GitLab on Kubernetes behind Traefik IngressRoutes, external cert-manager

Hi,

I’m studying the different settings to deploy GitLab on Kubernetes via helm chart.
My architecture will have external Redis, Postgresql, Minio and Ingress (Traefik).

I’m pretty sure I understood how to set Redis, Postgresql, Minio.

For Traefik, I’d really like to use custom IngressRoute manifests (Traefik CRDs), as I’m used to doing that for everything, without using the ones from the Helm chart, to have more customizability.

  • Is there a sample of the needed middlewares, IngressRoutes, and other Traefik stuff to deploy?
  • Is cert-manager only needed for ingress TLS?

Thank you very much.

I would try using these settings I found in the guides (without installing the internal Traefik):

certmanager.install=false
global.ingress.configureCertmanager=false
gitlab.webservice.ingress.tls.secretName=RELEASE-gitlab-tls
registry.ingress.tls.secretName=RELEASE-registry-tls
minio.ingress.tls.secretName=RELEASE-minio-tls
gitlab.kas.ingress.tls.secretName=RELEASE-kas-tls

global:
  ingress:
    # Default, present here to be explicit.
    enabled: true
    # Toggle the TCP configuration and annotations to Traefik.
    provider: traefik
    # Alter the `kubernetes.io/ingress.class` annotation or
    # `spec.ingressClassName` value chart-wide.
    class: traefik
    annotations:
      # Tell Traefik that we've configured TLS
      # NOTE: disable this if `global.ingress.tls.enabled=false`.
      traefik.ingress.kubernetes.io/router.tls: "true"
      # Ensure the HTTP Routes only listen on 443, rather than all entrypoints.
      # NOTE: set the value to `web` if `global.ingress.tls.enabled=false`.
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
# The gitlab-shell subchart is configured under `gitlab:`, not `global:`
# (the value is gitlab.gitlab-shell.traefik.entrypoint).
gitlab:
  # Tell the gitlab-shell chart which traefik entrypoint to use
  # Default, present here to be explicit.
  gitlab-shell:
    traefik:
      entrypoint: "gitlab-shell"

nginx-ingress:
  # Disable the deployment of the in-chart NGINX Ingress provider.
  enabled: false

If these are enough, the only thing I’m missing is whether I need to enable the gitlab-shell endpoint on my external Traefik, and the specifics of doing so.

Thank you.

Ok, I found out it works like this:

# apiVersion harmonised to traefik.io/v1alpha1 throughout (the ServersTransport
# below already uses it; traefik.containo.us is deprecated and gone in Traefik v3).
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: gitlab-shell
  namespace: gitlab
spec:
  entryPoints:
    # This entryPoint must be defined in the external Traefik's static
    # configuration (e.g. an entryPoint named gitlab-shell on :22) and the
    # matching port must be exposed by Traefik's own Service.
    - gitlab-shell
  routes:
  - match: HostSNI(`*`) # SSH is plain TCP with no SNI, so the wildcard is required
    services:
    - name: gitlab-gitlab-shell # Put the gitlab-shell service name
      namespace: gitlab
      port: 2232 # Put the port exposed by that Service (check with: kubectl -n gitlab get svc gitlab-gitlab-shell)
      proxyProtocol: # Only if global.shell.tcp.proxyProtocol is enabled in the chart
        version: 2  # Only if global.shell.tcp.proxyProtocol is enabled in the chart
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: gitlab-https-redirect
  namespace: gitlab
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: gitlab-security
  namespace: gitlab
spec:
  headers:
    frameDeny: true
    # sslRedirect is deprecated in Traefik v2 and removed in v3; the
    # gitlab-https-redirect middleware on the web route already does this.
    # sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: gitlab-transport
  namespace: gitlab
spec:
  # Only used when Traefik speaks TLS to the backend. Port 8181 on
  # gitlab-webservice-default is plain HTTP (Workhorse) unless Workhorse TLS
  # is enabled in the chart, so in the default setup this transport is inert.
  serverName: gitlab
  # Disables verification of the backend certificate on the hop to
  # webservice. If Workhorse TLS is enabled, prefer rootCAsSecrets with the
  # CA that issued the backend certificate instead of skipping verification.
  insecureSkipVerify: true
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: gitlab-tlsoptions
  namespace: gitlab
spec:
  minVersion: VersionTLS12
  # Only TLS 1.2 suites are configurable here: Traefik is built on Go's
  # crypto/tls, which always enables every TLS 1.3 suite (TLS_AES_*,
  # TLS_CHACHA20_POLY1305_SHA256) and ignores them in this list, and
  # TLS_FALLBACK_SCSV is a downgrade-signalling value, not a cipher.
  # The list as first posted also contained TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  # twice and TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, which Go classes as
  # insecure (CBC-SHA256); those entries are dropped.
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  curvePreferences:
    - CurveP521
    - CurveP384
  # false (the default) serves the default certificate to clients that send
  # no SNI; set to true to reject such connections instead.
  sniStrict: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: gitlab-websecure
  namespace: gitlab
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`gitlab.domain.com`)
      services:
        - name: gitlab-webservice-default
          port: 8181 # Workhorse port of the webservice Service
          serversTransport: gitlab-transport
      middlewares:
        - name: gitlab-security
  tls:
    secretName: gitlab-urbaman # kubernetes.io/tls Secret for gitlab.domain.com (e.g. issued by cert-manager)
    options:
      name: gitlab-tlsoptions
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: gitlab-web
  namespace: gitlab
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`gitlab.domain.com`)
      # A service is mandatory in the CRD, but the redirect middleware
      # answers before the request ever reaches it.
      services:
        - name: gitlab-webservice-default
          port: 8181
      middlewares:
        - name: gitlab-https-redirect

Is there any other service/port to expose, like 8080 for webservice, or some of the KAS ports?

Thank you very much.
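The cipherSuites list in the TLSOption posted in this thread is worth checking against what Traefik's TLS stack actually does with it. Traefik is written in Go and hands the list to crypto/tls, so Go's own cipher-suite tables decide which names are honoured, which are silently ignored and which weaken the configuration. The program below is an added example, not code from the original post, from Traefik or from the GitLab chart: it takes the list as originally posted (copied inline), classifies each entry the way a Go server would treat it, and returns the subset that actually has an effect. The verdict labels and helper names are mine.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// PostedCipherSuites is the cipherSuites list as originally posted in this
// thread, copied inline so the audit runs offline.
var PostedCipherSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
	"TLS_AES_256_GCM_SHA384",
	"TLS_AES_128_GCM_SHA256",
	"TLS_CHACHA20_POLY1305_SHA256",
	"TLS_FALLBACK_SCSV",
}

// Verdict is how a Go crypto/tls based server (Traefik is one) treats a
// configured cipher-suite name. Result is one of: ok, insecure,
// tls13-ignored, not-a-cipher, duplicate, unknown (labels chosen here).
type Verdict struct {
	Name   string
	Result string
}

// knownSuites indexes Go's own secure and insecure suite tables by name.
// Go also accepts the legacy ChaCha20 names without the _SHA256 suffix,
// so those aliases are registered too.
func knownSuites() map[string]*tls.CipherSuite {
	m := map[string]*tls.CipherSuite{}
	for _, list := range [][]*tls.CipherSuite{tls.CipherSuites(), tls.InsecureCipherSuites()} {
		for _, cs := range list {
			m[cs.Name] = cs
			if strings.HasPrefix(cs.Name, "TLS_ECDHE_") && strings.HasSuffix(cs.Name, "_CHACHA20_POLY1305_SHA256") {
				m[strings.TrimSuffix(cs.Name, "_SHA256")] = cs
			}
		}
	}
	return m
}

// onlyTLS13 reports whether the suite can be negotiated solely under TLS 1.3.
func onlyTLS13(cs *tls.CipherSuite) bool {
	if len(cs.SupportedVersions) == 0 {
		return false
	}
	for _, v := range cs.SupportedVersions {
		if v != tls.VersionTLS13 {
			return false
		}
	}
	return true
}

// AuditCipherSuites classifies each name in order, keeping duplicates so
// the report lines up with the configured list.
func AuditCipherSuites(names []string) []Verdict {
	known := knownSuites()
	seen := map[string]bool{}
	out := make([]Verdict, 0, len(names))
	for _, n := range names {
		cs, ok := known[n]
		v := Verdict{Name: n}
		switch {
		case seen[n]:
			v.Result = "duplicate"
		case n == "TLS_FALLBACK_SCSV":
			// RFC 7507 downgrade-signalling value; a Go server never negotiates it.
			v.Result = "not-a-cipher"
		case !ok:
			v.Result = "unknown" // crypto/tls has no suite by this name
		case cs.Insecure:
			v.Result = "insecure" // e.g. the CBC-SHA256 suites
		case onlyTLS13(cs):
			// Go enables every TLS 1.3 suite unconditionally and ignores
			// them in Config.CipherSuites, so listing them is a no-op.
			v.Result = "tls13-ignored"
		default:
			v.Result = "ok"
		}
		seen[n] = true
		out = append(out, v)
	}
	return out
}

// CleanCipherSuites returns what is worth putting in TLSOption.cipherSuites:
// the secure TLS 1.2 suites from names, deduplicated, in their original order.
func CleanCipherSuites(names []string) []string {
	var out []string
	for _, v := range AuditCipherSuites(names) {
		if v.Result == "ok" {
			out = append(out, v.Name)
		}
	}
	return out
}

func main() {
	for _, v := range AuditCipherSuites(PostedCipherSuites) {
		fmt.Printf("%-44s %s\n", v.Name, v.Result)
	}
	fmt.Println("cipherSuites worth keeping:", CleanCipherSuites(PostedCipherSuites))
}
```

Run against the posted list it flags the CBC-SHA256 suite as insecure, the second ChaCha20 entry as a duplicate, the three TLS 1.3 names as ignored and TLS_FALLBACK_SCSV as not a cipher, leaving five ECDHE/AEAD suites that the TLSOption actually controls; the same audit can be pointed at any other list of suite names before it goes into a TLSOption.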