.

PostgreSQL Credentials

Requirements

GitLab has the following requirements for PostgreSQL versions:

GitLab 17.x requires PostgreSQL version 14.x
GitLab 18.x requires PostgreSQL version 16.x

Credential Format

Create a Secret in the namespace where the GitLab instance is planned to be deployed, select the Opaque type, and add and fill in the following fields in the configuration:

Field	Description	Example Value
host	Database connection address. Ensure that the GitLab service can connect to this database address.	`192.168.1.1`
port	Database connection port. Ensure that the GitLab service can connect to this database port.	`5432`
username	Database account username	`gitlab`
password	Database account password	`password111`
database	Database name. This database must already exist and be empty. You can use the command `create database <database name>` to create it	`gitlab_db`
sslmode	Whether to enable SSL for the database connection. Available options: - `enable`: Enable SSL connection - `disable`: Disable SSL connection, more about sslmode	`enable`

YAML example:

apiVersion: v1
data:
  database: <base64 encode database name>
  host: <base64 encode host>
  password: <base64 encode password>
  port: <base64 encode port>
  username: <base64 encode username>
  sslmode: <base64 encode sslmode>
kind: Secret
metadata:
  name: gitlab-pg
  namespace: <ns-of-gitlab-instance>
type: Opaque

How to create a database on a PG instance

Connect to the PG instance using the psql cli and execute the following command to create a database

create database <database name>;

Creating a separate database for gitaly cluster

In high availability mode, the gitaly component needs to be configured in cluster mode and requires a separate database to store gitaly metadata. You need to create another Secret to store the database connection information, with fields consistent with those described above.

sslmode

sslmode is a parameter that controls the security of the connection between the Gitlab service and the PostgreSQL database. Available options:

enable: Enable SSL connection
disable: Disable SSL connection

When you use Alauda support for PostgreSQL, the sslmode should be set to enable.
When you use external PostgreSQL, the sslmode is depends on your PostgreSQL configuration.

Updating Credentials

If you want to modify PostgreSQL connection information after deploying a GitLab instance, you need to directly update the GitLab instance resource, rather than modifying the credential content. For specific operations, please refer to Configure PostgreSQL Credentials.

Using PostgreSQL Provided by Data Services

Data Services supports deploying PostgreSQL instances that can be used for GitLab deployment. When creating a PostgreSQL instance, please consider the following important requirements:

Choose a PostgreSQL version that matches your GitLab version, for example, when deploying GitLab 17.x, you need to select PostgreSQL 14.x
Storage quota should not be less than 5Gi

When creating a PostgreSQL instance, a Secret containing connection information is automatically generated. This Secret resource can be filtered using the label middleware.instance/type: PostgreSQL.

kubectl get secret -n <ns-of-postgresql-instance> -l middleware.instance/type=PostgreSQL | grep -E '^postgres'

INFO

This Secret contains host, port, username, password information. You need to supplement database and sslmode (set to enable) information based on this Secret, and create a new secret in the namespace where the GitLab instance is located.

For more PostgreSQL deployment parameters and requirements, please refer to .

GitLab Account Credentials

Create a Secret in the namespace where the GitLab instance is planned to be deployed, select the Opaque type, and add and fill in the following fields in the configuration:

Field	Description	Example Value
password	Set the password for the default root account, which must contain letters, numbers, and special characters, be at least 8 characters long, and common weak passwords cannot be used	`password111@`
namespace	Set the same namespace as the gitlab instance	`tools`

apiVersion: v1
data:
  password: <base64 encode password>
kind: Secret
metadata:
  name: gitlab-root-password
  namespace: <ns-of-gitlab-instance>
type: Opaque

Configuring Redis, PostgreSQL, and Account Credentials#

#TOC

#Prerequisites

#Redis Credentials

#Requirements

#Credential Format

#Updating Credentials

#Using Alauda Cache Service for Redis OSS

#PostgreSQL Credentials

#Requirements

#Credential Format

#sslmode

#Updating Credentials

#Using PostgreSQL Provided by Data Services

#GitLab Account Credentials

Configuring Redis, PostgreSQL, and Account Credentials

TOC

Prerequisites

Redis Credentials

Requirements

Credential Format

Updating Credentials

Using Alauda Cache Service for Redis OSS

PostgreSQL Credentials

Requirements

Credential Format

sslmode

Updating Credentials

Using PostgreSQL Provided by Data Services

GitLab Account Credentials