Enterprise-Ready GitLab Configuration: From Community to Production Scale#

GitLab serves as a complete DevOps platform, but transitioning from a basic Community Edition deployment to an enterprise-ready configuration requires careful planning and implementation. This guide provides comprehensive recommendations for creating a robust, scalable, and secure GitLab deployment suitable for enterprise environments.

Current State Assessment#

Based on your shared configuration, you’re running GitLab Community Edition with basic settings. While this works for small teams, enterprise deployments require significant enhancements in several areas:

Edition: Community Edition (CE) → Enterprise Edition (EE)
Architecture: Single instance → High Availability
Storage: Local → External object storage
Database: Internal → External managed database
Security: Basic → Enterprise-grade with SSO, audit logging
Monitoring: Limited → Comprehensive observability

Key Enterprise Enhancements#

1. Upgrade to Enterprise Edition#

GitLab Enterprise Edition provides critical features for enterprise deployments:

1
global:
2
  edition: ee # Change from 'ce' to 'ee'
3

4
  # Enterprise features configuration
5
  appConfig:
6
    seatLink:
7
      enabled: true # License compliance tracking
8

9
    serviceDeskEmail:
10
      enabled: true # IT service desk integration
11

12
    incomingEmail:
13
      enabled: true # Email-based issue creation

Enterprise Edition Benefits:

Advanced authentication (SAML, Kerberos, Smart Card)
Compliance management (audit events, compliance dashboard)
Advanced CI/CD features (multi-project pipelines, security scanning)
Enterprise-grade support options

2. High Availability Configuration#

For enterprise reliability, implement a highly available architecture:

1
global:
2
  # Enable Praefect for Gitaly clustering
3
  praefect:
4
    enabled: true
5
    replaceInternalGitaly: true
6
    virtualStorages:
7
      - name: default
8
        gitalyReplicas: 3 # Multiple Gitaly replicas
9
        maxUnavailable: 1 # Tolerate 1 node failure
10

11
    postgres:
12
      sslMode: require
13

14
# GitLab application replicas
15
gitlab:
16
  webservice:
17
    minReplicas: 3
18
    maxReplicas: 10
19
    hpa:
20
      targetAverageValue: 1 # CPU-based autoscaling
21

22
  sidekiq:
23
    minReplicas: 2
24
    maxReplicas: 5
25

26
  gitlab-shell:
27
    minReplicas: 2
28
    maxReplicas: 5
29

30
# Registry high availability
31
registry:
32
  hpa:
33
    minReplicas: 2
34
    maxReplicas: 5

3. External Database and Redis (Production)#

Use managed services for critical data stores:

1
global:
2
  psql:
3
    host: your-managed-postgresql.example.com
4
    port: 5432
5
    username: gitlab
6
    database: gitlabhq_production
7
    password:
8
      secret: gitlab-postgresql-password
9
      key: postgresql-password
10
    ssl:
11
      secret: gitlab-postgresql-ssl
12
      clientCertificate: cert.pem
13
      clientKey: key.pem
14
      serverCA: ca.pem
15

16
  redis:
17
    host: your-managed-redis.example.com
18
    port: 6379
19
    password:
20
      enabled: true
21
      secret: gitlab-redis-password
22
      key: redis-password
23
    sentinels:
24
      - host: redis-sentinel-1.example.com
25
        port: 26379
26
      - host: redis-sentinel-2.example.com
27
        port: 26379
28
      - host: redis-sentinel-3.example.com
29
        port: 26379
30

31
# Disable internal PostgreSQL and Redis
32
postgresql:
33
  install: false
34

35
redis:
36
  install: false

4. Security Enhancements#

Implement comprehensive security measures:

1
global:
2
  appConfig:
3
    # Smart card authentication
4
    smartcard:
5
      enabled: true
6
      CASecret: smartcard-ca-certs
7
      clientCertificateRequiredHost: smartcard.gitlab.example.com
8

9
    # SAML/SSO configuration
10
    omniauth:
11
      enabled: true
12
      allowSingleSignOn: ["saml"]
13
      autoSignInWithProvider: saml
14
      syncProfileFromProvider: ["saml"]
15
      syncProfileAttributes: ["email"]
16
      blockAutoCreatedUsers: false
17
      providers:
18
        - secret: gitlab-saml
19
          key: provider
20

21
    # LDAP configuration
22
    ldap:
23
      enabled: true
24
      preventSignin: false
25
      servers:
26
        main:
27
          label: "Company LDAP"
28
          host: "ldap.company.com"
29
          port: 636
30
          uid: "sAMAccountName"
31
          bind_dn: "CN=gitlab,OU=Service Accounts,DC=company,DC=com"
32
          password:
33
            secret: gitlab-ldap-password
34
            key: password
35
          encryption: "simple_tls"
36
          verify_certificates: true
37
          smartcard_auth: true
38
          active_directory: true
39
          base: "DC=company,DC=com"
40
          user_filter: "(memberOf=CN=GitLab Users,OU=Groups,DC=company,DC=com)"
41

42
    # Content Security Policy
43
    contentSecurityPolicy:
44
      enabled: true
45
      report_only: false
46
      directives:
47
        default_src: "'self'"
48
        script_src: "'self' 'unsafe-inline' 'unsafe-eval'"
49
        style_src: "'self' 'unsafe-inline'"

5. External Object Storage#

Configure object storage for scalability:

1
global:
2
  appConfig:
3
    object_store:
4
      enabled: true
5
      proxy_download: true
6
      connection:
7
        secret: gitlab-object-storage
8
        key: connection
9

10
    artifacts:
11
      enabled: true
12
      proxy_download: true
13
      bucket: gitlab-artifacts
14
      connection:
15
        secret: gitlab-artifacts-storage
16
        key: connection
17

18
    lfs:
19
      enabled: true
20
      proxy_download: true
21
      bucket: gitlab-lfs-objects
22
      connection:
23
        secret: gitlab-lfs-storage
24
        key: connection
25

26
    uploads:
27
      enabled: true
28
      proxy_download: true
29
      bucket: gitlab-uploads
30
      connection:
31
        secret: gitlab-uploads-storage
32
        key: connection
33

34
    packages:
35
      enabled: true
36
      proxy_download: true
37
      bucket: gitlab-packages
38
      connection:
39
        secret: gitlab-packages-storage
40
        key: connection
41
# Object storage connection secret example
42
# kubectl create secret generic gitlab-object-storage --from-literal=connection="provider: AWS
43
# region: us-east-1
44
# aws_access_key_id: YOUR_ACCESS_KEY
45
# aws_secret_access_key: YOUR_SECRET_KEY"

6. Backup and Disaster Recovery#

Implement comprehensive backup strategies:

1
gitlab:
2
  toolbox:
3
    enabled: true
4
    backups:
5
      cron:
6
        enabled: true
7
        schedule: "0 1 * * *"  # Daily at 1 AM
8
        extraArgs: "--skip registry"  # Customize backup scope
9
      objectStorage:
10
        config:
11
          secret: gitlab-backup-storage
12
          key: config
13

14
# Backup storage configuration
15
global:
16
  appConfig:
17
    backups:
18
      bucket: gitlab-backups
19
      tmpBucket: gitlab-tmp
20

21
# GitLab Geo for disaster recovery (EE feature)
22
global:
23
  geo:
24
    enabled: true
25
    role: primary  # or 'secondary' for secondary sites
26
    nodeName: primary-site
27

28
  psql:
29
    main:
30
      host: primary-postgresql.example.com
31
    ci:
32
      host: primary-postgresql-ci.example.com

7. Monitoring and Observability#

Enhance monitoring capabilities:

1
# Prometheus configuration
2
prometheus:
3
  install: true
4
  alertmanager:
5
    enabled: true
6
  pushgateway:
7
    enabled: true
8
  nodeExporter:
9
    enabled: true
10

11
  serverFiles:
12
    alerting_rules.yml:
13
      groups:
14
        - name: GitLab
15
          rules:
16
            - alert: GitLabHighErrorRate
17
              expr: |
18
                rate(gitlab_transaction_failures_total[5m]) > 0.1
19
              for: 5m
20
              annotations:
21
                summary: "High error rate detected"
22

23
# Grafana for visualization
24
grafana:
25
  enabled: true
26
  adminPassword: your-secure-password
27

28
# Enable GitLab monitoring features
29
global:
30
  monitoring:
31
    enabled: true
32

33
gitlab:
34
  gitlab-exporter:
35
    enabled: true
36
    metrics:
37
      enabled: true

8. SSL/TLS Configuration#

Ensure end-to-end encryption:

1
global:
2
  ingress:
3
    enabled: true
4
    configureCertmanager: true
5
    class: nginx
6
    tls:
7
      enabled: true
8
      secretName: gitlab-tls
9
    annotations:
10
      cert-manager.io/cluster-issuer: letsencrypt-prod
11
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
12
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
13
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
14
      nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
15
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
16

17
# Registry TLS
18
registry:
19
  ingress:
20
    tls:
21
      enabled: true
22
      secretName: registry-tls
23

24
# Enforce HTTPS for all services
25
global:
26
  hosts:
27
    https: true
28
    gitlab:
29
      name: gitlab.company.com
30
      https: true
31
    registry:
32
      name: registry.company.com
33
      https: true
34
    minio:
35
      name: minio.company.com
36
      https: true

9. Advanced Authentication#

Configure enterprise authentication methods:

1
global:
2
  appConfig:
3
    # Kerberos authentication
4
    kerberos:
5
      enabled: true
6
      keytab:
7
        secret: gitlab-kerberos-keytab
8
        key: keytab
9
      servicePrincipalName: HTTP/gitlab.company.com@COMPANY.COM
10
      dedicatedPort:
11
        enabled: true
12
        port: 8443
13
        https: true
14

15
    # JWT authentication for API access
16
    jwtAuthentication:
17
      enabled: true
18
      secret: gitlab-jwt-secret
19
      issuer: gitlab.company.com
20

21
    # Enforce 2FA for all users
22
    twoFactorAuthentication:
23
      enabled: true
24
      gracePeriod: 48

10. Geo Replication (Enterprise Feature)#

For multi-site deployments:

1
# Primary site configuration
2
global:
3
  geo:
4
    enabled: true
5
    role: primary
6
    nodeName: us-east-primary
7

8
  psql:
9
    main:
10
      host: primary-db.us-east.example.com
11

12
# Secondary site configuration (separate deployment)
13
global:
14
  geo:
15
    enabled: true
16
    role: secondary
17
    nodeName: eu-west-secondary
18
    primaryUrl: https://gitlab-primary.company.com
19
    primaryApiUrl: https://gitlab-primary.company.com/api/v4
20

21
  psql:
22
    main:
23
      host: secondary-db.eu-west.example.com

Additional Enterprise Considerations#

Resource Allocation#

Adjust resources based on expected load:

1
gitlab:
2
  webservice:
3
    resources:
4
      requests:
5
        cpu: 4
6
        memory: 8Gi
7
      limits:
8
        cpu: 8
9
        memory: 16Gi
10

11
  sidekiq:
12
    resources:
13
      requests:
14
        cpu: 2
15
        memory: 4Gi
16
      limits:
17
        cpu: 4
18
        memory: 8Gi
19

20
  gitaly:
21
    resources:
22
      requests:
23
        cpu: 4
24
        memory: 8Gi
25
      limits:
26
        cpu: 8
27
        memory: 16Gi

Network Policies#

Implement network security:

1
gitlab:
2
  networkpolicy:
3
    enabled: true
4
    egress:
5
      enabled: true
6
      rules:
7
        - to:
8
            - namespaceSelector:
9
                matchLabels:
10
                  name: gitlab
11
    ingress:
12
      enabled: true
13
      rules:
14
        - from:
15
            - namespaceSelector:
16
                matchLabels:
17
                  name: ingress

Audit Logging#

Enable comprehensive audit logs:

1
global:
2
  appConfig:
3
    auditEvents:
4
      enabled: true
5

6
    # Stream audit events to external system
7
    auditEventStreaming:
8
      enabled: true
9
      externalDestinations:
10
        - name: splunk
11
          destinationUrl: https://splunk.company.com:8088/services/collector
12
          headers:
13
            Authorization: "Splunk YOUR-HEC-TOKEN"
14
          verifySSL: true

Rate Limiting#

Prevent abuse:

1
global:
2
  appConfig:
3
    rateLimit:
4
      enabled: true
5
      requests_per_period: 10
6
      period: 60
7

8
    throttle:
9
      unauthenticated:
10
        enabled: true
11
        requests_per_period: 10
12
        period: 60
13
      authenticated_api:
14
        enabled: true
15
        requests_per_period: 60
16
        period: 60
17
      authenticated_web:
18
        enabled: true
19
        requests_per_period: 60
20
        period: 60

SecurityContext Settings#

Implement pod security:

1
global:
2
  pod:
3
    securityContext:
4
      runAsUser: 1000
5
      fsGroup: 1000
6
      runAsNonRoot: true
7

8
gitlab:
9
  webservice:
10
    containerSecurityContext:
11
      runAsUser: 1000
12
      allowPrivilegeEscalation: false
13
      readOnlyRootFilesystem: true
14
      capabilities:
15
        drop:
16
          - ALL

Migration Strategy#

Assessment Phase:
- Audit current usage patterns
- Identify required enterprise features
- Plan resource requirements
Preparation Phase:
- Set up external databases and object storage
- Configure authentication providers
- Prepare monitoring infrastructure
Migration Phase:
- Backup existing data
- Test migration in staging environment
- Perform rolling upgrade to EE
- Enable enterprise features incrementally
Validation Phase:
- Verify all services are operational
- Test authentication flows
- Validate backup and restore procedures
- Performance testing

Conclusion#

Transforming GitLab from a basic Community Edition deployment to an enterprise-ready platform requires careful planning and implementation across multiple dimensions. The configurations provided here address:

Reliability: High availability, automated failover, disaster recovery
Security: Enterprise authentication, audit logging, network policies
Scalability: External storage, horizontal scaling, performance optimization
Compliance: Audit trails, access controls, data residency
Operations: Comprehensive monitoring, automated backups, maintenance windows

These recommendations create a robust foundation for enterprise GitLab deployments, ensuring your DevOps platform can support organizational growth while maintaining security and compliance requirements.