Merge branch 'pokstad1-docs-gitaly-tls-client-cert-support' into 'master'

Update Gitaly docs to mention TLS client certificate support See merge request gitlab-org/gitlab!47954

Merge branch 'pokstad1-docs-gitaly-tls-client-cert-support' into 'master'
Update Gitaly docs to mention TLS client certificate support See merge request gitlab-org/gitlab!47954
488df6e0 · Evan Read · 478c1c41 · d5633fbb · 488df6e0
Commit 488df6e0 authored Nov 18, 2020 by Evan Read
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

doc/administration/gitaly/index.md doc/administration/gitaly/index.md +7 -1

No files found.
--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -529,12 +529,18 @@ To disable Gitaly on a GitLab server:

 ## Enable TLS support

-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22602) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22602) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/3160) in GitLab 13.6, outgoing TLS connections to GitLab provide client certificates if configured.

 Gitaly supports TLS encryption. To communicate with a Gitaly instance that listens for secure
 connections, you must use `tls://` URL scheme in the `gitaly_address` of the corresponding
 storage entry in the GitLab configuration.

+Gitaly provides the same server certificates as client certificates in TLS
+connections to GitLab. This can be used as part of a mutual TLS authentication strategy
+when combined with reverse proxies (for example, NGINX) that validate client certificate
+to grant access to GitLab.
+
 You must supply your own certificates as this isn't provided automatically. The certificate
 corresponding to each Gitaly server must be installed on that Gitaly server.