Update Gitaly docs to mention TLS client certificate support

d5633fbb · Paul Okstad · Evan Read · e6ab0561 · d5633fbb
Commit d5633fbb authored Nov 18, 2020 by Paul Okstad Committed by Evan Read Nov 18, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

doc/administration/gitaly/index.md doc/administration/gitaly/index.md +7 -1

No files found.
--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -529,12 +529,18 @@ To disable Gitaly on a GitLab server:

 ## Enable TLS support

-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22602) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22602) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/3160) in GitLab 13.6, outgoing TLS connections to GitLab provide client certificates if configured.

 Gitaly supports TLS encryption. To communicate with a Gitaly instance that listens for secure
 connections, you must use `tls://` URL scheme in the `gitaly_address` of the corresponding
 storage entry in the GitLab configuration.

+Gitaly provides the same server certificates as client certificates in TLS
+connections to GitLab. This can be used as part of a mutual TLS authentication strategy
+when combined with reverse proxies (for example, NGINX) that validate client certificate
+to grant access to GitLab.
+
 You must supply your own certificates as this isn't provided automatically. The certificate
 corresponding to each Gitaly server must be installed on that Gitaly server.