Alauda Build of Gitlab Docs

Configuring Redis, PostgreSQL, and Account Credentials

This document describes how to configure the credentials required for GitLab instances.

TOC

Prerequisites

  • This document applies to GitLab 17 and above versions provided by the platform. It is decoupled from the platform based on technologies such as Operator.

Redis Credentials

Requirements

GitLab has the following requirements for Redis deployment mode and version:

  • Deployment modes support both Standalone and Sentinel modes, but Redis Cluster mode is not supported
  • Redis version 6.2 or above is required

Credential Format

Create a Secret in the namespace where the GitLab instance is planned to be deployed, select the Opaque type, and add and fill in the following fields in the configuration:

FieldDescriptionArchExample Value
hostRedis connection address. Ensure that the GitLab service can connect to it.standalone192.168.1.1
portRedis connection port. Ensure that the GitLab service can connect to this port.standalone6379
passwordRedis instance account password. Required when Redis authentication is enabled.standalone,sentinelpassword111
addressSentinel node connection address.sentinel192.168.1.1:26379,192.168.1.2:26379,192.168.1.3:26379
masterNameThe name of the instance group monitored by Sentinel in the sentinel.conf.sentinelmymaster
sentinelPasswordSentinel password for Sentinel instances. Required when Sentinel authentication is enabled.sentinelpassword111
WARNING
  1. When both sentinel and standalone configurations are present, the sentinel configuration will take precedence.
  2. When deploying with high availability templates, if standalone Redis is configured, it is the user's responsibility to ensure the high availability of the Redis instance.

Standalone Example

apiVersion: v1
data:
  host: <base64 encode host>
  password: <base64 encode password>
  port: <base64 encode port>
kind: Secret
metadata:
  name: gitlab-redis
  namespace: <ns-of-gitlab-instance>
type: Opaque

Sentinel Example

apiVersion: v1
data:
  password: <base64 encode password>
  address: <base64 encode address>
  masterName: <base64 encode masterName>
  sentinelPassword: <base64 encode sentinelPassword>
kind: Secret
metadata:
  name: gitlab-redis
  namespace: <ns-of-gitlab-instance>
type: Opaque

Updating Credentials

If you want to modify Redis connection information after deploying a GitLab instance, you need to directly update the GitLab instance resource, rather than modifying the credential content. For specific operations, please refer to Configuring Redis Access Credentials.

Using Alauda Cache Service for Redis OSS

Redis service can be provided through Alauda Cache Service for Redis OSS, please consider the following important requirements:

  • Choose Redis version 7.2 or above
  • Select sentinel mode for architecture type
  • Choose RDB persistence template for parameter template, such as system-rdb-redis-7.2-sentinel
  • Enable data persistence with storage quota not less than 2G
  • In multi-network card scenarios, Redis sentinel will select the default IP of the node to initialize the access address of each Redis node, therefore it does not support accessing nodes with non-default IP + exposed port. In this case, it is recommended to use the LoadBalancer access method to create Redis instances. For more details, please refer to the Alauda Cache Service for Redis OSS feature description documentation.

When creating a Redis instance, a Secret containing connection information is automatically generated, which can be used directly to deploy GitLab. This Secret resource can be filtered using the label middleware.instance/type: Redis.

kubectl get secret -n <ns-of-redis-instance> -l middleware.instance/type=Redis
INFO

If the Redis instance and GitLab instance are not in the same namespace, you need to copy the Secret resource to the namespace where the GitLab instance is located.

For more Redis deployment parameters and high availability deployment requirements, please refer to the .

Using Alauda Cache Service for Redis OSS

Redis service can be provided by Alauda Cache Service for Redis OSS. In some special scenarios, some restrictions need to be noted.

  • In multi-nic scenarios, Redis sentinels will choose the default IP of the node to initialize the access address of each Redis node, so it does not support accessing the node's non-default IP + exposed port. In this case, it is recommended to use LoadBalancer access method to create Redis instances. For more details, please refer to the Alauda Cache Service for Redis OSS feature description document.

PostgreSQL Credentials

Requirements

GitLab has the following requirements for PostgreSQL versions:

  • GitLab 17.x requires PostgreSQL version 14.x
  • GitLab 18.x requires PostgreSQL version 16.x

Credential Format

Create a Secret in the namespace where the GitLab instance is planned to be deployed, select the Opaque type, and add and fill in the following fields in the configuration:

FieldDescriptionExample Value
hostDatabase connection address. Ensure that the GitLab service can connect to this database address.192.168.1.1
portDatabase connection port. Ensure that the GitLab service can connect to this database port.5432
usernameDatabase account usernamegitlab
passwordDatabase account passwordpassword111
databaseDatabase name. This database must already exist and be empty. You can use the command create database <database name> to create itgitlab_db
sslmodeWhether to enable SSL for the database connection. Available options:
- enable: Enable SSL connection
- disable: Disable SSL connection, more about sslmode		enable

YAML example:

apiVersion: v1
data:
  database: <base64 encode database name>
  host: <base64 encode host>
  password: <base64 encode password>
  port: <base64 encode port>
  username: <base64 encode username>
  sslmode: <base64 encode sslmode>
kind: Secret
metadata:
  name: gitlab-pg
  namespace: <ns-of-gitlab-instance>
type: Opaque

How to create a database on a PG instance

Connect to the PG instance using the psql cli and execute the following command to create a database

create database <database name>;

Creating a separate database for gitaly cluster

In high availability mode, the gitaly component needs to be configured in cluster mode and requires a separate database to store gitaly metadata. You need to create another Secret to store the database connection information, with fields consistent with those described above.

sslmode

sslmode is a parameter that controls the security of the connection between the Gitlab service and the PostgreSQL database. Available options:

  • enable: Enable SSL connection
  • disable: Disable SSL connection

When you use Alauda support for PostgreSQL, the sslmode should be set to enable.
When you use external PostgreSQL, the sslmode is depends on your PostgreSQL configuration.

Updating Credentials

If you want to modify PostgreSQL connection information after deploying a GitLab instance, you need to directly update the GitLab instance resource, rather than modifying the credential content. For specific operations, please refer to Configure PostgreSQL Credentials.

Using PostgreSQL Provided by Data Services

Data Services supports deploying PostgreSQL instances that can be used for GitLab deployment. When creating a PostgreSQL instance, please consider the following important requirements:

  1. Choose a PostgreSQL version that matches your GitLab version, for example, when deploying GitLab 17.x, you need to select PostgreSQL 14.x
  2. Storage quota should not be less than 5Gi

When creating a PostgreSQL instance, a Secret containing connection information is automatically generated. This Secret resource can be filtered using the label middleware.instance/type: PostgreSQL.

kubectl get secret -n <ns-of-postgresql-instance> -l middleware.instance/type=PostgreSQL | grep -E '^postgres'
INFO

This Secret contains host, port, username, password information. You need to supplement database and sslmode (set to enable) information based on this Secret, and create a new secret in the namespace where the GitLab instance is located.

For more PostgreSQL deployment parameters and requirements, please refer to .

GitLab Account Credentials

Create a Secret in the namespace where the GitLab instance is planned to be deployed, select the Opaque type, and add and fill in the following fields in the configuration:

FieldDescriptionExample Value
passwordSet the password for the default root account, which must contain letters, numbers, and special characters, be at least 8 characters long, and common weak passwords cannot be usedpassword111@
namespaceSet the same namespace as the gitlab instancetools
apiVersion: v1
data:
  password: <base64 encode password>
kind: Secret
metadata:
  name: gitlab-root-password
  namespace: <ns-of-gitlab-instance>
type: Opaque