Enterprise-Ready GitLab Configuration: From Community to Production Scale
GitLab serves as a complete DevOps platform, but transitioning from a basic Community Edition deployment to an enterprise-ready configuration requires careful planning and implementation. This guide provides comprehensive recommendations for creating a robust, scalable, and secure GitLab deployment suitable for enterprise environments.
Current State Assessment
Based on your shared configuration, you’re running GitLab Community Edition with basic settings. While this works for small teams, enterprise deployments require significant enhancements in several areas:
- Edition: Community Edition (CE) → Enterprise Edition (EE)
- Architecture: Single instance → High Availability
- Storage: Local → External object storage
- Database: Internal → External managed database
- Security: Basic → Enterprise-grade with SSO, audit logging
- Monitoring: Limited → Comprehensive observability
Key Enterprise Enhancements
1. Upgrade to Enterprise Edition
GitLab Enterprise Edition provides critical features for enterprise deployments:
global:
edition: ee # Change from 'ce' to 'ee'
# Enterprise features configuration
appConfig:
seatLink:
enabled: true # License compliance tracking
serviceDeskEmail:
enabled: true # IT service desk integration
incomingEmail:
enabled: true # Email-based issue creation
Enterprise Edition Benefits:
- Advanced authentication (SAML, Kerberos, Smart Card)
- Compliance management (audit events, compliance dashboard)
- Advanced CI/CD features (multi-project pipelines, security scanning)
- Enterprise-grade support options
2. High Availability Configuration
For enterprise reliability, implement a highly available architecture:
global:
# Enable Praefect for Gitaly clustering
praefect:
enabled: true
replaceInternalGitaly: true
virtualStorages:
- name: default
gitalyReplicas: 3 # Multiple Gitaly replicas
maxUnavailable: 1 # Tolerate 1 node failure
postgres:
sslMode: require
# GitLab application replicas
gitlab:
webservice:
minReplicas: 3
maxReplicas: 10
hpa:
targetAverageValue: 1 # CPU-based autoscaling
sidekiq:
minReplicas: 2
maxReplicas: 5
gitlab-shell:
minReplicas: 2
maxReplicas: 5
# Registry high availability
registry:
hpa:
minReplicas: 2
maxReplicas: 5
3. External Database and Redis (Production)
Use managed services for critical data stores:
global:
psql:
host: your-managed-postgresql.example.com
port: 5432
username: gitlab
database: gitlabhq_production
password:
secret: gitlab-postgresql-password
key: postgresql-password
ssl:
secret: gitlab-postgresql-ssl
clientCertificate: cert.pem
clientKey: key.pem
serverCA: ca.pem
redis:
host: your-managed-redis.example.com
port: 6379
password:
enabled: true
secret: gitlab-redis-password
key: redis-password
sentinels:
- host: redis-sentinel-1.example.com
port: 26379
- host: redis-sentinel-2.example.com
port: 26379
- host: redis-sentinel-3.example.com
port: 26379
# Disable internal PostgreSQL and Redis
postgresql:
install: false
redis:
install: false
4. Security Enhancements
Implement comprehensive security measures:
global:
appConfig:
# Smart card authentication
smartcard:
enabled: true
CASecret: smartcard-ca-certs
clientCertificateRequiredHost: smartcard.gitlab.example.com
# SAML/SSO configuration
omniauth:
enabled: true
allowSingleSignOn: ["saml"]
autoSignInWithProvider: saml
syncProfileFromProvider: ["saml"]
syncProfileAttributes: ["email"]
blockAutoCreatedUsers: false
providers:
- secret: gitlab-saml
key: provider
# LDAP configuration
ldap:
enabled: true
preventSignin: false
servers:
main:
label: "Company LDAP"
host: "ldap.company.com"
port: 636
uid: "sAMAccountName"
bind_dn: "CN=gitlab,OU=Service Accounts,DC=company,DC=com"
password:
secret: gitlab-ldap-password
key: password
encryption: "simple_tls"
verify_certificates: true
smartcard_auth: true
active_directory: true
base: "DC=company,DC=com"
user_filter: "(memberOf=CN=GitLab Users,OU=Groups,DC=company,DC=com)"
# Content Security Policy
contentSecurityPolicy:
enabled: true
report_only: false
directives:
default_src: "'self'"
script_src: "'self' 'unsafe-inline' 'unsafe-eval'"
style_src: "'self' 'unsafe-inline'"
5. External Object Storage
Configure object storage for scalability:
global:
appConfig:
object_store:
enabled: true
proxy_download: true
connection:
secret: gitlab-object-storage
key: connection
artifacts:
enabled: true
proxy_download: true
bucket: gitlab-artifacts
connection:
secret: gitlab-artifacts-storage
key: connection
lfs:
enabled: true
proxy_download: true
bucket: gitlab-lfs-objects
connection:
secret: gitlab-lfs-storage
key: connection
uploads:
enabled: true
proxy_download: true
bucket: gitlab-uploads
connection:
secret: gitlab-uploads-storage
key: connection
packages:
enabled: true
proxy_download: true
bucket: gitlab-packages
connection:
secret: gitlab-packages-storage
key: connection
# Object storage connection secret example
# kubectl create secret generic gitlab-object-storage --from-literal=connection="provider: AWS
# region: us-east-1
# aws_access_key_id: YOUR_ACCESS_KEY
# aws_secret_access_key: YOUR_SECRET_KEY"
6. Backup and Disaster Recovery
Implement comprehensive backup strategies:
gitlab:
toolbox:
enabled: true
backups:
cron:
enabled: true
schedule: "0 1 * * *" # Daily at 1 AM
extraArgs: "--skip registry" # Customize backup scope
objectStorage:
config:
secret: gitlab-backup-storage
key: config
# Backup storage configuration
global:
appConfig:
backups:
bucket: gitlab-backups
tmpBucket: gitlab-tmp
# GitLab Geo for disaster recovery (EE feature)
global:
geo:
enabled: true
role: primary # or 'secondary' for secondary sites
nodeName: primary-site
psql:
main:
host: primary-postgresql.example.com
ci:
host: primary-postgresql-ci.example.com
7. Monitoring and Observability
Enhance monitoring capabilities:
# Prometheus configuration
prometheus:
install: true
alertmanager:
enabled: true
pushgateway:
enabled: true
nodeExporter:
enabled: true
serverFiles:
alerting_rules.yml:
groups:
- name: GitLab
rules:
- alert: GitLabHighErrorRate
expr: |
rate(gitlab_transaction_failures_total[5m]) > 0.1
for: 5m
annotations:
summary: "High error rate detected"
# Grafana for visualization
grafana:
enabled: true
adminPassword: your-secure-password
# Enable GitLab monitoring features
global:
monitoring:
enabled: true
gitlab:
gitlab-exporter:
enabled: true
metrics:
enabled: true
8. SSL/TLS Configuration
Ensure end-to-end encryption:
global:
ingress:
enabled: true
configureCertmanager: true
class: nginx
tls:
enabled: true
secretName: gitlab-tls
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
# Registry TLS
registry:
ingress:
tls:
enabled: true
secretName: registry-tls
# Enforce HTTPS for all services
global:
hosts:
https: true
gitlab:
name: gitlab.company.com
https: true
registry:
name: registry.company.com
https: true
minio:
name: minio.company.com
https: true
9. Advanced Authentication
Configure enterprise authentication methods:
global:
appConfig:
# Kerberos authentication
kerberos:
enabled: true
keytab:
secret: gitlab-kerberos-keytab
key: keytab
servicePrincipalName: HTTP/gitlab.company.com@COMPANY.COM
dedicatedPort:
enabled: true
port: 8443
https: true
# JWT authentication for API access
jwtAuthentication:
enabled: true
secret: gitlab-jwt-secret
issuer: gitlab.company.com
# Enforce 2FA for all users
twoFactorAuthentication:
enabled: true
gracePeriod: 48
10. Geo Replication (Enterprise Feature)
For multi-site deployments:
# Primary site configuration
global:
geo:
enabled: true
role: primary
nodeName: us-east-primary
psql:
main:
host: primary-db.us-east.example.com
# Secondary site configuration (separate deployment)
global:
geo:
enabled: true
role: secondary
nodeName: eu-west-secondary
primaryUrl: https://gitlab-primary.company.com
primaryApiUrl: https://gitlab-primary.company.com/api/v4
psql:
main:
host: secondary-db.eu-west.example.com
Additional Enterprise Considerations
Resource Allocation
Adjust resources based on expected load:
gitlab:
webservice:
resources:
requests:
cpu: 4
memory: 8Gi
limits:
cpu: 8
memory: 16Gi
sidekiq:
resources:
requests:
cpu: 2
memory: 4Gi
limits:
cpu: 4
memory: 8Gi
gitaly:
resources:
requests:
cpu: 4
memory: 8Gi
limits:
cpu: 8
memory: 16Gi
Network Policies
Implement network security:
gitlab:
networkpolicy:
enabled: true
egress:
enabled: true
rules:
- to:
- namespaceSelector:
matchLabels:
name: gitlab
ingress:
enabled: true
rules:
- from:
- namespaceSelector:
matchLabels:
name: ingress
Audit Logging
Enable comprehensive audit logs:
global:
appConfig:
auditEvents:
enabled: true
# Stream audit events to external system
auditEventStreaming:
enabled: true
externalDestinations:
- name: splunk
destinationUrl: https://splunk.company.com:8088/services/collector
headers:
Authorization: "Splunk YOUR-HEC-TOKEN"
verifySSL: true
Rate Limiting
Prevent abuse:
global:
appConfig:
rateLimit:
enabled: true
requests_per_period: 10
period: 60
throttle:
unauthenticated:
enabled: true
requests_per_period: 10
period: 60
authenticated_api:
enabled: true
requests_per_period: 60
period: 60
authenticated_web:
enabled: true
requests_per_period: 60
period: 60
SecurityContext Settings
Implement pod security:
global:
pod:
securityContext:
runAsUser: 1000
fsGroup: 1000
runAsNonRoot: true
gitlab:
webservice:
containerSecurityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
Migration Strategy
-
Assessment Phase:
- Audit current usage patterns
- Identify required enterprise features
- Plan resource requirements
-
Preparation Phase:
- Set up external databases and object storage
- Configure authentication providers
- Prepare monitoring infrastructure
-
Migration Phase:
- Backup existing data
- Test migration in staging environment
- Perform rolling upgrade to EE
- Enable enterprise features incrementally
-
Validation Phase:
- Verify all services are operational
- Test authentication flows
- Validate backup and restore procedures
- Performance testing
Conclusion
Transforming GitLab from a basic Community Edition deployment to an enterprise-ready platform requires careful planning and implementation across multiple dimensions. The configurations provided here address:
- Reliability: High availability, automated failover, disaster recovery
- Security: Enterprise authentication, audit logging, network policies
- Scalability: External storage, horizontal scaling, performance optimization
- Compliance: Audit trails, access controls, data residency
- Operations: Comprehensive monitoring, automated backups, maintenance windows
These recommendations create a robust foundation for enterprise GitLab deployments, ensuring your DevOps platform can support organizational growth while maintaining security and compliance requirements.