How to Integrate GitLab with External MinIO and CertManager for Secure Cloud‑Native Storage
This guide walks you through configuring GitLab to use an external MinIO object store and CertManager for TLS certificates, covering credential setup, bucket creation, Helm chart adjustments, secret management, and verification steps to achieve a secure, efficient cloud‑native deployment.
In modern software development, GitLab serves as a DevOps platform for project management and code collaboration, MinIO provides high‑performance S3‑compatible object storage, and CertManager automates TLS certificate issuance and renewal inside Kubernetes. Pointing GitLab at an external MinIO instance and an existing CertManager keeps bulk data out of the GitLab pods and puts every ingress behind a certificate issued by a CA you control.
GitLab Integration with MinIO
1. Create a MinIO Access Key (AK) and Secret Key (SK) for GitLab and record them for later use. Use a dedicated key whose policy is limited to the GitLab buckets rather than the MinIO root credentials.
2. Create the 11 buckets referenced in the values below (gitlab-registry, gitlab-artifacts, gitlab-backups, gitlab-tmp, gitlab-lfs, gitlab-packages, gitlab-uploads, gitlab-mr-diffs, gitlab-ci-secure-files, gitlab-dependency-proxy, gitlab-terraform-state).
3. Configure GitLab to connect to the external MinIO by adding the following to the Helm values file.
<code>global:
  # Disable the chart's bundled MinIO
  minio:
    enabled: false
  # Only needed when the external MinIO presents a self-signed or private-CA certificate; omit this block otherwise
  certificates:
    customCAs:
      - secret: conn-s3-ca-cert
  registry:
    bucket: gitlab-registry
  appConfig:
    artifacts:
      bucket: gitlab-artifacts
      connection:
        key: connection
        secret: gitlab-s3-storage
    backups:
      bucket: gitlab-backups
      tmpBucket: gitlab-tmp
      connection:
        key: connection
        secret: gitlab-s3-storage
    lfs:
      bucket: gitlab-lfs
      connection:
        key: connection
        secret: gitlab-s3-storage
    packages:
      bucket: gitlab-packages
      connection:
        key: connection
        secret: gitlab-s3-storage
    uploads:
      bucket: gitlab-uploads
      connection:
        key: connection
        secret: gitlab-s3-storage
    externalDiffs:
      bucket: gitlab-mr-diffs
      connection:
        key: connection
        secret: gitlab-s3-storage
    ciSecureFiles:
      bucket: gitlab-ci-secure-files
      connection:
        key: connection
        secret: gitlab-s3-storage
    dependencyProxy:
      bucket: gitlab-dependency-proxy
      connection:
        key: connection
        secret: gitlab-s3-storage
    terraformState:
      bucket: gitlab-terraform-state
      connection:
        key: connection
        secret: gitlab-s3-storage
gitlab:
  toolbox:
    backups:
      objectStorage:
        backend: s3
        config:
          key: connection
          secret: gitlab-s3-storage
registry:
  storage:
    secret: registry-storage
    key: config</code>
4. Create the S3 connection configuration and store it in the secrets the values above reference.
<code># GitLab MinIO connection configuration (key "connection" in secret gitlab-s3-storage)
cat <<'EOF' | tee /tmp/gitlab_conn_s3.yaml > /dev/null
provider: AWS
aws_access_key_id: xxxx        # Access Key from step 1
aws_secret_access_key: xxxx    # Secret Key from step 1
endpoint: "https://s3.jiaxzeng.com:443"
path_style: true
EOF
kubectl -n gitlab create secret generic gitlab-s3-storage --from-file=connection=/tmp/gitlab_conn_s3.yaml
# Registry MinIO connection configuration (key "config" in secret registry-storage)
cat <<'EOF' | tee /tmp/registry.s3.yaml > /dev/null
s3:
  bucket: gitlab-registry
  accesskey: xxxx              # Access Key from step 1
  secretkey: xxxx              # Secret Key from step 1
  regionendpoint: https://s3.jiaxzeng.com:443
  region: us-east-1
  v4auth: true
EOF
kubectl -n gitlab create secret generic registry-storage --from-file=config=/tmp/registry.s3.yaml
# Create the secret holding the MinIO CA certificate (skip if MinIO uses a publicly trusted certificate or plain HTTP)
kubectl -n gitlab create secret generic conn-s3-ca-cert --from-file=s3.crt=/home/ops/s3.crt</code>
Both temporary files contain the MinIO credentials in clear text; delete them once the secrets exist.
5. Upgrade the GitLab Helm release to apply the new configuration.
<code>helm -n gitlab upgrade gitlab -f /etc/kubernetes/addons/gitlab-values.yaml /etc/kubernetes/addons/gitlab
Release "gitlab" has been upgraded. Happy Helming!
NAME: gitlab
LAST DEPLOYED: Sun Jan 19 19:59:21 2025
NAMESPACE: gitlab
STATUS: deployed
REVISION: 2
=== CRITICAL
The following charts are included for evaluation purposes only. They will not be supported by GitLab Support for production workloads. Use Cloud Native Hybrid deployments for production. See https://docs.gitlab.com/charts/installation/index.html#use-the-reference-architectures.
=== NOTICE
The minimum required version of PostgreSQL is now 13. See https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/installation/upgrade.md for more details.</code>
GitLab Integration with CertManager
1. Ensure CertManager is running and can automatically issue certificates.
2. Configure GitLab to use the external CertManager.
<code>global:
  ingress:
    # Use the externally managed CertManager instead of letting the chart configure one
    configureCertmanager: false
    # Name the ClusterIssuer (or Issuer) that signs the ingress certificates
    annotations:
      cert-manager.io/cluster-issuer: ca-cluster-issuer
    class: nginx
gitlab:
  kas:
    ingress:
      tls:
        secretName: kas-tls-cert-secret
  webservice:
    ingress:
      tls:
        secretName: gitlab-tls-cert-secret
registry:
  ingress:
    tls:
      secretName: registry-tls-cert-secret
certmanager:
  install: false</code>
Tip: although none of the values above name a GitLab CA certificate secret, the chart still requires one to exist; if it is missing, the pods fail to start.
3. Create the GitLab CA certificate secret.
<code>kubectl -n gitlab create secret generic gitlab-wildcard-tls-ca --from-file=gitlab-wildcard-tls-ca.crt=/tmp/gitlab-wildcard-tls-ca.crt</code>
Tip: keep the secret name exactly as shown. The file is the certificate of the CA that CertManager (through ca-cluster-issuer) used to sign the three ingress TLS secrets, so it must be that CA and not an unrelated one.
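To tie the MinIO and CertManager procedures above together, the script below is an added example (it is not from the original post or from the GitLab project). It renders the two S3 configuration documents from environment variables instead of editing files with credentials by hand, creates the secrets idempotently, and then checks that the CA placed in gitlab-wildcard-tls-ca actually signed the certificates CertManager issued for the three ingresses; a mismatch there is exactly what the tip above warns against. The endpoint, namespace, the `minio` alias for `mc`, the `MINIO_AK`/`MINIO_SK`/`S3_CA` variables and the `RUN_SETUP` guard are assumptions; `kubectl`, `openssl` and `mc` must be on the PATH.

```shell
#!/bin/sh
# Added example (not the original post's code): render GitLab's S3 configuration,
# create the Kubernetes secrets, and verify the issuer CA against the ingress certs.
# Assumptions: credentials in $MINIO_AK/$MINIO_SK, optional MinIO CA file in $S3_CA,
# an "mc" alias named "minio", and placeholder endpoint/namespace values below.
set -eu

NS="${NS:-gitlab}"
S3_ENDPOINT="${S3_ENDPOINT:-https://s3.example.internal:443}"

# The eleven buckets referenced by the Helm values.
gitlab_buckets() {
  printf '%s\n' gitlab-registry gitlab-artifacts gitlab-backups gitlab-tmp gitlab-lfs \
    gitlab-packages gitlab-uploads gitlab-mr-diffs gitlab-ci-secure-files \
    gitlab-dependency-proxy gitlab-terraform-state
}

# Refuse plain-HTTP endpoints: the access key and secret would cross the network in clear text.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "endpoint must use https: $1" >&2; return 1 ;;
  esac
}

# Connection document consumed by global.appConfig.*.connection (key "connection").
render_gitlab_connection() {  # args: access_key secret_key endpoint
  cat <<EOF
provider: AWS
aws_access_key_id: $1
aws_secret_access_key: $2
endpoint: "$3"
path_style: true
EOF
}

# Registry storage document consumed by registry.storage (key "config").
render_registry_config() {  # args: access_key secret_key endpoint bucket
  cat <<EOF
s3:
  bucket: $4
  accesskey: $1
  secretkey: $2
  regionendpoint: $3
  region: us-east-1
  v4auth: true
EOF
}

# Create or update a generic secret from one file key, so re-runs do not fail on "already exists".
apply_secret_from_file() {  # args: name key path
  kubectl -n "$NS" create secret generic "$1" --from-file="$2=$3" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Succeeds only if leaf certificate $2 chains to CA certificate $1.
verify_leaf_against_ca() {  # args: ca.crt leaf.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Decode one PEM entry (e.g. tls.crt) of a secret into a file; dots in the key must be escaped.
secret_cert_to_file() {  # args: secret key outfile
  kubectl -n "$NS" get secret "$1" -o "jsonpath={.data.$2}" | base64 -d > "$3"
}

main() {
  : "${MINIO_AK:?set MINIO_AK}" "${MINIO_SK:?set MINIO_SK}"
  require_https "$S3_ENDPOINT"
  umask 077                            # temp files hold credentials: owner-readable only
  work="$(mktemp -d)"; trap 'rm -rf "$work"' EXIT

  gitlab_buckets | while read -r b; do mc mb --ignore-existing "minio/$b"; done

  render_gitlab_connection "$MINIO_AK" "$MINIO_SK" "$S3_ENDPOINT" > "$work/connection.yaml"
  render_registry_config "$MINIO_AK" "$MINIO_SK" "$S3_ENDPOINT" gitlab-registry > "$work/registry.yaml"
  apply_secret_from_file gitlab-s3-storage connection "$work/connection.yaml"
  apply_secret_from_file registry-storage config "$work/registry.yaml"
  if [ -f "${S3_CA:-/dev/null}" ]; then
    apply_secret_from_file conn-s3-ca-cert s3.crt "$S3_CA"
  fi

  # CA check: the CA in gitlab-wildcard-tls-ca must have signed every ingress certificate.
  secret_cert_to_file gitlab-wildcard-tls-ca 'gitlab-wildcard-tls-ca\.crt' "$work/ca.crt"
  for s in gitlab-tls-cert-secret registry-tls-cert-secret kas-tls-cert-secret; do
    secret_cert_to_file "$s" 'tls\.crt' "$work/$s.crt"
    verify_leaf_against_ca "$work/ca.crt" "$work/$s.crt" \
      || { echo "$s was not signed by the CA in gitlab-wildcard-tls-ca" >&2; exit 1; }
  done
}

# Run the full procedure only when explicitly asked, so the file can also be sourced for its helpers.
if [ "${RUN_SETUP:-0}" = 1 ]; then main "$@"; fi
```

Run it as `RUN_SETUP=1 MINIO_AK=… MINIO_SK=… S3_ENDPOINT=https://… sh setup.sh` after `mc alias set minio <endpoint> <ak> <sk>`. The rendered files live in a `mktemp` directory created under `umask 077` and are removed on exit, so the credentials never sit in a world-readable /tmp path; `openssl verify` is the same check the GitLab pods effectively perform when they trust the CA secret for calls between webservice, registry and kas.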
Verification
Set a user avatar in GitLab; the image is written to the gitlab-uploads bucket. Log out and back in to confirm the avatar still renders, and list the gitlab-uploads bucket in MinIO to confirm the object is there.
Conclusion
By following these steps, GitLab is successfully connected to external MinIO for object storage and to CertManager for TLS certificates, improving storage efficiency, reliability, and data transmission security. Adjust configurations further based on specific business needs and environment characteristics.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.