diff --git a/README.md b/README.md index 7ba71d8..3a81787 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ 6. [ДЗ № 18 - Введение в Kubernetes #1](#hw18) 7. [ДЗ № 19 - Основные модели безопасности и контроллеры в Kubernetes](#hw19) 8. [ДЗ № 20 - Ingress-контроллеры и сервисы в Kubernetes](#hw20) +9. [ДЗ № 21 - Интеграция Kubernetes в GitlabCI](#hw21) --- @@ -646,5 +647,89 @@ type: kubernetes.io/tls ## Как проверить работоспособность: +--- + +# Выполнено ДЗ № 21 - Интеграция Kubernetes в GitlabCI + + - [x] Основное ДЗ + - [x] Задание с ⭐ Свяжите пайплайны сборки образов и пайплайн деплоя на staging и production так, чтобы после релиза образа из ветки мастер запускался деплой уже новой версии приложения на production + +## В процессе сделано: + +1. Подготовил и задеплоил Helm-чарты приложения + +2. Запустил GitLab в Kubernetes (Helm Chart) +![GitLab pods](/images/hw31-gitlab-pods.png) + +3. Интегрировал GitLab CI с Kubernetes (GitLab Agent) +![GitLab Agent](/images/hw31-gitlab-k8s-agent.png) + +Helm-чарт задеплоен из пайплайна: +```shell +$ helm ls -A +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +gitlab default 1 2023-11-27 14:49:36.856534818 +0200 EET deployed gitlab-7.6.0 v16.6.0 +review-voitenkov-k4huzk review 1 2023-11-28 22:41:07.468403722 +0000 UTC deployed reddit-0.1.0 +yc-k8s gitlab-agent-yc-k8s 1 2023-11-28 00:42:39.056428334 +0200 EET deployed gitlab-agent-1.21.0 v16.6.0 +``` + +Приложение работает: +```shell +$ k get all -n review +NAME READY STATUS RESTARTS AGE +pod/review-voitenkov-k4huzk-comment-6c59bb66cf-2d89s 1/1 Running 0 78s +pod/review-voitenkov-k4huzk-mongodb-8597c77cf5-hl96h 1/1 Running 0 78s +pod/review-voitenkov-k4huzk-post-84b7df8b67-zwq4j 1/1 Running 0 78s +pod/review-voitenkov-k4huzk-ui-77c68d7898-672ps 1/1 Running 0 78s +pod/review-voitenkov-k4huzk-ui-77c68d7898-w25lg 1/1 Running 0 78s +pod/review-voitenkov-k4huzk-ui-77c68d7898-xbj72 1/1 Running 0 78s + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/mongodb ClusterIP 10.112.187.88 27017/TCP 79s +service/review-voitenkov-k4huzk-comment ClusterIP 10.112.132.27 9292/TCP 79s +service/review-voitenkov-k4huzk-post ClusterIP 10.112.170.77 5000/TCP 79s +service/ui NodePort 10.112.177.3 80:32092/TCP 79s + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/review-voitenkov-k4huzk-comment 1/1 1 1 79s +deployment.apps/review-voitenkov-k4huzk-mongodb 1/1 1 1 79s +deployment.apps/review-voitenkov-k4huzk-post 1/1 1 1 79s +deployment.apps/review-voitenkov-k4huzk-ui 3/3 3 3 79s + +NAME DESIRED CURRENT READY AGE +replicaset.apps/review-voitenkov-k4huzk-comment-6c59bb66cf 1 1 1 79s +replicaset.apps/review-voitenkov-k4huzk-mongodb-8597c77cf5 1 1 1 79s +replicaset.apps/review-voitenkov-k4huzk-post-84b7df8b67 1 1 1 79s +replicaset.apps/review-voitenkov-k4huzk-ui-77c68d7898 3 3 3 79s +``` + +4. Настроил пайплайн для динамических окружений +![GitLab pipeline](/images/hw31-gitlab-pipeline.png) +![GitLab dynamic environments](/images/hw31-gitlab-env-dyn.png) + +5. Настроил пайплайн для cтатических окружений +![GitLab pipeline](/images/hw31-gitlab-env-static.png) + +Staging и Production приложения запущены: +```shell +$ helm ls -A +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +gitlab default 1 2023-11-27 14:49:36.856534818 +0200 EET deployed gitlab-7.6.0 v16.6.0 +production production 1 2023-11-29 20:38:39.97173519 +0000 UTC deployed reddit-0.1.0 +staging staging 2 2023-11-29 20:35:39.543122209 +0000 UTC deployed reddit-0.1.0 +yc-k8s gitlab-agent-yc-k8s 1 2023-11-28 00:42:39.056428334 +0200 EET deployed gitlab-agent-1.21.0 v16.6.0 +``` +![GitLab pipeline](/images/hw31-gitlab-pods-prod.png) + +6. Изучил auto-devops стиль пайплайнов, перевел их в "пайплайн здорового человека". Если скрипты огромные, то auto-devops будет лучше имхо. + +### Задание с ⭐ Свяжите пайплайны сборки образов и пайплайн деплоя на staging и production так, чтобы после релиза образа из ветки мастер запускался деплой уже новой версии приложения на production +см. [kubernetes/Charts/gitlabci/.gitlab-ci-auto-deploy-to-prod.yml](kubernetes/Charts/gitlabci/.gitlab-ci-auto-deploy-to-prod.yml) + +## Как запустить проект: + +## Как проверить работоспособность: + + ## PR checklist: - [x] Выставлен label с темой домашнего задания diff --git a/docker-monolith/db_config b/docker-monolith/db_config deleted file mode 100644 index 237d4cf..0000000 --- a/docker-monolith/db_config +++ /dev/null @@ -1 +0,0 @@ -DATABASE_URL=127.0.0.1 diff --git a/docker-monolith/docker-1.log b/docker-monolith/docker-1.log deleted file mode 100644 index a63cbaf..0000000 --- a/docker-monolith/docker-1.log +++ /dev/null @@ -1,23 +0,0 @@ -REPOSITORY TAG IMAGE ID CREATED SIZE -kube-iptables-tailer v0.1.0 52b58985c629 9 days ago 50.5MB - ea5e2b0f5d8a 9 days ago 1.07GB -alpine latest 8ca4688f4f35 2 weeks ago 7.34MB -voitenkov/k8s-mysql-operator 0.0.8 93e2505fb3fe 5 weeks ago 1.05GB -voitenkov/k8s-mysql-operator latest 93e2505fb3fe 5 weeks ago 1.05GB -voitenkov/k8s-mysql-operator 0.0.7 018e088b507b 5 weeks ago 1.05GB -voitenkov/k8s-mysql-operator 0.0.6 45a89d352495 5 weeks ago 1.05GB -voitenkov/k8s-mysql-operator 0.0.5 59cfca21b131 5 weeks ago 1.05GB -voitenkov/k8s-mysql-operator 0.0.4 ceed383e6cb4 5 weeks ago 1.05GB -python 3.7 513ca0003f15 2 months ago 994MB -gcr.io/k8s-minikube/kicbase v0.0.39 67a4b1138d2d 6 months ago 1.05GB -golang 1.15 40349a2425ef 2 years ago 840MB -hashicorp/packer 1.6.4 e86103eea021 3 years ago 181MB - -Образ - базовый образ плюс совокупность дополнительных слоев, созданных при сборке образа с использованием Dockerfile. -Исходный образ при запуске контейнера не изменяется, но на его основе формируется файловая система контейнера. -Хранится на диске или в репозитории. -docker inspect выводит список слоев с их идентификаторами (hash) - -Контейнер создается из образа, содержит все слои образа, из которого он построен плюс новый слой, изменяемыей процессами, запущенными в контейнере. -Контейнер может быть запущен, остановлен. Во время запуска контейнера в нем запускаются процессы, процессы изменяют слой исполнения. -docker inspect также показывает много дополнительной информации, хранящейся в контейнере: статус контейнера, сетевые настройки, запущенные процессы, прочая конфигурация среды контейнера. diff --git a/docker-monolith/infra/.gitignore b/docker-monolith/infra/.gitignore deleted file mode 100755 index 1af13f4..0000000 --- a/docker-monolith/infra/.gitignore +++ /dev/null @@ -1,46 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# terraform lock files -.terraform.lock.hcl - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -*.tfvars -*.tfvars.json - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -# Ignore CLI configuration files -.terraformrc -terraform.rc - -# keys -.secrets/* -secrets.* - -# ansible -*.retry -key.json -vault.key diff --git a/docker-monolith/infra/ansible.cfg b/docker-monolith/infra/ansible.cfg deleted file mode 100644 index dc2556e..0000000 --- a/docker-monolith/infra/ansible.cfg +++ /dev/null @@ -1,18 +0,0 @@ -[defaults] -# Настройки для Dynamic Inventory -inventory = yc_compute.yaml -enable_plugins = community.general.yc_compute -remote_user = ubuntu -private_key_file = ~/.ssh/yc -# Отключим проверку SSH Host-keys (поскольку они всегда разные для новых инстансов) -host_key_checking = False -# Отключим создание *.retry-файлов (они нечасто нужны, но мешаются под руками) -retry_files_enabled = False -# Явно укажем расположение ролей (можно задать несколько путей через ; ) -# roles_path = ./roles -# vault_password_file = vault.key - -[diff] -# Включим обязательный вывод diff при наличии изменений и вывод 5 строк контекста -always = True -context = 5 diff --git a/docker-monolith/infra/app_ansible.json b/docker-monolith/infra/app_ansible.json deleted file mode 100644 index 0f23381..0000000 --- a/docker-monolith/infra/app_ansible.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "builders": [ - { - "type": "yandex", - "service_account_key_file": "{{user `service_account_key_file`}}", - "folder_id": "{{user `folder_id`}}", - "source_image_family": "{{user `source_image_family`}}", - "image_name": "{{user `app_name`}}-app-docker-{{timestamp}}", - "image_family": "{{user `app_name`}}-app-docker", - "ssh_username": "{{user `ssh_username`}}", - "platform_id": "standard-v3", - "use_ipv4_nat": true - } - ], - "provisioners": [ - { - "type": "ansible", - "user": "ubuntu", - "ansible_ssh_extra_args": "-o HostkeyAlgorithms=ssh-rsa", - "playbook_file": "docker.yml", - "ansible_env_vars": [ "ANSIBLE_HOST_KEY_CHECKING=False", "ANSIBLE_PRIVATE_KEY_FILE=~/.ssh/yc" ], - "extra_arguments": [ "-vvvv" ] - } - ] -} diff --git a/docker-monolith/infra/config.pkr.hcl b/docker-monolith/infra/config.pkr.hcl deleted file mode 100644 index 521b167..0000000 --- a/docker-monolith/infra/config.pkr.hcl +++ /dev/null @@ -1,8 +0,0 @@ -packer { - required_plugins { - yandex = { - version = ">= 1.1.2" - source = "github.com/hashicorp/yandex" - } - } -} diff --git a/docker-monolith/infra/docker.yml b/docker-monolith/infra/docker.yml deleted file mode 100644 index 02105f2..0000000 --- a/docker-monolith/infra/docker.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -- name: Install Docker - hosts: app - become: true - tasks: - - name: Update and upgrade apt packages - apt: - # upgrade: yes - update_cache: yes - cache_valid_time: 86400 #One day - # state: fixed - - - name: Install Docker dependencies - apt: - name: - - apt-transport-https - - ca-certificates - - curl - - gnupg - state: present - - - name: Add Docker repo key - apt_key: - url: https://download.docker.com/linux/ubuntu/gpg - keyring: /usr/share/keyrings/docker-archive-keyring.gpg - state: present - - - name: Add Docker repository - apt_repository: - repo: deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable - state: present - - - name: Update and upgrade apt packages - apt: - # upgrade: yes - update_cache: yes - cache_valid_time: 86400 #One day - # state: fixed - - - name: Docker install - apt: - name: - - docker-ce - - docker-ce-cli - - containerd.io - state: present - - - name: Add user to docker group - user: - name: "{{ ansible_user }}" - groups: docker - append: yes diff --git a/docker-monolith/infra/lb.tf b/docker-monolith/infra/lb.tf deleted file mode 100644 index 12fcc55..0000000 --- a/docker-monolith/infra/lb.tf +++ /dev/null @@ -1,48 +0,0 @@ -resource "yandex_lb_network_load_balancer" "app-lb" { - name = "reddit-app-lb" - - listener { - name = "reddit-app-listener" - port = 80 - target_port = 9292 - protocol = "tcp" - external_address_spec { - ip_version = "ipv4" - } - } - attached_target_group { - target_group_id = yandex_lb_target_group.app-target-group.id - healthcheck { - name = "http-healthcheck" - interval = 2 - timeout = 1 - unhealthy_threshold = 2 - healthy_threshold = 2 - http_options { - port = 9292 - path = "/" - } - } - } - depends_on = [ - yandex_lb_target_group.app-target-group - ] -} - -resource "yandex_lb_target_group" "app-target-group" { - name = "reddit-app-target-group" - - dynamic "target" { - for_each = yandex_compute_instance.app - - content { - subnet_id = var.subnet_id - address = target.value.network_interface.0.ip_address - } - - } - - depends_on = [ - yandex_compute_instance.app - ] -} diff --git a/docker-monolith/infra/main.tf b/docker-monolith/infra/main.tf deleted file mode 100644 index 7ed2a66..0000000 --- a/docker-monolith/infra/main.tf +++ /dev/null @@ -1,29 +0,0 @@ -resource "yandex_compute_instance" "app" { - count = var.instances_count - name = "reddit-app-${count.index}" - - labels = { - tags = "reddit-app" - } - - resources { - cores = 2 - memory = 2 - } - - boot_disk { - initialize_params { - image_id = var.image_id - } - } - - network_interface { - # Указан id подсети default-ru-central1-a - subnet_id = var.subnet_id - nat = true - } - - metadata = { - ssh-keys = "ubuntu:${file("${var.public_key_path}")}" - } -} diff --git a/docker-monolith/infra/outputs.tf b/docker-monolith/infra/outputs.tf deleted file mode 100644 index 955407a..0000000 --- a/docker-monolith/infra/outputs.tf +++ /dev/null @@ -1,18 +0,0 @@ -output "external_ip_address_app" { - value = [ - for instance in yandex_compute_instance.app : - instance.network_interface.0.nat_ip_address - ] -} - -output "load_balancer_ip_address_variant1" { - value = yandex_lb_network_load_balancer.app-lb.listener.*.external_address_spec[0].*.address[0] -} - -#Вывод адреса балансировщика через цикл -output "load_balancer_ip_address_variant2" { - value = [ - for listener in yandex_lb_network_load_balancer.app-lb.listener : - listener.external_address_spec.*.address[0] - ] -} diff --git a/docker-monolith/infra/provider.tf b/docker-monolith/infra/provider.tf deleted file mode 100755 index 81166cc..0000000 --- a/docker-monolith/infra/provider.tf +++ /dev/null @@ -1,10 +0,0 @@ -provider "yandex" { - version = ">= 0.35.0" - service_account_key_file = var.service_account_key_file - cloud_id = var.cloud_id - folder_id = var.folder_id - zone = var.zone - - # Not used here: - # token = "" -} diff --git a/docker-monolith/infra/run_container.yml b/docker-monolith/infra/run_container.yml deleted file mode 100644 index 67518c3..0000000 --- a/docker-monolith/infra/run_container.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Run Reddit-app container - hosts: app - become: true - tasks: - - name: Container run - docker_container: - name: reddit - image: voitenkov/otus-reddit:1.0 - network_mode: host diff --git a/docker-monolith/infra/site.yml b/docker-monolith/infra/site.yml deleted file mode 100644 index 73ce1ee..0000000 --- a/docker-monolith/infra/site.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- import_playbook: docker.yml -- import_playbook: run_container.yml diff --git a/docker-monolith/infra/terraform.tfvars.example b/docker-monolith/infra/terraform.tfvars.example deleted file mode 100755 index 1063141..0000000 --- a/docker-monolith/infra/terraform.tfvars.example +++ /dev/null @@ -1,7 +0,0 @@ -cloud_id = "b1xxxxxxxxxxxxxxxxfo" -folder_id = "b1xxxxxxxxxxxxxxxx1r" -service_account_key_file = "./.secrets/key.json" -public_key_path = "~/.ssh/yc.pub" -private_key_path = "~/.ssh/yc" -image_id = "fdxxxxxxxxxxxxxxxxcj" -subnet_id = "e9xxxxxxxxxxxxxxxxiv" diff --git a/docker-monolith/infra/variables.json b/docker-monolith/infra/variables.json deleted file mode 100644 index 7bbedfc..0000000 --- a/docker-monolith/infra/variables.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "service_account_key_file": "./.secrets/key.json", - "folder_id": "b1g6gdahohoa366go44m", - "source_image_id": "fd84kolpdaqobtlpkfpc", - "source_image_family": "ubuntu-1804-lts", - "app_name": "reddit", - "ssh_username": "ubuntu" - } diff --git a/docker-monolith/infra/variables.json.example b/docker-monolith/infra/variables.json.example deleted file mode 100644 index a4a42ff..0000000 --- a/docker-monolith/infra/variables.json.example +++ /dev/null @@ -1,8 +0,0 @@ -{ - "service_account_key_file": "packer/files/key.json", - "folder_id": "b1xxxxxxxxxxxxxxx1r", - "source_image_id": "fdxxxxxxxxxxxxxx4a7", - "source_image_family": "ubuntu-1604-lts", - "app_name": "reddit", - "ssh_username": "ubuntu" - } diff --git a/docker-monolith/infra/variables.tf b/docker-monolith/infra/variables.tf deleted file mode 100644 index d3c727c..0000000 --- a/docker-monolith/infra/variables.tf +++ /dev/null @@ -1,39 +0,0 @@ -variable "cloud_id" { - description = "Cloud ID" -} - -variable "folder_id" { - description = "Folder ID" -} - -variable "zone" { - description = "Zone" - # Значение по умолчанию - default = "ru-central1-a" -} - -variable "public_key_path" { - # Описание переменной - description = "Path to the public key used for ssh access" -} - -variable "private_key_path" { - # Описание переменной - description = "Path to the public key used for ssh access" -} - -variable "image_id" { - description = "Disk image" -} - -variable "subnet_id" { - description = "Subnet" -} - -variable "service_account_key_file" { - description = "key.json" -} - -variable "instances_count" { - description = "Instances count" -} diff --git a/docker-monolith/infra/versions.tf b/docker-monolith/infra/versions.tf deleted file mode 100755 index 75b09ab..0000000 --- a/docker-monolith/infra/versions.tf +++ /dev/null @@ -1,19 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } - - backend "s3" { - endpoint = "storage.yandexcloud.net" - bucket = "s3-otus-devops-microservices-tfstate" - region = "ru-central1-a" - key = "terraform/otus-devops-microservices.tfstate" - skip_region_validation = true - skip_credentials_validation = true - } -} diff --git a/docker-monolith/infra/yc_compute.yaml b/docker-monolith/infra/yc_compute.yaml deleted file mode 100644 index 70e5cd6..0000000 --- a/docker-monolith/infra/yc_compute.yaml +++ /dev/null @@ -1,30 +0,0 @@ -plugin: community.general.yc_compute -folders: # List inventory hosts from these folders. - - b1g6gdahohoa366go44m -filters: - - status == 'RUNNING' -# - labels['role'] == 'reddit-app' -auth_kind: serviceaccountfile -service_account_file: key.json -hostnames: - - fqdn # Use FQDN for inventory hostnames. -# You can also format hostnames with jinja2 expressions like this -# - "{{id}}_{{name}}" - -compose: - # Set ansible_host to the Public IP address to connect to the host. - # For Private IP use "network_interfaces[0].primary_v4_address.address". - ansible_host: network_interfaces[0].primary_v4_address.one_to_one_nat.address - -keyed_groups: - # Place hosts in groups named by folder_id. - - key: folder_id - prefix: '' - separator: '' - # Place hosts in groups named by value of labels['group']. - - key: labels['group'] - -groups: - # Place hosts in 'ssd' group if they have appropriate disk_type label. - app: labels['tags'] == 'reddit-app' - db: labels['tags'] == 'reddit-db' diff --git a/docker-monolith/mongod.conf b/docker-monolith/mongod.conf deleted file mode 100644 index 8fa86c0..0000000 --- a/docker-monolith/mongod.conf +++ /dev/null @@ -1,16 +0,0 @@ -# Where and how to store data. -storage: - dbPath: /var/lib/mongodb - journal: - enabled: true - -# where to write logging data. -systemLog: - destination: file - logAppend: true - path: /var/log/mongodb/mongod.log - -# network interfaces -net: - port: 27017 - bindIp: 127.0.0.1 diff --git a/reddit/.gitignore b/docker/reddit/.gitignore similarity index 100% rename from reddit/.gitignore rename to docker/reddit/.gitignore diff --git a/reddit/Capfile b/docker/reddit/Capfile similarity index 100% rename from reddit/Capfile rename to docker/reddit/Capfile diff --git a/docker-monolith/Dockerfile b/docker/reddit/Dockerfile similarity index 100% rename from docker-monolith/Dockerfile rename to docker/reddit/Dockerfile diff --git a/reddit/Gemfile b/docker/reddit/Gemfile similarity index 100% rename from reddit/Gemfile rename to docker/reddit/Gemfile diff --git a/reddit/Gemfile.lock b/docker/reddit/Gemfile.lock similarity index 100% rename from reddit/Gemfile.lock rename to docker/reddit/Gemfile.lock diff --git a/reddit/README.md b/docker/reddit/README.md similarity index 100% rename from reddit/README.md rename to docker/reddit/README.md diff --git a/reddit/app.rb b/docker/reddit/app.rb similarity index 100% rename from reddit/app.rb rename to docker/reddit/app.rb diff --git a/reddit/config.ru b/docker/reddit/config.ru similarity index 100% rename from reddit/config.ru rename to docker/reddit/config.ru diff --git a/reddit/config/deploy.rb b/docker/reddit/config/deploy.rb similarity index 100% rename from reddit/config/deploy.rb rename to docker/reddit/config/deploy.rb diff --git a/reddit/config/deploy/production.rb b/docker/reddit/config/deploy/production.rb similarity index 100% rename from reddit/config/deploy/production.rb rename to docker/reddit/config/deploy/production.rb diff --git a/reddit/config/deploy/staging.rb b/docker/reddit/config/deploy/staging.rb similarity index 100% rename from reddit/config/deploy/staging.rb rename to docker/reddit/config/deploy/staging.rb diff --git a/reddit/deploy.sh b/docker/reddit/deploy.sh similarity index 100% rename from reddit/deploy.sh rename to docker/reddit/deploy.sh diff --git a/reddit/helpers.rb b/docker/reddit/helpers.rb similarity index 100% rename from reddit/helpers.rb rename to docker/reddit/helpers.rb diff --git a/reddit/simpletest.rb b/docker/reddit/simpletest.rb similarity index 100% rename from reddit/simpletest.rb rename to docker/reddit/simpletest.rb diff --git a/docker-monolith/start.sh b/docker/reddit/start.sh similarity index 100% rename from docker-monolith/start.sh rename to docker/reddit/start.sh diff --git a/reddit/views/create.haml b/docker/reddit/views/create.haml similarity index 100% rename from reddit/views/create.haml rename to docker/reddit/views/create.haml diff --git a/reddit/views/index.haml b/docker/reddit/views/index.haml similarity index 100% rename from reddit/views/index.haml rename to docker/reddit/views/index.haml diff --git a/reddit/views/layout.haml b/docker/reddit/views/layout.haml similarity index 100% rename from reddit/views/layout.haml rename to docker/reddit/views/layout.haml diff --git a/reddit/views/login.haml b/docker/reddit/views/login.haml similarity index 100% rename from reddit/views/login.haml rename to docker/reddit/views/login.haml diff --git a/reddit/views/show.haml b/docker/reddit/views/show.haml similarity index 100% rename from reddit/views/show.haml rename to docker/reddit/views/show.haml diff --git a/reddit/views/signup.haml b/docker/reddit/views/signup.haml similarity index 100% rename from reddit/views/signup.haml rename to docker/reddit/views/signup.haml diff --git a/gitlab-ci/modules/bucket/main.tf b/gitlab-ci/modules/bucket/main.tf deleted file mode 100644 index 1f2e414..0000000 --- a/gitlab-ci/modules/bucket/main.tf +++ /dev/null @@ -1,16 +0,0 @@ -locals { - bucket = "s3-${var.bucket_project}-${var.bucket_environment}-${var.bucket_name}" -} - -resource "yandex_storage_bucket" "bucket" { - folder_id = var.bucket_folder_id - bucket = local.bucket - access_key = var.bucket_access_key - secret_key = var.bucket_secret_key - - anonymous_access_flags { - read = true - list = false - config_read = false - } -} diff --git a/gitlab-ci/modules/bucket/outputs.tf b/gitlab-ci/modules/bucket/outputs.tf deleted file mode 100644 index 6cc6cd5..0000000 --- a/gitlab-ci/modules/bucket/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "name" { - value = yandex_storage_bucket.bucket.bucket -} diff --git a/gitlab-ci/modules/bucket/variables.tf b/gitlab-ci/modules/bucket/variables.tf deleted file mode 100644 index f5de558..0000000 --- a/gitlab-ci/modules/bucket/variables.tf +++ /dev/null @@ -1,33 +0,0 @@ -variable "bucket_folder_id" { - type = string - description = "Bucket folder ID" - nullable = false -} - -variable "bucket_project" { - type = string - description = "Bucket project (cloud)" - nullable = false -} - -variable "bucket_environment" { - type = string - description = "Bucket environment" - nullable = false -} - -variable "bucket_name" { - type = string - description = "Bucket name" - nullable = false -} - -variable "bucket_access_key" { - description = "Bucket static access key" - type = string -} - -variable "bucket_secret_key" { - description = "Bucket secret for static access key" - type = string -} diff --git a/gitlab-ci/modules/bucket/versions.tf b/gitlab-ci/modules/bucket/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/bucket/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/cloud/main.tf b/gitlab-ci/modules/cloud/main.tf deleted file mode 100644 index 5832f3b..0000000 --- a/gitlab-ci/modules/cloud/main.tf +++ /dev/null @@ -1,66 +0,0 @@ -locals { - cloud_id = yandex_resourcemanager_cloud.cloud.id - folder_id = yandex_resourcemanager_folder.folder.id - folder_name = "adm-folder" - folder_description = "Folder for S3 backend for ${var.cloud_project} cloud Terraform state and administrative entities" - sa_tfstate_name = "sa-${var.cloud_project}-adm-tfstate" - sa_tfstate_description = "Service account for S3 backend for ${var.cloud_project} cloud Terraform state" - sa_tfstate_static_key_description = "Static access key for S3 backend for ${var.cloud_project} cloud Terraform state" - s3_tfstate_bucket = "s3-${var.cloud_project}-adm-tfstate" -} - -resource "yandex_resourcemanager_cloud" "cloud" { - name = var.cloud_project - organization_id = var.cloud_organization_id -} - -resource "yandex_billing_cloud_binding" "cloud_binding" { - billing_account_id = var.cloud_billing_account_id - cloud_id = local.cloud_id - - depends_on = [yandex_resourcemanager_cloud.cloud] -} - -resource "yandex_resourcemanager_folder" "folder" { - cloud_id = local.cloud_id - name = local.folder_name - description = local.folder_description - - depends_on = [yandex_billing_cloud_binding.cloud_binding] -} - -resource "yandex_iam_service_account" "sa-tfstate" { - folder_id = local.folder_id - name = local.sa_tfstate_name - description = local.sa_tfstate_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_member" "sa-tfstate-storage-admin" { - folder_id = local.folder_id - role = "storage.admin" # admin role is need for bucket versioning - member = "serviceAccount:${yandex_iam_service_account.sa-tfstate.id}" - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_iam_service_account_static_access_key" "sa-tfstate-static-key" { - service_account_id = yandex_iam_service_account.sa-tfstate.id - description = local.sa_tfstate_static_key_description - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_storage_bucket" "s3-tfstate" { - folder_id = local.folder_id - bucket = local.s3_tfstate_bucket - access_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - secret_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - - versioning { - enabled = true - } - - depends_on = [yandex_iam_service_account_static_access_key.sa-tfstate-static-key] -} diff --git a/gitlab-ci/modules/cloud/otputs.tf b/gitlab-ci/modules/cloud/otputs.tf deleted file mode 100644 index 13cd3ab..0000000 --- a/gitlab-ci/modules/cloud/otputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "tfstate_access_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - sensitive = true -} - -output "tfstate_secret_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - sensitive = true -} diff --git a/gitlab-ci/modules/cloud/variables.tf b/gitlab-ci/modules/cloud/variables.tf deleted file mode 100644 index 6538f22..0000000 --- a/gitlab-ci/modules/cloud/variables.tf +++ /dev/null @@ -1,14 +0,0 @@ -variable "cloud_project" { - type = string - description = "Name of project (cloud)" -} - -variable "cloud_organization_id" { - type = string - description = "YC Organization ID" -} - -variable "cloud_billing_account_id" { - type = string - description = "YC billing account ID" -} diff --git a/gitlab-ci/modules/cloud/versions.tf b/gitlab-ci/modules/cloud/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/cloud/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/folder/main.tf b/gitlab-ci/modules/folder/main.tf deleted file mode 100644 index 1484a2e..0000000 --- a/gitlab-ci/modules/folder/main.tf +++ /dev/null @@ -1,79 +0,0 @@ -locals { - project_environment = "${var.folder_project} ${var.folder_environment}" - cloud_id = "${data.yandex_resourcemanager_cloud.cloud.cloud_id}" - cloud_name = var.folder_project - folder_id = "${yandex_resourcemanager_folder.folder.id}" - folder_name = "${var.folder_environment}-folder" - folder_description = "Folder for ${local.project_environment} environment" - sa_tf_name = "sa-${var.folder_project}-${var.folder_environment}-tf" - sa_tf_description = "Service account for Terraform deploy in ${local.project_environment} environment" - sa_tfstate_name = "sa-${var.folder_project}-${var.folder_environment}-tfstate" - sa_tfstate_description = "Service account for S3 backend for Terraform state in ${local.project_environment} environment" - sa_tfstate_static_key_description = "Static access key for S3 backend for Terraform state in ${local.project_environment} environment" - s3_tfstate_bucket = "s3-${var.folder_project}-${var.folder_environment}-tfstate" -} - -data "yandex_resourcemanager_cloud" "cloud" { - name = local.cloud_name -} - -resource "yandex_resourcemanager_folder" "folder" { - cloud_id = local.cloud_id - name = local.folder_name - description = local.folder_description -} - -resource "yandex_iam_service_account" "sa-tf" { - folder_id = local.folder_id - name = local.sa_tf_name - description = local.sa_tf_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_binding" "folder-admin" { - folder_id = local.folder_id - role = "admin" - members = [ - "serviceAccount:${yandex_iam_service_account.sa-tf.id}" - ] - - depends_on = [yandex_iam_service_account.sa-tf] -} - -resource "yandex_iam_service_account" "sa-tfstate" { - folder_id = local.folder_id - name = local.sa_tfstate_name - description = local.sa_tfstate_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_member" "sa-tfstate-storage-admin" { - folder_id = local.folder_id - role = "storage.admin" # admin role is need for bucket versioning - member = "serviceAccount:${yandex_iam_service_account.sa-tfstate.id}" - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_iam_service_account_static_access_key" "sa-tfstate-static-key" { - service_account_id = yandex_iam_service_account.sa-tfstate.id - description = local.sa_tfstate_static_key_description - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_storage_bucket" "s3-tfstate" { - folder_id = local.folder_id - bucket = local.s3_tfstate_bucket - access_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - secret_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - - versioning { - enabled = true - } - - depends_on = [ - yandex_iam_service_account_static_access_key.sa-tfstate-static-key] -} diff --git a/gitlab-ci/modules/folder/otputs.tf b/gitlab-ci/modules/folder/otputs.tf deleted file mode 100644 index 13cd3ab..0000000 --- a/gitlab-ci/modules/folder/otputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "tfstate_access_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - sensitive = true -} - -output "tfstate_secret_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - sensitive = true -} diff --git a/gitlab-ci/modules/folder/variables.tf b/gitlab-ci/modules/folder/variables.tf deleted file mode 100644 index 7e41198..0000000 --- a/gitlab-ci/modules/folder/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "folder_project" { - type = string - description = "Name of project (cloud) folder belongs to" -} - -variable "folder_environment" { - type = string - description = "Name of environment related to folder" -} diff --git a/gitlab-ci/modules/folder/versions.tf b/gitlab-ci/modules/folder/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/folder/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/instance/main.tf b/gitlab-ci/modules/instance/main.tf deleted file mode 100644 index d2b39e9..0000000 --- a/gitlab-ci/modules/instance/main.tf +++ /dev/null @@ -1,61 +0,0 @@ -locals { - instance_name = "vm-${var.instance_project}-${var.instance_environment}-${var.instance_name}" - instance_description = "DevOps workstation No. ${var.instance_no} in ${var.instance_project} ${var.instance_environment} environment" - instance_ssh_public_key = file("./.secrets/${var.instance_name}/${var.instance_public_key}") -} - -data "yandex_iam_service_account" "service_account" { - name = var.instance_service_account_name -} - -data "template_file" "user_data" { - template = file("../templates/${var.instance_user_data_file}.yml.tftpl") - - vars = { - username = var.instance_name - ssh_public_key = local.instance_ssh_public_key - } -} - -resource "yandex_compute_instance" "instance" { - allow_stopping_for_update = true - name = local.instance_name - description = local.instance_description - hostname = var.instance_name - zone = var.instance_zone - platform_id = var.instance_platform_id - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - - labels = { - tags = var.instance_name - } - - scheduling_policy { - preemptible = var.instance_preemptible - } - - resources { - cores = var.instance_cores - core_fraction = var.instance_core_fraction - memory = var.instance_memory - } - - boot_disk { - initialize_params { - image_id = var.instance_image_id - size = var.instance_disk_size - } - } - - network_interface { - subnet_id = var.instance_subnet_id - nat = var.instance_nat - security_group_ids = var.instance_security_group_ids - nat_ip_address = var.instance_nat_ip_address - } - - metadata = { - user-data = data.template_file.user_data.rendered - serial-port-enable = var.instance_serial_port_enable - } -} diff --git a/gitlab-ci/modules/instance/outputs.tf b/gitlab-ci/modules/instance/outputs.tf deleted file mode 100644 index e7db1f1..0000000 --- a/gitlab-ci/modules/instance/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "internal_ip_address" { - value = yandex_compute_instance.instance.network_interface.0.ip_address -} - -output "external_ip_address" { - value = yandex_compute_instance.instance.network_interface.0.nat_ip_address -} diff --git a/gitlab-ci/modules/instance/variables.tf b/gitlab-ci/modules/instance/variables.tf deleted file mode 100644 index 88c92fa..0000000 --- a/gitlab-ci/modules/instance/variables.tf +++ /dev/null @@ -1,129 +0,0 @@ -variable "instance_project" { - type = string - description = "Instance project (cloud)" - nullable = false -} - -variable "instance_environment" { - type = string - description = "Instance environment" - nullable = false -} - -variable "instance_no" { - type = number - default = 1 - description = "Instance No." - nullable = false -} - -variable "instance_name" { - type = string - description = "Instance name" - nullable = false -} - -variable "instance_user_data_file" { - type = string - description = "Instance user data file" - nullable = false -} - -variable "instance_public_key" { - type = string - description = "Instance public key" - default = "id_rsa.pub" - nullable = false -} - -variable "instance_zone" { - type = string - description = "Yandex Cloud compute default zone" - default = "ru-central1-a" -} - -variable "instance_platform_id" { - default = "standard-v3" - type = string - description = "Platform ID for instance" - nullable = false -} - -variable "instance_service_account_name" { - type = string - description = "Instance service account name" - nullable = false -} - -variable "instance_preemptible" { - default = false - type = bool - description = "Instance scheduling policy" - nullable = false -} - -variable "instance_cores" { - default = 2 - type = number - description = "Instance cores quantity" - nullable = false -} - -variable "instance_core_fraction" { - default = 100 - type = number - description = "Instance core fraction" - nullable = false -} - -variable "instance_memory" { - default = 2 - type = number - description = "Instance memory amount" - nullable = false -} - -variable "instance_image_id" { - type = string - default = "fd8emvfmfoaordspe1jr" # ubuntu-22-04-lts-v20230130 - description = "Image ID for boot disk" -} - -variable "instance_disk_size" { - default = 30 - type = number - description = "Instance disk size" - nullable = false -} - -variable "instance_subnet_id" { - type = string - description = "Instance network interface subnet" - nullable = false -} - -variable "instance_nat" { - default = false - type = bool - description = "Instance NAT enable/disable" - nullable = false -} - -variable "instance_security_group_ids" { - type = list - description = "Instance security group IDs" -} - -variable "instance_nat_ip_address" { - type = string - description = "Instance public ip address" - nullable = false - default = "" -} - -variable "instance_serial_port_enable" { - default = 0 - type = number - description = "Instance serial port enable/disable" - nullable = false -} diff --git a/gitlab-ci/modules/instance/versions.tf b/gitlab-ci/modules/instance/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/instance/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/k8s-cluster/main.tf b/gitlab-ci/modules/k8s-cluster/main.tf deleted file mode 100644 index 96ffd55..0000000 --- a/gitlab-ci/modules/k8s-cluster/main.tf +++ /dev/null @@ -1,38 +0,0 @@ -locals { - k8s_cluster_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_description = "Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" - k8s_cluster_node_group_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" -} - -data "yandex_iam_service_account" "service_account" { - name = var.k8s_cluster_service_account_name -} - -data "yandex_iam_service_account" "node_service_account" { - name = var.k8s_cluster_node_service_account_name -} - -resource "yandex_kubernetes_cluster" "k8s-cluster" { - name = local.k8s_cluster_name - description = local.k8s_cluster_description - network_id = var.k8s_cluster_network_id - - master { - version = var.k8s_cluster_version - - zonal { - zone = var.k8s_cluster_zone - subnet_id = var.k8s_cluster_subnet_id - } - - public_ip = var.k8s_cluster_public_ip - security_group_ids = var.k8s_cluster_security_group_ids - } - - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - node_service_account_id = data.yandex_iam_service_account.node_service_account.service_account_id - cluster_ipv4_range = var.k8s_cluster_cluster_ipv4_range - service_ipv4_range = var.k8s_cluster_service_ipv4_range - -} diff --git a/gitlab-ci/modules/k8s-cluster/outputs.tf b/gitlab-ci/modules/k8s-cluster/outputs.tf deleted file mode 100644 index 35f5f30..0000000 --- a/gitlab-ci/modules/k8s-cluster/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "K8s cluster ID" - value = yandex_kubernetes_cluster.k8s-cluster.id -} diff --git a/gitlab-ci/modules/k8s-cluster/variables.tf b/gitlab-ci/modules/k8s-cluster/variables.tf deleted file mode 100644 index 33d3fbc..0000000 --- a/gitlab-ci/modules/k8s-cluster/variables.tf +++ /dev/null @@ -1,84 +0,0 @@ -variable "k8s_cluster_project" { - type = string - description = "K8s cluster project (cloud)" - nullable = false -} - -variable "k8s_cluster_environment" { - type = string - description = "K8s cluster environment" - nullable = false -} - -variable "k8s_cluster_name" { - type = string - description = "K8s cluster name" - nullable = false -} - -variable "k8s_cluster_network_id" { - type = string - description = "K8s_cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_version" { - type = string - description = "K8s cluster version" -} - -variable "k8s_cluster_release_channel" { - type = string - description = "K8s cluster release channel" - default = "STABLE" -} - -variable "k8s_cluster_zone" { - type = string - description = "K8s cluster zone" - default = "ru-central1-a" -} - -variable "k8s_cluster_subnet_id" { - type = string - description = "K8s cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_public_ip" { - type = bool - description = "K8s cluster public IP" - default = false - nullable = false -} - -variable "k8s_cluster_security_group_ids" { - type = list - description = "K8s cluster security group IDs" -} - -variable "k8s_cluster_service_account_name" { - type = string - description = "K8s cluster service account name" - nullable = false -} - -variable "k8s_cluster_node_service_account_name" { - type = string - description = "K8s cluster node service account name" - nullable = false -} - -variable "k8s_cluster_cluster_ipv4_range" { - default = "10.96.0.0/16" - type = string - description = "K8s cluster ipv4 CIDR" - nullable = false -} - -variable "k8s_cluster_service_ipv4_range" { - default = "10.112.0.0/16" - type = string - description = "K8s service ipv4 CIDR" - nullable = false -} diff --git a/gitlab-ci/modules/k8s-cluster/versions.tf b/gitlab-ci/modules/k8s-cluster/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/k8s-cluster/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/k8s-node-group/main.tf b/gitlab-ci/modules/k8s-node-group/main.tf deleted file mode 100644 index 85930bd..0000000 --- a/gitlab-ci/modules/k8s-node-group/main.tf +++ /dev/null @@ -1,60 +0,0 @@ -locals { - k8s_node_group_name = "k8s-${var.k8s_node_group_project}-${var.k8s_node_group_environment}-${var.k8s_node_group_cluster}-${var.k8s_node_group_name}" - k8s_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_node_group_project} ${var.k8s_node_group_environment} environment (${var.k8s_node_group_cluster}/${var.k8s_node_group_name})" - k8s_node_group_ssh_keys = "${var.k8s_node_group_username}:${var.k8s_node_group_ssh_public_key}" -} - -resource "yandex_kubernetes_node_group" "k8s-node-group" { - name = local.k8s_node_group_name - description = local.k8s_node_group_description - cluster_id = var.k8s_node_group_cluster_id - version = var.k8s_node_group_version - - node_labels = { - "node-group" = var.k8s_node_group_name - } - - node_taints = var.k8s_node_group_node_taints - - scale_policy { - auto_scale { - initial = var.k8s_node_group_auto_scale_initial - min = var.k8s_node_group_auto_scale_min - max = var.k8s_node_group_auto_scale_max - } - } - - allocation_policy { - location { - zone = var.k8s_node_group_zone - } - } - - instance_template { - platform_id = var.k8s_node_group_platform_id - - scheduling_policy { - preemptible = var.k8s_node_group_preemptible - } - - resources { - memory = var.k8s_node_group_memory - cores = var.k8s_node_group_cores - } - - boot_disk { - type = var.k8s_node_group_disk_type - size = var.k8s_node_group_disk_size - } - - network_interface { - nat = var.k8s_node_group_nat - subnet_ids = var.k8s_node_group_subnet_ids - security_group_ids = var.k8s_node_group_security_group_ids - } - - metadata = { - ssh-keys = local.k8s_node_group_ssh_keys - } - } -} diff --git a/gitlab-ci/modules/k8s-node-group/variables.tf b/gitlab-ci/modules/k8s-node-group/variables.tf deleted file mode 100644 index ab51b20..0000000 --- a/gitlab-ci/modules/k8s-node-group/variables.tf +++ /dev/null @@ -1,137 +0,0 @@ -variable "k8s_node_group_project" { - type = string - description = "K8s node group project (cloud)" - nullable = false -} - -variable "k8s_node_group_environment" { - type = string - description = "K8s node group environment" - nullable = false -} - -variable "k8s_node_group_name" { - type = string - description = "K8s node group name" - nullable = false -} - -variable "k8s_node_group_cluster" { - type = string - description = "K8s node group cluster name" - nullable = false -} - -variable "k8s_node_group_cluster_id" { - type = string - description = "K8s node group cluster ID" - nullable = false -} - -variable "k8s_node_group_version" { - type = string - description = "K8s node group version" -} - -variable "k8s_node_group_auto_scale_initial" { - type = number - description = "K8s node auto scale initial number of instances" - default = 0 -} - -variable "k8s_node_group_auto_scale_min" { - type = number - description = "K8s node auto scale minimum number of instances" - default = 0 -} - -variable "k8s_node_group_auto_scale_max" { - type = number - description = "K8s node auto scale maximum number of instances" - default = 1 -} - -variable "k8s_node_group_zone" { - type = string - description = "K8s node group zone" - default = "ru-central1-a" -} - -variable "k8s_node_group_platform_id" { - default = "standard-v3" - type = string - description = "Platform ID for node group" - nullable = false -} - -variable "k8s_node_group_node_taints" { - default = [] - type = list - description = "K8s node group node taints" - nullable = false -} - -variable "k8s_node_group_preemptible" { - default = false - type = bool - description = "K8s node group scheduling policy" - nullable = false -} - -variable "k8s_node_group_cores" { - default = 2 - type = number - description = "K8s node group cores quantity" - nullable = false -} - -variable "k8s_node_group_memory" { - default = 4 - type = number - description = "K8s node group memory amount" - nullable = false -} - -variable "k8s_node_group_disk_type" { - default = "network-hdd" - type = string - description = "K8s node group disk type" - nullable = false -} - -variable "k8s_node_group_disk_size" { - default = 64 - type = number - description = "K8s node group disk size" - nullable = false -} - -variable "k8s_node_group_nat" { - type = bool - description = "K8s_node_group NAT" - default = false - nullable = false -} - -variable "k8s_node_group_subnet_ids" { - type = list - description = "K8s node group network interface subnet IDs" - nullable = false -} - -variable "k8s_node_group_security_group_ids" { - type = list - description = "K8s node group security group IDs" -} - -variable "k8s_node_group_username" { - type = string - description = "K8s node group username" - nullable = false -} - -variable "k8s_node_group_ssh_public_key" { - type = string - description = "K8s node ssh public key" - nullable = false -} diff --git a/gitlab-ci/modules/k8s-node-group/versions.tf b/gitlab-ci/modules/k8s-node-group/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/k8s-node-group/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/sa/main.tf b/gitlab-ci/modules/sa/main.tf deleted file mode 100644 index 8149017..0000000 --- a/gitlab-ci/modules/sa/main.tf +++ /dev/null @@ -1,18 +0,0 @@ -data "yandex_iam_service_account" "service_account" { - name = var.sa_name - - depends_on = [yandex_iam_service_account.service_account] -} - -resource "yandex_iam_service_account" "service_account" { - name = var.sa_name - description = var.sa_description -} - -resource "yandex_resourcemanager_folder_iam_member" "folder_iam_member" { - folder_id = var.sa_folder_id - role = var.sa_role - member = "serviceAccount:${yandex_iam_service_account.service_account.id}" - - depends_on = [yandex_iam_service_account.service_account] -} diff --git a/gitlab-ci/modules/sa/outputs.tf b/gitlab-ci/modules/sa/outputs.tf deleted file mode 100644 index e9ed564..0000000 --- a/gitlab-ci/modules/sa/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "name" { - value = yandex_iam_service_account.service_account.name -} - -output "id" { - value = data.yandex_iam_service_account.service_account.service_account_id -} diff --git a/gitlab-ci/modules/sa/variables.tf b/gitlab-ci/modules/sa/variables.tf deleted file mode 100644 index 7b69cd4..0000000 --- a/gitlab-ci/modules/sa/variables.tf +++ /dev/null @@ -1,19 +0,0 @@ -variable "sa_name" { - type = string - description = "Service account name" -} - -variable "sa_description" { - type = string - description = "Service account description" -} - -variable "sa_folder_id" { - type = string - description = "Service account folder ID" -} - -variable "sa_role" { - type = string - description = "Service account role" -} diff --git a/gitlab-ci/modules/sa/versions.tf b/gitlab-ci/modules/sa/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/sa/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/gitlab-ci/modules/subnet/main.tf b/gitlab-ci/modules/subnet/main.tf deleted file mode 100644 index 4dbf8d3..0000000 --- a/gitlab-ci/modules/subnet/main.tf +++ /dev/null @@ -1,13 +0,0 @@ -data "yandex_vpc_subnet" "subnet" { - name = var.subnet_name - - depends_on = [yandex_vpc_subnet.subnet] -} - - -resource "yandex_vpc_subnet" "subnet" { - name = var.subnet_name - zone = var.subnet_zone - network_id = var.subnet_network_id - v4_cidr_blocks = var.subnet_v4_cidr_blocks -} diff --git a/gitlab-ci/modules/subnet/outputs.tf b/gitlab-ci/modules/subnet/outputs.tf deleted file mode 100644 index 901b86f..0000000 --- a/gitlab-ci/modules/subnet/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "VPC subnet ID" - value = data.yandex_vpc_subnet.subnet.subnet_id -} diff --git a/gitlab-ci/modules/subnet/variables.tf b/gitlab-ci/modules/subnet/variables.tf deleted file mode 100644 index 083b336..0000000 --- a/gitlab-ci/modules/subnet/variables.tf +++ /dev/null @@ -1,20 +0,0 @@ -variable "subnet_name" { - type = string - description = "Subnet name" -} - -variable "subnet_zone" { - type = string - description = "Subnet availability zone" - default = "ru-central1-a" -} - -variable "subnet_network_id" { - type = string - description = "Subnet network ID" -} - -variable "subnet_v4_cidr_blocks" { - type = list - description = "Subnet v4 CIDR blocks" -} diff --git a/gitlab-ci/modules/subnet/versions.tf b/gitlab-ci/modules/subnet/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/gitlab-ci/modules/subnet/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/images/hw31-gitlab-env-dyn.png b/images/hw31-gitlab-env-dyn.png new file mode 100755 index 0000000..cbc7587 Binary files /dev/null and b/images/hw31-gitlab-env-dyn.png differ diff --git a/images/hw31-gitlab-env-static.png b/images/hw31-gitlab-env-static.png new file mode 100755 index 0000000..03ddad4 Binary files /dev/null and b/images/hw31-gitlab-env-static.png differ diff --git a/images/hw31-gitlab-k8s-agent.png b/images/hw31-gitlab-k8s-agent.png new file mode 100755 index 0000000..02eeceb Binary files /dev/null and b/images/hw31-gitlab-k8s-agent.png differ diff --git a/images/hw31-gitlab-pipeline.png b/images/hw31-gitlab-pipeline.png new file mode 100755 index 0000000..700438f Binary files /dev/null and b/images/hw31-gitlab-pipeline.png differ diff --git a/images/hw31-gitlab-pods-prod.png b/images/hw31-gitlab-pods-prod.png new file mode 100755 index 0000000..28217ff Binary files /dev/null and b/images/hw31-gitlab-pods-prod.png differ diff --git a/images/hw31-gitlab-pods.png b/images/hw31-gitlab-pods.png new file mode 100755 index 0000000..bb3026e Binary files /dev/null and b/images/hw31-gitlab-pods.png differ diff --git a/kubernetes/Charts/comment/Chart.yaml b/kubernetes/Charts/comment/Chart.yaml new file mode 100644 index 0000000..844d02f --- /dev/null +++ b/kubernetes/Charts/comment/Chart.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +appVersion: 1.0.0 +name: comment +version: 1.0.0 +description: OTUS reddit application Comment +maintainers: + - name: Someone diff --git a/kubernetes/Charts/comment/templates/_helpers.tpl b/kubernetes/Charts/comment/templates/_helpers.tpl new file mode 100644 index 0000000..9b3d4c8 --- /dev/null +++ b/kubernetes/Charts/comment/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "comment.fullname" -}} +{{- printf "%s-%s" .Release.Name .Chart.Name }} +{{- end -}} diff --git a/kubernetes/Charts/comment/templates/deployment.yaml b/kubernetes/Charts/comment/templates/deployment.yaml new file mode 100644 index 0000000..fe07ac5 --- /dev/null +++ b/kubernetes/Charts/comment/templates/deployment.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "comment.fullname" . }} + labels: + app: reddit + component: comment + release: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: reddit + component: comment + release: {{ .Release.Name }} + template: + metadata: + name: comment + labels: + app: reddit + component: comment + release: {{ .Release.Name }} + spec: + containers: + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + name: comment + ports: + - containerPort: {{ .Values.service.internalPort }} + protocol: TCP + env: + - name: COMMENT_DATABASE_HOST + value: {{ .Values.databaseHost | default (printf "%s-mongodb" .Release.Name) }} diff --git a/kubernetes/Charts/comment/templates/service.yaml b/kubernetes/Charts/comment/templates/service.yaml new file mode 100644 index 0000000..105b8bc --- /dev/null +++ b/kubernetes/Charts/comment/templates/service.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "comment.fullname" . }} + labels: + app: reddit + component: comment + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.service.externalPort }} + protocol: TCP + targetPort: {{ .Values.service.internalPort }} + selector: + app: reddit + component: comment + release: {{ .Release.Name }} diff --git a/kubernetes/Charts/comment/values.yaml b/kubernetes/Charts/comment/values.yaml new file mode 100644 index 0000000..a1f0dc9 --- /dev/null +++ b/kubernetes/Charts/comment/values.yaml @@ -0,0 +1,10 @@ +--- +service: + internalPort: 9292 + externalPort: 9292 + +image: + repository: voitenkov/comment + tag: latest + +databaseHost: diff --git a/kubernetes/Charts/gitlab-omnibus/.gitlab-ci.yml b/kubernetes/Charts/gitlab-omnibus/.gitlab-ci.yml new file mode 100644 index 0000000..c0e9a6b --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/.gitlab-ci.yml @@ -0,0 +1,19 @@ +image: registry.gitlab.com/charts/alpine-helm + +stages: + - test + - release + +lint: + stage: test + script: + - helm lint . + except: + - master + +release-chart: + stage: release + script: + - curl --request POST --form "token=$CI_JOB_TOKEN" --form ref=master https://gitlab.com/api/v4/projects/2860651/trigger/pipeline + only: + - master diff --git a/kubernetes/Charts/gitlab-omnibus/.helmignore b/kubernetes/Charts/gitlab-omnibus/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/Charts/gitlab-omnibus/CHANGELOG.md b/kubernetes/Charts/gitlab-omnibus/CHANGELOG.md new file mode 100644 index 0000000..ed5f142 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/CHANGELOG.md @@ -0,0 +1,11 @@ +**0.1.35** +> Upgrade note: +* Due to the change in default access mode, existing users will have to specify `ReadWriteMany` as the access mode. For example: +``` +gitlabDataAccessMode=ReadWriteMany +gitlabRegistryAccessMode=ReadWriteMany +gitlabConfigAccessMode=ReadWriteMany +``` + +* Sets the default access mode for `gitlab-storage`, `gitlab-registry-storage`, and `gitlab-config-storage` to be `ReadWriteOnce` to be compatible with Kubernetes 1.7.0+. +* The parameter name to configure the size of the `gitlab-storage` PVC has changed from `gitlabRailsStorageSize` to `gitlabDataStorageSize`. For backwards compatability, `gitlabRailsStorageSize` will still apply provided `gitlabDataStorageSize` is undefined. diff --git a/kubernetes/Charts/gitlab-omnibus/Chart.yaml b/kubernetes/Charts/gitlab-omnibus/Chart.yaml new file mode 100644 index 0000000..aefe028 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/Chart.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +deprecated: true +description: GitLab Omnibus all-in-one bundle +home: https://about.gitlab.com +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png +keywords: +- git +- ci +- cd +- deploy +- issue tracker +- code review +- wiki +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +- name: Mark Pundsack +- name: Jason Plum +- name: DJ Mountney +- name: Joshua Lambert +name: gitlab-omnibus +sources: +- http://docs.gitlab.com/ce/install/kubernetes/ +- https://gitlab.com/charts/charts.gitlab.io +tillerVersion: '>=2.5.0' +version: 0.1.37 diff --git a/kubernetes/Charts/gitlab-omnibus/README.md b/kubernetes/Charts/gitlab-omnibus/README.md new file mode 100644 index 0000000..9c0562a --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/README.md @@ -0,0 +1,23 @@ +# DEPRECATION NOTICE + +This chart is **DEPRECATED**. + +### Replacement + +We have built a set of fully cloud native charts in [gitlab/gitlab](https://gitlab.com/charts/gitlab). +These new charts are designed from the ground up to be performant, flexible, scalable, and resilient. + +We _very strongly_ recommend transitioning, if you are currently using these charts. If you have +never used these charts, _do not now_. + +### Availability + +This project remains visible as an example of how to convert a full monolith application to Kubernetes capable. +[Monolith to Microservice: Pitchforks not included](https://youtu.be/rIUth_KrJdw?list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU) (video) +details the work done to break this monolithic container into component parts. + +# GitLab-Omnibus Helm Chart + +This chart is an easy way to get started with GitLab on Kubernetes. It includes everything needed to run GitLab, including: a Runner, Container Registry, automatic SSL, and an Ingress. + +For more information, please review [our documentation](http://docs.gitlab.com/ee/install/kubernetes/gitlab_omnibus.html). diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/.gitlab-ci.yml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/.gitlab-ci.yml new file mode 100644 index 0000000..c0e9a6b --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/.gitlab-ci.yml @@ -0,0 +1,19 @@ +image: registry.gitlab.com/charts/alpine-helm + +stages: + - test + - release + +lint: + stage: test + script: + - helm lint . + except: + - master + +release-chart: + stage: release + script: + - curl --request POST --form "token=$CI_JOB_TOKEN" --form ref=master https://gitlab.com/api/v4/projects/2860651/trigger/pipeline + only: + - master diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/.helmignore b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/Chart.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/Chart.yaml new file mode 100644 index 0000000..6c54279 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/Chart.yaml @@ -0,0 +1,16 @@ +description: GitLab Runner +icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png +keywords: +- git +- ci +- deploy +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +- email: dj@gitlab.com + name: DJ Mountney +name: gitlab-runner +sources: +- https://hub.docker.com/r/gitlab/gitlab-runner/ +- https://docs.gitlab.com/runner/ +version: 0.1.13 diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/README.md b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/README.md new file mode 100644 index 0000000..46e848a --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/README.md @@ -0,0 +1,3 @@ +# GitLab Runner Helm Chart + +This chart deploys a GitLab Runner instance into your Kubernetes cluster. For more information, please review [our documentation](http://docs.gitlab.com/ee/install/kubernetes/gitlab_runner_chart.html). diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/NOTES.txt b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/NOTES.txt new file mode 100644 index 0000000..af5a074 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/NOTES.txt @@ -0,0 +1,27 @@ +{{- if include "gitlabUrl" . }} +{{- if or (default "" .Values.runnerRegistrationToken) (default "" .Values.runnerToken) }} +Your GitLab Runner should now be registered against the GitLab instance reachable at: {{ template "gitlabUrl" . }} +{{- else -}} +############################################################################## +## WARNING: You did not specify an runnerRegistrationToken in your 'helm install' call. ## +############################################################################## + +This deployment will be incomplete until you provide the Registration Token for your +GitLab instance: + + helm upgrade {{ .Release.Name }} \ + --set gitlabUrl=http://gitlab.your-domain.com,runnerRegistrationToken=your-registration-token \ + stable/gitlab-runner +{{- end -}} +{{- else -}} +############################################################################## +## WARNING: You did not specify an gitlabUrl in your 'helm install' call. ## +############################################################################## + +This deployment will be incomplete until you provide the URL that your +GitLab instance is reachable at: + + helm upgrade {{ .Release.Name }} \ + --set gitlabUrl=http://gitlab.your-domain.com,runnerRegistrationToken=your-registration-token \ + stable/gitlab-runner +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/_cache_s3.tpl b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/_cache_s3.tpl new file mode 100644 index 0000000..4641b02 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/_cache_s3.tpl @@ -0,0 +1,26 @@ +{{- define "cache_s3" }} +- name: CACHE_TYPE + value: {{ default "" .Values.runners.cache.cacheType | quote }} +- name: S3_SERVER_ADDRESS + value: {{ default "" .Values.runners.cache.s3ServerAddress | quote }} +- name: S3_ACCESS_KEY + valueFrom: + secretKeyRef: + name: s3access + key: accessKey +- name: S3_SECRET_KEY + valueFrom: + secretKeyRef: + name: s3access + key: secretKey +- name: S3_BUCKET_NAME + value: {{ default "" .Values.runners.cache.s3BucketName | quote }} +- name: S3_BUCKET_LOCATION + value: {{ default "" .Values.runners.cache.s3BucketLocation | quote }} +- name: S3_CACHE_INSECURE + value: {{ default "" .Values.runners.cache.s3CacheInsecure | quote }} +- name: S3_CACHE_PATH + value: {{ default "" .Values.runners.cache.s3CachePath | quote }} +- name: CACHE_SHARED + value: {{ default "" .Values.runners.cache.cacheShared | quote }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/_helpers.tpl b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/_helpers.tpl new file mode 100644 index 0000000..ec4c5bd --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Template for outputing the gitlabUrl +*/}} +{{- define "gitlabUrl" -}} +{{- .Values.gitlabUrl | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/configmap.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/configmap.yaml new file mode 100644 index 0000000..059f2d6 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/configmap.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + entrypoint: | + #!/bin/bash + + set -xe + + cp /scripts/config.toml /etc/gitlab-runner/ + + # Register the runner + /entrypoint register --non-interactive \ + --executor kubernetes \ + {{- range .Values.runners.imagePullSecrets }} + --kubernetes-image-pull-secrets {{ . | quote }} \ + {{- end }} + + # Start the runner + /entrypoint run --user=gitlab-runner \ + --working-directory=/home/gitlab-runner + config.toml: | + concurrent = {{ .Values.concurrent }} + check_interval = {{ .Values.checkInterval }} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/deployment.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/deployment.yaml new file mode 100644 index 0000000..53985af --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/deployment.yaml @@ -0,0 +1,122 @@ +{{- if and (include "gitlabUrl" .) (or (default "" .Values.runnerRegistrationToken) (default "" .Values.runnerToken)) }} +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: 1 + template: + metadata: + labels: + app: {{ template "fullname" . }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + spec: + serviceAccountName: {{ if .Values.rbac.create }}{{ template "fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} + containers: + - name: {{ template "fullname" . }} + image: {{ .Values.image }} + {{- if and .Values.unregisterRunners .Values.runnerRegistrationToken }} + lifecycle: + preStop: + exec: + command: ["gitlab-runner", "unregister", "--all-runners"] + {{- end }} + imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} + command: ["/bin/bash", "/scripts/entrypoint"] + env: + - name: CI_SERVER_URL + value: {{ template "gitlabUrl" . }} + - name: CI_SERVER_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }} + key: runner-token + - name: REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }} + key: runner-registration-token + - name: KUBERNETES_IMAGE + value: {{ .Values.runners.image | quote }} + {{ if .Values.runners.privileged }} + - name: KUBERNETES_PRIVILEGED + value: "true" + {{ end }} + - name: KUBERNETES_NAMESPACE + value: {{ default .Release.Namespace .Values.runners.namespace | quote }} + - name: KUBERNETES_CPU_LIMIT + value: {{ default "" .Values.runners.builds.cpuLimit | quote }} + - name: KUBERNETES_MEMORY_LIMIT + value: {{ default "" .Values.runners.builds.memoryLimit | quote }} + - name: KUBERNETES_CPU_REQUEST + value: {{ default "" .Values.runners.builds.cpuRequests | quote }} + - name: KUBERNETES_MEMORY_REQUEST + value: {{ default "" .Values.runners.builds.memoryRequests| quote }} + - name: KUBERNETES_SERVICE_CPU_LIMIT + value: {{ default "" .Values.runners.services.cpuLimit | quote }} + - name: KUBERNETES_SERVICE_MEMORY_LIMIT + value: {{ default "" .Values.runners.services.memoryLimit | quote }} + - name: KUBERNETES_SERVICE_CPU_REQUEST + value: {{ default "" .Values.runners.services.cpuRequests | quote }} + - name: KUBERNETES_SERVICE_MEMORY_REQUEST + value: {{ default "" .Values.runners.services.memoryRequests | quote }} + - name: KUBERNETES_HELPERS_CPU_LIMIT + value: {{ default "" .Values.runners.helpers.cpuLimit | quote }} + - name: KUBERNETES_HELPERS_MEMORY_LIMIT + value: {{ default "" .Values.runners.helpers.memoryLimit | quote }} + - name: KUBERNETES_HELPERS_CPU_REQUEST + value: {{ default "" .Values.runners.helpers.cpuRequests | quote }} + - name: KUBERNETES_HELPERS_MEMORY_REQUEST + value: {{ default "" .Values.runners.helpers.memoryRequests | quote }} + {{- if .Values.runners.cache -}} + {{ include "cache_s3" . | indent 8 }} + {{- end }} + livenessProbe: + exec: + command: ["/usr/bin/pgrep","gitlab.*runner"] + initialDelaySeconds: 60 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: ["/usr/bin/pgrep","gitlab.*runner"] + initialDelaySeconds: 10 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + volumeMounts: + - name: scripts + mountPath: /scripts + {{- if .Values.certsSecretName }} + - name: custom-certs + readOnly: true + mountPath: /etc/gitlab-runner/certs/ + {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumes: + {{ if .Values.runners.privileged }} + - name: var-run-docker-sock + hostPath: + path: /var/run/docker.sock + {{ end }} + {{- if .Values.certsSecretName }} + - name: custom-certs + secret: + secretName: {{ .Values.certsSecretName }} + {{- end }} + - name: scripts + configMap: + name: {{ template "fullname" . }} +{{ else }} +{{ end }} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/role-binding.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/role-binding.yaml new file mode 100644 index 0000000..c1044eb --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/role-binding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRoleBinding"{{ else }}"RoleBinding"{{ end }} +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }} + name: {{ template "fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "fullname" . }} + namespace: "{{ .Release.Namespace }}" +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/role.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/role.yaml new file mode 100644 index 0000000..ecb0ba2 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/role.yaml @@ -0,0 +1,15 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }} +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["*"] +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/secrets.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..de1adec --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/secrets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + runner-registration-token: {{ default "" .Values.runnerRegistrationToken | b64enc | quote }} + runner-token: {{ default "" .Values.runnerToken | b64enc | quote }} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/service-account.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/service-account.yaml new file mode 100644 index 0000000..1d049fd --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/templates/service-account.yaml @@ -0,0 +1,11 @@ +{{- if .Values.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/values.yaml b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/values.yaml new file mode 100644 index 0000000..d6fac7e --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/charts/gitlab-runner/values.yaml @@ -0,0 +1,144 @@ +## GitLab Runner Image +## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/ +## +image: gitlab/gitlab-runner:alpine-v10.3.0 + +## Specify a imagePullPolicy +## 'Always' if imageTag is 'latest', else set to 'IfNotPresent' +## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images +## +# imagePullPolicy: + +## The GitLab Server URL (with protocol) that want to register the runner against +## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register +## +# gitlabUrl: http://gitlab.your-domain.com/ + +## The Registration Token for adding new Runners to the GitLab Server. This must +## be retreived from your GitLab Instance. +## ref: https://docs.gitlab.com/ce/ci/runners/README.html#creating-and-registering-a-runner +## +# runnerRegistrationToken: "" + +## The Runner Token for adding new Runners to the GitLab Server. This must +## be retreived from your GitLab Instance. It is token of already registered runner. +## ref: (we don't yet have docs for that, but we want to use existing token) +## +# runnerToken: "" + +## Unregister all runners before termination +## +## Updating the runner's chart version or configuration will cause the runner container +## to be terminated and created again. This may cause your Gitlab instance to reference +## non-existant runners. Un-registering the runner before termination mitigates this issue. +## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister +## +unregisterRunners: true + +## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use +## Provide resource name for a Kubernetes Secret Object in the same namespace, +## this is used to populate the /etc/gitlab-runner/certs directory +## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates +## +# certsSecretName: + +## Configure the maximum number of concurrent jobs +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +concurrent: 10 + +## Defines in seconds how often to check GitLab for a new builds +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +checkInterval: 30 + +## For RBAC support: +rbac: + create: false + + ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs + ## cluster-wide or only within namespace + clusterWideAccess: false + + ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) + ## + # serviceAccountName: default + +## Configuration for the Pods that that the runner launches for each new job +## +runners: + ## Default container image to use for builds when none is specified + ## + image: ubuntu:16.04 + + ## Specify one or more imagePullSecrets + ## + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # imagePullSecrets: [] + + ## Run all containers with the privileged flag enabled + ## This will allow the docker:dind image to run if you need to run Docker + ## commands. Please read the docs before turning this on: + ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-docker-dind + ## + privileged: false + + ## Namespace to run Kubernetes jobs in (defaults to the same namespace of this release) + ## + # namespace: + + ## Distributed runners caching + ## ref: https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs/configuration/autoscale.md#distributed-runners-caching + ## + ## Create a secret 's3access' containing 'accessKey' & 'secretKey' + ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/ + ## + ## $ kubectl create secret generic s3access --\ + ## --from-literal=accessKey="YourAccessKey" \ + ## --from-literal=secretKey="YourSecretKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + cache: {} + # cacheType: s3 + # s3ServerAddress: s3.amazonaws.com + # s3BucketName: + # s3BucketLocation: + # s3CacheInsecure: false + # s3CachePath: "gitlab_runner" + # cacheShared: true + + ## Build Container specific configuration + ## + builds: {} + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + + ## Service Container specific configuration + ## + services: {} + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + + ## Helper Container specific configuration + ## + helpers: {} + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: {} + # limits: + # memory: 256Mi + # cpu: 200m + # requests: + # memory: 128Mi + # cpu: 100m diff --git a/kubernetes/Charts/gitlab-omnibus/requirements.lock b/kubernetes/Charts/gitlab-omnibus/requirements.lock new file mode 100644 index 0000000..8e8f4d7 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: gitlab-runner + repository: https://charts.gitlab.io/ + version: 0.1.13 +digest: sha256:0aee2695db7d33f0d894372aedde81e5675c72ac058393f3c0f29182b15b5065 +generated: "2020-09-14T21:18:20.37876832Z" diff --git a/kubernetes/Charts/gitlab-omnibus/requirements.yaml b/kubernetes/Charts/gitlab-omnibus/requirements.yaml new file mode 100644 index 0000000..a13ac14 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: +- name: gitlab-runner + version: 0.1.13 + repository: https://charts.gitlab.io/ diff --git a/kubernetes/Charts/gitlab-omnibus/templates/NOTES.txt b/kubernetes/Charts/gitlab-omnibus/templates/NOTES.txt new file mode 100644 index 0000000..410e5fc --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/NOTES.txt @@ -0,0 +1,28 @@ +{{- if and (default "" .Values.baseDomain) (default "" .Values.legoEmail) }} + It may take several minutes for GitLab to reconfigure. + You can watch the status by running `kubectl get deployment -w {{ template "fullname" . }} --namespace {{ .Release.Namespace }} + + {{- if .Values.baseIP }} + Make sure to configure DNS with something like: + *.{{ .Values.baseDomain }} 300 IN A {{ .Values.baseIP }} + {{- else }} + You did not specify a baseIP so one will be assigned for you. + It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc -w --namespace nginx-ingress nginx', then: + + export SERVICE_IP=$(kubectl get svc --namespace nginx-ingress nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + + Then make sure to configure DNS with something like: + *.{{ .Values.baseDomain }} 300 IN A $SERVICE_IP + {{- end }} +{{- else }} +#################################################################################################### +## WARNING: You did not specify an baseDomain, gitlab-runner.gitlabUrl, and legoEmail in your 'helm install' call. ## +#################################################################################################### + +This deployment will be incomplete until you provide these variables: + +$ helm upgrade {{ .Release.Name }} \ + --set baseDomain=example.com,gitlab-runner.gitlabUrl=https://gitlab.example.com,legoEmail=you@example.com \ + gitlab/kubernetes-gitlab-demo +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/_helpers.tpl b/kubernetes/Charts/gitlab-omnibus/templates/_helpers.tpl new file mode 100644 index 0000000..5dfb005 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/_helpers.tpl @@ -0,0 +1,45 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified postgresql name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.fullname" -}} +{{- $appName := (include "fullname" .) | trunc 54 | trimSuffix "-" -}} +{{- printf "%s-%s" $appName "postgresql" -}} +{{- end -}} + +{{/* +Create a default fully qualified redis name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "redis.fullname" -}} +{{- $appName := (include "fullname" .) | trunc 57 | trimSuffix "-" -}} +{{- printf "%s-%s" $appName "redis" -}} +{{- end -}} + +{{/* +Template for outputing the gitlabUrl +*/}} +{{- define "gitlabUrl" -}} +{{- if .Values.gitlabUrl -}} +{{- .Values.gitlabUrl | quote -}} +{{- else -}} +{{- printf "http://%s-gitlab.%s:8005/" .Release.Name .Release.Namespace | quote -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/fast-storage/storage.yaml b/kubernetes/Charts/gitlab-omnibus/templates/fast-storage/storage.yaml new file mode 100644 index 0000000..b692811 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/fast-storage/storage.yaml @@ -0,0 +1,20 @@ +{{- if (eq .Values.provider "gke") }} +kind: StorageClass +apiVersion: {{ if .Capabilities.APIVersions.Has "storage.k8s.io/v1" }}storage.k8s.io/v1{{ else }}storage.k8s.io/v1beta1{{ end }} +metadata: + name: {{ template "fullname" . }}-fast + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + storageclass.beta.kubernetes.io/is-default-class: "false" + labels: + kubernetes.io/cluster-service: "true" +{{- if eq .Values.provider "gke" }} +provisioner: kubernetes.io/gce-pd +parameters: + type: pd-ssd +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab-config.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab-config.yaml new file mode 100644 index 0000000..8d83a47 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab-config.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-config + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + external_scheme: https + external_hostname: gitlab.{{ .Values.baseDomain }} + registry_external_scheme: https + registry_external_hostname: registry.{{ .Values.baseDomain }} + mattermost_external_scheme: https + mattermost_external_hostname: mattermost.{{ .Values.baseDomain }} + mattermost_app_uid: {{ .Values.mattermostAppUID }} + postgres_user: gitlab + postgres_db: gitlab_production + pages_external_scheme: {{ .Values.pagesExternalScheme }} + pages_external_domain: {{ .Values.pagesExternalDomain }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "fullname" . }}-secrets + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + postgres_password: {{ .Values.postgresPassword }} + initial_shared_runners_registration_token: {{ default "" .Values.initialSharedRunnersRegistrationToken | b64enc | quote }} + mattermost_app_secret: {{ .Values.mattermostAppSecret | b64enc | quote }} +{{- if .Values.gitlabEELicense }} + gitlab_ee_license: {{ .Values.gitlabEELicense | b64enc | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-config-storage.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-config-storage.yaml new file mode 100644 index 0000000..1ec6c38 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-config-storage.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "fullname" . }}-config-storage + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + {{- if .Values.gitlabConfigStorageClass }} + volume.beta.kubernetes.io/storage-class: {{ .Values.gitlabConfigStorageClass | quote }} + {{- else if (eq .Values.provider "gke") }} + volume.beta.kubernetes.io/storage-class: {{ template "fullname" . }}-fast + {{- else }} + volume.alpha.kubernetes.io/storage-class: default + {{- end }} +spec: + accessModes: + - {{ default "ReadWriteOnce" .Values.gitlabConfigAccessMode | quote }} + resources: + requests: + storage: {{ default "1Gi" .Values.gitlabConfigStorageSize }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-deployment.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-deployment.yaml new file mode 100644 index 0000000..606656f --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-deployment.yaml @@ -0,0 +1,246 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: 1 + template: + metadata: + labels: + app: {{ template "fullname" . }} + name: {{ template "fullname" . }} + spec: + containers: + - name: gitlab + {{- if eq .Values.gitlab "ee" }} + image: {{ .Values.gitlabEEImage }} + {{- else }} + image: {{ .Values.gitlabCEImage }} + {{- end }} + imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-c", + "sed -i \"s/environment ({'GITLAB_ROOT_PASSWORD' => initial_root_password }) if initial_root_password/environment ({'GITLAB_ROOT_PASSWORD' => initial_root_password, 'GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN' => node['gitlab']['gitlab-rails']['initial_shared_runners_registration_token'] })/g\" /opt/gitlab/embedded/cookbooks/gitlab/recipes/database_migrations.rb && echo 'gitlab-omnibus-helm-chart' > /opt/gitlab/embedded/service/gitlab-rails/INSTALLATION_TYPE && exec /assets/wrapper"] + env: + - name: GITLAB_EXTERNAL_SCHEME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: external_scheme + - name: GITLAB_EXTERNAL_HOSTNAME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: external_hostname + - name: GITLAB_REGISTRY_EXTERNAL_SCHEME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: registry_external_scheme + - name: GITLAB_REGISTRY_EXTERNAL_HOSTNAME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: registry_external_hostname + - name: GITLAB_MATTERMOST_EXTERNAL_SCHEME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: mattermost_external_scheme + - name: GITLAB_MATTERMOST_EXTERNAL_HOSTNAME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: mattermost_external_hostname + - name: POSTGRES_USER + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: postgres_user + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }}-secrets + key: postgres_password + - name: POSTGRES_DB + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: postgres_db + - name: GITLAB_INITIAL_SHARED_RUNNERS_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }}-secrets + key: initial_shared_runners_registration_token + - name: MATTERMOST_APP_UID + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: mattermost_app_uid + - name: MATTERMOST_APP_SECRET + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }}-secrets + key: mattermost_app_secret + {{- if .Values.gitlabEELicense }} + - name: GITLAB_EE_LICENSE + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }}-secrets + key: gitlab_ee_license + {{- end }} + {{- if and .Values.pagesExternalScheme .Values.pagesExternalDomain }} + - name: PAGES_EXTERNAL_SCHEME + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: pages_external_scheme + - name: PAGES_EXTERNAL_DOMAIN + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: pages_external_domain + {{- end }} + - name: GITLAB_OMNIBUS_CONFIG + value: | + external_url "#{ENV['GITLAB_EXTERNAL_SCHEME']}://#{ENV['GITLAB_EXTERNAL_HOSTNAME']}" + registry_external_url "#{ENV['GITLAB_REGISTRY_EXTERNAL_SCHEME']}://#{ENV['GITLAB_REGISTRY_EXTERNAL_HOSTNAME']}" + mattermost_external_url "#{ENV['GITLAB_MATTERMOST_EXTERNAL_SCHEME']}://#{ENV['GITLAB_MATTERMOST_EXTERNAL_HOSTNAME']}" + + gitlab_rails['initial_shared_runners_registration_token'] = ENV['GITLAB_INITIAL_SHARED_RUNNERS_REGISTRATION_TOKEN'] + + nginx['enable'] = false + registry_nginx['enable'] = false + mattermost_nginx['enable'] = false + + gitlab_workhorse['listen_network'] = 'tcp' + gitlab_workhorse['listen_addr'] = '0.0.0.0:8005' + + mattermost['service_address'] = '0.0.0.0' + mattermost['service_port'] = '8065' + + registry['registry_http_addr'] = '0.0.0.0:8105' + + postgresql['enable'] = false + gitlab_rails['db_host'] = '{{ template "postgresql.fullname" . }}' + gitlab_rails['db_password'] = ENV['POSTGRES_PASSWORD'] + gitlab_rails['db_username'] = ENV['POSTGRES_USER'] + gitlab_rails['db_database'] = ENV['POSTGRES_DB'] + + redis['enable'] = false + gitlab_rails['redis_host'] = '{{ template "redis.fullname" . }}' + + mattermost['file_directory'] = '/gitlab-data/mattermost'; + mattermost['sql_driver_name'] = 'postgres'; + mattermost['sql_data_source'] = "user=#{ENV['POSTGRES_USER']} host={{ template "postgresql.fullname" . }} port=5432 dbname=mattermost_production password=#{ENV['POSTGRES_PASSWORD']} sslmode=disable"; + mattermost['gitlab_enable'] = true; + mattermost['gitlab_secret'] = ENV['MATTERMOST_APP_SECRET']; + mattermost['gitlab_id'] = ENV['MATTERMOST_APP_UID']; + mattermost['gitlab_scope'] = ''; + mattermost['gitlab_auth_endpoint'] = "#{ENV['GITLAB_EXTERNAL_SCHEME']}://#{ENV['GITLAB_EXTERNAL_HOSTNAME']}/oauth/authorize"; + mattermost['gitlab_token_endpoint'] = "#{ENV['GITLAB_EXTERNAL_SCHEME']}://#{ENV['GITLAB_EXTERNAL_HOSTNAME']}/oauth/token"; + mattermost['gitlab_user_api_endpoint'] = "#{ENV['GITLAB_EXTERNAL_SCHEME']}://#{ENV['GITLAB_EXTERNAL_HOSTNAME']}/api/v4/user" + + manage_accounts['enable'] = true + manage_storage_directories['manage_etc'] = false + + if ENV['PAGES_EXTERNAL_SCHEME'] && ENV['PAGES_EXTERNAL_DOMAIN'] + pages_external_url "#{ENV['PAGES_EXTERNAL_SCHEME']}://#{ENV['PAGES_EXTERNAL_DOMAIN']}/" + gitlab_pages['enable'] = true + gitlab_pages['listen_proxy'] = "0.0.0.0:8090" + end + + gitlab_shell['auth_file'] = '/gitlab-data/ssh/authorized_keys' + git_data_dirs({ "default" => { "path" => "/gitlab-data/git-data" } }) + gitlab_rails['shared_path'] = '/gitlab-data/shared' + gitlab_rails['uploads_directory'] = '/gitlab-data/uploads' + gitlab_ci['builds_directory'] = '/gitlab-data/builds' + gitlab_rails['registry_path'] = '/gitlab-registry' + gitlab_rails['trusted_proxies'] = ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"] + + prometheus['listen_address'] = '0.0.0.0:9090' + postgres_exporter['enable'] = true + postgres_exporter['env'] = { + 'DATA_SOURCE_NAME' => "user=#{ENV['POSTGRES_USER']} host={{ template "postgresql.fullname" . }} port=5432 dbname=#{ENV['POSTGRES_DB']} password=#{ENV['POSTGRES_PASSWORD']} sslmode=disable" + } + redis_exporter['enable'] = true + redis_exporter['flags'] = { + 'redis.addr' => "{{ template "redis.fullname" . }}:6379", + } + +{{ .Values.omnibusConfigRuby | default "" | indent 12 }} + - name: GITLAB_POST_RECONFIGURE_CODE + value: | + include Gitlab::CurrentSettings + + Doorkeeper::Application.where(uid: ENV["MATTERMOST_APP_UID"]).first_or_create( + name: "GitLab Mattermost", + secret: ENV["MATTERMOST_APP_SECRET"], + redirect_uri: "#{ENV["GITLAB_MATTERMOST_EXTERNAL_SCHEME"]}://#{ENV["GITLAB_MATTERMOST_EXTERNAL_HOSTNAME"]}/signup/gitlab/complete\r\n#{ENV["GITLAB_MATTERMOST_EXTERNAL_SCHEME"]}://#{ENV["GITLAB_MATTERMOST_EXTERNAL_HOSTNAME"]}/login/gitlab/complete") + + PrometheusService.where(template: true).first_or_create( + active: true, api_url: "http://localhost:9090") + + KubernetesService.where(template: true).first_or_create( + active: true, + api_url: "https://#{ENV["KUBERNETES_SERVICE_HOST"]}:#{ENV["KUBERNETES_SERVICE_PORT"]}", + token: File.read("/var/run/secrets/kubernetes.io/serviceaccount/token"), + ca_pem: File.read("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")) + + Gitlab::CurrentSettings.current_application_settings.update_attribute(:health_check_access_token, '{{.Values.healthCheckToken}}') + + {{- if .Values.gitlabEELicense }} + License.first_or_create(data: "#{ENV["GITLAB_EE_LICENSE"]}") + {{- end }} + - name: GITLAB_POST_RECONFIGURE_SCRIPT + value: | + /opt/gitlab/bin/gitlab-rails runner -e production "$GITLAB_POST_RECONFIGURE_CODE" + ports: + - name: registry + containerPort: 8105 + - name: mattermost + containerPort: 8065 + - name: workhorse + containerPort: 8005 + - name: ssh + containerPort: 22 + - name: prometheus + containerPort: 9090 + {{- if and .Values.pagesExternalScheme .Values.pagesExternalDomain }} + - name: pages + containerPort: 8090 + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/gitlab + - name: data + mountPath: /gitlab-data + subPath: gitlab-data + - name: registry + mountPath: /gitlab-registry + livenessProbe: + httpGet: + path: /health_check?token={{.Values.healthCheckToken}} + port: 8005 + initialDelaySeconds: 180 + timeoutSeconds: 15 + readinessProbe: + httpGet: + path: /health_check?token={{.Values.healthCheckToken}} + port: 8005 + initialDelaySeconds: 15 + timeoutSeconds: 1 + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ template "fullname" . }}-storage + - name: registry + persistentVolumeClaim: + claimName: {{ template "fullname" . }}-registry-storage + - name: config + persistentVolumeClaim: + claimName: {{ template "fullname" . }}-config-storage diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-storage.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-storage.yaml new file mode 100644 index 0000000..45fd8eb --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-storage.yaml @@ -0,0 +1,48 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "fullname" . }}-storage + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + {{- if .Values.gitlabDataStorageClass }} + volume.beta.kubernetes.io/storage-class: {{ .Values.gitlabDataStorageClass | quote }} + {{- else if (eq .Values.provider "gke") }} + volume.beta.kubernetes.io/storage-class: {{ template "fullname" . }}-fast + {{- else }} + volume.alpha.kubernetes.io/storage-class: default + {{- end }} +spec: + accessModes: + - {{ default "ReadWriteOnce" .Values.gitlabDataAccessMode | quote }} + resources: + requests: + # Fallback to supporting older value: gitlabRailsStorageSize when the new one is not set + storage: {{ coalesce .Values.gitlabDataStorageSize .Values.gitlabRailsStorageSize "30Gi" }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "fullname" . }}-registry-storage + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + {{- if .Values.gitlabRegistryStorageClass }} + volume.beta.kubernetes.io/storage-class: {{ .Values.gitlabRegistryStorageClass | quote }} + {{- else if (eq .Values.provider "gke") }} + volume.beta.kubernetes.io/storage-class: {{ template "fullname" . }}-fast + {{- else }} + volume.alpha.kubernetes.io/storage-class: default + {{- end }} +spec: + accessModes: + - {{ default "ReadWriteOnce" .Values.gitlabRegistryAccessMode | quote }} + resources: + requests: + storage: {{ default "30Gi" .Values.gitlabRegistryStorageSize }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-svc.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-svc.yaml new file mode 100644 index 0000000..a273157 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/gitlab-svc.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + selector: + name: {{ template "fullname" . }} + ports: + - name: ssh + port: 22 + targetPort: ssh + - name: mattermost + port: 8065 + targetPort: mattermost + - name: registry + port: 8105 + targetPort: registry + - name: workhorse + port: 8005 + targetPort: workhorse + - name: prometheus + port: 9090 + targetPort: prometheus + {{- if and .Values.pagesExternalScheme .Values.pagesExternalDomain}} + - name: pages + port: 8090 + targetPort: pages + {{- end }} + - name: web + port: 80 + targetPort: workhorse diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-configmap.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-configmap.yaml new file mode 100644 index 0000000..a965a0e --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-initdb + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + 01_create_mattermost_production.sql: | + CREATE DATABASE mattermost_production WITH OWNER gitlab; diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-deployment.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-deployment.yaml new file mode 100644 index 0000000..5ddd4ba --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-deployment.yaml @@ -0,0 +1,78 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: 1 + template: + metadata: + labels: + app: {{ template "fullname" . }} + name: {{ template "postgresql.fullname" . }} + spec: + containers: + - name: postgresql + image: {{ .Values.postgresImage }} + imagePullPolicy: IfNotPresent + env: + - name: POSTGRES_USER + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: postgres_user + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }}-secrets + key: postgres_password + - name: POSTGRES_DB + valueFrom: + configMapKeyRef: + name: {{ template "fullname" . }}-config + key: postgres_db + - name: DB_EXTENSION + value: pg_trgm + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + ports: + - name: postgres + containerPort: 5432 + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: data + subPath: postgres + - mountPath: /docker-entrypoint-initdb.d + name: initdb + readOnly: true + livenessProbe: + exec: + command: + - pg_isready + - -h + - localhost + - -U + - postgres + initialDelaySeconds: 30 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - pg_isready + - -h + - localhost + - -U + - postgres + initialDelaySeconds: 5 + timeoutSeconds: 1 + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ if .Values.postgresDedicatedStorage }} {{ template "postgresql.fullname" . }}-storage {{ else }} {{ template "fullname" . }}-storage {{ end }} + - name: initdb + configMap: + name: {{ template "postgresql.fullname" . }}-initdb diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-storage.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-storage.yaml new file mode 100644 index 0000000..71ce994 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-storage.yaml @@ -0,0 +1,25 @@ +{{- if .Values.postgresDedicatedStorage }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "postgresql.fullname" . }}-storage + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + {{- if .Values.postgresStorageClass }} + volume.beta.kubernetes.io/storage-class: {{ .Values.postgresStorageClass | quote }} + {{- else if (eq .Values.provider "gke") }} + volume.beta.kubernetes.io/storage-class: {{ template "fullname" . }}-fast + {{- else }} + volume.alpha.kubernetes.io/storage-class: default + {{- end }} +spec: + accessModes: + - {{ default "ReadWriteOnce" .Values.postgresAccessMode | quote }} + resources: + requests: + storage: {{ default "30Gi" .Values.postgresStorageSize }} +{{- end }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-svc.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-svc.yaml new file mode 100644 index 0000000..b9d3171 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/postgresql-svc.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + ports: + - name: postgres + port: 5432 + targetPort: postgres + selector: + name: {{ template "postgresql.fullname" . }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-deployment.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-deployment.yaml new file mode 100644 index 0000000..c3c8dd5 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-deployment.yaml @@ -0,0 +1,46 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "redis.fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: 1 + template: + metadata: + labels: + name: {{ template "redis.fullname" . }} + app: {{ template "fullname" . }} + spec: + containers: + - name: redis + image: {{ .Values.redisImage }} + imagePullPolicy: IfNotPresent + ports: + - name: redis + containerPort: 6379 + volumeMounts: + - mountPath: /var/lib/redis + name: data + subPath: redis + livenessProbe: + exec: + command: + - redis-cli + - ping + initialDelaySeconds: 30 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - redis-cli + - ping + initialDelaySeconds: 5 + timeoutSeconds: 1 + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ if .Values.redisDedicatedStorage }} {{ template "redis.fullname" . }}-storage {{ else }} {{ template "fullname" . }}-storage {{ end }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-storage.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-storage.yaml new file mode 100644 index 0000000..6c1cbdc --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-storage.yaml @@ -0,0 +1,25 @@ +{{- if .Values.redisDedicatedStorage }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "redis.fullname" . }}-storage + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + {{- if .Values.redisStorageClass }} + volume.beta.kubernetes.io/storage-class: {{ .Values.redisStorageClass | quote }} + {{- else if (eq .Values.provider "gke") }} + volume.beta.kubernetes.io/storage-class: {{ template "fullname" . }}-fast + {{- else }} + volume.alpha.kubernetes.io/storage-class: default + {{- end }} +spec: + accessModes: + - {{ default "ReadWriteOnce" .Values.redisAccessMode | quote }} + resources: + requests: + storage: {{ default "5Gi" .Values.redisStorageSize }} +{{- end }} diff --git a/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-svc.yaml b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-svc.yaml new file mode 100644 index 0000000..a039c7d --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/gitlab/redis-svc.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "redis.fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + selector: + name: {{ template "redis.fullname" . }} + ports: + - name: redis + port: 6379 + targetPort: redis diff --git a/kubernetes/Charts/gitlab-omnibus/templates/ingress/gitlab-ingress.yaml b/kubernetes/Charts/gitlab-omnibus/templates/ingress/gitlab-ingress.yaml new file mode 100644 index 0000000..57e4984 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/ingress/gitlab-ingress.yaml @@ -0,0 +1,50 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: "nginx" +spec: + tls: + - hosts: + - gitlab.{{ .Values.baseDomain }} + - registry.{{ .Values.baseDomain }} + - mattermost.{{ .Values.baseDomain }} + - prometheus.{{ .Values.baseDomain }} + secretName: gitlab-tls + rules: + - host: gitlab.{{ .Values.baseDomain }} + http: + paths: + - path: / + backend: + serviceName: {{ template "fullname" . }} + servicePort: 8005 + - host: registry.{{ .Values.baseDomain }} + http: + paths: + - path: / + backend: + serviceName: {{ template "fullname" . }} + servicePort: 8105 + - host: mattermost.{{ .Values.baseDomain }} + http: + paths: + - path: / + backend: + serviceName: {{ template "fullname" . }} + servicePort: 8065 + - host: prometheus.{{ .Values.baseDomain }} + http: + paths: + - path: / + backend: + serviceName: {{ template "fullname" . }} + servicePort: 9090 +--- diff --git a/kubernetes/Charts/gitlab-omnibus/templates/ingress/gitlab-pages-ingress.yaml b/kubernetes/Charts/gitlab-omnibus/templates/ingress/gitlab-pages-ingress.yaml new file mode 100644 index 0000000..34cbf75 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/ingress/gitlab-pages-ingress.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.pagesExternalScheme .Values.pagesExternalDomain}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ template "fullname" . }}-pages + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + annotations: + kubernetes.io/ingress.class: "nginx" +spec: + {{- if .Values.pagesTlsSecret }} + tls: + - hosts: + - "*.{{ .Values.pagesExternalDomain }}" + secretName: {{ .Values.pagesTlsSecret }} + {{- end }} + rules: + - host: "*.{{ .Values.pagesExternalDomain }}" + http: + paths: + - path: / + backend: + serviceName: {{ template "fullname" . }} + servicePort: 8090 +{{- end }} +--- diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/00-namespace.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/00-namespace.yaml new file mode 100644 index 0000000..be95521 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/00-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kube-lego diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/configmap.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/configmap.yaml new file mode 100644 index 0000000..0b8c74e --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +metadata: + name: kube-lego + namespace: kube-lego +data: + # modify this to specify your address + lego.email: "{{ .Values.legoEmail }}" + # configure letencrypt's production api + lego.url: "https://acme-v01.api.letsencrypt.org/directory" +kind: ConfigMap diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/deployment.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/deployment.yaml new file mode 100644 index 0000000..eb623a8 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/lego/deployment.yaml @@ -0,0 +1,43 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: kube-lego + namespace: kube-lego +spec: + replicas: 1 + template: + metadata: + labels: + app: kube-lego + spec: + containers: + - name: kube-lego + image: jetstack/kube-lego:0.1.6 + imagePullPolicy: Always + ports: + - containerPort: 8080 + env: + - name: LEGO_EMAIL + valueFrom: + configMapKeyRef: + name: kube-lego + key: lego.email + - name: LEGO_URL + valueFrom: + configMapKeyRef: + name: kube-lego + key: lego.url + - name: LEGO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LEGO_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + readinessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 1 diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/00-namespace.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/00-namespace.yaml new file mode 100644 index 0000000..4b60fec --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/00-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-ingress diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/configmap.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/configmap.yaml new file mode 100644 index 0000000..e85a70f --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/configmap.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + proxy-connect-timeout: "15" + proxy-read-timeout: "600" + proxy-send-timeout: "600" + hsts-include-subdomains: "false" + proxy-body-size: "1024m" + server-name-hash-bucket-size: "256" + enable-vts-status: "true" +kind: ConfigMap +metadata: + namespace: nginx-ingress + name: nginx diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/daemonset.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/daemonset.yaml new file mode 100644 index 0000000..0e6a356 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/daemonset.yaml @@ -0,0 +1,45 @@ +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: nginx + namespace: nginx-ingress +spec: + template: + metadata: + labels: + app: nginx + annotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + spec: + containers: + - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11 + name: nginx + imagePullPolicy: Always + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + livenessProbe: + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 22 + - containerPort: 18080 + - containerPort: 10254 + args: + - /nginx-ingress-controller + - --default-backend-service=nginx-ingress/default-http-backend + - --configmap=nginx-ingress/nginx + - --tcp-services-configmap=nginx-ingress/tcp-ports diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/default-deployment.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/default-deployment.yaml new file mode 100644 index 0000000..ab92454 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/default-deployment.yaml @@ -0,0 +1,34 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: default-http-backend + namespace: nginx-ingress +spec: + replicas: 1 + template: + metadata: + labels: + app: default-http-backend + spec: + containers: + - name: default-http-backend + # Any image is permissable as long as: + # 1. It serves a 404 page at / + # 2. It serves 200 on a /healthz endpoint + image: gcr.io/google_containers/defaultbackend:1.0 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/default-service.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/default-service.yaml new file mode 100644 index 0000000..d9db408 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/default-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: default-http-backend + namespace: nginx-ingress +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + selector: + app: default-http-backend diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/service.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/service.yaml new file mode 100644 index 0000000..41644e1 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: nginx + namespace: nginx-ingress + annotations: + service.beta.kubernetes.io/external-traffic: "OnlyLocal" +spec: + type: LoadBalancer +{{- if .Values.baseIP }} + loadBalancerIP: {{ .Values.baseIP }} +{{- end }} + ports: + - port: 80 + name: http + - port: 443 + name: https + - port: 22 + name: git + selector: + app: nginx +apiVersion: v1 diff --git a/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/tcp-configmap.yaml b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/tcp-configmap.yaml new file mode 100644 index 0000000..af26e5b --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/templates/load-balancer/nginx/tcp-configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: tcp-ports + namespace: nginx-ingress +data: + 22: "{{ .Release.Namespace }}/{{ template "fullname" . }}:22" diff --git a/kubernetes/Charts/gitlab-omnibus/values.yaml b/kubernetes/Charts/gitlab-omnibus/values.yaml new file mode 100644 index 0000000..f22d008 --- /dev/null +++ b/kubernetes/Charts/gitlab-omnibus/values.yaml @@ -0,0 +1,110 @@ +# Default values for kubernetes-gitlab-demo. +# This is a YAML-formatted file. + +# Required variables + +# baseDomain is the top-most part of the domain. Subdomains will be generated +# for gitlab, mattermost, registry, and prometheus. +# Recommended to set up an A record on the DNS to *.your-domain.com to point to +# the baseIP +# e.g. *.your-domain.com. A 300 baseIP +#baseDomain: your-domain.com + +# legoEmail is a valid email address used by Let's Encrypt. It does not have to +# be at the baseDomain. +#legoEmail: you@example.com + +# Optional variables +# baseIP is an externally provisioned static IP address to use instead of the provisioned one. +#baseIP: 1.1.1.1 +nameOverride: gitlab +# `ce` or `ee` +gitlab: ce +gitlabCEImage: gitlab/gitlab-ce:10.6.2-ce.0 +gitlabEEImage: gitlab/gitlab-ee:10.6.2-ee.0 +postgresPassword: NDl1ZjNtenMxcWR6NXZnbw== +initialSharedRunnersRegistrationToken: "tQtCbx5UZy_ByS7FyzUH" +mattermostAppSecret: NDl1ZjNtenMxcWR6NXZnbw== +mattermostAppUID: aadas +redisImage: redis:3.2.10 +redisDedicatedStorage: true +#redisStorageSize: 5Gi +redisAccessMode: ReadWriteOnce +postgresImage: postgres:9.6.5 +# If you disable postgresDedicatedStorage, you should consider bumping up gitlabRailsStorageSize +postgresDedicatedStorage: true +postgresAccessMode: ReadWriteOnce +#postgresStorageSize: 30Gi +gitlabDataAccessMode: ReadWriteOnce +#gitlabDataStorageSize: 30Gi +gitlabRegistryAccessMode: ReadWriteOnce +#gitlabRegistryStorageSize: 30Gi +gitlabConfigAccessMode: ReadWriteOnce +#gitlabConfigStorageSize: 1Gi +gitlabRunnerImage: gitlab/gitlab-runner:alpine-v10.6.0 +# Valid values for provider are `gke` for Google Container Engine. Leaving it blank (or any othervalue) will disable fast disk options. +provider: gke + +# Gitlab pages +# The following 3 lines are needed to enable gitlab pages. +# pagesExternalScheme: http +# pagesExternalDomain: your-pages-domain.com +# pagesTlsSecret: gitlab-pages-tls # An optional reference to a tls secret to use in pages + +## Storage Class Options +## If defined, volume.beta.kubernetes.io/storage-class: +## If not defined, but provider is gke, will use SSDs +## Otherwise default: volume.alpha.kubernetes.io/storage-class: default +#gitlabConfigStorageClass: default +#gitlabDataStorageClass: default +#gitlabRegistryStorageClass: default +#postgresStorageClass: default +#redisStorageClass: default + +healthCheckToken: 'SXBAQichEJasbtDSygrD' +# Optional, for GitLab EE images only +#gitlabEELicense: base64-encoded-license + +# Additional omnibus configuration, +# see https://docs.gitlab.com/omnibus/settings/configuration.html +# for possible configuration options +#omnibusConfigRuby: | +# gitlab_rails['smtp_enable'] = true +# gitlab_rails['smtp_address'] = "smtp.example.org" + +gitlab-runner: + checkInterval: 1 + # runnerRegistrationToken must equal initialSharedRunnersRegistrationToken + runnerRegistrationToken: "tQtCbx5UZy_ByS7FyzUH" + # resources: + # limits: + # memory: 500Mi + # cpu: 600m + # requests: + # memory: 500Mi + # cpu: 600m + runners: + privileged: true + ## Build Container specific configuration + ## + # builds: + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + + ## Service Container specific configuration + ## + # services: + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + + ## Helper Container specific configuration + ## + # helpers: + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi diff --git a/kubernetes/Charts/gitlab-runner b/kubernetes/Charts/gitlab-runner new file mode 160000 index 0000000..eb13342 --- /dev/null +++ b/kubernetes/Charts/gitlab-runner @@ -0,0 +1 @@ +Subproject commit eb133421ec2cea448fe81fc28a67feeb622f54ce diff --git a/kubernetes/Charts/gitlab-runner-values.yaml b/kubernetes/Charts/gitlab-runner-values.yaml new file mode 100644 index 0000000..70eab07 --- /dev/null +++ b/kubernetes/Charts/gitlab-runner-values.yaml @@ -0,0 +1,12 @@ +# gitlabUrl: https://gitlab.reddit.voytenkov.ru +# runnerToken: "glrt-_6P_DRxkFCxbo5BsFUKV" +concurrent: 10 +rbac: + create: true +runners: + config: | + [[runners]] + executor = "kubernetes" + [runners.kubernetes] + image = "ubuntu:20.04" + privileged = true diff --git a/kubernetes/Charts/gitlab-values.yaml b/kubernetes/Charts/gitlab-values.yaml new file mode 100644 index 0000000..fe23503 --- /dev/null +++ b/kubernetes/Charts/gitlab-values.yaml @@ -0,0 +1,23 @@ +global: + hosts: + domain: reddit.voytenkov.ru +certmanager-issuer: + email: admin@reddit.voytenkov.ru +gitlab-runner: + runners: + config: | + [[runners]] + [runners.kubernetes] + image = "ubuntu:22.04" + privileged = true + {{- if .Values.global.minio.enabled }} + [runners.cache] + Type = "s3" + Path = "gitlab-runner" + Shared = true + [runners.cache.s3] + ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }} + BucketName = "runner-cache" + BucketLocation = "us-east-1" + Insecure = false + {{ end }} diff --git a/kubernetes/Charts/gitlab/CHANGELOG.md b/kubernetes/Charts/gitlab/CHANGELOG.md new file mode 100644 index 0000000..19e8f76 --- /dev/null +++ b/kubernetes/Charts/gitlab/CHANGELOG.md @@ -0,0 +1,5043 @@ +**Note:** This file is automatically generated. Please see the [developer +documentation](doc/development/changelog.md) for instructions on adding your own +entry. + +## 7.6.0 (2023-11-15) + +### Fixed (2 changes) + +- [Add custom static IP key for Geo NGINX controller](gitlab-org/charts/gitlab@e68ef0041ce05615acdff3cfb87da5c005f92ee0) ([merge request](gitlab-org/charts/gitlab!3407)) +- [Fix runner secret templating](gitlab-org/charts/gitlab@a974ffcbc415d49295b88455ffa09e8a7e16c9b1) ([merge request](gitlab-org/charts/gitlab!3445)) + +### Changed (10 changes) + +- [Update gitlab-org/container-registry from 3.85.0-gitlab to 3.86.1-gitlab](gitlab-org/charts/gitlab@2568a6d03fac5dcee08e80ee09e941fc7de0efcd) ([merge request](gitlab-org/charts/gitlab!3466)) +- [Update cert-manager/cert-manager from 1.12.5 to 1.12.6](gitlab-org/charts/gitlab@3b1164b195b831444c9f7baa7fa61b8a836cfe46) ([merge request](gitlab-org/charts/gitlab!3478)) +- [Update gitlab-org/container-registry from 3.85.0-gitlab to 3.86.0-gitlab](gitlab-org/charts/gitlab@639394504513cc18f5aaeedf0e676226087d1213) ([merge request](gitlab-org/charts/gitlab!3466)) +- [Update gitlab-org/charts/gitlab-runner from 0.58.1 to 0.58.2](gitlab-org/charts/gitlab@fa3f2024db1e9fbb31800c2a56ada5dd434f6a6a) ([merge request](gitlab-org/charts/gitlab!3465)) +- [Add k8s 1.26 to documented support and drop k8s 1.19](gitlab-org/charts/gitlab@9cbad96b5340c92f50a60899483b8f1da34a56bc) by @twk3 ([merge request](gitlab-org/charts/gitlab!3444)) +- [Update gitlab-org/gitlab-qa from 12.4.1 to 12.5.0](gitlab-org/charts/gitlab@94d93fdf1ef79af1355c41a978f0ee92b21c7dc8) ([merge request](gitlab-org/charts/gitlab!3450)) +- [Bump gitlab-exporter to version 13.4.1](gitlab-org/charts/gitlab@0c35e7baaf7fc72fac088205202a87c74be8e536) ([merge request](gitlab-org/charts/gitlab!3432)) +- [Update gitlab-org/charts/gitlab-runner from 0.57.1 to 0.58.1](gitlab-org/charts/gitlab@895ba3c786d3b303f804779feb7aa287eda61a21) ([merge request](gitlab-org/charts/gitlab!3445)) +- [Update cert-manager from 1.11.1 to 1.12.5](gitlab-org/charts/gitlab@033b69ed2429807aabbd94e89293938fc9bf6651) ([merge request](gitlab-org/charts/gitlab!3446)) +- [Update gitlab-org/charts/gitlab-runner from 0.57.1 to 0.58.0](gitlab-org/charts/gitlab@ba5295e5f2deeb93b126ca9da7b9f99d871de72f) ([merge request](gitlab-org/charts/gitlab!3445)) + +### Other (1 change) + +- [Deprecate namespace in mailroom.yml](gitlab-org/charts/gitlab@781a94d070a5ae221c33f1a31fdd9ecde15f2be6) ([merge request](gitlab-org/charts/gitlab!3419)) + +## 7.5.2 (2023-11-14) + +No changes. + +## 7.5.1 (2023-10-30) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.57.1 to 0.58.0](gitlab-org/security/charts/gitlab@f22baeb579a3ed2caa78ae1fefc7566ffd71f8db) + +## 7.5.0 (2023-10-20) + +### Added (1 change) + +- [Add template to guard Monitoring objects](gitlab-org/charts/gitlab@cd06e2a6c1ccbadf28cd85e7781fa27a0ff17628) ([merge request](gitlab-org/charts/gitlab!3390)) + +### Fixed (2 changes) + +- [Exclude HAProxy and Traefik templates when gitlab-shell is disabled](gitlab-org/charts/gitlab@4a3295dd4f63ff8895fe3bd70b5ece637e5e5ec4) by @jbblache ([merge request](gitlab-org/charts/gitlab!3433)) +- [Fix templating error in KEDA templates for Sidekiq and Web](gitlab-org/charts/gitlab@5611885e7e7720f1b9ce003f2893735863bfad18) ([merge request](gitlab-org/charts/gitlab!3425)) + +### Changed (7 changes) + +- [Update gitlab-org/container-registry from 3.84.0-gitlab to 3.85.0-gitlab](gitlab-org/charts/gitlab@529399631d87ce5108a205f990d3ed10b4acd9fb) ([merge request](gitlab-org/charts/gitlab!3436)) +- [Update gitlab-org/gitlab-exporter from 13.3.0 to 13.4.0](gitlab-org/charts/gitlab@ba51e4978ad00f1b8d16f76aa87463b7c462adc3) ([merge request](gitlab-org/charts/gitlab!3420)) +- [Update gitlab-org/charts/gitlab-runner from 0.57.0 to 0.57.1](gitlab-org/charts/gitlab@88fbdbfcf1176f660947756998496efeb3513ef1) ([merge request](gitlab-org/charts/gitlab!3423)) +- [Update gitlab-org/gitlab-exporter from 13.2.0 to 13.3.0](gitlab-org/charts/gitlab@2de53f8855fbff484b007a2a99485f2ec978b80c) ([merge request](gitlab-org/charts/gitlab!3413)) +- [Update gitlab-org/container-registry from 3.83.0-gitlab to 3.84.0-gitlab](gitlab-org/charts/gitlab@8d5c2d3386a9a576529fd72c934de704af1d484f) ([merge request](gitlab-org/charts/gitlab!3412)) +- [Update gitlab-org/charts/gitlab-runner from 0.56.0 to 0.57.0](gitlab-org/charts/gitlab@d8e4d0c39ce28a73fcf838f4c06ec0928f25a8f8) ([merge request](gitlab-org/charts/gitlab!3399)) +- [Update gitlab-org/charts/gitlab-runner from 0.56.0 to 0.56.1](gitlab-org/charts/gitlab@39351c74a18bf92d577bc675914a900e6c62eb89) ([merge request](gitlab-org/charts/gitlab!3399)) + +### Other (1 change) + +- [Enable dual-namespace polling for sidekiq probe in gitlab-exporter](gitlab-org/charts/gitlab@08e94769a6169bdc380e7d46b3ed300aa9c9cfab) ([merge request](gitlab-org/charts/gitlab!3388)) + +## 7.4.2 (2023-10-30) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.56.0 to 0.57.1](gitlab-org/security/charts/gitlab@31e21355635bd7767122652673cca0964d04bbd1) + +## 7.4.1 (2023-09-28) + +No changes. + +## 7.4.0 (2023-09-21) + +### Added (2 changes) + +- [Provide option to configure a separate workhorse redis](gitlab-org/charts/gitlab@9e99308a40948c35bf1173a1f54e55299d60ba8f) ([merge request](gitlab-org/charts/gitlab!3296)) +- [Support global image settings for Mailroom chart](gitlab-org/charts/gitlab@4c0e74693966166af1a45c2716a00b9aedbd45ee) ([merge request](gitlab-org/charts/gitlab!3362)) + +### Fixed (1 change) + +- [Restore default `registry.gc.disabled` key](gitlab-org/charts/gitlab@748eb0b168329d312aa63359af5223907b992d12) ([merge request](gitlab-org/charts/gitlab!3394)) + +### Changed (11 changes) + +- [Update gitlab-org/container-registry from 3.82.2-gitlab to 3.83.0-gitlab](gitlab-org/charts/gitlab@f132859596ad43ba618f852b89eddf5177c2759d) ([merge request](gitlab-org/charts/gitlab!3382)) +- [Update gitlab-org/gitlab-qa from 12.4.0 to 12.4.1](gitlab-org/charts/gitlab@3c1a462717ba873a5072310338707ef3ecbfcc19) ([merge request](gitlab-org/charts/gitlab!3381)) +- [Update gitlab-org/container-registry from 3.82.0-gitlab to 3.82.2-gitlab](gitlab-org/charts/gitlab@f7a02aaa7f43107f40f0fb3d2b693785d9af20d9) ([merge request](gitlab-org/charts/gitlab!3374)) +- [Warning user when a non-prod ready subchart is enabled](gitlab-org/charts/gitlab@c16b8a41795a3ff5615a883273913f2f6c225fc5) ([merge request](gitlab-org/charts/gitlab!3352)) +- [Update gitlab-org/container-registry from 3.80.0-gitlab to 3.82.0-gitlab](gitlab-org/charts/gitlab@dc78559c740fb9032a7def8820b54624fbfb5e61) ([merge request](gitlab-org/charts/gitlab!3366)) +- [Update gitlab-org/container-registry from 3.80.0-gitlab to 3.81.0-gitlab](gitlab-org/charts/gitlab@854e9ece8b8fbc2a4344853dcfd6485a7e4663d5) ([merge request](gitlab-org/charts/gitlab!3366)) +- [Update gitlab-org/gitlab-qa from 12.3.0 to 12.4.0](gitlab-org/charts/gitlab@c82d7d57cfae2cf93e9f8cca5dae80ead440a467) ([merge request](gitlab-org/charts/gitlab!3365)) +- [Enforce upgrade stop at 7.3/16.3](gitlab-org/charts/gitlab@46a2f45016f7440849cb7d60fd2427076d0d058a) ([merge request](gitlab-org/charts/gitlab!3342)) +- [Update gitlab-org/charts/gitlab-runner from 0.55.0 to 0.56.0](gitlab-org/charts/gitlab@f14cbc58591049e3e035ee5396b2f096207c4f24) ([merge request](gitlab-org/charts/gitlab!3350)) +- [Update gitlab-org/container-registry from 3.79.0-gitlab to 3.80.0-gitlab](gitlab-org/charts/gitlab@7f61401aaa147497b4a9a32fa25a1c6896bfe394) ([merge request](gitlab-org/charts/gitlab!3341)) +- [Update gitlab-org/gitlab-qa from 12.2.1 to 12.3.0](gitlab-org/charts/gitlab@021b652e4100e94f0f59985cdb21022015275b61) ([merge request](gitlab-org/charts/gitlab!3349)) + +## 7.3.6 (2023-10-30) + +No changes. + +## 7.3.5 (2023-09-28) + +No changes. + +## 7.3.4 (2023-09-18) + +No changes. + +## 7.3.3 (2023-09-12) + +No changes. + +## 7.3.2 (2023-09-05) + +No changes. + +## 7.3.1 (2023-08-31) + +No changes. + +## 7.3.0 (2023-08-21) + +### Added (2 changes) + +- [Add Ingress controller for Geo traffic](gitlab-org/charts/gitlab@aa6b6a7ecef8363392a623423899ff16cd7ba36e) ([merge request](gitlab-org/charts/gitlab!3253)) +- [Add service-level annotations for Pages](gitlab-org/charts/gitlab@f50ee77f113f7a0af9f47d95b35352c49955edd7) ([merge request](gitlab-org/charts/gitlab!3324)) + +### Fixed (4 changes) + +- [Use tcp prefix for KAS service port names](gitlab-org/charts/gitlab@a03b00d64577c51f6ad77668d3ccff273ceff2ba) ([merge request](gitlab-org/charts/gitlab!3327)) +- [Fix SMTP authentication mount](gitlab-org/charts/gitlab@ca343d8c83bf8483002775a04e9dd5cc4cf9fb39) ([merge request](gitlab-org/charts/gitlab!3311)) +- [Registry: fix newline chomping](gitlab-org/charts/gitlab@2c84bfb6524c1b37f61b58c36959df5b4763b674) by @connornasdaq ([merge request](gitlab-org/charts/gitlab!3295)) +- [Fix Zoekt config key password_file](gitlab-org/charts/gitlab@e4f6e0de6cf384ebab75ebb3c710cb7f627a7fa7) ([merge request](gitlab-org/charts/gitlab!3300)) + +### Changed (4 changes) + +- [Update gitlab-org/gitlab-exporter from 13.1.0 to 13.2.0](gitlab-org/charts/gitlab@86042b91f07ecc736d9a6b4b2420fe2be3e5fbc0) ([merge request](gitlab-org/charts/gitlab!3331)) +- [Update gitlab-org/container-registry from 3.78.0-gitlab to 3.79.0-gitlab](gitlab-org/charts/gitlab@1c63ea70ad695118c0a4dc1861f3400e3b8186e0) ([merge request](gitlab-org/charts/gitlab!3310)) +- [Update gitlab-org/gitlab-qa from 12.2.0 to 12.2.1](gitlab-org/charts/gitlab@eff824a0b05538a9d648e21601ac444fc578a701) ([merge request](gitlab-org/charts/gitlab!3299)) +- [Update gitlab-org/charts/gitlab-runner from 0.52.0 to 0.53.0](gitlab-org/charts/gitlab@44694d066d142a42600fd152cc7ce2ca532ab72b) ([merge request](gitlab-org/charts/gitlab!3192)) + +## 7.2.8 (2023-09-28) + +No changes. + +## 7.2.7 (2023-09-18) + +No changes. + +## 7.2.6 (2023-09-12) + +No changes. + +## 7.2.5 (2023-08-31) + +### Fixed (1 change) + +- [Use tcp prefix for KAS service port names](gitlab-org/security/charts/gitlab@a0f550d2dfe32300e80132425c57af82ab000453) + +## 7.2.4 (2023-08-11) + +No changes. + +## 7.2.3 (2023-08-03) + +No changes. + +## 7.2.2 (2023-08-01) + +No changes. + +## 7.2.1 (2023-07-25) + +No changes. + +## 7.2.0 (2023-07-21) + +### Added (3 changes) + +- [Add HAProxy Ingress Controller](gitlab-org/charts/gitlab@fd3c65c3e55df754f85be059fb7f69c9d57879ca) ([merge request](gitlab-org/charts/gitlab!2612)) +- [Add flag to configure graphql_timeout](gitlab-org/charts/gitlab@f8bf1bd31ee542c8bc945f14239ebce4b5991109) ([merge request](gitlab-org/charts/gitlab!3247)) +- [Add support for KEDA ScaledObjects as an alternative to regular HPAs](gitlab-org/charts/gitlab@f0f9ed0f4b2a2117dfe0cb811caa3132a1476c73) ([merge request](gitlab-org/charts/gitlab!3212)) + +### Fixed (3 changes) + +- [Alphabetically sort DB list when creating database.yaml config](gitlab-org/charts/gitlab@9cade68dee1f1f46f31a5bcc4a6ebfbb6de3cfc3) ([merge request](gitlab-org/charts/gitlab!3285)) +- [Fix config name from values.yaml](gitlab-org/charts/gitlab@550f7b119237511792ac7656ffca098c82dad091) ([merge request](gitlab-org/charts/gitlab!3272)) +- [Change ciSecureFiles to type-specific storage form](gitlab-org/charts/gitlab@fc07905f502a567b52f945a220973b3e4c74e941) ([merge request](gitlab-org/charts/gitlab!3241)) + +### Changed (8 changes) + +- [Update gitlab-org/gitlab-qa from 12.1.0 to 12.2.0](gitlab-org/charts/gitlab@a39dab11ece3f8d33af6a90341324de07cc48783) ([merge request](gitlab-org/charts/gitlab!3290)) +- [Add Traefik as a dependency](gitlab-org/charts/gitlab@f947512937e53fff8d8406441f09467a00b6b3ab) ([merge request](gitlab-org/charts/gitlab!2539)) +- [Update gitlab-org/gitlab-qa from 12.0.0 to 12.1.0](gitlab-org/charts/gitlab@953ec4142370d52c34593c256c1cec8843c760a4) ([merge request](gitlab-org/charts/gitlab!3287)) +- [Update gitlab-org/container-registry from 3.77.0-gitlab to 3.78.0-gitlab](gitlab-org/charts/gitlab@b60e9b38926b1ace03f321ae373b7ec17f459643) ([merge request](gitlab-org/charts/gitlab!3274)) +- [Update gitlab-org/gitlab-exporter from 13.0.3 to 13.1.0](gitlab-org/charts/gitlab@0aef6099fbce13f08f89063e95306031e9baace0) ([merge request](gitlab-org/charts/gitlab!3249)) +- [Bump gitlab-zoekt to 0.4.2](gitlab-org/charts/gitlab@a25c5742c6b5ec26c652e94cd2b6d26c4c8cb681) ([merge request](gitlab-org/charts/gitlab!3257)) +- [Update gitlab-org/container-registry from 3.76.0-gitlab to 3.77.0-gitlab](gitlab-org/charts/gitlab@33cae354983e9671a8962cac40d712f37642f338) ([merge request](gitlab-org/charts/gitlab!3246)) +- [Repairs deprecation notice for KAS privateApi](gitlab-org/charts/gitlab@d81630fd7a525eb3e029ff5183043f04210cf22c) ([merge request](gitlab-org/charts/gitlab!3242)) + +### Removed (1 change) + +- [Remove registry migration configuration](gitlab-org/charts/gitlab@7593db8956336c56f038542e6e89d5c8690f03de) ([merge request](gitlab-org/charts/gitlab!3280)) + +## 7.1.5 (2023-08-31) + +### Fixed (1 change) + +- [Use tcp prefix for KAS service port names](gitlab-org/security/charts/gitlab@98761b5d3f40e0ac8f8abe84ae65fda63cd0c365) + +## 7.1.4 (2023-08-03) + +No changes. + +## 7.1.3 (2023-08-01) + +No changes. + +## 7.1.2 (2023-07-04) + +### Fixed (1 change) + +- [Change ciSecureFiles to type-specific storage form](gitlab-org/security/charts/gitlab@6b669a618667a3e03fec8ad195d89faddec73103) + +## 7.1.1 (2023-06-28) + +No changes. + +## 7.1.0 (2023-06-21) + +### Added (3 changes) + +- [feat(gitlab-pages): add missing optional variables on values yaml file](gitlab-org/charts/gitlab@b988fee3aa7b2697d69bb3ca7f6f6b62fd8c925a) by @winkies ([merge request](gitlab-org/charts/gitlab!3220)) +- [Adding Secure Files to object storage config docs](gitlab-org/charts/gitlab@176e31dd7d9c013bae96afacc1d064fe39708142) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3234)) +- [Enable redisYmlOverride to dynamically mount secrets](gitlab-org/charts/gitlab@76273ec693104ffb5c18421bbb06570cd1a90432) ([merge request](gitlab-org/charts/gitlab!3188)) + +### Fixed (2 changes) + +- [Fix image branch naming assumptions in autodevops.sh](gitlab-org/charts/gitlab@4b8a4f95d9d9e2240fe11ddbfa2cd489344784e4) ([merge request](gitlab-org/charts/gitlab!3204)) +- [Return an explicit “true” string from template](gitlab-org/charts/gitlab@add397d99cef7e43a4ef56819089c9b8574cf107) ([merge request](gitlab-org/charts/gitlab!3199)) + +### Changed (7 changes) + +- [Replace busybox with gitlab-base](gitlab-org/charts/gitlab@9fd1998596dd85fd3ba3d8955e80b83a9d8df88b) ([merge request](gitlab-org/charts/gitlab!3181)) +- [Update gitlab-org/container-registry from 3.75.0-gitlab to 3.76.0-gitlab](gitlab-org/charts/gitlab@589a04ff949900f1d5abca22100a18acecea913d) ([merge request](gitlab-org/charts/gitlab!3222)) +- [Update gitlab-org/gitlab-exporter from 13.0.0 to 13.0.3](gitlab-org/charts/gitlab@057b78e64286d8f38d7919ab7e9aee6f8c6eb591) ([merge request](gitlab-org/charts/gitlab!3202)) +- [Update gitlab-org/container-registry from 3.73.1-gitlab to 3.75.0-gitlab](gitlab-org/charts/gitlab@bb5220995c237975b22e2c992e4eb33a54b5286c) ([merge request](gitlab-org/charts/gitlab!3201)) +- [Update gitlab-org/gitlab-exporter from 13.0.0 to 13.0.2](gitlab-org/charts/gitlab@58864e3acf49d780bb90c812bd42cd9db1c524fc) ([merge request](gitlab-org/charts/gitlab!3202)) +- [Update gitlab-org/container-registry from 3.73.1-gitlab to 3.74.0-gitlab](gitlab-org/charts/gitlab@9769b02723f62cb02392d7db627b795d0c9112db) ([merge request](gitlab-org/charts/gitlab!3201)) +- [Make ci_runners_stale_machines_cleanup_worker job run more frequently](gitlab-org/charts/gitlab@b45275cb39b89005d6f17e96528f9c0f23ebeb41) ([merge request](gitlab-org/charts/gitlab!3187)) + +### Removed (1 change) + +- [gitaly: Remove gitaly-ruby configuration](gitlab-org/charts/gitlab@997bd91027ee2f0b650b25e966a45d3cc7dc9983) ([merge request](gitlab-org/charts/gitlab!3151)) + +### Other (3 changes) + +- [Bump gitlab-zoekt to 0.4.0](gitlab-org/charts/gitlab@75046bd4e827b39a0c8c12f8f58f7d32c7230547) ([merge request](gitlab-org/charts/gitlab!3233)) +- [Add troubleshooting docs on s3cmd PermissionError](gitlab-org/charts/gitlab@fb92de457cd14c19218db9c8f37a8672051becdf) ([merge request](gitlab-org/charts/gitlab!3198)) +- [Postgres: correct minimum version in NOTES](gitlab-org/charts/gitlab@5ea24b44e59236bd82b3a81f6c9f0601159778d7) by @jouve ([merge request](gitlab-org/charts/gitlab!3213)) + +## 7.0.8 (2023-08-01) + +No changes. + +## 7.0.7 (2023-07-04) + +### Fixed (1 change) + +- [Change ciSecureFiles to type-specific storage form](gitlab-org/security/charts/gitlab@5f6a2257d383480579fb1f30b18535d0e383c85f) + +## 7.0.6 (2023-06-28) + +No changes. + +## 7.0.5 (2023-06-16) + +No changes. + +## 7.0.4 (2023-06-08) + +No changes. + +## 7.0.3 (2023-06-06) + +No changes. + +## 7.0.2 (2023-06-05) + +No changes. + +## 7.0.1 (2023-05-22) + +No changes. + +## 7.0.0 (2023-05-18) + +### Added (5 changes) + +- [Registry; add support for database discovery for primary records](gitlab-org/charts/gitlab@02618c9b63bfac6c6baf257bc020439a45d3f220) ([merge request](gitlab-org/charts/gitlab!3142)) +- [Add SMTP read and write timeout values](gitlab-org/charts/gitlab@843467c988f90f358d58ace7c6514634443b384f) ([merge request](gitlab-org/charts/gitlab!3156)) +- [Add annotations to upgradeCheck ConfigMap](gitlab-org/charts/gitlab@9bd462052cc3ca33994ff262c66208ec8d70a7c8) by @LukasAuerbeck ([merge request](gitlab-org/charts/gitlab!3116)) +- [ Adding containerSecurityContext logic to geo chart](gitlab-org/charts/gitlab@10d9b8c945f10f9e84f1b280e88a040e33586f5b) ([merge request](gitlab-org/charts/gitlab!3127)) +- [Allow configuring an embedding database](gitlab-org/charts/gitlab@6a923ec7421e814add2fef3069320c13f28f354c) ([merge request](gitlab-org/charts/gitlab!3107)) + +### Fixed (7 changes) + +- [Fix backup spec navigation](gitlab-org/charts/gitlab@76a7ce992586471bfb6c99efb58be1dc1cfce373) ([merge request](gitlab-org/charts/gitlab!3183)) +- [Mount the microsoft_graph_mailer client secret in the backup-job pod](gitlab-org/charts/gitlab@fe175620908510f3b1eb3728bc164cc4bad68e81) ([merge request](gitlab-org/charts/gitlab!3168)) +- [Geo: add geo psql SSL mounts](gitlab-org/charts/gitlab@0ed7ea60b8e3d37e1b9b71977c23f085a8df6250) ([merge request](gitlab-org/charts/gitlab!3170)) +- [Skip pages backup on database upgrade](gitlab-org/charts/gitlab@5efab9266397750252a457a230cddffee87c9143) ([merge request](gitlab-org/charts/gitlab!3167)) +- [Validate that SMTP settings do not enable both TLS and STARTTLS](gitlab-org/charts/gitlab@aefcfb104aaa871a70203fc04a07686d935761f5) ([merge request](gitlab-org/charts/gitlab!3158)) +- [Support configuring proxy_download for each object store type](gitlab-org/charts/gitlab@4db1b9b2b5c0e8da53bb43439d267343be34b447) ([merge request](gitlab-org/charts/gitlab!3154)) +- [Fix possessive](gitlab-org/charts/gitlab@68f0f088cdc7b3be96d92e65c8b21a3ed8104c2f) ([merge request](gitlab-org/charts/gitlab!3097)) + +### Changed (14 changes) + +- [Update gitlab-org/container-registry from 3.73.0-gitlab to 3.73.1-gitlab](gitlab-org/charts/gitlab@5f160022cc68e214ea083189649f8332bdc5df34) ([merge request](gitlab-org/charts/gitlab!3185)) +- [Update bundled Redis sub-chart and add upgrade docs](gitlab-org/charts/gitlab@6e07c473134100d7b63b92d2eac8a369179e9d98) ([merge request](gitlab-org/charts/gitlab!3140)) +- [Use PostgreSQL Chart 11.9.13](gitlab-org/charts/gitlab@5b1febf0757464eac61744a3388acd14667d0d1b) ([merge request](gitlab-org/charts/gitlab!3143)) +- [Enable Sidekiq JSON logs by default](gitlab-org/charts/gitlab@92bb399c4fd13321c51114b2529171cbf71c8e24) ([merge request](gitlab-org/charts/gitlab!3169)) +- [Switch gitlab-shell logs to JSON by default](gitlab-org/charts/gitlab@59a722892c5421621e5a0af640a732ef0cbc8504) ([merge request](gitlab-org/charts/gitlab!3171)) +- [Update gitlab-org/gitlab-exporter from 12.1.1 to 13.0.0](gitlab-org/charts/gitlab@6e9477a65a963a5ae8e3197e76920b21193287ba) ([merge request](gitlab-org/charts/gitlab!3166)) +- [Update gitlab-org/container-registry from 3.72.0-gitlab to 3.73.0-gitlab](gitlab-org/charts/gitlab@aa8116c54b4014647c21044113b02043462c87f4) ([merge request](gitlab-org/charts/gitlab!3165)) +- [Default GitLab chart to have main, and ci connections](gitlab-org/charts/gitlab@f42289a275cb6886c5978c0546dcdb50ee04d991) ([merge request](gitlab-org/charts/gitlab!3132)) +- [Bump certmanager to 1.11.1](gitlab-org/charts/gitlab@e4f2bf7d6d7ed7ff02174957fa8408ebbca63322) ([merge request](gitlab-org/charts/gitlab!3108)) +- [Ensure upgrade path to 7.0](gitlab-org/charts/gitlab@0cdbf193e90b67c30a0cb6b6d02b0a9e8f8562ee) ([merge request](gitlab-org/charts/gitlab!3104)) +- [Unpin mail_room version](gitlab-org/charts/gitlab@ec946052deae64dea6cb7d49b34c26361874a233) ([merge request](gitlab-org/charts/gitlab!3075)) +- [Update gitlab-org/charts/gitlab-runner from 0.51.1 to 0.52.0](gitlab-org/charts/gitlab@7d54b3f3539b63ee661418f0a519c4509b5e1a2a) ([merge request](gitlab-org/charts/gitlab!3121)) +- [NGINX: tweak NGINX upstream configuration](gitlab-org/charts/gitlab@9cf76a7bf6c4c3487820103cb1bb48ef2bca2dbb) ([merge request](gitlab-org/charts/gitlab!3090)) +- [Bump default image to ubuntu:22.04](gitlab-org/charts/gitlab@70452769e698e6187e625cdc7db4d60555b07f4b) by @tlindsay42 ([merge request](gitlab-org/charts/gitlab!2986)) + +### Removed (4 changes) + +- [Remove registry compatibility section](gitlab-org/charts/gitlab@b4a3e47b96a2ddc3b1c0250510f875e114d02445) ([merge request](gitlab-org/charts/gitlab!3117)) +- [Remove bundled Grafana chart and related configuration](gitlab-org/charts/gitlab@24d6c76d54e7800fd8fee20ee5fbba2180d36aae) ([merge request](gitlab-org/charts/gitlab!3112)) +- [Remove deprecated KAS `metrics.port` config](gitlab-org/charts/gitlab@b1bf1b4686c74015b8d93bd24dcef350490fac1b) ([merge request](gitlab-org/charts/gitlab!3040)) +- [Remove 'default_can_create_group' setting](gitlab-org/charts/gitlab@0d58ba1ea5b7d29da3891d6643afe2e72e1480a8) ([merge request](gitlab-org/charts/gitlab!3105)) + +### Other (3 changes) + +- [Consolidate webservice TLS configuration](gitlab-org/charts/gitlab@7412c984cda3683c60ba3c3e48bf2474ec88209e) ([merge request](gitlab-org/charts/gitlab!3135)) +- [Update extraEnvFrom docs](gitlab-org/charts/gitlab@994ab9824f518701ed7059e28c7fdf1b2c97e446) ([merge request](gitlab-org/charts/gitlab!3025)) +- [Add tests for Webservice ConfigMap name](gitlab-org/charts/gitlab@6d51d3fe5475a84166f23d5c5a0f23a1b38ce489) ([merge request](gitlab-org/charts/gitlab!3091)) + +## 6.11.13 (2023-07-27) + +No changes. + +## 6.11.12 (2023-07-14) + +No changes. + +## 6.11.11 (2023-07-04) + +### Fixed (1 change) + +- [Change ciSecureFiles to type-specific storage form](gitlab-org/security/charts/gitlab@c7aea069666f0ba258a6da4ad4219ee288247572) + +## 6.11.10 (2023-06-28) + +No changes. + +## 6.11.9 (2023-06-15) + +No changes. + +## 6.11.8 (2023-06-06) + +No changes. + +## 6.11.7 (2023-06-05) + +No changes. + +## 6.11.6 (2023-05-24) + +No changes. + +## 6.11.5 (2023-05-19) + +No changes. + +## 6.11.4 (2023-05-16) + +### Added (1 change) + +- [Add SMTP read and write timeout values](gitlab-org/charts/gitlab@e340af25bb5f51ab21ca76fefb3c70c063baadf1) ([merge request](gitlab-org/charts/gitlab!3160)) + +### Fixed (1 change) + +- [Validate that SMTP settings do not enable both TLS and STARTTLS](gitlab-org/charts/gitlab@24172826e46afc3a585df642123ba946bce2d9e3) ([merge request](gitlab-org/charts/gitlab!3163)) + +## 6.11.3 (2023-05-10) + +No changes. + +## 6.11.2 (2023-05-03) + +No changes. + +## 6.11.1 (2023-05-01) + +No changes. + +## 6.11.0 (2023-04-21) + +### Added (7 changes) + +- [Add the ability to install the ebs_csi_driver](gitlab-org/charts/gitlab@5c978d41d7cb528eef7f90a520d73b0ce83c7dcf) ([merge request](gitlab-org/charts/gitlab!3083)) +- [Adding containerSecurityContext logic to sidekiq chart](gitlab-org/charts/gitlab@64e60de58e4c2ead512856a605bd30de273321c5) by @rgarcia65201 ([merge request](gitlab-org/charts/gitlab!3044)) +- [Add support for the workhorse GCS client](gitlab-org/charts/gitlab@70f6ea0c037bcc0343ae7fd7da258d8e43a087bd) ([merge request](gitlab-org/charts/gitlab!3060)) +- [Configurations for duo auth](gitlab-org/charts/gitlab@40b28a67dab49bd29f5b3c7604d323db58f958cb) ([merge request](gitlab-org/charts/gitlab!3043)) +- [Bump gitlab-zoekt version to 0.2.0](gitlab-org/charts/gitlab@05b450d0a28b1bfb46245d4e88ee47157f092eca) ([merge request](gitlab-org/charts/gitlab!3049)) +- [Add kubeval for Kubernetes 1.25](gitlab-org/charts/gitlab@973d2080aca68789a5ee061499f2d07a2eecf47a) ([merge request](gitlab-org/charts/gitlab!3031)) +- [Add the gitlab/gitlab-zoekt chart as optional (disabled) dependency](gitlab-org/charts/gitlab@4f02bb948502de173beec97bc436df84202e34af) ([merge request](gitlab-org/charts/gitlab!3018)) + +### Fixed (2 changes) + +- [Add Prometheus annotations to postgres-metrics service](gitlab-org/charts/gitlab@a8ca140916db03aed9309760f68a944bdcc83098) by @remram44 ([merge request](gitlab-org/charts/gitlab!3079)) +- [Webservice: make Workhorse stick around for SHUTDOWN_BLACKOUT_SECONDS](gitlab-org/charts/gitlab@2a14d9b3e7034520cfaa63f9e4af1f60800820dd) ([merge request](gitlab-org/charts/gitlab!3084)) + +### Changed (5 changes) + +- [Update gitlab-org/container-registry from 3.71.0-gitlab to 3.71.0-gitlab](gitlab-org/charts/gitlab@d716d2db682ba941c44481172773b12a8844384a) ([merge request](gitlab-org/charts/gitlab!3100)) +- [Bump Container Registry to v3.71.0-gitlab](gitlab-org/charts/gitlab@170b162a33c1c8727cbcf137c38388e0c3b1cb78) ([merge request](gitlab-org/charts/gitlab!3096)) +- [Update NLB example for AWS Load Balancer Controller](gitlab-org/charts/gitlab@03859fa3c19b41bdeb717eda7bc08c6c4118f669) ([merge request](gitlab-org/charts/gitlab!3014)) +- [Update gitlab-org/container-registry from 3.69.0-gitlab to 3.70.0-gitlab](gitlab-org/charts/gitlab@8b1c2eb3db3a00e738fbbd127ff7259579c2c4d9) ([merge request](gitlab-org/charts/gitlab!3069)) +- [Update gitlab-org/charts/gitlab-runner from 0.51.0 to 0.51.1](gitlab-org/charts/gitlab@3fc3b1280511b6c614d981cba6d27ca862fb1bb0) ([merge request](gitlab-org/charts/gitlab!3061)) + +### Other (4 changes) + +- [Docs: Clarify `global.serviceAccount` usage](gitlab-org/charts/gitlab@e794742aabc27893b3e4c465fc27aa3fc744843c) ([merge request](gitlab-org/charts/gitlab!3110)) +- [Bump gitlab-zoekt to v0.3.0](gitlab-org/charts/gitlab@418f28559cbb547d2cb36b7e56c08bc6046f05c3) ([merge request](gitlab-org/charts/gitlab!3094)) +- [Remove references to unused 'fullnameOverride' key](gitlab-org/charts/gitlab@34b9c0d5d1f5227b8bb1b2496e3be6f9ff3a9ec0) ([merge request](gitlab-org/charts/gitlab!3092)) +- [checkConfig: verify format of omniauth provider content](gitlab-org/charts/gitlab@f419b34386799a83587eeecfea142070477e8029) ([merge request](gitlab-org/charts/gitlab!3054)) + +## 6.10.8 (2023-06-05) + +### Added (1 change) + +- [Add SMTP read and write timeout values](gitlab-org/security/charts/gitlab@a8303f726be912983f132b130cb63412a7d2b519) + +### Fixed (1 change) + +- [Validate that SMTP settings do not enable both TLS and STARTTLS](gitlab-org/security/charts/gitlab@df2fda08bda5585870e965f1162480ffe390921c) + +## 6.10.7 (2023-05-10) + +No changes. + +## 6.10.6 (2023-05-03) + +No changes. + +## 6.10.5 (2023-05-01) + +No changes. + +## 6.10.4 (2023-04-21) + +No changes. + +## 6.10.3 (2023-04-14) + +No changes. + +## 6.10.2 (2023-04-05) + +No changes. + +## 6.10.1 (2023-03-30) + +No changes. + +## 6.10.0 (2023-03-21) + +### Added (6 changes) + +- [Support setting extra env vars for kas](gitlab-org/charts/gitlab@f8c5589fc5c82ea20b3798838da007b066ec67e4) ([merge request](gitlab-org/charts/gitlab!3023)) +- [Add containerSecurityContext helper templates and values to Gitaly chart ](gitlab-org/charts/gitlab@a7cd11bbc886271d4212ad368fd41885a674a647) by @BrettSeedling ([merge request](gitlab-org/charts/gitlab!2793)) +- [Add new cron backup parameter Ref #3076](gitlab-org/charts/gitlab@42b7f8dab938d0d748318d736a42e0070472ccea) by @Vedrillan ([merge request](gitlab-org/charts/gitlab!2984)) +- [Add support for Gitaly GPG signing](gitlab-org/charts/gitlab@d65fa4b7880f2b006cb1f0b54c704d47febee136) ([merge request](gitlab-org/charts/gitlab!2754)) +- [Add support for fsGroupChangePolicy to all subcharts](gitlab-org/charts/gitlab@20283351cbe24015d25b7823746534c9b65a139a) ([merge request](gitlab-org/charts/gitlab!3000)) +- [Added `useGenericEphemeralVolume` for backup-job](gitlab-org/charts/gitlab@ae5f493574d647b050f3a5c50f35f364dec69abe) by @daniel.marks ([merge request](gitlab-org/charts/gitlab!2937)) + +### Fixed (1 change) + +- [Fix config for Registry Deployment TLS SecretName](gitlab-org/charts/gitlab@3be948165d0f20c9fdc9eadaafaaaf80d4e50b09) ([merge request](gitlab-org/charts/gitlab!3017)) + +### Changed (8 changes) + +- [Update gitlab-org/charts/gitlab-runner from 0.50.1 to 0.51.0](gitlab-org/charts/gitlab@2b0632a49d5e3d58d4bd75c08fcb2bb303af21e3) ([merge request](gitlab-org/charts/gitlab!3036)) +- [Honor gitlab.psql.ci.enabled=false when generating database.yml](gitlab-org/charts/gitlab@e65fd651417c88a3f187b5fe00f4ddca2baa2bcc) ([merge request](gitlab-org/charts/gitlab!3016)) +- [Bump Container Registry to v3.69.0-gitlab](gitlab-org/charts/gitlab@c539445598a8991fa34c1af2b15efdf34d7d1adb) ([merge request](gitlab-org/charts/gitlab!3026)) +- [Update gitlab-org/container-registry from 3.67.0-gitlab to 3.68.0-gitlab](gitlab-org/charts/gitlab@5f9964246cf95b29ecd39eb730d6947aebe81249) ([merge request](gitlab-org/charts/gitlab!3007)) +- [Bump prometheus to 2.38.0](gitlab-org/charts/gitlab@6278c7572da075d11b5e5c92089a598288162afe) ([merge request](gitlab-org/charts/gitlab!3001)) +- [Replace deprecated k8s.gcr.io entries](gitlab-org/charts/gitlab@bde4f2113c7df880e14128fff4b6cfcacae2d1a1) by @tlindsay42 ([merge request](gitlab-org/charts/gitlab!2985)) +- [Update gitlab-org/charts/gitlab-runner from 0.49.3 to 0.50.1](gitlab-org/charts/gitlab@eda6fbc036bc24e01cdd2622d0b10662df574d46) ([merge request](gitlab-org/charts/gitlab!2996)) +- [Update gitlab-org/charts/gitlab-runner from 0.49.2 to 0.49.3](gitlab-org/charts/gitlab@82e4e9145a36b1a037674ebe3187116d2adce7a6) ([merge request](gitlab-org/charts/gitlab!2987)) + +### Other (4 changes) + +- [Remove GitLab Runner UBI known limitation](gitlab-org/charts/gitlab@3444929667ec0e7c5cf26e10da984fdcb1442431) ([merge request](gitlab-org/charts/gitlab!3034)) +- [Add docs and config check for gitlab-shell metrics](gitlab-org/charts/gitlab@e46e19b84a47f45018e39af1e5e0731be6982a1f) ([merge request](gitlab-org/charts/gitlab!3006)) +- [Add more context to sidekiq pod deprecation notices](gitlab-org/charts/gitlab@fdaef9d08c68beac06b0bcff16d0ec6b1bc274aa) ([merge request](gitlab-org/charts/gitlab!2966)) +- [Add more context to sidekiq pod deprecation notices](gitlab-org/charts/gitlab@378fd9116dc5147d9d4c23d81a72e0e8089f138e) ([merge request](gitlab-org/charts/gitlab!2972)) + +## 6.9.8 (2023-05-10) + +No changes. + +## 6.9.7 (2023-05-03) + +No changes. + +## 6.9.6 (2023-05-01) + +No changes. + +## 6.9.5 (2023-04-21) + +No changes. + +## 6.9.4 (2023-03-30) + +No changes. + +## 6.9.3 (2023-03-09) + +No changes. + +## 6.9.2 (2023-03-02) + +No changes. + +## 6.9.1 (2023-02-23) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.49.3 to 0.50.1](gitlab-org/charts/gitlab@95cb8869b072a926117edd1335202120dd3db9bc) ([merge request](gitlab-org/charts/gitlab!2998)) + +## 6.9.0 (2023-02-21) + +### Added (4 changes) + +- [Add troubleshooting docs and note about annotation-value-word-blocklist](gitlab-org/charts/gitlab@cef52d0a33abd089e01d77e0749bdfda8b7a3ec2) ([merge request](gitlab-org/charts/gitlab!2978)) +- [redis: Introduce support for Redis Cluster and specifying acl user](gitlab-org/charts/gitlab@630ce39a02927d40fa28a13f0590967a133fd2ef) ([merge request](gitlab-org/charts/gitlab!2873)) +- [Add ci_runners_stale_machines_cleanup_worker cronjob](gitlab-org/charts/gitlab@8742fcbb39033f5e3baaf8226d5a370fd5604357) ([merge request](gitlab-org/charts/gitlab!2913)) +- [Add support for toolbox.securityContext.fsGroupChangePolicy](gitlab-org/charts/gitlab@0217b7f8e8328fbec7c49af7c1f62cd34fcc03f6) ([merge request](gitlab-org/charts/gitlab!2905)) + +### Fixed (4 changes) + +- [Fix unwanted 'v' prefix in helper image tag](gitlab-org/charts/gitlab@47aa2e34bbd38ba968033255e5e035ab9b7c5749) ([merge request](gitlab-org/charts/gitlab!2982)) +- [Fix certmanager http01 solver on global "none" ingress class](gitlab-org/charts/gitlab@dbf596421f7cd5ee7374c107f2d6776249c75c69) ([merge request](gitlab-org/charts/gitlab!2908)) +- [Force copy files in `configure` initContainer](gitlab-org/charts/gitlab@3c8bd2730aa117f9d1d76088a1e6e8d742a0d878) ([merge request](gitlab-org/charts/gitlab!2953)) +- [Fix logic for Self-Signed-Certs Job inclusion](gitlab-org/charts/gitlab@b2d98174b41a831ad3b205cb367bf9904ebc2e25) ([merge request](gitlab-org/charts/gitlab!2862)) + +### Changed (9 changes) + +- [Update gitlab-org/container-registry from 3.66.0-gitlab to 3.67.0-gitlab](gitlab-org/charts/gitlab@6d0ecfb2bce4a1cc7ec021a4ab98e82e3cd8079e) ([merge request](gitlab-org/charts/gitlab!2980)) +- [Use 'gitlab.parseAppVersion' for helper image tags](gitlab-org/charts/gitlab@a350fe160cbb3bc549bafd8dd01d04e08a613623) ([merge request](gitlab-org/charts/gitlab!2878)) +- [Update gitlab-org/charts/gitlab-runner from 0.49.1 to 0.49.2](gitlab-org/charts/gitlab@0ef1d3fdbfb79d6f325bcf67da35b8cdfb9e36c0) ([merge request](gitlab-org/charts/gitlab!2970)) +- [Update gitlab-org/charts/gitlab-runner from 0.49.0 to 0.49.1](gitlab-org/charts/gitlab@89398c8f28e695a4f8416ddf729834e71258a70b) ([merge request](gitlab-org/charts/gitlab!2959)) +- [Update gitlab-org/gitlab-exporter from 12.1.0 to 12.1.1](gitlab-org/charts/gitlab@ec0922cef35b9c6799dcc2db4b6a38ddc8990969) ([merge request](gitlab-org/charts/gitlab!2958)) +- [Update gitlab-org/container-registry from 3.65.1-gitlab to 3.66.0-gitlab](gitlab-org/charts/gitlab@acecf98c3478f2faa1f5b39ef07ced9704184df3) ([merge request](gitlab-org/charts/gitlab!2946)) +- [Update link and information about Prometheus scraping TLS endpoint](gitlab-org/charts/gitlab@ed0e9d353e23f3f89e4685fd2d5ab3ded7b8eadb) ([merge request](gitlab-org/charts/gitlab!2931)) +- [Update gitlab-org/container-registry from 3.65.0-gitlab to 3.65.1-gitlab](gitlab-org/charts/gitlab@8a39c2456ae4fcd3169c8e6fb789b2c715e784ec) ([merge request](gitlab-org/charts/gitlab!2934)) +- [Update gitlab-org/charts/gitlab-runner from 0.48.1 to 0.49.0](gitlab-org/charts/gitlab@b0e0eadd387c10f9d2168902a33c7b07fbf1a331) ([merge request](gitlab-org/charts/gitlab!2933)) + +### Deprecated (1 change) + +- [Deprecate sidekiq queueSelector and negateQueues](gitlab-org/charts/gitlab@4f6e5846dbabd0b16f5fad771b8bb78dfaa241b8) ([merge request](gitlab-org/charts/gitlab!2969)) + +### Other (3 changes) + +- [Add defaultReplicationFactor in Praefect's ConfigMap.](gitlab-org/charts/gitlab@36e44f78978b368c1db99a5dc747686ab4363e8c) by @kyunam-jo ([merge request](gitlab-org/charts/gitlab!2844)) +- [Moved minio config to global in example config](gitlab-org/charts/gitlab@973557e4cf0c5ec1e0c399fcce557fae2a87de17) ([merge request](gitlab-org/charts/gitlab!2952)) +- [Doc - configure the GitLab chart with an decomposed database](gitlab-org/charts/gitlab@af72661b6f82f8f16dab591c8af67e44baf0b998) ([merge request](gitlab-org/charts/gitlab!2890)) + +## 6.8.6 (2023-04-18) + +No changes. + +## 6.8.5 (2023-03-30) + +No changes. + +## 6.8.4 (2023-03-02) + +No changes. + +## 6.8.3 (2023-02-15) + +No changes. + +## 6.8.2 (2023-02-10) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.49.0 to 0.49.1](gitlab-org/security/charts/gitlab@0edebdf10fc3386788d0668ab1b552813f4c60f2) + +## 6.8.1 (2023-01-30) + +No changes. + +## 6.8.0 (2023-01-20) + +### Added (4 changes) + +- [Add redisYmlOverride config setting](gitlab-org/charts/gitlab@977f28ed2da9a30b329e0cef905394a27c7c47dc) ([merge request](gitlab-org/charts/gitlab!2907)) +- [Allow configuring repository cache redis instance](gitlab-org/charts/gitlab@c5f6385840180861b8be564d2a64a032cdf1bc4c) ([merge request](gitlab-org/charts/gitlab!2896)) +- [Improve KAS TLS UX](gitlab-org/charts/gitlab@8fcbe634eb7bf181eb2ddfbd30fd5fe4a3af2fec) ([merge request](gitlab-org/charts/gitlab!2888)) +- [mail_room: Allow configuration of delete_after_delivery parameter](gitlab-org/charts/gitlab@7091675c3a222f35302e1d1876e9b134e0f648ea) ([merge request](gitlab-org/charts/gitlab!2906)) + +### Fixed (1 change) + +- [Fix indent for priorityClassName in Toolbox backup job](gitlab-org/charts/gitlab@e94049797f3788661c7d0967ead0b7581a1c4361) by @george.poputnikov ([merge request](gitlab-org/charts/gitlab!2898)) + +### Changed (4 changes) + +- [Update gitlab-org/container-registry from 3.64.0-gitlab to 3.65.0-gitlab](gitlab-org/charts/gitlab@744f9ca839e3c322e1202ad700f79e61595c7a51) ([merge request](gitlab-org/charts/gitlab!2916)) +- [Update gitlab-org/charts/gitlab-runner from 0.48.0 to 0.48.1](gitlab-org/charts/gitlab@460c275eaca9b1e3bf063947ca49629edef57d80) ([merge request](gitlab-org/charts/gitlab!2915)) +- [Update gitlab-org/gitlab-exporter from 11.18.2 to 12.1.0](gitlab-org/charts/gitlab@428de3dd7c208a0469b18b927fece2bc54029b19) ([merge request](gitlab-org/charts/gitlab!2911)) +- [Update gitlab-org/container-registry from 3.63.0-gitlab to 3.64.0-gitlab](gitlab-org/charts/gitlab@a1edaea5f4d9d2a6d972b7412deafe6a2b50aedb) ([merge request](gitlab-org/charts/gitlab!2904)) + +## 6.7.9 (2023-04-20) + +No changes. + +## 6.7.8 (2023-03-02) + +No changes. + +## 6.7.7 (2023-02-10) + +No changes. + +## 6.7.6 (2023-01-30) + +### Fixed (1 change) + +- [Fix indent for priorityClassName in Toolbox backup job](gitlab-org/security/charts/gitlab@3ef41cf43a34d56bcdfd1353cffc5edec3fe9e08) + +## 6.7.4 (2023-01-12) + +No changes. + +## 6.7.3 (2023-01-11) + +No changes. + +## 6.7.2 (2023-01-09) + +No changes. + +## 6.7.1 (2023-01-05) + +No changes. + +## 6.7.0 (2022-12-21) + +### Added (2 changes) + +- [Add `global.image.tagSuffix` as a helm values option](gitlab-org/charts/gitlab@3121e20827686340a12df2a5181d18e4807c13d4) ([merge request](gitlab-org/charts/gitlab!2881)) +- [Add suggested reviewers secret and configurations](gitlab-org/charts/gitlab@5e5ae509458443db6ad7b7233ba9d0e0ef98a172) ([merge request](gitlab-org/charts/gitlab!2875)) + +### Fixed (1 change) + +- [Fix MS Graph Mailer configuration and handling](gitlab-org/charts/gitlab@db172742491bea2ffe8a809c179cfe8f42911714) ([merge request](gitlab-org/charts/gitlab!2882)) + +### Changed (8 changes) + +- [Update gitlab-org/charts/gitlab-runner from 0.47.1 to 0.48.0](gitlab-org/charts/gitlab@a1dd9edc0d32227922ecad687e844a2bc742ebdc) ([merge request](gitlab-org/charts/gitlab!2889)) +- [Update gitlab-org/container-registry from 3.62.0-gitlab to 3.63.0-gitlab](gitlab-org/charts/gitlab@1a2bd28c62dd2b5cfe4cbf7a20cf108ed9cab860) ([merge request](gitlab-org/charts/gitlab!2885)) +- [Update gitlab-org/container-registry from 3.61.0-gitlab to 3.62.0-gitlab](gitlab-org/charts/gitlab@ee34bbb67372942fff76909803726c23534e84cb) ([merge request](gitlab-org/charts/gitlab!2879)) +- [Update gitlab-org/charts/gitlab-runner from 0.47.0 to 0.47.1](gitlab-org/charts/gitlab@5697ae4eef892034017d3681d5296cd8c838a188) ([merge request](gitlab-org/charts/gitlab!2869)) +- [Set Sidekiq default max concurrency to 20](gitlab-org/charts/gitlab@d60dba0a6c7cd1187e7c4428a5292ce46feb6a30) ([merge request](gitlab-org/charts/gitlab!2868)) +- [Update gitlab-org/charts/gitlab-runner from 0.46.1 to 0.47.0](gitlab-org/charts/gitlab@4d7f34bec4b461e0480794b5e0c1a484b68274ba) ([merge request](gitlab-org/charts/gitlab!2865)) +- [Refine .helmignore](gitlab-org/charts/gitlab@5a91ceb6b30369778092e6bb00d09913ef540c76) ([merge request](gitlab-org/charts/gitlab!2864)) +- [Change the order of KAS Ingress Rules](gitlab-org/charts/gitlab@5fb28d69e17fd20578214696f4bf3b06ceb83c9b) by @rfinch ([merge request](gitlab-org/charts/gitlab!2738)) + +### Other (1 change) + +- [Use kubectl image with kubectl 1.24.7, yq 4.30.1](gitlab-org/charts/gitlab@e0c892e060ac405d8a2c90f7b4d632e1b3512728) ([merge request](gitlab-org/charts/gitlab!2871)) + +## 6.6.8 (2023-02-10) + +No changes. + +## 6.6.7 (2023-01-30) + +### Fixed (1 change) + +- [Fix indent for priorityClassName in Toolbox backup job](gitlab-org/security/charts/gitlab@47836b96b8ae6dd8fd7f7bab4f59e5321ecb023c) + +## 6.6.5 (2023-01-12) + +No changes. + +## 6.6.4 (2023-01-09) + +No changes. + +## 6.6.3 (2022-12-21) + +No changes. + +## 6.6.2 (2022-12-05) + +No changes. + +## 6.6.1 (2022-11-30) + +No changes. + +## 6.6.0 (2022-11-21) + +### Added (8 changes) + +- [Make it possible to choose which nginx-ingress generated service will expose gitlab-shell](gitlab-org/charts/gitlab@5be723580bcaf78c2071a0024785261b33a24f91) by @mike554 ([merge request](gitlab-org/charts/gitlab!2730)) +- [Add global priorityClassName](gitlab-org/charts/gitlab@a79bd8e508352fd7dedd5fe4fe2de8a05c058812) by @robinelfrink ([merge request](gitlab-org/charts/gitlab!2603)) +- [Add auth-cookie-session-timeout flag](gitlab-org/charts/gitlab@04d7859daa17213f03e6f28c7c59f62231955f33) ([merge request](gitlab-org/charts/gitlab!2838)) +- [Allow setting load_balancing.discover.max_replica_pools](gitlab-org/charts/gitlab@7615476dcd686696472894763aa7f441969d6e3f) ([merge request](gitlab-org/charts/gitlab!2841)) +- [Add microsoft_graph_mailer settings](gitlab-org/charts/gitlab@5398a0f8ebd7468201cc3e54c1e58a7a1296fbea) ([merge request](gitlab-org/charts/gitlab!2784)) +- [Allow to set securityContext.fsGroupChangePolicy on Gitaly StatefulSet](gitlab-org/charts/gitlab@fc45b560a8366b9c56459a30c173510ea8d8cc0c) by @ngourdon ([merge request](gitlab-org/charts/gitlab!2786)) +- [Add the ntp host option for praefect](gitlab-org/charts/gitlab@2de143ff6e05cf4ca6a4328c2ea875f3425473c2) by @julien.godin ([merge request](gitlab-org/charts/gitlab!2833)) +- [Support terminationGracePeriodSeconds for kas](gitlab-org/charts/gitlab@591c38e467e39381f98e4880b4070f15fb933b18) ([merge request](gitlab-org/charts/gitlab!2823)) + +### Fixed (1 change) + +- [Remove duplicate labels from geo-logcursor deployment](gitlab-org/charts/gitlab@2b9837a575bb3a096b99b92b2db4e3204f4770fd) by @matthijs.galesloot ([merge request](gitlab-org/charts/gitlab!2848)) + +### Changed (9 changes) + +- [Use HTTP readiness and liveness probes in KAS service](gitlab-org/charts/gitlab@82d46004f1926f2d80f3000b237ff653937ec061) ([merge request](gitlab-org/charts/gitlab!2839)) +- [GKE cluster setup: Use more cost efficient defaults](gitlab-org/charts/gitlab@6ca2dfa9050f071c7ea0e6dd03c53c9934b65dbb) ([merge request](gitlab-org/charts/gitlab!2846)) +- [upgrade-check: fix link to upgrade paths](gitlab-org/charts/gitlab@92546240d859b22a4e74c34e534a41aa8f2cc790) ([merge request](gitlab-org/charts/gitlab!2860)) +- [Update gitlab-org/container-registry from 3.60.2-gitlab to 3.61.0-gitlab](gitlab-org/charts/gitlab@b4f333f9d1d625fba757efb2b30bf2dccdd660c3) ([merge request](gitlab-org/charts/gitlab!2858)) +- [Update gitlab-org/charts/gitlab-runner from 0.46.0 to 0.46.1](gitlab-org/charts/gitlab@df9042dc4670e68d58133ff2c0df91d64d7312fb) ([merge request](gitlab-org/charts/gitlab!2857)) +- [Update gitlab-org/container-registry from 3.60.1-gitlab to 3.60.2-gitlab](gitlab-org/charts/gitlab@241c6e7b2ea0f3519e196ff1d8665dd3db798075) ([merge request](gitlab-org/charts/gitlab!2853)) +- [Reference NGINX Ingress Controller v1.2.1](gitlab-org/charts/gitlab@16806386287fe15c50d7f1cb784f5969f3cc94dc) ([merge request](gitlab-org/charts/gitlab!2843)) +- [Update gitlab-org/container-registry from 3.58.0-gitlab to 3.60.0-gitlab](gitlab-org/charts/gitlab@5704dd87f8b727fcfc4a4a95598963b73a9def9f) ([merge request](gitlab-org/charts/gitlab!2832)) +- [Update gitlab-org/charts/gitlab-runner from 0.45.0 to 0.46.0](gitlab-org/charts/gitlab@c87b340719a325e1dc83a5487ec6478e7664f4a2) ([merge request](gitlab-org/charts/gitlab!2824)) + +### Removed (1 change) + +- [Container Registry: remove testslowimport migration setting](gitlab-org/charts/gitlab@b433267a4a406dc7dbfd22c72de930cf62994eea) ([merge request](gitlab-org/charts/gitlab!2818)) + +## 6.5.9 (2023-01-12) + +No changes. + +## 6.5.8 (2023-01-09) + +No changes. + +## 6.5.7 (2022-12-07) + +No changes. + +## 6.5.6 (2022-11-30) + +No changes. + +## 6.5.5 (2022-11-11) + +No changes. + +## 6.5.4 (2022-11-09) + +No changes. + +## 6.5.3 (2022-11-07) + +No changes. + +## 6.5.2 (2022-11-02) + +No changes. + +## 6.5.1 (2022-10-24) + +No changes. + +## 6.5.0 (2022-10-21) + +### Added (2 changes) + +- [Makes TLS communication between KAS pods possible](gitlab-org/charts/gitlab@d9af396d592f5003c922530fe5e5d78353570d78) ([merge request](gitlab-org/charts/gitlab!2803)) +- [Allow enabling sidekiq_exporter logs](gitlab-org/charts/gitlab@bf9d4bf6cc34807e9c7a3772be5d9c6ea40bd9da) ([merge request](gitlab-org/charts/gitlab!2774)) + +### Fixed (2 changes) + +- [Gitaly: remove Istio prefixes for grpc](gitlab-org/charts/gitlab@bd20b431d0dfa2817a43e739787e8ad22c398942) ([merge request](gitlab-org/charts/gitlab!2811)) +- [Sidekiq/toolbox: add gitlab_shell.ssh_port to gitlab.yml](gitlab-org/charts/gitlab@f9c45bf50a20e9dcff0613ff4cc1414663a5ca29) ([merge request](gitlab-org/charts/gitlab!2782)) + +### Changed (5 changes) + +- [Update gitlab-org/container-registry from 3.57.0-gitlab to 3.58.0-gitlab](gitlab-org/charts/gitlab@af4a7dd04075c820fc24731db3e08e25b07a3660) ([merge request](gitlab-org/charts/gitlab!2813)) +- [Document that Google Cloud CDN needs bucket permissions](gitlab-org/charts/gitlab@4adb9229a0583ae2bf4f3276e3e760edcd1a9720) ([merge request](gitlab-org/charts/gitlab!2799)) +- [Registry: use secret from redis cache configuration](gitlab-org/charts/gitlab@4ea66c7b3908b9feef9399ed0f2bd61848f16565) ([merge request](gitlab-org/charts/gitlab!2771)) +- [CI: Specify `type` labels for issue-bot](gitlab-org/charts/gitlab@a57455ad73d115d063c7977f0896f862c88cd724) ([merge request](gitlab-org/charts/gitlab!2796)) +- [Update gitlab-org/charts/gitlab-runner from 0.44.0 to 0.45.0](gitlab-org/charts/gitlab@2360a35e65df8719e5b4e1fe0c4da48ea9827225) ([merge request](gitlab-org/charts/gitlab!2790)) + +### Deprecated (1 change) + +- [Deprecate `default_can_create_group` setting](gitlab-org/charts/gitlab@f1a26138682ffb1cb364752066ec23edf675d97a) ([merge request](gitlab-org/charts/gitlab!2763)) + +### Other (2 changes) + +- [Update nokogiri from 1.11.2 to 1.13.8](gitlab-org/charts/gitlab@4ca05285a0120d69a708d6fb406c441199ea3d9e) ([merge request](gitlab-org/charts/gitlab!2780)) +- [Update activesupport from 6.0.3.4 to 7.0.4](gitlab-org/charts/gitlab@184a94790f7de95aec576ad273d4fb9a9ec2722e) ([merge request](gitlab-org/charts/gitlab!2781)) + +## 6.4.6 (2022-11-30) + +No changes. + +## 6.4.5 (2022-11-15) + +No changes. + +## 6.4.4 (2022-11-02) + +No changes. + +## 6.4.3 (2022-10-19) + +No changes. + +## 6.4.2 (2022-10-04) + +No changes. + +## 6.4.1 (2022-09-29) + +No changes. + +## 6.4.0 (2022-09-21) + +### Added (5 changes) + +- [Add support for Kerberos settings](gitlab-org/charts/gitlab@09d14a62711de10cf6b493f01bb5d07c9ab3b90a) by @risson ([merge request](gitlab-org/charts/gitlab!2132)) +- [Registry: support defining a local set of sentinels](gitlab-org/charts/gitlab@dbaca1a0a0c58607b0380e134bc7748e56b3f7c8) ([merge request](gitlab-org/charts/gitlab!2729)) +- [Add AWS EKS-specific instructions in Quick Start](gitlab-org/charts/gitlab@33db1da75cd44cb0f93f6440123e2f8d710ee7c1) ([merge request](gitlab-org/charts/gitlab!2725)) +- [Registry: add checkConfig and RSpec for svc TLS](gitlab-org/charts/gitlab@3b7fc26280dda65606b41b2f85d6b16d84b01651) ([merge request](gitlab-org/charts/gitlab!2726)) +- [Add 1.22 cluster references](gitlab-org/charts/gitlab@58a6afff10c6d34997fb490f2d635a08c3cdea30) ([merge request](gitlab-org/charts/gitlab!2674)) + +### Fixed (3 changes) + +- [Adds `gitlab.extraEnvFrom` to sidekiq main container](gitlab-org/charts/gitlab@cd76f7222c5e7ad6947653fe25192f9228f5138b) ([merge request](gitlab-org/charts/gitlab!2759)) +- [Fix digest of GitLab NGINX Ingress Controller](gitlab-org/charts/gitlab@2e387219e6f667d5e81173ec0b69463b77eb277c) ([merge request](gitlab-org/charts/gitlab!2744)) +- [gitlab.scripts.configure.secrets: handle duplicates, allow none](gitlab-org/charts/gitlab@c4f4d03a4275ace1d618330b46cf4b2316c918ac) ([merge request](gitlab-org/charts/gitlab!2703)) + +### Changed (6 changes) + +- [Provide default secretName for Workhorse TLS](gitlab-org/charts/gitlab@de5e7378e6ecb2626031a7ee10ccbb8b9641c8d2) ([merge request](gitlab-org/charts/gitlab!2764)) +- [Add appProtocol prefix to Service port names](gitlab-org/charts/gitlab@5efcf454a38f39a8c8007c7e326eb254cb12e203) ([merge request](gitlab-org/charts/gitlab!2705)) +- [Create Pages metrics service if metrics enabled](gitlab-org/charts/gitlab@bf4c2232830ff129c8f886581b6bcbcff0cb8750) ([merge request](gitlab-org/charts/gitlab!2517)) +- [Update gitlab-org/gitlab-exporter from 11.18.0 to 11.18.1](gitlab-org/charts/gitlab@39ecf265ee419c7f8602038ffa39e0aed6e4e64b) ([merge request](gitlab-org/charts/gitlab!2745)) +- [Update gitlab-org/charts/gitlab-runner from 0.43.1 to 0.44.0](gitlab-org/charts/gitlab@4060504d10027abea3891b836a9556ed942756ea) ([merge request](gitlab-org/charts/gitlab!2739)) +- [Update gitlab-org/gitlab-exporter from 11.17.1 to 11.18.0](gitlab-org/charts/gitlab@5155e6cf07d9a353d09a8d6dbdc49e73b2394d6d) ([merge request](gitlab-org/charts/gitlab!2732)) + +### Other (2 changes) + +- [Update rack from 2.2.3 to 3.0.0](gitlab-org/charts/gitlab@99c3a60596cc3f2c4d64b585a0900173b2c29691) ([merge request](gitlab-org/charts/gitlab!2779)) +- [Update gitlab-styles from 6.2.0 to 9.0.0](gitlab-org/charts/gitlab@3b5171699d4a181d2e7cdf95f52333f18f03be93) ([merge request](gitlab-org/charts/gitlab!2769)) + +## 6.3.5 (2022-11-02) + +No changes. + +## 6.3.4 (2022-09-29) + +No changes. + +## 6.3.3 (2022-09-01) + +No changes. + +## 6.3.2 (2022-08-30) + +No changes. + +## 6.3.1 (2022-08-22) + +No changes. + +## 6.3.0 (2022-08-19) + +### Added (4 changes) + +- [Add configMaps and keys for customCA](gitlab-org/charts/gitlab@40e0fba3228041da84c7c51d4194a5e3681d51bb) by @ralgar ([merge request](gitlab-org/charts/gitlab!2676)) +- [Document FIPS-compatible deployment](gitlab-org/charts/gitlab@7eaa650d522f03bd24fecb27b6e4e7d41f4553f4) ([merge request](gitlab-org/charts/gitlab!2678)) +- [Add cron_job for updating of ci_runner_versions](gitlab-org/charts/gitlab@be81639d4aea8495fe472501a2c32dbd50f57c6c) ([merge request](gitlab-org/charts/gitlab!2666)) +- [Allow configuring tolerations for each separate Sidekiq shard deployment](gitlab-org/charts/gitlab@5e638b51f96c3e9e0c75db9ee74c09d2f7c45ab3) ([merge request](gitlab-org/charts/gitlab!2660)) + +### Fixed (3 changes) + +- [Pages: fix config generation for internal TLS](gitlab-org/charts/gitlab@033403a23e62b319269c3a6be8415f892843c992) ([merge request](gitlab-org/charts/gitlab!2697)) +- [GitLab Shell: fix host key walking for gitlab-sshd config](gitlab-org/charts/gitlab@79a4982a40065dc68290bfb2ec50f81013e120d2) ([merge request](gitlab-org/charts/gitlab!2711)) +- [Disable CI artifacts for package publish jobs](gitlab-org/charts/gitlab@920af91a619c3b5ae45796b4f098ec694ddc1b08) ([merge request](gitlab-org/charts/gitlab!2682)) + +### Changed (13 changes) + +- [Use batch/v1 CronJob when available](gitlab-org/charts/gitlab@b9f6bae9ee72c1eb728e49dad0e2d107ce38dc2b) ([merge request](gitlab-org/charts/gitlab!2692)) +- [Update gitlab-org/container-registry from 3.56.0-gitlab to 3.57.0-gitlab](gitlab-org/charts/gitlab@88c9599dad42942358d015a3c781effdfbff28a3) ([merge request](gitlab-org/charts/gitlab!2731)) +- [Update gitlab-org/container-registry from 3.55.0-gitlab to 3.56.0-gitlab](gitlab-org/charts/gitlab@d79bd94fc3af2c7c41d1c48294e0b0e6e358c350) ([merge request](gitlab-org/charts/gitlab!2719)) +- [Use policy/v1 PodDisruptionBudget when available](gitlab-org/charts/gitlab@5f1cf0d0c408e97161278b1b7cba991048794e76) ([merge request](gitlab-org/charts/gitlab!2691)) +- [Update gitlab-org/container-registry from 3.54.0-gitlab to 3.55.0-gitlab](gitlab-org/charts/gitlab@a0aa91ef702e6dcfd434a6ed5a030a415e1d036d) ([merge request](gitlab-org/charts/gitlab!2712)) +- [Update gitlab-org/container-registry from 3.53.0-gitlab to 3.54.0-gitlab](gitlab-org/charts/gitlab@9ee104fbd14dec4483181037b85ff474dc2c78ae) ([merge request](gitlab-org/charts/gitlab!2696)) +- [NGINX: disable allowSnippetAnnotations by default](gitlab-org/charts/gitlab@202ee54ec0ff013fcc563fb67a47590d5a8b466c) ([merge request](gitlab-org/charts/gitlab!2689)) +- [Update gitlab-org/charts/gitlab-runner from 0.43.0 to 0.43.1](gitlab-org/charts/gitlab@e6a5064bc830cdf823ef7e81655ad11e0e2d293d) ([merge request](gitlab-org/charts/gitlab!2695)) +- [Respect NGINX defaultbackend default (disabled)](gitlab-org/charts/gitlab@35090516c663dcfcd45927565f092f2254c4404e) ([merge request](gitlab-org/charts/gitlab!2686)) +- [Run ci_runner_versions_reconciliation_worker daily](gitlab-org/charts/gitlab@ef0770a5001b19fc2404c546fa33e671ceb23daf) ([merge request](gitlab-org/charts/gitlab!2693)) +- [Update gitlab-org/container-registry from 3.51.1-gitlab to 3.53.0-gitlab](gitlab-org/charts/gitlab@55bbca177df5bf8a9aff3bad9d6cdd96510b50b7) ([merge request](gitlab-org/charts/gitlab!2688)) +- [Update gitlab-org/charts/gitlab-runner from 0.42.0 to 0.43.0](gitlab-org/charts/gitlab@793cbed36bb465788ec5541b54c6274aa332e611) ([merge request](gitlab-org/charts/gitlab!2681)) +- [Update the Grafana chart to 6.11.0 and Grafana image to the 7.5.16 release](gitlab-org/charts/gitlab@af113095bac1d57d98436c39c8a4fcbf1004ac7f) ([merge request](gitlab-org/charts/gitlab!2669)) + +### Other (1 change) + +- [Ensures that whitespace is chomped to the left](gitlab-org/charts/gitlab@0e65e3393b244bf8a5f04a631865a2f1487e34ab) ([merge request](gitlab-org/charts/gitlab!2651)) + +## 6.2.5 (2022-09-29) + +No changes. + +## 6.2.4 (2022-08-30) + +No changes. + +## 6.2.3 (2022-08-22) + +No changes. + +## 6.2.2 (2022-08-01) + +No changes. + +## 6.2.1 (2022-07-28) + +No changes. + +## 6.2.0 (2022-07-21) + +### Added (7 changes) + +- [Registry: add support for TLS on the Pod service](gitlab-org/charts/gitlab@2f16a8e0f001c7dc647b6e6b86323c36e41809f2) ([merge request](gitlab-org/charts/gitlab!2673)) +- [Add support for memory and custom metrics in all HPAs](gitlab-org/charts/gitlab@be718a614bcdcc8290fa8f96058df07348bfb90e) ([merge request](gitlab-org/charts/gitlab!2621)) +- [Add TLS support configuration to Workhorse](gitlab-org/charts/gitlab@a3f09d98f6a81c3e14ed77ef1a57d8cebbb95eb0) ([merge request](gitlab-org/charts/gitlab!2628)) +- [Add TLS settings for sidekiq exporter/metrics endpoint](gitlab-org/charts/gitlab@b544e3d4a2ae451d72ee9e8865e2442d44791681) ([merge request](gitlab-org/charts/gitlab!2656)) +- [Add NGINX UBI image settings to UBI example values](gitlab-org/charts/gitlab@8537803ba2d443f048fb883e45ebbf4c2c32f6fc) ([merge request](gitlab-org/charts/gitlab!2661)) +- [Support configuring TLS for GitLab Exporter](gitlab-org/charts/gitlab@c13693818c3832d920f88b2b9fabf501071e626f) ([merge request](gitlab-org/charts/gitlab!2665)) +- [gitaly: Enable admins to inject their own Git configuration](gitlab-org/charts/gitlab@b7aef369dfd57046ff831ba17ca97f0978c51b07) ([merge request](gitlab-org/charts/gitlab!2602)) + +### Fixed (5 changes) + +- [Add a relabel_config to target __scheme__ in the default values](gitlab-org/charts/gitlab@cedee2096d5558aad731c76ffb4f7122db0f9697) ([merge request](gitlab-org/charts/gitlab!2672)) +- [Fix custom certificate authorities not working on UBI containers](gitlab-org/charts/gitlab@faed05de75b98269deabf1336e9e613348417c37) ([merge request](gitlab-org/charts/gitlab!2650)) +- [Add KAS configmap checksum to deployment spec](gitlab-org/charts/gitlab@180b80d2f1b64614c52b69988c4c7358cfa6abe4) ([merge request](gitlab-org/charts/gitlab!2654)) +- [Allow shell maxUnavailable to be a percentage](gitlab-org/charts/gitlab@9758097c837ba2c5dbe4823bde327be82ada51ff) ([merge request](gitlab-org/charts/gitlab!2627)) +- [Fix Workhorse config.toml rendering for AWS access and secret keys](gitlab-org/charts/gitlab@a5c1218e3b3339744152e9a5923ce49cf9a02ab6) ([merge request](gitlab-org/charts/gitlab!2639)) + +### Changed (8 changes) + +- [Update gitlab-org/container-registry from 3.51.0-gitlab to 3.51.1-gitlab](gitlab-org/charts/gitlab@7dfa82a79b8bf4ca0fb26b37f0e665209fa7b5a6) ([merge request](gitlab-org/charts/gitlab!2677)) +- [Update gitlab-org/gitlab-exporter from 11.16.0 to 11.17.1](gitlab-org/charts/gitlab@6c20f5c34f3d632163f085b333653a11d9ca0a3d) ([merge request](gitlab-org/charts/gitlab!2670)) +- [Update gitlab-org/container-registry from 3.49.0-gitlab to 3.51.0-gitlab](gitlab-org/charts/gitlab@8be4ba635aa759b080b462d032c30963f65f2645) ([merge request](gitlab-org/charts/gitlab!2663)) +- [gitaly: Start ignoring gitconfig files](gitlab-org/charts/gitlab@757862b50b7f29184379ed2972bc58bb4421b4e7) ([merge request](gitlab-org/charts/gitlab!2602)) +- [Update gitlab-org/container-registry from 3.48.0-gitlab to 3.49.0-gitlab](gitlab-org/charts/gitlab@c2862cccefcfc4278c1e1f093fa020e6395437a9) ([merge request](gitlab-org/charts/gitlab!2645)) +- [Ensure Azure access and secret keys are JSON in Workhorse config.toml](gitlab-org/charts/gitlab@d53ebf1a569e1d92383c89362aaeb7c97a94e33c) ([merge request](gitlab-org/charts/gitlab!2640)) +- [Update gitlab-org/charts/gitlab-runner from 0.41.0 to 0.42.0](gitlab-org/charts/gitlab@c1eb6efccfe738cd8987fb00de30d18b56c1e17a) ([merge request](gitlab-org/charts/gitlab!2634)) +- [Set webhook as MailRoom's default delivery strategy](gitlab-org/charts/gitlab@de907f875d74ddd08f90c4fa563262c3d05dccde) ([merge request](gitlab-org/charts/gitlab!2622)) + +### Removed (2 changes) + +- [config: Remove mentions of deprecated `self_signed_cert` config](gitlab-org/charts/gitlab@58bf47825841c482e874c13fd4e729b523fe99f4) ([merge request](gitlab-org/charts/gitlab!2664)) +- [Remove NGINX's `isControllerTagValid` helper](gitlab-org/charts/gitlab@f099651db6f1d57cdc9a78a2744ad6c36680fe0a) ([merge request](gitlab-org/charts/gitlab!2668)) + +## 6.1.6 (2022-08-30) + +No changes. + +## 6.1.5 (2022-08-22) + +No changes. + +## 6.1.4 (2022-07-28) + +No changes. + +## 6.1.3 (2022-07-19) + +No changes. + +## 6.1.2 (2022-07-05) + +No changes. + +## 6.1.1 (2022-06-30) + +No changes. + +## 6.1.0 (2022-06-21) + +### Added (5 changes) + +- [Add option to enable Gitaly pack-objects cache](gitlab-org/charts/gitlab@a2841ce441e30f8c898717c1d1026504adba94d0) by @mienkowt ([merge request](gitlab-org/charts/gitlab!2513)) +- [Add support for enabling SSL on Puma](gitlab-org/charts/gitlab@d21249d87f4a761031813b43a06900312afbbf21) ([merge request](gitlab-org/charts/gitlab!2496)) +- [Make PROXY protocol header read timeout configurable](gitlab-org/charts/gitlab@afad21f1e44578f95f547e40de69c385d6b71f1d) ([merge request](gitlab-org/charts/gitlab!2586)) +- [Add global.appConfig.cdnHost setting](gitlab-org/charts/gitlab@3887cd79c5ca98d0efd01c159a070992152d4011) ([merge request](gitlab-org/charts/gitlab!2559)) +- [Add support for configuring gitlab-sshd crypto](gitlab-org/charts/gitlab@56c96ffa820b18d3a18b7526cc064e2bc4e4e585) ([merge request](gitlab-org/charts/gitlab!2581)) + +### Changed (17 changes) + +- [Ensure proxy buffering is always off for KAS](gitlab-org/charts/gitlab@2d9bab7b22249ab11be3b45613fd36034cda8f02) ([merge request](gitlab-org/charts/gitlab!2609)) +- [Update gitlab-org/container-registry from 3.47.0-gitlab to 3.48.0-gitlab](gitlab-org/charts/gitlab@f3f7334c6c04eee956191704392c87c42aba620d) ([merge request](gitlab-org/charts/gitlab!2631)) +- [Disable Puma worker killer by default](gitlab-org/charts/gitlab@ac8d379b19d845d158c93a7a9d000606219db25a) ([merge request](gitlab-org/charts/gitlab!2605)) +- [Update gitlab-org/gitlab-exporter from 11.15.2 to 11.16.0](gitlab-org/charts/gitlab@2a49166b7ee5d5a643db330919da790dc282a13c) ([merge request](gitlab-org/charts/gitlab!2620)) +- [Update gitlab-org/container-registry from 3.46.0-gitlab to 3.47.0-gitlab](gitlab-org/charts/gitlab@1c31f8f9c03586ed7fabe45410b80c121af7d24d) ([merge request](gitlab-org/charts/gitlab!2616)) +- [Update gitlab-org/container-registry from 3.45.0-gitlab to 3.46.0-gitlab](gitlab-org/charts/gitlab@bbd48a58aae456f031c66dab105dcfba5501352e) ([merge request](gitlab-org/charts/gitlab!2610)) +- [Update gitlab-org/container-registry from 3.43.0-gitlab to 3.45.0-gitlab](gitlab-org/charts/gitlab@056fefdd0b8f0e387f83bf4f47a25283e3f740e4) ([merge request](gitlab-org/charts/gitlab!2604)) +- [Update gitlab-org/gitlab-exporter from 11.15.0 to 11.15.2](gitlab-org/charts/gitlab@9eb7b3e63e65d3327a2caadae99880fde4ac1859) ([merge request](gitlab-org/charts/gitlab!2596)) +- [Add annotations support to the upgrade check hook and minio job template](gitlab-org/charts/gitlab@ffc70957e823b90f24927a18849d749d5242133e) by @flintkr ([merge request](gitlab-org/charts/gitlab!2543)) +- [gitaly: Stop setting Rugged's gitconfig search path](gitlab-org/charts/gitlab@bba860d1eb8e3d639d481e38b0b9c57a150f961d) ([merge request](gitlab-org/charts/gitlab!2594)) +- [Update gitlab-shell chart to make login-grace-time configurable](gitlab-org/charts/gitlab@66afd333ccb49e7cfcef1ec920a23d32c44a70d3) ([merge request](gitlab-org/charts/gitlab!2593)) +- [Update gitlab-shell chart to make client-alive-interval configurable](gitlab-org/charts/gitlab@f0914d468108856fda89a5b1a8b2361a8e283d84) ([merge request](gitlab-org/charts/gitlab!2590)) +- [Update gitlab-shell chart to make grace-period configurable](gitlab-org/charts/gitlab@659ea8e0f2f0ad81f472a8d9bd5bfeb7f117d7be) ([merge request](gitlab-org/charts/gitlab!2579)) +- [Set MailRoom's delivery option content_type to text/plain](gitlab-org/charts/gitlab@78641fffe7a5798c73dc56c80601d88e78f73c38) ([merge request](gitlab-org/charts/gitlab!2589)) +- [Update gitlab-org/container-registry from 3.42.0-gitlab to 3.43.0-gitlab](gitlab-org/charts/gitlab@2bde33a3218c0cc3045462934db150c07d881c9e) ([merge request](gitlab-org/charts/gitlab!2588)) +- [Update gitlab-org/charts/gitlab-runner from 0.40.1 to 0.41.0](gitlab-org/charts/gitlab@6c34ec8cdd54b165f50444ff1d75dcad480d53c2) ([merge request](gitlab-org/charts/gitlab!2584)) +- [Update gitlab-org/container-registry from 3.41.1-gitlab to 3.42.0-gitlab](gitlab-org/charts/gitlab@2a0747412050b8f5b94dc23dd1e40bd5cf78496f) ([merge request](gitlab-org/charts/gitlab!2580)) + +## 6.0.5 (2022-07-28) + +No changes. + +## 6.0.4 (2022-06-30) + +No changes. + +## 6.0.3 (2022-06-16) + +No changes. + +## 6.0.2 (2022-06-06) + +No changes. + +## 6.0.1 (2022-06-01) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.40.1 to 0.41.0](gitlab-org/security/charts/gitlab@cbe93d80ae69f991efd3c0535c359db4aef13b38) + +## 6.0.0 (2022-05-20) + +### Added (5 changes) + +- [Expose minReadySeconds on the kas deployment](gitlab-org/charts/gitlab@cdae974244b82428514acdb5ec38aa8eb8c078b4) ([merge request](gitlab-org/charts/gitlab!2566)) +- [Add proxy policy support](gitlab-org/charts/gitlab@1612f7303645897dd33561eb537b52420d2506f0) ([merge request](gitlab-org/charts/gitlab!2567)) +- [Add nginx-ingress PDB maxUnavailable](gitlab-org/charts/gitlab@ea18bbc0f5b830b6428413999b75a7b91ca1ad7d) ([merge request](gitlab-org/charts/gitlab!2554)) +- [Add cron_job for pruning of stale runners](gitlab-org/charts/gitlab@14e4712c03fecb5486d966f6e43425549eb7fe7d) ([merge request](gitlab-org/charts/gitlab!2565)) +- [Enable KAS by default](gitlab-org/charts/gitlab@38a8ad84bec3af58889bf6530a4a14b31d391ea9) ([merge request](gitlab-org/charts/gitlab!2505)) + +### Fixed (1 change) + +- [Mount pages secret/configuration only when enabled in migrations job](gitlab-org/charts/gitlab@bd36aeb18cb92800846940b3a17697eb547c9e93) by @kravvcu ([merge request](gitlab-org/charts/gitlab!2545)) + +### Changed (13 changes) + +- [Update gitlab-org/container-registry from 3.41.0-gitlab to 3.41.1-gitlab](gitlab-org/charts/gitlab@c3963b3dc39af6124b6e0e5c83441c7f3c74062d) ([merge request](gitlab-org/charts/gitlab!2574)) +- [Update gitlab-shell chart to enable PROXY protocol](gitlab-org/charts/gitlab@207e443b4719ae622d459749f9556b0562f2a25a) ([merge request](gitlab-org/charts/gitlab!2558)) +- [Migrate Geo Tracking database configuration into database.yml](gitlab-org/charts/gitlab@5c20e8f269d0296f80ff1762de842780adf64679) ([merge request](gitlab-org/charts/gitlab!2529)) +- [Update gitlab-org/container-registry from 3.40.0-gitlab to 3.41.0-gitlab](gitlab-org/charts/gitlab@25bc19c7ffe7fe68ac81d6c03ecca94a84ba79ac) ([merge request](gitlab-org/charts/gitlab!2557)) +- [gitaly: Switch to bundled Git binaries](gitlab-org/charts/gitlab@c2ce142141fbf31e219e0ecbe1c031b97a556d56) ([merge request](gitlab-org/charts/gitlab!2535)) +- [Update gitlab-org/container-registry from 3.39.3-gitlab to 3.40.0-gitlab](gitlab-org/charts/gitlab@302f70c127e2df1b217d1b0e7e3a798bd34c2e2f) ([merge request](gitlab-org/charts/gitlab!2548)) +- [Update gitlab-org/charts/gitlab-runner from 0.40.0 to 0.40.1](gitlab-org/charts/gitlab@10cc88a75c7a681e1b5260a2124a341718a2eae8) ([merge request](gitlab-org/charts/gitlab!2547)) +- [Update gitlab-org/container-registry from 3.39.2-gitlab to 3.39.3-gitlab](gitlab-org/charts/gitlab@023451e10f7af268f6f992faa92f7261fbcc3664) ([merge request](gitlab-org/charts/gitlab!2538)) +- [Update gitlab-org/gitlab-exporter from 11.14.0 to 11.15.0](gitlab-org/charts/gitlab@47499e7088229827474ec1e55c6a0a5aaf8e59aa) ([merge request](gitlab-org/charts/gitlab!2537)) +- [Sidekiq: Enforce health check + metrics ports](gitlab-org/charts/gitlab@208e0e41992e4efea23f21c5ba0948449b928dbe) ([merge request](gitlab-org/charts/gitlab!2531)) +- [Update gitlab-org/container-registry from 3.39.1-gitlab to 3.39.2-gitlab](gitlab-org/charts/gitlab@93706b34a4e55a8b30132d4955e7cd9f41c470f6) ([merge request](gitlab-org/charts/gitlab!2526)) +- [feat(webservice): better readinessProbe defaults](gitlab-org/charts/gitlab@29be74ce91660c113290fc32ea6f418b12e15a6a) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2518)) +- [Update gitlab-org/container-registry from 3.39.0-gitlab to 3.39.1-gitlab](gitlab-org/charts/gitlab@0e542a5909b51dace885667611f8ee9e7f61da30) ([merge request](gitlab-org/charts/gitlab!2523)) + +### Removed (3 changes) + +- [Remove weak ciphers from nginx-ingress allowed ciphers](gitlab-org/charts/gitlab@a8483c25d642b1e74507c066b52c975ff8a2b0d8) ([merge request](gitlab-org/charts/gitlab!2578)) +- [Remove object storage direct_upload and background_upload config](gitlab-org/charts/gitlab@06afdaf6605661ddc3aeb8937b07787fd788abc3) ([merge request](gitlab-org/charts/gitlab!2564)) +- [Remove deprecated domain-config-source flag from Pages chart](gitlab-org/charts/gitlab@51947e9a4798bd1632cb32b74c18e03c6aafe56a) by @feistel ([merge request](gitlab-org/charts/gitlab!2532)) + +### Other (3 changes) + +- [Update 'Add License' location](gitlab-org/charts/gitlab@53f38975abef245735162df2f3208bd8547703cd) ([merge request](gitlab-org/charts/gitlab!2568)) +- [Add docs on certmanager-issuer chart](gitlab-org/charts/gitlab@74413b7abc3f6c9896fd7a7e0af86b869764411d) ([merge request](gitlab-org/charts/gitlab!2507)) +- [Update kubectl image to use yq v4.23.1](gitlab-org/charts/gitlab@966e02d12b1177888607f0d224caa97adcdc3940) ([merge request](gitlab-org/charts/gitlab!2459)) + +## 5.10.5 (2022-06-30) + +### Changed (1 change) + +- [Makes 14.9 a required upgrade before moving to 14.10](gitlab-org/security/charts/gitlab@ddbd9cfaebe6f84ab132ebb444b16511108e844e) + +## 5.10.4 (2022-06-01) + +No changes. + +## 5.10.3 (2022-05-20) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.40.0 to 0.40.1](gitlab-org/charts/gitlab@a25e1d00d2ef7b4d620a352661c7aacd6d2bdcf1) ([merge request](gitlab-org/charts/gitlab!2550)) + +## 5.10.2 (2022-05-04) + +No changes. + +## 5.10.1 (2022-04-29) + +No changes. + +## 5.10.0 (2022-04-21) + +### Added (4 changes) + +- [Add pages http server timeout options](gitlab-org/charts/gitlab@5b0882f64abdd677df3271bf138439536f017868) ([merge request](gitlab-org/charts/gitlab!2504)) +- [Pages: set auth-scope when access-control](gitlab-org/charts/gitlab@e269539220c1df693dd99d963b8fadcbf105904e) ([merge request](gitlab-org/charts/gitlab!2457)) +- [Add pages zip http client timeout option](gitlab-org/charts/gitlab@0559137be04f56ae33d9f789d5c597ef6054bcda) ([merge request](gitlab-org/charts/gitlab!2442)) +- [Add `databaseTasks: boolean` to `gitlab.psql.` config](gitlab-org/charts/gitlab@5b525c5dbbb23bfa76635688aa8d8382c3a91274) ([merge request](gitlab-org/charts/gitlab!2450)) + +### Fixed (6 changes) + +- [Fix fullname of sidekiq](gitlab-org/charts/gitlab@30fc64733e55fb24ca275eb1049544fe4bb476f1) by @dsonck ([merge request](gitlab-org/charts/gitlab!2495)) +- [Set GITLAB_ASSUME_YES=1 in database-backup script](gitlab-org/charts/gitlab@aea1da17562814583b2e021bb1bf62d607af760f) ([merge request](gitlab-org/charts/gitlab!2492)) +- [Fix the `database_tasks: ` to not change `load_balancing:` behavior](gitlab-org/charts/gitlab@44c3c828ccc3432cb004219a03b4a707592ee4ef) ([merge request](gitlab-org/charts/gitlab!2480)) +- [docs: Drop custom awscli install instructions](gitlab-org/charts/gitlab@ef8f130493cbf640f86b0c97877c52035f0b443c) ([merge request](gitlab-org/charts/gitlab!2472)) +- [Allow empty directives for the CSP](gitlab-org/charts/gitlab@bcd7bc9c257e80c949f42869f4126fa2df136daa) ([merge request](gitlab-org/charts/gitlab!2469)) +- [Fix ineffectual service desk auth token secret key](gitlab-org/charts/gitlab@0cd15f8ce0aa6e2fa9dd74dab1a2787bdbb54e39) ([merge request](gitlab-org/charts/gitlab!2453)) + +### Changed (12 changes) + +- [Update gitlab-org/charts/gitlab-runner from 0.39.0 to 0.40.0](gitlab-org/charts/gitlab@5ebb3121cbd8bb231851dbc57757c9cdc6413197) ([merge request](gitlab-org/charts/gitlab!2521)) +- [Sidekiq: set health check port by default](gitlab-org/charts/gitlab@5d93340fac5c067177fdb1761f518143f087c236) ([merge request](gitlab-org/charts/gitlab!2479)) +- [Update gitlab-org/container-registry from 3.38.0-gitlab to 3.39.0-gitlab](gitlab-org/charts/gitlab@a1cd07c72e6fa1b27ba47cc2a6565027bd157e4c) ([merge request](gitlab-org/charts/gitlab!2510)) +- [eks_bootstrap_script: Update default Kubernetes version to v1.21](gitlab-org/charts/gitlab@73cbcad37d54d325ea85b254c59961e3e543cc79) ([merge request](gitlab-org/charts/gitlab!2499)) +- [Update gitlab-org/container-registry from 3.37.0-gitlab to 3.37.1-gitlab](gitlab-org/charts/gitlab@775548c3377ce985d0a49bb8514048c71e46f720) ([merge request](gitlab-org/charts/gitlab!2497)) +- [Update gitlab-org/gitlab-exporter from 11.13.1 to 11.14.0](gitlab-org/charts/gitlab@107f894d6c14066bfcbf9c32e60113b596d53a9e) ([merge request](gitlab-org/charts/gitlab!2498)) +- [Update gitlab-org/container-registry from 3.36.1-gitlab to 3.37.0-gitlab](gitlab-org/charts/gitlab@adb5ce914c6853a6ecdf9f3e4fc3e5a980b5edba) ([merge request](gitlab-org/charts/gitlab!2482)) +- [Update gitlab-org/gitlab-exporter from 11.13.0 to 11.13.1](gitlab-org/charts/gitlab@4160937ddaa8ac4d8b4958ec2927de836b899e5b) ([merge request](gitlab-org/charts/gitlab!2481)) +- [Update gitlab-org/charts/gitlab-runner from 0.38.1 to 0.39.0](gitlab-org/charts/gitlab@2797875754d610a7088a48e5e995833f774ecfe6) ([merge request](gitlab-org/charts/gitlab!2467)) +- [Update gitlab-org/gitlab-exporter from 11.12.0 to 11.13.0](gitlab-org/charts/gitlab@89158a9032600900ae8378230d0570a784c75601) ([merge request](gitlab-org/charts/gitlab!2466)) +- [Bump container registry to v3.36.1](gitlab-org/charts/gitlab@7c9ca769cc7a6db88a411831c9fc70d48f097899) ([merge request](gitlab-org/charts/gitlab!2461)) +- [Update gitlab-org/container-registry from 3.32.0-gitlab to 3.35.0-gitlab](gitlab-org/charts/gitlab@75f4f63175590048b61930297f12fb199025ddda) ([merge request](gitlab-org/charts/gitlab!2458)) + +### Other (5 changes) + +- [Use new kubectl image with HOME=/tmp/kube](gitlab-org/charts/gitlab@9832a34d01ae33153ae4f37069b1b14afa135048) ([merge request](gitlab-org/charts/gitlab!2486)) +- [Update the backup to 14.9.2](gitlab-org/charts/gitlab@20927df38646ed779bf677c4ffff9f19b88510ec) ([merge request](gitlab-org/charts/gitlab!2485)) +- [Update Operator install docs for version 0.6.1](gitlab-org/charts/gitlab@17243ad2f7d29ca48c712d7a81773c090124349d) ([merge request](gitlab-org/charts/gitlab!2464)) +- [Use image digest from dev tag pipeline](gitlab-org/charts/gitlab@403b765779a8d43cc471ff9d35d6a0e23f9eea21) ([merge request](gitlab-org/charts/gitlab!2463)) +- [Update Operator install docs for version 0.6.0](gitlab-org/charts/gitlab@43398259cef8be83f88ec132b3471ca8dccaf73e) ([merge request](gitlab-org/charts/gitlab!2460)) + +## 5.9.5 (2022-06-01) + +No changes. + +## 5.9.4 (2022-04-29) + +### Other (1 change) + +- [Use new kubectl image with HOME=/tmp/kube](gitlab-org/security/charts/gitlab@f300425610dbef3f1a4d6272c9f572a96424dcfa) + +## 5.9.3 (2022-04-12) + +No changes. + +## 5.9.2 (2022-03-31) + +No changes. + +## 5.9.1 (2022-03-23) + +No changes. + +## 5.9.0 (2022-03-21) + +### Added (7 changes) + +- [Support separate_database_metrics for Praefect](gitlab-org/charts/gitlab@a9624b7f20c8d8d360250c2bdcb4ba1ee8b46b4c) ([merge request](gitlab-org/charts/gitlab!2405)) +- [feat: adds ci Secure Files settings](gitlab-org/charts/gitlab@054bc4d30eabffc81950096c56a1d9696bdeebd1) ([merge request](gitlab-org/charts/gitlab!2437)) +- [Add Spamcheck to GitLab Helm Chart](gitlab-org/charts/gitlab@f838962ee7ff7da85fc0d1b50da22a2c3c55e065) ([merge request](gitlab-org/charts/gitlab!2241)) +- [Add TLS rate-limiting options for GitLab Pages](gitlab-org/charts/gitlab@92659ef1fb2a4f6ba8c5612b6fe0bbd679e06dcc) ([merge request](gitlab-org/charts/gitlab!2403)) +- [Add importnotification settings for the registry](gitlab-org/charts/gitlab@8f1c9f83ebf7d3e863f45955f5c5aa57ee0f69c6) ([merge request](gitlab-org/charts/gitlab!2396)) +- [Add more registry migration configuration options](gitlab-org/charts/gitlab@e8437edcbf9e2ec21652c864a2d6fdd5d280cc73) ([merge request](gitlab-org/charts/gitlab!2389)) +- [Add bizible settings](gitlab-org/charts/gitlab@5a7bbe298d1393bd92bbde844d849bdde06ad50b) ([merge request](gitlab-org/charts/gitlab!2393)) + +### Fixed (1 change) + +- [skip praefect db secret generation for external db](gitlab-org/charts/gitlab@f310323f6d7adfd08fc4bc063c26ce54c0e3a29c) by @walkafwalka ([merge request](gitlab-org/charts/gitlab!2366)) + +### Changed (10 changes) + +- [Add support for configuring Microsoft Graph endpoints](gitlab-org/charts/gitlab@2cb3a252c8eb85786a50a2f646eb3a5c21447f2c) ([merge request](gitlab-org/charts/gitlab!2444)) +- [Update gitlab-org/gitlab-exporter from 11.11.0 to 11.12.0](gitlab-org/charts/gitlab@a4263ab277fab3ac67e86f69172fcd5a58cc7c55) ([merge request](gitlab-org/charts/gitlab!2441)) +- [Update gitlab-org/container-registry from 3.31.0-gitlab to 3.32.0-gitlab](gitlab-org/charts/gitlab@8d7e3fbae410857f5185ef9adca5a7b8ca16d1cb) ([merge request](gitlab-org/charts/gitlab!2432)) +- [Update gitlab-org/charts/gitlab-runner from 0.38.0 to 0.38.1](gitlab-org/charts/gitlab@8d666ef8c25fd5541cc0b6c3463dea193daedb5f) ([merge request](gitlab-org/charts/gitlab!2431)) +- [Add tolerations for the geo-logcursor deployment](gitlab-org/charts/gitlab@97e29a5f7ee662c420459181ffdc184c4ea79e86) by @vmoudy1 ([merge request](gitlab-org/charts/gitlab!2426)) +- [Bump Container Registry to v3.31.0-gitlab](gitlab-org/charts/gitlab@a65743249fde61ea84301e7a6863af9b5cbaa185) ([merge request](gitlab-org/charts/gitlab!2423)) +- [Use CNG images for KAS](gitlab-org/charts/gitlab@adfb07a2bfd6fcdd69f03a8737e0e158ea2b9f73) ([merge request](gitlab-org/charts/gitlab!2398)) +- [Update gitlab-org/container-registry from 3.28.2-gitlab to 3.30.0-gitlab](gitlab-org/charts/gitlab@14fb9cbeac0479a80d6c20897bf3e44e26f95ef5) ([merge request](gitlab-org/charts/gitlab!2412)) +- [Update gitlab-org/container-registry from 3.27.1-gitlab to 3.28.2-gitlab](gitlab-org/charts/gitlab@1a8cff22a5ceb57555fe1cba1f2ab4de625d5e4a) ([merge request](gitlab-org/charts/gitlab!2401)) +- [Update gitlab-org/charts/gitlab-runner from 0.37.2 to 0.38.0](gitlab-org/charts/gitlab@b09571bb48d4301ac2be260daf525fad69c6eaa8) ([merge request](gitlab-org/charts/gitlab!2400)) + +### Other (11 changes) + +- [Updates docs to rename task runner pod to toolbox](gitlab-org/charts/gitlab@5620ec0d6bfde3f0fd0d2757d524a984ce449a50) ([merge request](gitlab-org/charts/gitlab!2433)) +- [Adjust yq syntax based on current version](gitlab-org/charts/gitlab@2ce7be58e29e8991886af29fcf77d9d6807e7f7b) ([merge request](gitlab-org/charts/gitlab!2425)) +- [MR template: reference Distribution MR workflow](gitlab-org/charts/gitlab@e081c47606ccf0f15f152152933e37e6e939a657) ([merge request](gitlab-org/charts/gitlab!2455)) +- [Set Prometheus Server retention to 2 days](gitlab-org/charts/gitlab@6a4240848752782ed0a78455ca213e8dad425e98) ([merge request](gitlab-org/charts/gitlab!2382)) +- [Document how to set TLS Secret for KAS/Grafana](gitlab-org/charts/gitlab@d88d73f6202e923b3874e468c1cc07af924fd720) ([merge request](gitlab-org/charts/gitlab!2429)) +- [Use image digest for helper images](gitlab-org/charts/gitlab@4ab53015bf67f7552e905309ea64eab9752f76ed) ([merge request](gitlab-org/charts/gitlab!2427)) +- [Use yq v4 syntax](gitlab-org/charts/gitlab@662d0b96fd4dd0ccf7ca85db41807598047a6b31) ([merge request](gitlab-org/charts/gitlab!2409)) +- [Update Operator install docs for version 0.5.1](gitlab-org/charts/gitlab@44bbe6236cb050bb9d287790997a7f3860a072c1) ([merge request](gitlab-org/charts/gitlab!2417)) +- [Add troubleshooting docs for YAML parse errors](gitlab-org/charts/gitlab@b9947210a310b2eb69cd0a3727d69f0378b6b3ce) ([merge request](gitlab-org/charts/gitlab!2414)) +- [Update Operator docs for version 0.5.0](gitlab-org/charts/gitlab@bffc825cf4730c78e4127e3b0cd8983f7d0545ea) ([merge request](gitlab-org/charts/gitlab!2407)) +- [Update link to Gitaly Cluster migration](gitlab-org/charts/gitlab@0901cb209b15f7ed43eb04576e249940c3afb608) ([merge request](gitlab-org/charts/gitlab!2399)) + +## 5.8.6 (2022-04-29) + +No changes. + +## 5.8.5 (2022-03-31) + +No changes. + +## 5.8.4 (2022-03-16) + +No changes. + +## 5.8.3 (2022-03-14) + +No changes. + +## 5.8.2 (2022-02-25) + +No changes. + +## 5.8.1 (2022-02-23) + +No changes. + +## 5.8.0 (2022-02-21) + +### Added (1 change) + +- [Add webhook delivery method to mailroom](gitlab-org/charts/gitlab@4b63746c3a154fe3326a5e61562c2c32a0663180) ([merge request](gitlab-org/charts/gitlab!2358)) + +### Fixed (4 changes) + +- [allow modifying praefect values without modifying praefect.service](gitlab-org/charts/gitlab@d459fffc351041a6b0a76c9b8fc21b901ae0866e) by @walkafwalka ([merge request](gitlab-org/charts/gitlab!2365)) +- [Use 'global.ingress.class' in IngressClass name](gitlab-org/charts/gitlab@f4ed8db3410a788f826cfd7cb493434376495acd) ([merge request](gitlab-org/charts/gitlab!2351)) +- [Properly set IngressClass name](gitlab-org/charts/gitlab@d119d297d0854af38174d97afa83ecba2e4d2b8b) ([merge request](gitlab-org/charts/gitlab!2354)) +- [add customization to annotations](gitlab-org/charts/gitlab@46497f36de89853acb7285b893985d445531afe2) ([merge request](gitlab-org/charts/gitlab!2339)) + +### Changed (8 changes) + +- [global.ingress.class=none: don't populate fields](gitlab-org/charts/gitlab@e8dee1d508103a7071b82ea2707932dc77eec157) ([merge request](gitlab-org/charts/gitlab!2385)) +- [Update gitlab-exporter from v11.2.0 to v11.11.0](gitlab-org/charts/gitlab@4f5f31e3c64751ac9a26782c63b4f3a69cd5e1de) ([merge request](gitlab-org/charts/gitlab!2395)) +- [Update gitlab-org/container-registry from 3.25.0-gitlab to 3.27.1-gitlab](gitlab-org/charts/gitlab@4fd9b62af9bd7e2ce16a164c7574e8de13b668fe) ([merge request](gitlab-org/charts/gitlab!2397)) +- [Update gitlab-org/container-registry from 3.24.1-gitlab to 3.25.0-gitlab](gitlab-org/charts/gitlab@5acfce7181e289db597f81967b57e3159b296d6a) ([merge request](gitlab-org/charts/gitlab!2391)) +- [Update gitlab-org/container-registry from 3.23.0-gitlab to 3.24.1-gitlab](gitlab-org/charts/gitlab@b0550f880c617bdab82a6b8031e614b8e7cca9de) ([merge request](gitlab-org/charts/gitlab!2386)) +- [Update prometheus chart version to 15.0.4](gitlab-org/charts/gitlab@8af46ea5c890f3d0cdac029ca71e7c2724714377) ([merge request](gitlab-org/charts/gitlab!2350)) +- [Update gitlab-org/charts/gitlab-runner from 0.37.0 to 0.37.2](gitlab-org/charts/gitlab@f34d45b07016511fac5f00b31b34a39e52ac31bd) ([merge request](gitlab-org/charts/gitlab!2357)) +- [Update gitlab-org/container-registry from 3.22.0-gitlab to 3.23.0-gitlab](gitlab-org/charts/gitlab@dd0100477fa5757c1227fd9fa9beed747d196e60) ([merge request](gitlab-org/charts/gitlab!2356)) + +### Removed (1 change) + +- [Remove operator subchart](gitlab-org/charts/gitlab@3253d9bad99edabce76c7c10321b879a33c46de3) ([merge request](gitlab-org/charts/gitlab!2372)) + +### Other (7 changes) + +- [Document decision for Debian and UBI images](gitlab-org/charts/gitlab@c9bba53f52e70b08d29cdbc6191eb726653d690d) ([merge request](gitlab-org/charts/gitlab!2377)) +- [Document Operator maturity](gitlab-org/charts/gitlab@bd16d1e664568f7ff03149d242d9dbe97c821219) ([merge request](gitlab-org/charts/gitlab!2379)) +- [Unify mailroom enablement empty checks](gitlab-org/charts/gitlab@ee11b3c22bf2f6401810540914fc5866de4c23d2) ([merge request](gitlab-org/charts/gitlab!2388)) +- [Fixed wrong content-security-policy value in documentation](gitlab-org/charts/gitlab@37bab302dffce713e3c83522147e3d1adfdfad89) ([merge request](gitlab-org/charts/gitlab!2373)) +- [Add link to Praefect GA release Epic](gitlab-org/charts/gitlab@a56d361391a2eb28eb9d5b2dc24662243bd7198a) ([merge request](gitlab-org/charts/gitlab!2367)) +- [Update Operator install docs for version 0.4.0](gitlab-org/charts/gitlab@24ca2bc27bfe3ae4e18cafb03ddca7b7de77d507) ([merge request](gitlab-org/charts/gitlab!2359)) +- [Extract _checkConfig.tpl into smaller files](gitlab-org/charts/gitlab@fdcb978062ddf32ae106984531138666b3a1be0e) ([merge request](gitlab-org/charts/gitlab!2348)) + +### change (1 change) + +- [Add ERROR: to output message to make more visible](gitlab-org/charts/gitlab@6fe9d83f2d6be4266c26eb7b91f8e6efc54984ea) ([merge request](gitlab-org/charts/gitlab!2294)) + +## 5.7.7 (2022-03-31) + +No changes. + +## 5.7.6 (2022-03-24) + +No changes. + +## 5.7.5 (2022-03-09) + +No changes. + +## 5.7.4 (2022-02-25) + +No changes. + +## 5.7.3 (2022-02-15) + +No changes. + +## 5.7.2 (2022-02-08) + +No changes. + +## 5.7.1 (2022-02-03) + +No changes. + +## 5.7.0 (2022-01-21) + +### Added (3 changes) + +- [Add domain rate-limiting options for GitLab Pages](gitlab-org/charts/gitlab@b61174649493db72d15fce4334a3fd14e58d58e6) ([merge request](gitlab-org/charts/gitlab!2338)) +- [Registry: Add middleware.storage config ability](gitlab-org/charts/gitlab@d11b891716f870823150c11cadcf68155300c6a5) ([merge request](gitlab-org/charts/gitlab!2328)) +- [Feature gate metrics port exposure, expose on Service](gitlab-org/charts/gitlab@29644d37ebee555b5171f2a26dccbe6fd2bfc43f) ([merge request](gitlab-org/charts/gitlab!2311)) + +### Fixed (1 change) + +- [Revert "Favor GitLab's nodeSelectors instead nginx-ingress"](gitlab-org/charts/gitlab@c01708c7b0be1f4f64663d66f2659664a5ece67f) ([merge request](gitlab-org/charts/gitlab!2342)) + +### Changed (6 changes) + +- [Update gitlab-org/charts/gitlab-runner from 0.36.0 to 0.37.0](gitlab-org/charts/gitlab@f4d6e7ae413cf7a1a010b65c75fa050c8b656b22) ([merge request](gitlab-org/charts/gitlab!2352)) +- [Update gitlab-org/container-registry from 3.21.0-gitlab to 3.22.0-gitlab](gitlab-org/charts/gitlab@af098951c8f43cb27e6e5f865771041044f4bae0) ([merge request](gitlab-org/charts/gitlab!2346)) +- [Update Operator docs for 0.3.0](gitlab-org/charts/gitlab@3c8e8c4dc79796bf1cb5df256d379929b044e2c2) ([merge request](gitlab-org/charts/gitlab!2343)) +- [Add test specs](gitlab-org/charts/gitlab@0777257463d3f6169d7fbc47e2931a3347698630) ([merge request](gitlab-org/charts/gitlab!2304)) +- [Update gitlab-org/container-registry from 3.20.0-gitlab to 3.21.0-gitlab](gitlab-org/charts/gitlab@52b9f0d5b6ae45cbf578dffd94cd1e544938a093) ([merge request](gitlab-org/charts/gitlab!2337)) +- [Update gitlab-org/container-registry from 3.19.0-gitlab to 3.20.0-gitlab](gitlab-org/charts/gitlab@4ae9e795d2ae3ceec5f2d75a9c5c9ecefb88f707) ([merge request](gitlab-org/charts/gitlab!2334)) + +## 5.6.7 (2022-03-31) + +No changes. + +## 5.6.6 (2022-03-01) + +No changes. + +## 5.6.5 (2022-02-25) + +No changes. + +## 5.6.4 (2022-02-03) + +No changes. + +## 5.6.3 (2022-01-18) + +No changes. + +## 5.6.2 (2022-01-11) + +No changes. + +## 5.6.1 (2022-01-04) + +No changes. + +## 5.6.0 (2021-12-21) + +### Changed (6 changes) + +- [Update gitlab-org/container-registry from 3.18.1-gitlab to 3.19.0-gitlab](gitlab-org/charts/gitlab@8c76c6594e07be584709112bd0ad6322bbe2b411) ([merge request](gitlab-org/charts/gitlab!2312)) +- [Update gitlab-org/charts/gitlab-runner from 0.35.3 to 0.36.0](gitlab-org/charts/gitlab@504aebed4b7ee63c73436d081392c531b29d7f6f) ([merge request](gitlab-org/charts/gitlab!2313)) +- [Update gitlab-org/charts/gitlab-runner from 0.35.0 to 0.35.3](gitlab-org/charts/gitlab@7017fda23b1a3788c9e6fb7a5e8f11027775c842) ([merge request](gitlab-org/charts/gitlab!2301)) +- [Update gitlab-org/container-registry from 3.16.0-gitlab to 3.17.0-gitlab](gitlab-org/charts/gitlab@e1b12db5cb630926ee76ce7684fba64263dc79af) ([merge request](gitlab-org/charts/gitlab!2285)) +- [Update gitlab-org/charts/gitlab-runner from 0.34.0 to 0.35.0](gitlab-org/charts/gitlab@12c4740147c25f788061176f124e5749eb9a7726) ([merge request](gitlab-org/charts/gitlab!2275)) +- [Update gitlab-org/container-registry from 3.15.0-gitlab to 3.16.0-gitlab](gitlab-org/charts/gitlab@3d2e013c2c37ee987fa064dacb8ae3f2f645aa4b) ([merge request](gitlab-org/charts/gitlab!2276)) + +## 5.5.4 (2022-02-03) + +No changes. + +## 5.5.3 (2022-01-11) + +No changes. + +## 5.5.2 (2021-12-03) + +No changes. + +## 5.5.1 (2021-12-01) + +No changes. + +## 5.5.0 (2021-11-19) + +### Added (3 changes) + +- [Add MaxURILength option for GitLab Pages](gitlab-org/charts/gitlab@426e60d5229d92090f3e7c207438aac481ce1c8a) ([merge request](gitlab-org/charts/gitlab!2266)) +- [Add loose foreign key cron worker](gitlab-org/charts/gitlab@e37cfdb0f344c51320268784838b4292daa153d7) ([merge request](gitlab-org/charts/gitlab!2265)) +- [Add one_trust_id config](gitlab-org/charts/gitlab@86339448ae78770fc4637020c34370f5c45b03a6) ([merge request](gitlab-org/charts/gitlab!2237)) + +### Fixed (1 change) + +- [Raise Sidekiq job timeout from 5 to 25 seconds](gitlab-org/charts/gitlab@f94968b4bef32446b38c2033364107d1cff6e1bb) ([merge request](gitlab-org/charts/gitlab!2249)) + +### Changed (7 changes) + +- [Update gitlab-org/container-registry from 3.14.3-gitlab to 3.15.0-gitlab](gitlab-org/charts/gitlab@f8f07d262d73c80b2bf863b79358cf9c53214689) ([merge request](gitlab-org/charts/gitlab!2271)) +- [Update gitlab-org/container-registry from 3.14.2-gitlab to 3.14.3-gitlab](gitlab-org/charts/gitlab@34fbd2864de95f80337da3db08ff92323a1a1e33) ([merge request](gitlab-org/charts/gitlab!2264)) +- [Update gitlab-org/container-registry from 3.14.1-gitlab to 3.14.2-gitlab](gitlab-org/charts/gitlab@fe13ae8f5bed9ab67593b526f52bb97835203c41) ([merge request](gitlab-org/charts/gitlab!2257)) +- [Update gitlab-org/container-registry from 3.13.0-gitlab to 3.14.1-gitlab](gitlab-org/charts/gitlab@6119f3f5307166cf99df9a8fdc14ffbc153143fb) ([merge request](gitlab-org/charts/gitlab!2250)) +- [GitLab Shell: replace ERB with gomplate](gitlab-org/charts/gitlab@44923bed8bb1578a68b50d5a0d93b5b8cb51fc05) by @kristofkalocsai ([merge request](gitlab-org/charts/gitlab!2220)) +- [GitLab Pages: replace ERB with gomplate](gitlab-org/charts/gitlab@22119c6893be97ed9d2ea8fd72a12784d45a3abe) by @kristofkalocsai ([merge request](gitlab-org/charts/gitlab!2217)) +- [Update gitlab-org/container-registry from 3.12.0-gitlab to 3.13.0-gitlab](gitlab-org/charts/gitlab@2ea30e59cdad005e45866da788ecf8dfd212eb2b) ([merge request](gitlab-org/charts/gitlab!2235)) + +### Other (1 change) + +- [[Docs] Operator: clarify available chart versions](gitlab-org/charts/gitlab@afcb3d95d2f997cc1d77087bb85a73b918a38101) ([merge request](gitlab-org/charts/gitlab!2268)) + +## 5.4.5 (2022-01-11) + +No changes. + +## 5.4.4 (2021-12-03) + +No changes. + +## 5.4.3 (2021-12-01) + +No changes. + +## 5.4.2 (2021-11-08) + +No changes. + +## 5.4.1 (2021-10-28) + +No changes. + +## 5.4.0 (2021-10-21) + +### Added (2 changes) + +- [Pages: enable proper readiness probe](gitlab-org/charts/gitlab@9b4d367bc96a2430eca9cfb32b916f0860bdd7ff) ([merge request](gitlab-org/charts/gitlab!2225)) +- [Allow configuring redis instance for rate limiting](gitlab-org/charts/gitlab@349cb8056f484dde330589805076ba86e70306d5) ([merge request](gitlab-org/charts/gitlab!2187)) + +### Fixed (4 changes) + +- [Add certificate volumeMounts to Rails deployments](gitlab-org/charts/gitlab@7a1fbf603eca4d698c16275eb1f7dd8dbcfdb45b) ([merge request](gitlab-org/charts/gitlab!2219)) +- [Add missing namespace to default KAS internal URL](gitlab-org/charts/gitlab@582d9b2b3298da78dc7b6c826e7dd5ee705505dd) ([merge request](gitlab-org/charts/gitlab!2207)) +- [Add a preStop hook to registry to sleep for 5 seconds](gitlab-org/charts/gitlab@24efafe6276eb5ea5ae9bc82d670cf0529356dd5) ([merge request](gitlab-org/charts/gitlab!2199)) +- [Move 'global.kas.apiExternalPort' to parent chart](gitlab-org/charts/gitlab@d68096d019a01cf1ba1953fde6b26e6cfcdffa6b) ([merge request](gitlab-org/charts/gitlab!2201)) + +### Changed (5 changes) + +- [Pin mailroom to 0.0.14](gitlab-org/charts/gitlab@5befab88589e25b0b851e6f39432e2051d3628d2) ([merge request](gitlab-org/charts/gitlab!2236)) +- [Update gitlab-org/container-registry from 3.11.1-gitlab to 3.12.0-gitlab](gitlab-org/charts/gitlab@cc5af8331e1f3aef9eaaee88f366e516cfc80c3f) ([merge request](gitlab-org/charts/gitlab!2230)) +- [Update runner chart to v0.33.1](gitlab-org/charts/gitlab@c40f40aab0118470f1b18dd42bae86e85fe1d6e9) by @xasx ([merge request](gitlab-org/charts/gitlab!2206)) +- [Update gitlab-org/charts/gitlab-runner from 0.32.0 to 0.33.0](gitlab-org/charts/gitlab@ce87597fbd8881f1a711affd926c6a332daf9254) ([merge request](gitlab-org/charts/gitlab!2203)) +- [Update gitlab-org/container-registry from 3.11.0-gitlab to 3.11.1-gitlab](gitlab-org/charts/gitlab@3e6492bf41609054214308006289a9e638038e22) ([merge request](gitlab-org/charts/gitlab!2194)) + +### Other (2 changes) + +- [Remove reference to deprecated operator](gitlab-org/charts/gitlab@d03e3293fdfe698eb3b5defe0b919351ef9485eb) ([merge request](gitlab-org/charts/gitlab!2197)) +- [Add $PLATFORM to installation commands](gitlab-org/charts/gitlab@8e72a88fb391cb98f64e712b07e65d65db4ab8fd) ([merge request](gitlab-org/charts/gitlab!2190)) + +## 5.3.6 (2021-12-03) + +No changes. + +## 5.3.5 (2021-11-26) + +No changes. + +## 5.3.4 (2021-10-28) + +No changes. + +## 5.3.3 (2021-10-12) + +No changes. + +## 5.3.2 (2021-10-01) + +No changes. + +## 5.3.1 (2021-09-30) + +No changes. + +## 5.3.0 (2021-09-21) + +### Added (1 change) + +- [Mount SSH host keys into Webservice container](gitlab-org/charts/gitlab@ff3670c0633094d30d5c8d6e89d394f46ae08d29) by @kravvcu ([merge request](gitlab-org/charts/gitlab!2168)) + +### Fixed (3 changes) + +- [Drop the special ingress rule for /admin/sidekiq](gitlab-org/charts/gitlab@63bad505f20df8b0a211343d75dee1e4e9917445) ([merge request](gitlab-org/charts/gitlab!2182)) +- [Rails db: always put main first](gitlab-org/charts/gitlab@ad9b461b0ddedf1e05b45db54e2950c20298380c) ([merge request](gitlab-org/charts/gitlab!2159)) +- [Remove Gitaly's redundant Prometheus listen addr](gitlab-org/charts/gitlab@fe4a41f5f111a536407ed427d295f9b558bee8d9) ([merge request](gitlab-org/charts/gitlab!2153)) + +### Changed (7 changes) + +- [Update gitlab-org/container-registry from 3.10.1-gitlab to 3.11.0-gitlab](gitlab-org/charts/gitlab@09cb819fc9dbfd17262adf977d369034299b42f5) ([merge request](gitlab-org/charts/gitlab!2181)) +- [Deployments: remove .spec.replicas when HPA present](gitlab-org/charts/gitlab@a23f7ed46ee68b5740690a352e3dd452750abb7a) ([merge request](gitlab-org/charts/gitlab!2180)) +- [Update gitlab-org/container-registry from 3.10.0-gitlab to 3.10.1-gitlab](gitlab-org/charts/gitlab@ba458fab385380bb138a5cc0c8bd71c4d49cc199) ([merge request](gitlab-org/charts/gitlab!2172)) +- [Update gitlab-org/container-registry from 3.9.0-gitlab to 3.10.0-gitlab](gitlab-org/charts/gitlab@9bfbdbf5cfd2619109ef5a49e4312f0210395d41) ([merge request](gitlab-org/charts/gitlab!2156)) +- [Change default configuration for HSTS](gitlab-org/charts/gitlab@14936c95c921770b67c28642dc950fa186252bdd) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2118)) +- [Update gitlab-org/charts/gitlab-runner from 0.31.0 to 0.32.0](gitlab-org/charts/gitlab@0665982645d842994a54bddb1269fbb694a743cb) ([merge request](gitlab-org/charts/gitlab!2149)) +- [Adds pages local_store configuration](gitlab-org/charts/gitlab@426c34858876fe0d52cd4fe880f44771af17e19b) ([merge request](gitlab-org/charts/gitlab!2141)) + +## 5.2.7 (2021-11-26) + +No changes. + +## 5.2.6 (2021-10-28) + +No changes. + +## 5.2.5 (2021-09-30) + +No changes. + +## 5.2.4 (2021-09-17) + +No changes. + +## 5.2.3 (2021-09-01) + +No changes. + +## 5.2.2 (2021-08-31) + +No changes. + +## 5.2.1 (2021-08-23) + +No changes. + +## 5.2.0 (2021-08-20) + +### Added (4 changes) + +- [Support many database configuration](gitlab-org/charts/gitlab@2036b4687bf7e507540bc06b27d5862f496c547c) ([merge request](gitlab-org/charts/gitlab!2122)) +- [Registry: add upload purging to maintenance stanza](gitlab-org/charts/gitlab@aae3afb76daf5b8bae04796307f21d7cf26bb6da) ([merge request](gitlab-org/charts/gitlab!2116)) +- [Support Workhorse config options for propagating correlation IDs](gitlab-org/charts/gitlab@53351d219e8a85423fe1b1922e04101994fa4e2e) ([merge request](gitlab-org/charts/gitlab!2106)) +- [Gitlab-sshd experimental support](gitlab-org/charts/gitlab@41879ffce3c39af07dfe767f3a634ab4aa823d19) ([merge request](gitlab-org/charts/gitlab!1855)) + +### Fixed (5 changes) + +- [Add toString to sidekiq deployment image logic](gitlab-org/charts/gitlab@97f20f307b92e4b370ebb57ba9e0c1f9435e2842) ([merge request](gitlab-org/charts/gitlab!2111)) +- [Fix references to traceChunks and sharedState](gitlab-org/charts/gitlab@d136a24903aa4903319f9f4ec8b07b1dde9c97a0) ([merge request](gitlab-org/charts/gitlab!2117)) +- [Add quotes to labels content, preventing unquoted booleans when deploying chart](gitlab-org/charts/gitlab@614778c435dc94b484b84daccf77f8b063432a25) ([merge request](gitlab-org/charts/gitlab!2068)) +- [Gitaly: Bind metrics endpoint to 0.0.0.0 instead of localhost](gitlab-org/charts/gitlab@dc8857272d92ed690744d6166033edabc5ec1952) ([merge request](gitlab-org/charts/gitlab!2100)) +- [Ensure backup includes Pages bucket also](gitlab-org/charts/gitlab@98d52b39c1293037432025afae3f4441a2a2d7c9) ([merge request](gitlab-org/charts/gitlab!2107)) + +### Changed (16 changes) + +- [Standardize imagePullPolicy and imagePullSecrets behavior](gitlab-org/charts/gitlab@d3a329f1753e635188ff2dc02c111382bf406bfb) ([merge request](gitlab-org/charts/gitlab!2130)) +- [Update gitlab-org/container-registry from 3.8.0-gitlab to 3.9.0-gitlab](gitlab-org/charts/gitlab@b076bfc4d000824f4880f14184fc098a88fb56cd) ([merge request](gitlab-org/charts/gitlab!2142)) +- [Bump container registry to v3.8.0](gitlab-org/charts/gitlab@9a754157f2d68c46667f5635ccaf15993a3ecbb5) ([merge request](gitlab-org/charts/gitlab!2139)) +- [Rename pullsecrets template to gitlab.image.pullSecrets](gitlab-org/charts/gitlab@ad5e7a7e0239df01dc6afbbb00c2a5cf1c57abe8) ([merge request](gitlab-org/charts/gitlab!2126)) +- [Use renamed image: task-runner -> toolbox](gitlab-org/charts/gitlab@e880a913a22e8f3631cedcb3522fb9caba6bb9c4) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2099)) +- [Deprecate global.imagePullPolicy and move it to global.image.pullPolicy](gitlab-org/charts/gitlab@f49cc36c333b2997ebea99db6568b68dac925add) ([merge request](gitlab-org/charts/gitlab!2120)) +- [Update gitlab-org/gitlab-exporter from 11.1.0 to 11.2.0](gitlab-org/charts/gitlab@35f21594c0dc313735a17bcb7991fafdfef2fbe8) ([merge request](gitlab-org/charts/gitlab!2124)) +- [Update gitlab-org/container-registry from 3.6.2-gitlab to 3.7.0-gitlab](gitlab-org/charts/gitlab@b0df57f8d4be24678da3f6e9b7fa4eed820abf04) ([merge request](gitlab-org/charts/gitlab!2123)) +- [Update gitlab-org/container-registry from 3.6.1-gitlab to 3.6.2-gitlab](gitlab-org/charts/gitlab@1e9b17df737a461a5401f8e8b10946822dfbf25f) ([merge request](gitlab-org/charts/gitlab!2115)) +- [Switch busybox/nginx-ingress containers to mirror](gitlab-org/charts/gitlab@df93c5f7c06eef41fff461bdb07ae23da4f84f45) ([merge request](gitlab-org/charts/gitlab!2114)) +- [Update gitlab-org/gitlab-exporter from 11.0.1 to 11.1.0](gitlab-org/charts/gitlab@b8099e5d4774dcf0e8b7abc4a09f07cfebe18483) ([merge request](gitlab-org/charts/gitlab!2109)) +- [Update gitlab-org/container-registry from 3.6.0-gitlab to 3.6.1-gitlab](gitlab-org/charts/gitlab@620c3b9e6dad1e11eede8b0c22952cf794aad76c) ([merge request](gitlab-org/charts/gitlab!2102)) +- [Update gitlab-org/charts/gitlab-runner from 0.30.0 to 0.31.0](gitlab-org/charts/gitlab@3fba0b2a29774cf3118b5cf7121bd95a9116708c) ([merge request](gitlab-org/charts/gitlab!2101)) +- [Update gitlab-org/container-registry from 3.5.2-gitlab to 3.6.0-gitlab](gitlab-org/charts/gitlab@ec98f3663375be3ddf7fec7ab6078fbb65aabeb9) ([merge request](gitlab-org/charts/gitlab!2096)) +- [Update gitlab-exporter appVersion 11.0.1](gitlab-org/charts/gitlab@d6cc85961e3d8369460840e70415b593bd82e432) ([merge request](gitlab-org/charts/gitlab!2092)) +- [Update gitlab-org/gitlab-exporter from 10.5.0 to 11.0.0](gitlab-org/charts/gitlab@2c2a8c2b877b45d47b8bb61a09ed6cb5f8b79392) ([merge request](gitlab-org/charts/gitlab!2092)) + +## 5.1.8 (2021-11-15) + +No changes. + +## 5.1.7 (2021-09-30) + +No changes. + +## 5.1.6 (2021-09-27) + +No changes. + +## 5.1.5 (2021-09-02) + +No changes. + +## 5.1.4 (2021-08-31) + +No changes. + +## 5.1.3 (2021-08-17) + +### Fixed (1 change) + +- [Fix labels boolean value not being escaped bug](gitlab-org/charts/gitlab@0714357dd8f46874f8abbba6e805ba98e3e30c4b) ([merge request](gitlab-org/charts/gitlab!2121)) + +## 5.1.2 (2021-08-03) + +No changes. + +## 5.1.1 (2021-07-28) + +No changes. + +## 5.1.0 (2021-07-21) + +### Fixed (3 changes) + +- [Fixed duplicate labels generated by local and `.standardLabels`](gitlab-org/charts/gitlab@34d79356d8adbd732fb7a7a26416e73480220585) ([merge request](gitlab-org/charts/gitlab!2067)) +- [Fix forbidden error while accessing smartcard ingress](gitlab-org/charts/gitlab@38464add1376203104b3783edafb12818d312a00) ([merge request](gitlab-org/charts/gitlab!2053)) +- [Webservice: address common.labels duplication](gitlab-org/charts/gitlab@198feaa11a915e21271a98200b8dc5403823cea6) ([merge request](gitlab-org/charts/gitlab!2054)) + +### Changed (6 changes) + +- [Update gitlab-org/gitlab-exporter from 10.4.0 to 10.5.0](gitlab-org/charts/gitlab@07a8e4b1bad7743f4f7b6ed4ee1b9951beda33c8) ([merge request](gitlab-org/charts/gitlab!2080)) +- [Set GitLab 14.0 as the min supported upgrade version](gitlab-org/charts/gitlab@902017356aae050141adc15d53da4f25aa83ddb8) ([merge request](gitlab-org/charts/gitlab!2086)) +- [Allow PostgreSQL adapter tcp parameter tuning](gitlab-org/charts/gitlab@caf7c65467e5a3490323231ab38bb1c841eb6e0e) ([merge request](gitlab-org/charts/gitlab!2082)) +- [Bump Container Registry to v3.5.1-gitlab](gitlab-org/charts/gitlab@a8e2c62c3755b7f25f56a59bab1c90573529214d) ([merge request](gitlab-org/charts/gitlab!2079)) +- [Update gitlab-org/container-registry from 3.5.0-gitlab to 3.5.1-gitlab](gitlab-org/charts/gitlab@3bd4bda15ef96ae1dd10ea31b3b1fdba47f699c8) ([merge request](gitlab-org/charts/gitlab!2079)) +- [Update gitlab-org/gitlab-exporter from 10.3.0 to 10.4.0](gitlab-org/charts/gitlab@9802bdd7b9cab3b42307729b59e38a27c82d2231) ([merge request](gitlab-org/charts/gitlab!2035)) + +### Security (1 change) + +- [Do not automount SA token when not needed](gitlab-org/charts/gitlab@108af40ae28e55c882feae66eaecd3a0d0f45996) ([merge request](gitlab-org/charts/gitlab!2093)) + +## 5.0.12 (2021-11-05) + +No changes. + +## 5.0.11 (2021-09-23) + +No changes. + +## 5.0.10 (2021-09-02) + +No changes. + +## 5.0.9 (2021-08-31) + +No changes. + +## 5.0.8 (2021-08-25) + +No changes. + +## 5.0.7 (2021-08-03) + +No changes. + +## 5.0.6 (2021-07-20) + +No changes. + +## 5.0.5 (2021-07-08) + +No changes. + +## 5.0.4 (2021-07-07) + +No changes. + +## 5.0.3 (2021-07-06) + +No changes. + +## 5.0.2 (2021-07-01) + +No changes. + +## 5.0.1 (2021-06-24) + +No changes. + +## 5.0.0 (2021-06-21) + +### Added (7 changes) + +- [Make ClientAliveInterval configurable for openssh](gitlab-org/charts/gitlab@6b244f199eb03f3a19eab6b33d6a74aef44c9563) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2049)) +- [Add GKE load balancer options for KAS service](gitlab-org/charts/gitlab@a67751788fc952a0280333e5646f37e1106554f1) ([merge request](gitlab-org/charts/gitlab!1911)) +- [Add initial upgrade docs for version 5 of the chart](gitlab-org/charts/gitlab@4fa460e639f7e6ee4b1dc2cad50272b6d483c7d7) ([merge request](gitlab-org/charts/gitlab!2027)) +- [Add global.ingress.provider and checks to allow changing the ingress provider](gitlab-org/charts/gitlab@b5522e7edb61be66cb31223afe57f95c386ea4b5) ([merge request](gitlab-org/charts/gitlab!2033)) +- [Set Workhorse shutdown to workerTimeout + 1 by default](gitlab-org/charts/gitlab@e0b57b779b0a432ae669ba10a583b3ab255f1b59) ([merge request](gitlab-org/charts/gitlab!2037)) +- [Allow configuring redis instance for trace chunks](gitlab-org/charts/gitlab@db72918ec278de8984dab7a111fc4f2e958662ff) ([merge request](gitlab-org/charts/gitlab!2031)) +- [gitlab/kas: add image pullSecrets to chart](gitlab-org/charts/gitlab@517b3c6ffdd49d594084135371f63f2a78c5791e) ([merge request](gitlab-org/charts/gitlab!2006)) + +### Fixed (5 changes) + +- [Fix support for an existing ServiceAccount](gitlab-org/charts/gitlab@62636629a9663fa4c5f673fea8ce6023932fa065) ([merge request](gitlab-org/charts/gitlab!2045)) +- [gitlab-shell: quote tcp configmap port](gitlab-org/charts/gitlab@f7af9592fdf52bcdcbb93bf3c82ade97f1fc881f) ([merge request](gitlab-org/charts/gitlab!2047)) +- [Fix link to NGINX configuration docs](gitlab-org/charts/gitlab@5b225a7c843d54a1634473c6dc0aeededa0ffb01) ([merge request](gitlab-org/charts/gitlab!2046)) +- [Move Sidekiq's logging.format to _sidekiq.tpl](gitlab-org/charts/gitlab@db79ec4c066882ff01eb5d57ee8b85439455c295) ([merge request](gitlab-org/charts/gitlab!2021)) +- [Fix ingress.configureCertmanager to have higher priority than global](gitlab-org/charts/gitlab@f6dcdb7a0ccbc972313135a4499cb968ad16dd45) ([merge request](gitlab-org/charts/gitlab!1980)) + +### Changed (12 changes) + +- [GitLab Runner to 0.30.0](gitlab-org/charts/gitlab@d9b0310f1a700ed806f50ff373b5745ade06511b) ([merge request](gitlab-org/charts/gitlab!2060)) +- [Update certmanager to 1.2.0 and min k8s version to 1.16](gitlab-org/charts/gitlab@171be67fd3a16ebeb92b4abafd63caa867419e0a) ([merge request](gitlab-org/charts/gitlab!2041)) +- [Update the min k8s and helm versions](gitlab-org/charts/gitlab@352a9cfb3a9c20faa29c0d32cfeab2a515a3970e) ([merge request](gitlab-org/charts/gitlab!2050)) +- [Remove Helm 2 related tasks from cloud installation scripts](gitlab-org/charts/gitlab@24f7ec7b6839d2220db4d229df478390a0b2ac9c) ([merge request](gitlab-org/charts/gitlab!2040)) +- [Remove spaces from sidekiq queues and negateQueues](gitlab-org/charts/gitlab@978f109daff26a70b3562deab800f60c21b0ddb6) ([merge request](gitlab-org/charts/gitlab!1387)) +- [Bump Container Registry to v3.5.0-gitlab](gitlab-org/charts/gitlab@d95bd8302460ab0884b463e5b2efc8d9662d8ff6) ([merge request](gitlab-org/charts/gitlab!2042)) +- [Update helm test to test updated endpoint](gitlab-org/charts/gitlab@90f165255326f8f98251f9f46c46611546f91813) ([merge request](gitlab-org/charts/gitlab!2044)) +- [bump default self-signed cert expiry to 10yr](gitlab-org/charts/gitlab@0bf962ac30535fb0ce58a5da7384c9ba2b12ecfc) ([merge request](gitlab-org/charts/gitlab!2034)) +- [Update minimum required version of PostgreSQL from 11 to 12](gitlab-org/charts/gitlab@9729a60d24fa11602da347ba1c49abb168a5d740) ([merge request](gitlab-org/charts/gitlab!2012)) +- [Only permit upgrades from 4.12](gitlab-org/charts/gitlab@a8facddb582dccf6b97a634370abd34e9bdb3b4c) ([merge request](gitlab-org/charts/gitlab!2029)) +- [add changes suggested by @WarheadsSE in gitlab-org/charts/gitlab!2000](gitlab-org/charts/gitlab@6380ee8b1a2eeebefc1258e08bd7a9a981a8bb04) ([merge request](gitlab-org/charts/gitlab!2019)) +- [Update gitlab-org/charts/gitlab-runner from 0.28.0 to 0.29.0](gitlab-org/charts/gitlab@32447b667c8fd39f4fde45c0fe4b12b9d85c245f) ([merge request](gitlab-org/charts/gitlab!2008)) + +### Removed (3 changes) + +- [Remove deprecated `experimentalQueueSelector` option for Sidekiq](gitlab-org/charts/gitlab@007788f0ba373f7d3fc51623ea5b70021b62ca5b) ([merge request](gitlab-org/charts/gitlab!2023)) +- [Remove the old resouce changes notices](gitlab-org/charts/gitlab@1755275b75dfe669c038e44dd2d218e3aa62c2e6) ([merge request](gitlab-org/charts/gitlab!2028)) +- [Remove ability to disable cluster from sidekiq values](gitlab-org/charts/gitlab@0de93fe181cd8c514aec013bf7e1541e1b41660b) ([merge request](gitlab-org/charts/gitlab!2024)) + +## 4.12.13 (2021-10-29) + +No changes. + +## 4.12.12 (2021-09-21) + +No changes. + +## 4.12.11 (2021-09-02) + +No changes. + +## 4.12.10 (2021-08-10) + +No changes. + +## 4.12.9 (2021-08-03) + +No changes. + +## 4.12.8 (2021-07-07) + +No changes. + +## 4.12.7 (2021-07-05) + +No changes. + +## 4.12.6 (2021-07-01) + +No changes. + +## 4.12.5 (2021-06-21) + +No changes. + +## 4.12.4 (2021-06-14) + +No changes. + +## 4.12.3 (2021-06-07) + +No changes. + +## 4.12.2 (2021-06-01) + +No changes. + +## 4.12.1 (2021-05-25) + +No changes. + +## 4.12.0 (2021-05-21) + +### Added (2 changes) + +- [Add support for SMTP connection pooling](gitlab-org/charts/gitlab@9db6d3baca1efae954130cf34a030e1d38907d97) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1963)) +- [Add Sidekiq routing rules configuration](gitlab-org/charts/gitlab@7538f58c173881d2221098007306ef4b84a191e1) ([merge request](gitlab-org/charts/gitlab!1968)) + +### Fixed (2 changes) + +- [Shared-secrets: add annotations to self-signed job](gitlab-org/charts/gitlab@165e685da49147c584e0f1dc5403787dc669adf4) ([merge request](gitlab-org/charts/gitlab!1998)) +- [Fix grafana ingress misconfiguration](gitlab-org/charts/gitlab@81277b932410b41d468371492e59f4aafcf64eff) ([merge request](gitlab-org/charts/gitlab!1955)) + +### Changed (8 changes) + +- [Remove shared-secrets chart and move templates to root](gitlab-org/charts/gitlab@9dc08d0e2158abbccafe550b9059da0187e2d6e2) ([merge request](gitlab-org/charts/gitlab!1982)) +- [Switch to using the new runner config for cache](gitlab-org/charts/gitlab@ffd6c5e48462d8230eb6948267c6952882812de9) ([merge request](gitlab-org/charts/gitlab!1989)) +- [Update Ingress Api version to `networking.k8s.io/v1/Ingress`](gitlab-org/charts/gitlab@ffdfd9af150f2254fbbd754814d10495328670d2) ([merge request](gitlab-org/charts/gitlab!1984)) +- [Registry to v3.4.0-gitlab](gitlab-org/charts/gitlab@bf0be4e577293310622436ba13bb4700298ff180) ([merge request](gitlab-org/charts/gitlab!1975)) +- [Resolve registry and webservice ingress enabled bug](gitlab-org/charts/gitlab@ee1e3f90a386e50984410307e386569a95d28892) ([merge request](gitlab-org/charts/gitlab!1972)) +- [Pass GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN as file instead of ENV](gitlab-org/charts/gitlab@7a049f4dba9f41bc72308bbaa2618e954e590b10) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1920)) +- [Update Ingress API version from 'extensions/v1beta1' to 'networking.k8s.io/v1'](gitlab-org/charts/gitlab@d883ad9c149e36ff67f4080f520711f0c76de2f4) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1951)) +- [Enables the ability to configure the notification_secret](gitlab-org/charts/gitlab@80f49f27e8070580afb808d0fec6f3ad0cb89dd8) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1948)) + +### Deprecated (1 change) + +- [Add deprecation warning for Unicorn](gitlab-org/charts/gitlab@214fb34a7d64df9506d66b3f1b2d4b21aa5bddb2) ([merge request](gitlab-org/charts/gitlab!1987)) + +### Other (2 changes) + +- [Refactor a yaml indentation inconsistency](gitlab-org/charts/gitlab@e43cbb7f3b75ef88ef6a478ef809826b7e51bfbe) ([merge request](gitlab-org/charts/gitlab!1978)) +- [Support using PAGES_UPDATE_LEGACY_STORAGE env variable to enable Pages disk access](gitlab-org/charts/gitlab@ba72fead4cc4af5268a258b7a4bdbac85665f15c) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1938)) + +## 4.11.7 (2021-07-07) + +No changes. + +## 4.11.6 (2021-07-01) + +No changes. + +## 4.11.5 (2021-06-01) + +No changes. + +## 4.11.4 (2021-05-14) + +No changes. + +## 4.11.3 (2021-04-30) + +No changes. + +## 4.11.2 (2021-04-27) + +No changes. + +## 4.11.1 (2021-04-22) + +- No changes. + +## 4.11.0 (2021-04-22) + +### Removed (1 change) + +- Gitaly - move metrics port from service to pod. !1947 + +### Fixed (5 changes, 1 of them is from the community) + +- Fixes incorrect set hostname for geo syncing Container Registry. !1913 +- Allow separate external Gitaly when Praefect is enabled. !1928 +- Registry: use separate, minimal config for migration. !1939 +- Configure the metrics endpoint of praefect to be reachable from all interfaces not just localhost. !1946 (Tim Neumann) +- Bump gitlab-exporter to 10.2.0 to fix Puma related crash. !1954 + +### Changed (3 changes) + +- GitLab Runner to 0.27.0 / 13.10.0. !1904 +- Registry to 3.3.0-gitlab. !1942 +- GitLab Runner chart to 0.28.0. !1956 + +### Added (7 changes) + +- Add Registry migrations job. !1857 +- Add checkConfig to validate Gitaly storage names. !1873 +- [shared-secrets chart] If Secret key does not exist, patch it in. !1883 +- Allow configuring terminationGracePeriodSeconds for Sidekiq pod. !1905 +- Add online GC configurations to registry chart. !1908 +- Add Microsoft Graph config support for MailRoom. !1929 +- Added support for IAM roles in EKS. !1940 + + +## 4.10.5 (2021-06-01) + +No changes. + +## 4.10.4 (2021-04-27) + +No changes. + +## 4.10.3 (2021-04-13) + +- No changes. + +## 4.10.2 (2021-04-01) + +### Fixed (1 change) + +- Fix for Rancher/RKE: Remove extra space before -}} in _kas.tpl. !1925 + + +## 4.10.1 (2021-03-31) + +### Fixed (1 change) + +- Fixes Container Registry notification when Geo syncing is disabled. !1899 + +### Changed (1 change) + +- GitLab Exporter to 10.1.0. !1915 + + +## 4.10.0 (2021-03-22) + +### Fixed (6 changes, 2 of them are from the community) + +- Skip kas redis.password_file when password disabled. !1853 +- Add missing hostnameOverride logic. !1861 +- Use template for label selectors on NGINX objects. !1877 (Antony Perigault) +- Webervice: Fix template loadBalancerSourceRanges in Service object. !1882 (Rafed Ramzi) +- Fix Registry ingress' serviceName value. !1887 +- Update GKE bootstrap script to wait for the api to be available. !1894 + +### Changed (9 changes, 1 of them is from the community) + +- Fixes podLabels for sidekiq deployments. !1842 +- Adds common labels for all webservice deployment objects. !1856 +- Bump Container Registry to v3.1.0-gitlab. !1866 +- Adds Geo Notification Event for Container Registry. !1868 +- honour existing health check script shipped with gitlab-mailroom container. !1875 (Dmitry Makovey) +- Add internal and external URL config for KAS. !1879 +- Use HTTP liveness check for mailroom. !1891 +- Bump Container Registry to v3.2.0-gitlab. !1893 +- Bump Container Registry to v3.2.1-gitlab. !1896 + +### Added (6 changes, 1 of them is from the community) + +- Add optional networkpolicy for KAS. !1837 +- Support specifying `nodeSelector` globally. !1839 (Marshall Cottrell) +- Add global.ingress.path to address #2563. !1846 +- Add database configurations to registry chart. !1854 +- Webservice: enable per-deployment blackoutSeconds. !1867 +- Add migration configurations to registry chart. !1888 + + +## 4.9.7 (2021-04-27) + +No changes. + +## 4.9.6 (2021-04-13) + +- No changes. + +## 4.9.5 (2021-03-31) + +- No changes. + +## 4.9.4 (2021-03-17) + +### Changed (1 change) + +- GitLab Runner to 0.26.0. !1858 + + +## 4.9.3 (2021-03-08) + +- No changes. + +## 4.9.2 (2021-03-04) + +- No changes. + +## 4.9.1 (2021-02-23) + +- No changes. + +## 4.9.0 (2021-02-22) + +### Fixed (8 changes, 1 of them is from the community) + +- Add custom annotations for shared-secrets job. !1774 +- Prevent all Gitaly pods from restarting when replicas are changed. !1806 +- Fix Praefect spec test and warning typo. !1812 +- Allow the use of TCP ProxyProtocol in ELB AWS. !1814 (Cristhian Roa) +- CI: Shorten RELEASE_NAME to 48 characters. !1819 +- Fixes podLabels for sidekiq deployments. !1826 +- Fix SMTP openssl_verify_mode implementation. !1831 +- Fix redis service templating when Helm release includes 'redis'. !1832 + +### Changed (14 changes) + +- Support migration from Gitaly to Praefect. !1757 +- Bump Redis chart to Redis 6.0.10. !1772 +- Adds common labels for Container Registry Chart. !1778 +- Fix pod labels for GitLab ShellChart. !1779 +- Bump Container Registry to v3.0.0-gitlab. !1780 +- Add common pod labels for Webservices. !1785 +- Add common pod labels for kas. !1791 +- Add common pod labels for mailroom. !1792 +- Modify logic to check if Praefect is enabled. !1797 +- Add common pod labels for task-runner. !1798 +- Add common pod labels for praefect. !1799 +- Add common pod labels for Pages. !1805 +- Add common pod labels for Gitaly. !1829 +- Webservice: accept / or /* for default ingress.path. !1841 + +### Performance (2 changes) + +- Bump gitlab-exporter to v10.0.0, tune malloc to release memory earlier. !1777 +- Tune Ruby GC for gitlab-exporter. !1820 + +### Added (7 changes) + +- Expose settings to control GitLab Shell logging. !1767 +- Add application settings cache expiry support. !1768 +- Automatically enable OAuth for GitLab Pages. !1782 +- Add matomo_disable_cookies setting. !1813 +- Adds common labels across all objects for GitLab Geo-Logcursor chart. !1822 +- Add support for specifying a nodeSelector for Kas. !1836 +- KAS: Add ability to disable Redis. !1838 + +### Other (3 changes) + +- Emit Ruby Prometheus metrics for gitlab-exporter. !1790 +- Clarify EKS installation instructions. !1801 +- Add outgoing email section to 'globals' docs. !1821 + + +## 4.8.8 (2021-04-13) + +- No changes. + +## 4.8.7 (2021-03-31) + +- No changes. + +## 4.8.6 (2021-03-17) + +- No changes. + +## 4.8.5 (2021-03-04) + +- No changes. + +## 4.8.4 (2021-02-11) + +- No changes. + +## 4.8.3 (2021-02-05) + +- No changes. + +## 4.8.2 (2021-02-01) + +### Fixed (2 changes) + +- Fixes backups when GitLab KAS is enabled. !1765 +- Fix Gitaly persistence configuration. !1796 + + +## 4.8.1 (2021-01-26) + +### Changed (1 change) + +- Update GitLab Runner chart to 0.25.0. !1775 + + +## 4.8.0 (2021-01-22) + +### Fixed (2 changes, 1 of them is from the community) + +- Add --subnetwork flag to the GKE bootstrap script. !1737 (rhassanein) +- Fix spelling and logic for Gitaly hook volumes. !1747 + +### Changed (6 changes) + +- Support multiple virtual_storages in Praefect. !1618 +- Update gitlab-container-registry to v2.13.0-gitlab. !1723 +- Adds common labels for GitLab Sidekiq Chart. !1727 +- Adds common labels for GitLab Exporter. !1743 +- Bump gitlab-exporter to v8.0.0. !1745 +- Bump Container Registry to v2.13.1-gitlab. !1755 + +### Added (7 changes, 2 of them are from the community) + +- Support override of exposed hostname for grafana and webservice Ingress. !1621 (Louis Baumann) +- Add GitLab Pages chart. !1677 +- Adds common labels across all objects for GitLab Shell's chart. !1707 +- Allow configurable service type for webservice. !1726 +- Add support for custom domains in GitLab Pages. !1728 +- Add tolerations for minio create bucket job. !1744 (David ALEXANDRE) +- Add upgrade survey link to upgrade output. !1762 + + +## 4.7.9 (2021-03-17) + +- No changes. + +## 4.7.8 (2021-03-04) + +- No changes. + +## 4.7.7 (2021-02-11) + +- No changes. + +## 4.7.6 (2021-02-01) + +- No changes. + +## 4.7.5 (2021-01-25) + +### Fixed (2 changes, 1 of them is from the community) + +- Fix dependency proxy object storage config. !1531 (Maikel Vlasman) +- Fix spelling and logic for Gitaly hook volumes (backport 4.7.x). !1761 + +### Changed (2 changes) + +- GitLab Runner chart to 0.15.0. !1224 +- GitLab Runner chart to 0.16.0, v12.10.1. !1299 + +### Added (2 changes, 2 of them are from the community) + +- Minio: Adds podLabels and podAnnotations to chart. !1264 (Kavanaugh Latiolais) +- Support custom labels for Pods of GitLab components. !1457 (Maxence Laude) + + +## 4.7.4 (2021-01-13) + +- No changes. + +## 4.7.3 (2021-01-08) + +- No changes. + +## 4.7.2 (2021-01-07) + +### Fixed (1 change) + +- Fix nginx-ingress checkConfig error. !1730 + + +## 4.7.1 (2020-12-23) + +### Changed (1 change) + +- GitLab Runner to 0.24.0. !1724 + + +## 4.7.0 (2020-12-22) + +### Fixed (3 changes) + +- Make consolidated object store config a non-default option. !1588 +- Support using dedicated bucket for Minio. !1652 +- Add extraEnv to task-runner backup job. !1721 + +### Changed (10 changes, 1 of them is from the community) + +- Rename and deprecate configuration keys because Piwik rebranded as Matomo. !1602 (Katrin Leinweber @katrinleinweber) +- Remove Service port from gitlab-kas. !1659 +- Add prometheus annotations for kas. !1660 +- Allow toggling redirects to storage backends on a per-repository basis. !1667 +- Use gitlab-exporter v7.1.2. !1675 +- Registry: update to v2.12.0-gitlab. !1683 +- Update gitlab-kas to v13.7.0. !1694 +- Add install survey link to helm install notes. !1711 +- Add ability to customize workhorse scheme. !1714 +- Webservice: convert to generator pattern, allow splitting traffic groups. + +### Added (7 changes) + +- Add TLS support to Praefect. !1613 +- Add encrypted_settings_key_base rails secret. !1617 +- Add server-side global hook support through configmaps. !1653 +- Allow change or deletion of settings in Gitaly StatefulSet securityContexts. !1665 +- Add support for /database_bloat endpoint in gitlab-exporter. !1673 +- Configurable termination graceperiod for NGINX. !1685 +- Support setting of application_name in database.yml. !1712 + +### Other (2 changes) + +- Update NGINX from v0.20.0 to 0.41.2. !1690 +- Changes the default loglevel for registry to info. !1703 + + +## 4.6.7 (2021-02-11) + +- No changes. + +## 4.6.6 (2021-02-01) + +### Fixed (1 change, 1 of them is from the community) + +- Fix dependency proxy object storage config. !1531 (Maikel Vlasman) + +### Changed (2 changes) + +- GitLab Runner chart to 0.15.0. !1224 +- GitLab Runner chart to 0.16.0, v12.10.1. !1299 + +### Added (2 changes, 2 of them are from the community) + +- Minio: Adds podLabels and podAnnotations to chart. !1264 (Kavanaugh Latiolais) +- Support custom labels for Pods of GitLab components. !1457 (Maxence Laude) + + +## 4.6.5 (2021-01-13) + +- No changes. + +## 4.6.4 (2021-01-07) + +- No changes. + +## 4.6.3 (2020-12-10) + +### Changed (1 change, 1 of them is from the community) + +- Update gitlab-runner from 0.22.0 to 0.23.0. !1686 (Jan Brummelte) + + +## 4.6.2 (2020-12-07) + +- No changes. + +## 4.6.1 (2020-11-23) + +- No changes. + +## 4.6.0 (2020-11-22) + +### Fixed (2 changes) + +- Configures gitlab-kas ingress with its own TLS certificate. !1644 +- GitLab Shell: sshd_config observe internalPort. !1663 + +### Changed (10 changes) + +- Update default service ports for GitLab Kubernetes Agent Server (kas). !1587 +- custom ca: Loosen the mount permissions to 0440. !1605 +- Populate three dots of DNS for internal Services. !1606 +- Change KAS service route to be subdomain by default, instead of a fixed path. !1623 +- Upgraded Ruby bundler gem to 2.1.4. !1624 +- Certificates: update to 20191127-r2 tag. !1625 +- Mark Sidekiq queue selector as no longer experimental. !1631 +- NGINX: reduce controller to 2 replicas by default. !1635 +- Use config file instead of command line arguments for kas. !1655 +- Set default annotation to help balance webservice traffic. !1661 + +### Added (5 changes) + +- Export GitLab Pages settings in Rails pods. !1598 +- Support Sentry for container registry. !1609 +- Adds configurability of terminationGracePeriod for GitLab-Shell. !1610 +- Expose observability port for gitlab-kas. !1646 +- Adds readiness probe for gitlab-shell. !1649 + +### Other (3 changes) + +- Add Image Resizer config defaults. !1595 +- Update resource specifications for Webservice and Sidekiq. !1634 +- Set release_package to run manually. !1641 + + +## 4.5.7 (2021-01-13) + +- No changes. + +## 4.5.6 (2021-01-07) + +- No changes. + +## 4.5.5 (2020-12-07) + +### Other (1 change) + +- Set release_package to run manually. !1641 + + +## 4.5.4 (2020-11-13) + +- No changes. + +## 4.5.3 (2020-11-04) + +- No changes. + +## 4.5.2 (2020-11-02) + +### Fixed (2 changes) + +- geo-logcursor: move redis secrets to optional. !1614 +- Remove trailing space causing errors in the deprecation template. !1615 + + +## 4.5.1 (2020-10-22) + +- No changes. + +## 4.5.0 (2020-10-22) + +### Fixed (1 change) + +- Fix PG password error when enabling extensions during DB init. !1593 + +### Changed (3 changes) + +- Make stackdriver profiling credentials optional. !1558 +- Updated location for Grafana chart. !1594 +- Update Prometheus chart location. !1596 + +### Added (3 changes) + +- Add auto_link_user setting. !1555 +- Adds configurable termination grace period for webservice. !1569 +- Adds log format configuration for gitlab-shell chart. !1581 + +### Other (3 changes) + +- Remove db-pool configuration. !1551 +- cleanup registry.fullname templates. !1568 +- Bump default gitlab-kas image tag to v0.0.6. !1582 + + +## 4.4.6 (2020-12-07) + +### Other (1 change) + +- Set release_package to run manually. !1641 + + +## 4.4.5 (2020-11-04) + +### Fixed (2 changes) + +- Fix PG password error when enabling extensions during DB init. !1593 +- geo-logcursor: move redis secrets to optional. !1614 + + +## 4.4.4 (2020-10-15) + +### Fixed (1 change) + +- Praefect: fixup certificates mounts #2341. !1590 + + +## 4.4.3 (2020-10-07) + +### Added (1 change) + +- Adds NetworkPolicy for gitlab-shell. !1580 + + +## 4.4.2 (2020-10-01) + +### Changed (1 change) + +- GitLab Runner chart to 0.21.1. !1573 + +### Other (2 changes) + +- Bump default gitlab-kas image tag to v0.0.5. !1565 +- Update GitLab Version to 13.4.2. + + +## 4.4.1 (2020-09-24) + +### Other (1 change) + +- Update GitLab Version to 13.4.1. + + +## 4.4.0 (2020-09-22) + +### Fixed (1 change) + +- Moves GITLAB_WORKHORSE_SENTRY_DSN to the workhorse container. !1543 +- Fix dependency proxy object storage config. !1531 (Maikel Vlasman) + +### Changed (7 changes, 1 of them is from the community) + +- Disable MIME type guessing in s3cmd. !1512 +- Disable workhorse archive cache by default. !1520 +- Removing dots from job names. !1540 +- Upgrade default PostgreSQL version to 11.9. !1550 +- Add PG connect_timeout setting. !1552 +- Update container-registry to 2.11.0-gitlab. !1553 +- Make Gitaly service values global options. !1559 + +### Added (11 changes, 1 of them is from the community) + +- Add support for Praefect. !1493 +- Support Stackdriver Profiling for registry. !1494 +- Add support for configuring smartcard authentication. !1510 +- Support UBI certificates container. !1511 +- Exposes the workhorse prometheus port. !1514 +- Adds Content Security Policy (CSP) configuration. !1534 +- Allow for additional labels for services. !1537 +- Add danger job for validating the extension of changelog entries. !1542 (Matthias van de Meent) +- Document upgrade steps for PostgreSQL 11 -> 12. !1545 +- Add Azure Blob storage configuration options. !1546 +- Add S3 server side encryption settings. !1549 + +### Other (2 changes) + +- Adds capability to specify memoryKiller per Pod. !1536 +- Update GitLab Version to 13.4.0. + + +## 4.3.9 (2020-11-02) + +- No changes. + +## 4.3.8 (2020-10-23) + +- No changes. + +## 4.3.7 (2020-10-01) + +### Other (1 change) + +- Update GitLab Version to 13.3.7. + + +## 4.3.6 (2020-09-14) + +### Changed (1 change) + +- Update runner chart to Runner 13.3.1 (chart 0.20.1). !1538 + +### Other (1 change) + +- Update GitLab Version to 13.3.6. + + +## 4.3.5 (2020-09-04) + +### Other (1 change) + +- Update GitLab Version to 13.3.5. + + +## 4.3.4 (2020-09-02) + +### Other (1 change) + +- Update GitLab Version to 13.3.4. + + +## 4.3.3 (2020-09-02) + +### Fixed (1 change) + +- Only create object_storage 'connection' block if feature enabled. !1517 + +### Other (1 change) + +- Update GitLab Version to 13.3.3. + + +## 4.3.2 (2020-08-28) + +### Fixed (2 changes, 2 of them are from the community) + +- Add missing bucket variables. !1515 (Chris Boot) +- Add object_store secret to backup CronJob. !1516 (Chris Boot) + +### Other (1 change) + +- Update GitLab Version to 13.3.2. + + +## 4.3.1 (2020-08-25) + +### Changed (1 change) + +- Update GitLab Runner to 13.3.0 (runner chart 0.20.0). !1513 + +### Other (1 change) + +- Update GitLab Version to 13.3.1. + + +## 4.3.0 (2020-08-22) + +### Removed (1 change) + +- Geo - Remove FDW related config. !1496 + +### Fixed (1 change) + +- Fix misaligned indent for rack_attack. + +### Changed (4 changes) + +- Changed Prometheus to use GitLab specific annotations. !1439 +- Update GitLab Operator to v0.10. !1478 +- Bump Container Registry to v2.10.1-gitlab. !1483 +- Flips daemonMode option for Memory Killer. !1490 + +### Added (5 changes, 1 of them is from the community) + +- Provide possibility of passing the postgresql password via a file instead of secret. !1422 (Tiago Posse ) +- Add support for DependencyProxy. !1464 +- Support consolidated object storage configuration. !1479 +- Adds NetworkPolicy object for the Webservice. !1491 +- Workhorse: support configuring logFormat, default JSON. !1497 +- Support custom labels for Pods of GitLab components !1457 (Maxence Laude) + +### Other (1 change) + +- Update GitLab Version to 13.3.0. + + +## 4.2.10 (2020-10-01) + +### Other (1 change) + +- Update GitLab Version to 13.2.10. + + +## 4.2.9 (2020-09-04) + +### Other (1 change) + +- Update GitLab Version to 13.2.9. + + +## 4.2.8 (2020-09-02) + +### Other (1 change) + +- Update GitLab Version to 13.2.8. + + +## 4.2.7 (2020-09-02) + +### Other (1 change) + +- Update GitLab Version to 13.2.7. + + +## 4.2.6 (2020-08-18) + +### Other (1 change) + +- Update GitLab Version to 13.2.6. + + +## 4.2.5 (2020-08-18) + +### Changed (1 change) + +- Update GitLab Runner chart to 0.19.2. !1489 + +### Other (1 change) + +- Update GitLab Version to 13.2.5. + + +## 4.2.4 (2020-08-11) + +### Other (1 change) + +- Update GitLab Version to 13.2.4. + + +## 4.2.3 (2020-08-05) + +### Other (1 change) + +- Update GitLab Version to 13.2.3. + + +## 4.2.2 (2020-07-30) + +### Other (1 change) + +- Update GitLab Version to 13.2.2. + + +## 4.2.1 (2020-07-24) + +### Fixed (1 change, 1 of them is from the community) + +- Use the global `psql` config parameters when the local `psql` configuration does not contain that config key, instead of going to the default option. !1461 (Matthias van de Meent) + +### Changed (1 change) + +- Update GitLab Runner to 0.19.1. !500 + +### Other (1 change) + +- Update GitLab Version to 13.2.1. + + +## 4.2.0 (2020-07-22) + +### Fixed (2 changes) + +- Restore per sub-chart configuration of PostgreSQL (#1812). !1420 +- Redis: switch encoding method for redis password in URI. !1447 + +### Changed (2 changes) + +- Support extraEnv at the pod level for Sidekiq. !1443 +- Set default database pool size to 1 as the application will calculate the best pool size based on concurrency. + +### Added (3 changes, 1 of them is from the community) + +- Gitaly PVC support annotations. !1419 (Andy Ai) +- Allows overriding targetAverageValue in sidekiq pods. !1428 +- Gitaly: support TLS flag for external instances. !1446 + +### Other (2 changes, 1 of them is from the community) + +- Add an annotations support to the migrations job template. !1423 (Tiago Posse) +- Update GitLab Version to 13.2.0. + + +## 4.1.12 (2020-09-04) + +### Other (1 change) + +- Update GitLab Version to 13.1.11. + + +## 4.1.11 (2020-09-02) + +### Other (1 change) + +- Update GitLab Version to 13.1.10. + + +## 4.1.10 (2020-09-02) + +### Other (1 change) + +- Update GitLab Version to 13.1.9. + + +## 4.1.9 (2020-08-18) + +### Other (1 change) + +- Update GitLab Version to 13.1.8. + + +## 4.1.7 (2020-08-05) + +### Other (1 change) + +- Update GitLab Version to 13.1.6. + + +## 4.1.6 (2020-07-24) + +### Other (1 change) + +- Update GitLab Version to 13.1.5. + + +## 4.1.5 (2020-07-24) + +### Other (1 change) + +- Update GitLab Version to 13.1.5. + + +## 4.1.4 (2020-07-09) + +### Other (1 change) + +- Update GitLab Version to 13.1.4. + + +## 4.1.3 (2020-07-06) + +### Changed (1 change) + +- Update GitLab Runner chart to 0.18.1. !1433 + +### Other (1 change) + +- Update GitLab Version to 13.1.3. + + +## 4.1.2 (2020-07-01) + +### Other (1 change) + +- Update GitLab Version to 13.1.2. + + +## 4.1.1 (2020-06-24) + +### Fixed (1 change) + +- Update mailroom example docs to show the proper syntax for .mailbox. !1417 + +### Other (1 change) + +- Update GitLab Version to 13.1.1. + + +## 4.1.0 (2020-06-22) + +### Fixed (3 changes, 1 of them is from the community) + +- Added validation for redis host configuration. !1381 (Julius Kvedaras) +- Fix GitLab Shell TCP config. !1393 +- Fix sentinel configuration for service_desk mailroom service. !1412 + +### Changed (5 changes) + +- Break up gitlab-shell of gitaly config. !1353 +- Bump gitlab-exporter chart to 7.0.4. !1374 +- gitlab-shell - disable all forwarding via sshd. !1391 +- Centralize database.yml template (Rails). !1408 +- Update gitlab-exporter to version 7.0.6. !1411 + +### Added (13 changes, 5 of them are from the community) + +- Add tracing support to helm chart. !1234 (Dmitry Chepurovskiy) +- Added the ability to control the serviceAccounts of GitLab sub-charts. !1303 (Mark Tew) +- Added Service Desk email configuration. !1324 +- Add gitlab.deploymentAnnotations template to charts in repository. !1351 +- Implement extraEnv pattern. !1377 +- Adds extraVolumeMounts for Sidekiq pods. !1380 +- Support passing registry notification headers as k8s secrets. !1383 +- Add nodePort configuration in NGINX service for gitlab-shell. !1394 +- Adds Sentry support for sidekiq and webservice. !1398 +- Add option to configure priorityClassName on Webservice chart. !1405 (Dragos Sutu) +- Add option to configure priorityClassName on Sideqik chart. !1406 (Dragos Sutu) +- Database: support load balancing reads (#1004). !1414 +- Adds update strategy to be configured for webservice. (Stepan Kuksenko) + +### Other (4 changes) + +- Add support for enabling the btree_gist pg extension. !1372 +- Ensure upgraded to 4.0 before 4.1. !1403 +- Update GitLab Runner chart to 0.18.0. !1416 +- Update GitLab Version to 13.1.0. + + +## 4.0.12 (2020-08-18) + +### Other (1 change) + +- Update GitLab Version to 13.0.14. + + +## 4.0.11 (2020-08-18) + +### Other (1 change) + +- Update GitLab Version to 13.0.13. + + +## 4.0.10 (2020-08-05) + +### Other (1 change) + +- Update GitLab Version to 13.0.12. + + +## 4.0.9 (2020-07-09) + +### Other (1 change) + +- Update GitLab Version to 13.0.10. + + +## 4.0.8 (2020-07-06) + +### Other (1 change) + +- Update GitLab Version to 13.0.9. + + +## 4.0.7 (2020-07-01) + +### Other (1 change) + +- Update GitLab Version to 13.0.8. + + +## 4.0.6 (2020-06-25) + +### Other (1 change) + +- Update GitLab Version to 13.0.7. + + +## 4.0.5 (2020-06-10) + +### Changed (1 change) + +- Update GitLab Runner to 0.17.1. !1395 + +### Other (1 change) + +- Update GitLab Version to 13.0.6. + + +## 4.0.4 (2020-06-04) + +### Other (1 change) + +- Update GitLab Version to 13.0.5. + + +## 4.0.3 (2020-06-03) + +### Other (1 change) + +- Update GitLab Version to 13.0.4. + + +## 4.0.2 (2020-05-29) + +### Fixed (3 changes, 1 of them is from the community) + +- Mailroom: follow Redis Queues instance (#2097). !1347 +- Fix an bug in which it was impossible to configure the unicorn memory killer. !1365 (Matthias van de Meent) +- Ensure database-upgrade scripts ignores running on the backup pods. !1367 + +### Changed (1 change) + +- Update GitLab Runner to 0.17.0. !1356 + +### Other (1 change) + +- Update GitLab Version to 13.0.3. + + +## 4.0.1 (2020-05-27) + +### Fixed (1 change) + +- Ensure database-upgrade scripts ignores running on the backup pods. !1367 + +### Changed (1 change) + +- Update GitLab Runner to 0.17.0. !1356 + +### Other (1 change) + +- Update GitLab Version to 13.0.1. + + +## 4.0.0 (2020-05-22) + +### Fixed (2 changes) + +- Add defaulting of multi-redis password enabled (#2030). !1335 +- Mailroom: follow Redis Queues instance (#2097). !1347 + +### Changed (9 changes, 1 of them is from the community) + +- Deploy ChaosKube Helm chart. !1296 +- Allow configuration of security context user to help with Openshift installs. !1306 (Mickaël Canévet) +- Moved gitlab-shell settings to gitaly config.toml. !1308 +- Make sidekiq-cluster the default. !1317 +- Update gitlab-exporter to 7.0.2. !1321 +- Bump Container Registry to v2.9.1-gitlab. !1326 +- Updated documention to include multi Redis support. !1330 +- NGINX: Enable HTTP2, as all services support it. !1338 +- Bump gitlab-exporter to 7.0.3. !1345 + +### Added (8 changes, 2 of them are from the community) + +- Add task-runner pod antiAffinity support to helm chart. !1025 (Sam Wenham) +- Replace unicorn chart with webservice. !1145 (Dmitry Chepurovskiy) +- Provides capability to configure PDB per sidekiq pod config. !1292 +- Adds update strategy to be configured for Container Registry. !1293 +- Adds update strategy to be configured for sidekiq. !1294 +- Update min chart/gitlab versions for the major release. !1300 +- Add support for ci_jwt_signing_key Rails secret. !1318 +- Add extraEnvs for Sidekiq. !1333 + +### Other (2 changes) + +- Update bitnami/postgres -> 8.9.4, postgres -> 11.7.0. !1320 +- Update GitLab Version to 13.0.0. + + +## 3.3.13 (2020-07-06) + +### Other (1 change) + +- Update GitLab Version to 12.10.14. + + +## 3.3.12 (2020-07-01) + +### Other (1 change) + +- Update GitLab Version to 12.10.13. + + +## 3.3.11 (2020-06-25) + +### Other (1 change) + +- Update GitLab Version to 12.10.12. + + +## 3.3.9 (2020-06-04) + +### Other (1 change) + +- Update GitLab Version to 12.10.10. + + +## 3.3.7 (2020-05-29) + +### Other (1 change) + +- Update GitLab Version to 12.10.8. + + +## 3.3.6 (2020-05-27) + +### Fixed (1 change) + +- backport Mailroom: follow Redis Queues instance (#2097). !1354 + +### Other (1 change) + +- Update GitLab Version to 12.10.7. + + +## 3.3.5 (2020-05-15) + +### Changed (1 change) + +- Update GitLab runner chart to 0.16.1. !1331 + +### Other (1 change) + +- Update GitLab Version to 12.10.6. + + +## 3.3.4 (2020-05-14) + +### Other (1 change) + +- Update GitLab Version to 12.10.5. + + +## 3.3.3 (2020-05-04) + +### Other (1 change) + +- Update GitLab Version to 12.10.3. + + +## 3.3.2 (2020-04-30) + +### Fixed (3 changes) + +- Fixed PostgreSQL port when enabling Geo. !1304 +- Fix redis secret templating when password.enabled=false. !1313 +- Add terraform_state secret to task-runner. !1315 + +### Other (1 change) + +- Update GitLab Version to 12.10.2. + + +## 3.3.1 (2020-04-24) + +### Other (1 change) + +- Update GitLab Version to 12.10.1. + + +## 3.3.0 (2020-04-22) + +### Removed (1 change) + +- Remove Redis from Gitlab-Shell and Gitaly charts. !1271 + +### Fixed (3 changes, 2 of them are from the community) + +- Fix the gitaly service name not being used correctly in all places. !1204 (Matthias van de Meent) +- Change default concurrency setting for Sidekiq to 25 globally. !1233 +- Fixed that unnecessary secret is generated when using external Redis. !1237 (Colin Luo) + +### Changed (6 changes) + +- Updated Helm references and commands to v3 notations. !1210 +- Support queues, negateQueues, and experimentalQueueSelector for Sidekiq when cluster is enabled. !1251 +- Updated references to deprecated postgresql and redis charts. !1253 +- Make GitLab task-runner scalable, default 1 #1254. !1263 +- GitLab Exporter to 7.0.1. !1265 +- Bump Container Registry to v2.9.0-gitlab. !1273 + +### Added (6 changes, 2 of them are from the community) + +- Add storage setting for terraform state. !1208 +- Ability to override PostgreSQL port for subcharts. !1212 (Stepan Kuksenko) +- Expose settings to configure Registry notifications. !1225 +- Add option for using Sidekiq Cluster to start Sidekiq. !1247 +- Add optional `priorityClassName` configuration value to Gitaly chart. !1282 (Theo Meneau) +- Support configuration of multiple Redis instances. !1287 +- Minio: Adds podLabels and podAnnotations to chart. !1264 (Kavanaugh Latiolais) + +### Other (1 change) + +- Update GitLab Version to 12.10.0. + + +## 3.2.9 (2020-06-10) + +### Other (1 change) + +- Update GitLab Version to 12.9.10. + + +## 3.2.8 (2020-06-03) + +### Other (1 change) + +- Update GitLab Version to 12.9.9. + + +## 3.2.7 (2020-05-27) + +### Other (1 change) + +- Update GitLab Version to 12.9.8. + + +## 3.2.6 (2020-05-14) + +### Other (1 change) + +- Update GitLab Version to 12.9.7. + + +## 3.2.5 (2020-04-30) + +### Other (1 change) + +- Update GitLab Version to 12.9.5. + + +## 3.2.4 (2020-04-17) + +### Other (1 change) + +- Update GitLab Version to 12.9.4. + + +## 3.2.3 (2020-04-15) + +### Added (1 change, 1 of them is from the community) + +- Add support for the Seat Link enabled flag. !1272 (Matthias van de Meent) + +### Other (1 change) + +- Update GitLab Version to 12.9.3. + + +## 3.2.2 (2020-03-31) + +### Other (1 change) + +- Update GitLab Version to 12.9.2. + + +## 3.2.1 (2020-03-26) + +### Other (1 change) + +- Update GitLab Version to 12.9.1. + + +## 3.2.0 (2020-03-22) + +### Fixed (4 changes, 1 of them is from the community) + +- Fix unicorn worker killer configuration. !1199 (Matthias van de Meent) +- Fix logic of registry HPA deprecations. !1203 +- Ensure kubectl jobs are not run as root. !1206 +- Add gitlab.host to Migrations Rails config #1947. !1215 + +### Changed (2 changes) + +- Update gitlab-org/gitlab-exporter from 6.0.0 to 6.1.0. !1176 +- Bump Container Registry to v2.8.2-gitlab. !1214 + +### Other (1 change) + +- Update GitLab Version to 12.9.0. + + +## 3.1.8 (2020-04-30) + +### Other (1 change) + +- Update GitLab Version to 12.8.10. + + +## 3.1.7 (2020-04-15) + +### Other (1 change) + +- Update GitLab Version to 12.8.9. + + +## 3.1.6 (2020-03-26) + +### Fixed (1 change) + +- Fix logic of registry HPA deprecations. !1203 + +### Other (1 change) + +- Update GitLab Version to 12.8.8. + + +## 3.1.5 (2020-03-16) + +### Other (1 change) + +- Update GitLab Version to 12.8.7. + + +## 3.1.4 (2020-03-11) + +### Other (1 change) + +- Update GitLab Version to 12.8.6. + + +## 3.1.3 (2020-03-09) + +### Other (1 change) + +- Update GitLab Version to 12.8.5. + + +## 3.1.2 + +### Changed (1 change) + +- Update gitlab-org/charts/gitlab-runner from 0.13.1 to 0.14.0. !1187 + +### Other (1 change) + +- Update GitLab Version to 12.8.2. + + +## 3.1.1 + +### Other (1 change) + +- Update GitLab Version to 12.8.1. + + +## 3.1.0 + +### Fixed (4 changes, 2 of them are from the community) + +- Route gitlab-shell and gitaly requests through workhorse. !1114 (Dmitry Chepurovskiy) +- Enabled Geo configuration checks. !1121 +- Disable cert-manager's webook that validates its CRDs. !1139 (Erik Sundell (@consideRatio)) +- Corrected references to gitlab-runner.install. !1149 + +### Changed (8 changes) + +- Update gitlab-exporter to 5.2.2. !1087 +- Changed migrations job to use task-runner image. !1126 +- Bump registry to v2.7.7-gitlab. !1133 +- Update registry chart versions to reflect recent changes. !1144 +- Update gitlab-exporter to 6.0.0. !1151 +- Align gitlab/unicorn chart service names for Istio environments. !1153 +- Bump Container Registry to v2.8.0-gitlab. !1172 +- Updated EKS bootstrap script to default to Kubernetes 1.14. !1175 + +### Added (6 changes, 3 of them are from the community) + +- Allows the database `pool` to be configurable. !1111 (skarbek) +- Added ability to set NodePort and ExternalTrafficPolicy for gitlab-shell service. !1112 (Dmitry Chepurovskiy) +- Adds logging.format option to enable structured json logging for sidekiq. !1132 +- Performance: enable Bootsnap for all Rails-derived containers. !1157 +- NOTES: add notice of runner default to unprivilieged. !1158 +- Add `component` field to the nginx ingress podAntiAffinity. !1169 (Ivan Kurnosov (@zerkms)) + +### Other (5 changes) + +- Document command for easily fetching ELB hostname. !1159 +- Doc: link upstream docs for why GitLab Runner is not privileged by default. !1160 +- Include GitLab Exporter & GitLab Grafana to sub-chart lists. !1161 +- Bump Container Registry to v2.8.1-gitlab. !1173 +- Update GitLab Version to 12.8.0. + + +## 3.0.7 (2020-04-15) + +### Other (1 change) + +- Update GitLab Version to 12.7.9. + + +## 3.0.6 (2020-03-26) + +### Fixed (1 change) + +- Fix logic of registry HPA deprecations. !1203 + +### Other (1 change) + +- Update GitLab Version to 12.7.8. + + +## 3.0.5 + +### Other (1 change) + +- Update GitLab Version to 12.7.7. + + +## 3.0.4 + +### Fixed (1 change, 1 of them is from the community) + +- Use the volume with Postgres client SSL certificate in the gitlab-exporter deployment. !1162 (Franciszek Walkowiak) + +### Other (1 change) + +- Update GitLab Version to 12.7.6. + + +## 3.0.3 + +### Fixed (1 change) + +- Workhorse - set sentinel port default. !1135 + +### Other (1 change) + +- Update GitLab Version to 12.7.5. + + +## 3.0.2 + +### Changed (1 change) + +- Update gitlab-runner chart to 0.13.1. !1138 + +### Other (1 change) + +- Update GitLab Version to 12.7.4. + + +## 3.0.1 + +### Changed (1 change) + +- Update gitlab-runner chart to 0.13.0. !1131 + +### Other (1 change) + +- Update GitLab Version to 12.7.2. + + +## 3.0.0 + +### Fixed (2 changes) + +- NGINX: port spec.clusterIP fixup, unblock upgrades in Helm v3. !1082 +- Set globals at top level for newer Helm versions. !1083 + +### Changed (7 changes) + +- Upgrade bundled PostgreSQL chart to stable/postgresql 7.7.0. !955 +- Bump the requests for exporter and migrations. !967 +- Moved Gitaly enabled flag to global namespace. !1081 +- Changed from forked Redis chart to upstream chart. !1086 +- Update Prometheus chart to v10.0.0. !1089 +- Split the operator bootstrap out of the chart. !1090 +- Registy now defaults to GitLab's container registry fork version v2.7.6-gitlab. !1105 + +### Added (4 changes, 2 of them are from the community) + +- Add Selectors to SideKiq Deployments. !876 +- Added ability to configure sshd MaxStartups for gitlab-shell. !1058 (Dmitry Chepurovskiy) +- Adds Network Policy object for Sidekiq Deployments. !1102 (skarbek) +- Add the maxRequestDurationSeconds configuration and move unicorn workersTimeout to global. !1103 + +### Other (2 changes) + +- Use mail_room gem version from Gemfile.lock as appVersion in the chart. !1088 +- Update GitLab Version to 12.7.0. + + +## 2.6.9 + +### Other (1 change) + +- Update GitLab Version to 12.6.8. + + +## 2.6.8 + +### Fixed (1 change, 1 of them is from the community) + +- Use the volume with Postgres client SSL certificate in the gitlab-exporter deployment. !1162 (Franciszek Walkowiak) + +### Other (1 change) + +- Update GitLab Version to 12.6.7. + + +## 2.6.7 + +### Other (1 change) + +- Update GitLab Version to 12.6.6. + + +## 2.6.6 + +### Fixed (1 change) + +- Mount secrets.yml to dependencies initContainer. !1108 + +### Other (1 change) + +- Update GitLab Version to 12.6.4. + + +## 2.6.5 + +### Other (1 change) + +- Update GitLab Version to 12.6.4. + + +## 2.6.4 + +### Other (1 change) + +- Update GitLab Version to 12.6.3. + + +## 2.6.3 + +### Fixed (1 change) + +- Correctly set the proper gitaly release version. !1092 + +### Other (1 change) + +- Update GitLab Version to 12.6.2. + + +## 2.6.2 + +### Other (1 change) + +- Update GitLab Version to 12.6.2. + + +## 2.6.1 + +### Other (2 changes) + +- Update gitlab-org/charts/gitlab-runner from 0.11.0 to 0.12.0. !1085 +- Update GitLab Version to 12.6.1. + + +## 2.6.0 + +### Fixed (3 changes, 1 of them is from the community) + +- Geo: automate secondary migrations behaviors. !1055 +- Fix reference to piwik url and site ID in GitLab chart template. !1061 (Kevinjil) +- Corrected indentation issue with Gitaly volumeClaimTemplate selector. !1070 + +### Deprecated (1 change) + +- Deprecate init.image and init.tag settings in favor of init.image.repository and init.image.tag. !1062 + +### Changed (4 changes, 1 of them is from the community) + +- Upgrade nginx ingress controller to 0.21 to Enable TLSv1.3, and TLSv1.1 is disabled by default. !1014 (Xiangxuan Liu) +- Specify Kubernetes 1.12 as minimum required version and use v1.13 tools and libraries. !1053 +- Updated gitlab-exporter to 5.1.0. !1075 +- Update certmanager to 0.10.1. !1079 + +### Added (6 changes, 3 of them are from the community) + +- Added support of memory killer daemon mode. !1040 (Dmitry Chepurovskiy) +- Added http probes for sidekiq and unicorn. !1045 (Dmitry Chepurovskiy) +- Enable Bootsnap cache in Task runner. !1056 +- Add global setting to configure busybox image for initContainers. !1062 +- Adding capability to use pullsecrets in order to download minio mc image. !1066 (Mustafa Bhabhrawala) +- Enable Bootsnap cache in migrations. !1069 + +### Other (2 changes) + +- Document the use of external Minio for object storage. !1005 +- Update GitLab Version to 12.6.0. + + +## 2.5.11 + +### Other (1 change) + +- Update GitLab Version to 12.5.10. + + +## 2.5.10 + +### Other (1 change) + +- Update GitLab Version to 12.5.9. + + +## 2.5.9 + +### Fixed (1 change) + +- Mount secrets.yml to dependencies initContainer. !1108 + +### Other (1 change) + +- Update GitLab Version to 12.5.7. + + +## 2.5.8 + +### Other (1 change) + +- Update GitLab Version to 12.5.7. + + +## 2.5.7 + +### Other (1 change) + +- Update GitLab Version to 12.5.6. + + +## 2.5.6 + +### Added (1 change, 1 of them is from the community) + +- Redis-HA added storageClass Value. !1077 (conblem) + +### Other (1 change) + +- Update GitLab Version to 12.5.5. + + +## 2.5.5 + +### Other (1 change) + +- Update GitLab Version to 12.5.4. + + +## 2.5.4 + +### Fixed (1 change) + +- Fix bug that broke gitlab-exporter from connecting to external pg hosts. !1060 + +### Other (1 change) + +- Update GitLab Version to 12.5.3. + + +## 2.5.3 + +### Other (1 change) + +- Update GitLab Version to 12.5.2. + + +## 2.5.2 + +### Other (1 change) + +- Update GitLab Version to 12.5.1. + + +## 2.5.1 + +### Added (1 change) + +- Geo: support configuration and deployment of GitLab Geo #1212. !877 + +### Other (1 change) + +- Update GitLab Version to 12.5.0. + + +## 2.5.0 + +### Fixed (2 changes) + +- Fixed -k switch for eks_bootstrap_script and eksctl website reference. !1016 +- Fixed Redis Sentinel support for gitlab-workhorse. !1043 + +### Changed (5 changes) + +- Update shell logging inside gitaly to use gitaly config file. !1004 +- Add internal_socket_dir to gitaly config. !1017 +- Update grafana chart to 4.0.1. !1026 +- Mailroom: update probes to direct binary. !1036 +- Update prometheus chart to 9.0.0. !1039 + +### Added (7 changes, 1 of them is from the community) + +- Support running Gitaly over TLS. !969 +- Registry: Add support for setting relativeurls config. !1007 (thom8) +- Allow to specify an initial Enterprise license. !1008 +- Added creds subcommand to eks_bootstrap_script. !1020 +- Add shutdown blackout for unicorn. !1028 +- Sidekiq: add negateQueues functionality. !1029 +- Add LDAP preventSignin. !1031 + +### Other (2 changes) + +- Update gitlab-runner to 0.11.0/12.5.0. !1046 +- Update GitLab Version to 12.5.0. + + +## 2.4.13 + +### Other (1 change) + +- Update GitLab Version to 12.4.8. + + +## 2.4.12 + +### Other (1 change) + +- Update GitLab Version to 12.4.7. + + +## 2.4.10 + +### Other (1 change) + +- Update GitLab Version to 12.4.5. + + +## 2.4.9 + +### Other (1 change) + +- Update GitLab Version to 12.4.4. + + +## 2.4.8 + +### Other (1 change) + +- Update GitLab Version to 12.4.3. + + +## 2.4.7 + +### Fixed (1 change) + +- Support use of kube2iam for cache when minio is disabled. !1011 + +### Added (2 changes) + +- enable many pods for mailroom. !1019 +- Creates NetworkPolicy object for Mailroom. !1023 + +### Other (2 changes) + +- Adds the global gitlab annotations to mailroom. +- Update GitLab Version to 12.4.2. + + +## 2.4.6 + +### Fixed (1 change) + +- global.ingress.tls default to empty map. !1022 + +### Added (1 change) + +- Allow to configure the liveness probe for gitlab-shell. !1021 + +### Other (1 change) + +- Update GitLab Version to 12.4.2. + + +## 2.4.5 + +### Other (2 changes) + +- Update GitLab Runner to v12.4.1. !1018 +- Update GitLab Version to 12.4.1. + + +## 2.4.4 + +### Added (1 change) + +- Added Redis Sentinel support. !999 + +### Other (1 change) + +- Update GitLab Version to 12.4.1. + + +## 2.4.3 + +### Fixed (1 change) + +- Broken pluck expectation in gitlab.ingress.tls.configured #1653. !1013 + +### Other (1 change) + +- Update GitLab Version to 12.4.1. + + +## 2.4.2 + +### Fixed (1 change) + +- Fix artifacts upload by ensuring appropriate tmp directory permissions. !1010 + +### Other (1 change) + +- Update GitLab Version to 12.4.0. + + +## 2.4.1 + +### Fixed (2 changes) + +- Fix typo in nginx backend PDB. !1006 +- Unicorn add shared /tmp mount. !1009 + +### Other (1 change) + +- Update GitLab Version to 12.4.0. + + +## 2.4.0 + +### Fixed (5 changes, 1 of them is from the community) + +- Handle CRLF line endings #1541. !938 +- Use specified Gitaly port in listen_address. !970 +- Convert Gitaly port to an Integer before rendering in config files. !979 +- Removed unused persistence.volumeName from gitaly's values.yaml. !990 (aurelien.balteaux) +- Unicorn: set ipWhitelist default to documented value. !997 + +### Changed (3 changes) + +- Switch to using newer APIs for ones dropped in k8s 1.16. !975 +- Update the grafana chart to 3.8.15. !976 +- Update unicorn.rb to match upstream changes. !988 + +### Added (4 changes) + +- Added S/MIME support. !943 +- Allow to configure liveness and readiness probes for unicorn/workhorse. !985 +- Improve sidekiq readinessProbe to check for sidekiq process. !994 +- Add pre-upgrade hook for pausing Gitaly while operator is in place. !998 + +### Other (3 changes) + +- Add example values for UBI-based deployment. !986 +- Update gitlab-runner to 0.10.0/12.4.0. !1003 +- Update GitLab Version to 12.4.0. + + +## 2.3.12 + +### Fixed (2 changes) + +- Broken pluck expectation in gitlab.ingress.tls.configured #1653. !1013 +- global.ingress.tls default to empty map. !1022 + +### Other (1 change) + +- Update GitLab Version to 12.3.9. + + +## 2.3.11 + +### Other (1 change) + +- Update GitLab Version to 12.3.8. + + +## 2.3.10 + +### Other (1 change) + +- Update GitLab Version to 12.3.7. + + +## 2.3.9 + +### Fixed (1 change) + +- Fix typo in nginx backend PDB. !1006 + +### Other (1 change) + +- Update GitLab Version to 12.3.6. + + +## 2.3.8 + +### Fixed (1 change) + +- 1499/Fix monitoring ip_whitelist : change kind comparison to slice. !993 + +### Changed (1 change) + +- Provides ability to customize the Container Registry HPA. !991 + +### Added (1 change, 1 of them is from the community) + +- Tolerations for gitlab-exporter. !996 (Taylor Daugherty) + +### Other (1 change) + +- Update GitLab Version to 12.3.5. + + +## 2.3.7 + +### Other (1 change) + +- Update GitLab Version to 12.3.5. + + +## 2.3.6 + +### Other (2 changes) + +- Update gitlab-runner to v0.9.1. !987 +- Update GitLab Version to 12.3.4. + + +## 2.3.5 + +### Fixed (1 change, 1 of them is from the community) + +- Fix volumeMounts indentation in task-runner backup-job. !983 (Chris Boot) + +### Other (1 change) + +- Update GitLab Version to 12.3.4. + + +## 2.3.3 + +### Other (1 change) + +- Update GitLab Version to 12.3.2. + + +## 2.3.2 + +### Other (1 change) + +- Update GitLab Version to 12.3.1. + + +## 2.3.1 + +### Fixed (1 change) + +- Pin gitlab-exporter version to the proper image. + +### Other (1 change) + +- Update GitLab Version to 12.3.0. + + +## 2.3.0 + +### Fixed (4 changes, 2 of them are from the community) + +- Set the default retention for Prometheus data to 15d. !905 (Gerard Hickey) +- Removes duplicate http key from registry config. !923 (jarv) +- Configure the backup cron to use a different tmp volume than the task-runner. !942 +- Disable object storage for disabled features. !962 + +### Changed (4 changes, 1 of them is from the community) + +- Update operator to v0.7, introduces status subresource, and gitaly waiting fixes. !906 +- Update the sidekiq queues example with all of the queues #1429. !909 (Mike Rennie) +- Set a sane default of 2 seconds for Unicorn 'readinessProbe.timeoutSeconds'. !950 +- Set a sane default of 2 seconds for Workhorse 'readinessProbe.timeoutSeconds'. !964 + +### Added (6 changes, 4 of them are from the community) + +- Added Grafana support into chart install. !789 (Gerard Hickey) +- Allow postgres to use a serviceName as well as a host #1458. !886 (Mike Rennie) +- Allow the monitoring IP whitelist to be specified for unicorn #1499. !887 (Mike Rennie) +- Add missing gitaly config options. !939 +- Added scheduling options for redis Subchart. !949 (Willi Eggeling) +- Option to bypass two-factor auth for certain omniauth providers. !961 + +### Other (3 changes) + +- Rename gitlab-monitor to gitlab-exporter. !897 +- Update gitlab-runner to 0.9.0/12.3.0. !965 +- Update GitLab Version to 12.3.0. + + +## 2.2.12 + +### Fixed (1 change) + +- Fix typo in nginx backend PDB. !1006 + +### Other (1 change) + +- Update GitLab Version to 12.2.9. + + +## 2.2.11 + +### Other (1 change) + +- Update GitLab Version to 12.2.8. + + +## 2.2.10 + +### Other (1 change) + +- Update GitLab Version to 12.2.7. + + +## 2.2.9 + +### Other (1 change) + +- Update GitLab Version to 12.2.7. + +### Fixed (1 change, 1 of them is from the community) + +- Fix volumeMounts indentation in task-runner backup-job. !983 (Chris Boot) + +### Other (1 change) + +- Update GitLab Version to 12.2.8. + + +## 2.2.8 + +### Other (1 change) + +- Update GitLab Version to 12.2.7. + + +## 2.2.7 + +### Fixed (1 change) + +- Disable object storage for disabled features. !962 + +### Other (1 change) + +- Update GitLab Version to 12.2.6. + + +## 2.2.6 + +### Other (1 change) + +- Update GitLab Version to 12.2.5. + + +## 2.2.5 + +### Fixed (1 change) + +- Set/expose securityContext for upgrade check hook. !915 + +### Added (2 changes, 1 of them is from the community) + +- Adds readiness and liveness configuration for Registry. !932 +- Allows draintimeout to be configured for registry. !934 (jarv) + +### Other (2 changes) + +- Update gitlab-runner to 0.8.0/12.2.0. !912 +- Update GitLab Version to 12.2.4. + + +## 2.2.4 + +### Added (2 changes, 2 of them are from the community) + +- Adds deployment annotations for the registry service. !893 (jarv) +- Add support for the storagedriver health check. !922 (jarv) + +### Other (1 change) + +- Update GitLab Version to 12.2.4. + + +## 2.2.3 + +### Other (1 change) + +- Update GitLab Version to 12.2.4. + + +## 2.2.2 + +### Other (1 change) + +- Update GitLab Version to 12.2.3. + + +## 2.2.1 + +### Other (1 change) + +- Update GitLab Version to 12.2.1. + + +## 2.2.0 + +### Fixed (4 changes, 1 of them is from the community) + +- Workaround for pausing deployments during Helm upgrade. !783 +- separate sidekiq hpa resource with dashes. !880 +- Chart pull policies syntax restored to previous and documented names. !904 +- Fix issue with GCS cron backup getting stuck. (894) + +### Changed (2 changes) + +- Use global values for kubectl image, deprecate chart-local settings. !864 +- Registry: add loadBalancerIP configuration, template clusterIP. !874 + +### Added (5 changes, 3 of them are from the community) + +- Provide option to disable using prepared statements for postgres #1444. !872 (Mike Renie) +- Enable registry to accept windows images with foreign layers. !888 (Semjon Bibow) +- Add loadBalancerIP and loadBalancerSourceRanges to gitlab-shell chart. !889 (Taylor Daugherty) +- Registry: Adds optional networkpolicy configuration. !891 +- Adds the ability to finely configure logging options for the Container Registry. !899 + +### Other (3 changes) + +- Update operator to v0.6 for newer k8s support. !895 +- Document global.ingress.class & sample Traefik. !898 +- Update GitLab Version to 12.2.0. + + +## 2.1.14 + +### Other (1 change) + +- Update GitLab Version to 12.1.14. + + +## 2.1.13 + +### Fixed (1 change, 1 of them is from the community) + +- Fix volumeMounts indentation in task-runner backup-job. !983 (Chris Boot) + +### Other (1 change) + +- Update GitLab Version to 12.1.14. + + +## 2.1.12 + +### Other (1 change) + +- Update GitLab Version to 12.1.13. + + +## 2.1.11 + +### Other (1 change) + +- Update GitLab Version to 12.1.12. + + +## 2.1.10 + +### Other (1 change) + +- Update GitLab Version to 12.1.11. + + +## 2.1.8 + +### Fixed (1 change) + +- Chart pull policies syntax restored to previous and documented names. !904 + +### Other (1 change) + +- Update GitLab Version to 12.1.8. + + +## 2.1.7 + +### Other (1 change) + +- Update GitLab Version to 12.1.6. + + +## 2.1.6 + +### Fixed (1 change, 1 of them is from the community) + +- Disable client-side validation of kubectl apply to fix #1497. !885 (Semjon Bibow) + +### Other (1 change) + +- Update GitLab Version to 12.1.4. + + +## 2.1.5 + +### Fixed (1 change) + +- Generated Random Secrets Should Not Wrap. !875 + +### Other (1 change) + +- Update GitLab Version to 12.1.4. + + +## 2.1.4 + +### Other (1 change) + +- Update GitLab Version to 12.1.4. + + +## 2.1.3 + +### Other (1 change) + +- Update GitLab Version to 12.1.3. + + +## 2.1.2 + +### Other (1 change) + +- Update GitLab Version to 12.1.2. + + +## 2.1.1 + +### Other (1 change) + +- Update GitLab Version to 12.1.1. + + +## 2.1.0 + +### Fixed (8 changes, 2 of them are from the community) + +- Mailroom: fix redis without passsword. !816 (arthur13) +- Add ability to specify extrernal objectStorage for task-runner backup. !821 (Matthew Cascio) +- Fix ability to set internal port of gitlab-workhorse. !840 +- Use sort to compare versions in upgrade logic. !846 +- Freeze the version of redis exporter image. !850 +- Fixed shared secrets whitespace templating #1410. !861 +- Escape and quote all passwords in ERB templates. !869 +- Set pullPolicy for CI to Always #1460. !873 + +### Changed (2 changes) + +- Add prometheus metrics debug configuration. !838 +- Make version changes to chart files only if incoming version is higher. !859 + +### Added (5 changes, 3 of them are from the community) + +- Make the Task Runner backup backend configurable. !707 (Vic Iglesias) +- Support Git over SSH on OpenShift. !824 +- Registry: Add service port for Prometheus metrics. !842 +- Support for optional extra arguments for the cron based backup on Kubernetes. !854 (Gerard Boor) +- Document global.appConfig.defaultProjectsFeatures.containerRegistry #1456. !871 (Mike Rennie) + +### Other (4 changes) + +- CI: add CI vars to helm properties. !851 +- Run before_fork only once on boot for Unicorn. !852 +- Update gitlab-runner to 0.7.0/12.1.0. !878 +- Update GitLab Version to 12.1.0. + + +## 2.0.7 + +### Other (1 change) + +- Update GitLab Version to 12.0.9. + + +## 2.0.6 + +### Other (1 change) + +- Update GitLab Version to 12.0.8. + + +## 2.0.5 + +### Other (1 change) + +- Update GitLab Version to 12.0.6. + + +## 2.0.4 + +### Fixed (4 changes) + +- Use sort to compare versions in upgrade logic. !846 +- Freeze the version of redis exporter image. !850 +- Fixed shared secrets whitespace templating #1410. !861 +- Escape and quote all passwords in ERB templates. !869 + +### Other (1 change) + +- Update GitLab Version to 12.0.4. + + +## 2.0.3 (2019-07-03) + +### Other (1 change) + +- Update GitLab Version to 12.0.3. + + +## 2.0.2 (2019-06-26) + +### Changed (1 change) + +- Updated the gitlab-monitor tags to properly match its upstream release. + +### Other (2 changes) + +- Update gitlab-runner to 0.6.0/12.0.0. !832 +- Update GitLab Version to 12.0.2. + + +## 2.0.1 (2019-06-25) + +### Other (1 change) + +- Update GitLab Version to 12.0.1. + + +## 2.0.0 (2019-06-22) + +### Fixed (6 changes) + +- Ensure unicorn.rb issues appropriate lifecycle hooks. !791 +- Add missing object storage settings in task-runner. !793 +- Disable storage redirect of Registry when the internal Minio is used. !797 +- Port over https://github.com/helm/charts/pull/13646. !804 +- Add SMTP and other missing settings for task-runner. !809 +- Fix example smtp settings. !810 + +### Changed (2 changes) + +- Prioritize the external object storage connection settings before the global minio configuration. !802 +- Updated supported Kubernetes to 1.10 and Helm to 2.12. !808 + +### Added (6 changes, 2 of them are from the community) + +- Cron based backup support using Kubernetes and task runner. !548 (Thomas Miller) +- Add support for tolerations. !553 (Mike Rennie) +- Add gitlab-monitor to Helm Chart. !787 +- Add ability to specify network to use when creating a GKE cluster. !799 +- Modified anyuid to reflect project level instead of cluster. !803 +- Prevent upgrades from old chart versions. !828 + +### Other (2 changes, 1 of them is from the community) + +- Default Registry replicas to minReplicas. !794 (skarbek) +- Update GitLab Version to 12.0.0. + + +## 1.9.8 + +### Other (1 change) + +- Update GitLab Version to 11.11.8. + + +## 1.9.7 + +### Fixed (2 changes) + +- Freeze the version of redis exporter image. !850 +- Fixed shared secrets whitespace templating #1410. !861 + +### Other (1 change) + +- Update GitLab Version to 11.11.7. + + +## 1.9.5 (2019-06-26) + +### Other (1 change) + +- Update GitLab Version to 11.11.4. + + +## 1.9.4 (2019-06-21) + +### Added (1 change) + +- Add chart-info configmap to allow an upgrade path to the GitLab 12.0. !829 + +### Other (1 change) + +- Update GitLab Version to 11.11.3. + + +## 1.9.3 (2019-06-10) + +### Other (1 change) + +- Update GitLab Version to 11.11.3. + + +## 1.9.2 (2019-06-05) + +### Other (2 changes) + +- Update gitlab-runner to 0.5.2/11.11.2. !806 +- Update GitLab Version to 11.11.2. + + +## 1.9.1 (2019-06-03) + +### Other (2 changes) + +- Update GitLab Runner Helm Chart to 0.5.1. !801 +- Update GitLab Version to 11.11.1. + + +## 1.9.0 (2019-05-22) + +### Changed (4 changes) + +- Transition Operator from Cluster to Namespace Role. !764 +- Replace subgroup with GitLab class annotation. !772 +- Rename subgroup to CRD prefix. !773 +- Add default Referrer-Policy to nginx-ingress headers. !774 + +### Performance (1 change) + +- Unicorn: increase worker memory defaults. + +### Added (3 changes, 1 of them is from the community) + +- Add checkConfig logic to detect known bad configurations. !757 +- Persistent storage for task-runner tmp directory. !769 (jansmets) +- Enable Sidekiq Memory Killer Configuration. !776 + +### Other (2 changes) + +- Update gitlab-runner to 0.5.0/11.11.0. !798 +- Update GitLab Version to 11.11.0. + + +## 1.8.6 (2019-07-03) + +### Other (1 change) + +- Update GitLab Version to 11.10.8. + + +## 1.8.5 (2019-06-26) + +### Performance (1 change) + +- Unicorn: increase worker memory defaults. + +### Added (1 change, 1 of them is from the community) + +- Persistent storage for task-runner tmp directory. !769 (jansmets) + +### Other (1 change) + +- Update GitLab Version to 11.10.7. + + +## 1.8.4 (2019-05-01) + +### Other (1 change) + +- Update GitLab Version to 11.10.4. + + +## 1.8.3 (2019-04-30) + +### Other (1 change) + +- Update GitLab Version to 11.10.3. + + +## 1.8.2 (2019-04-29) + +### Other (1 change) + +- Update GitLab Version to 11.10.2. + + +## 1.8.1 (2019-04-24) + +### Other (2 changes) + +- Update gitlab-runner to 0.4.1/11.10.1. !768 +- Update GitLab Version to 11.10.1. + + +## 1.8.0 (2019-04-22) + +### Fixed (2 changes) + +- Quote read passwords in yml files. !717 +- Ensure README present in helm package. !752 + +### Changed (2 changes) + +- Update operator to use recreate deployment strategy. !728 +- Bump gitlab-operator to v0.4. !744 + +### Added (3 changes, 1 of them is from the community) + +- Expose unicorn memory limits via chart values. !738 (Paul Nicholson) +- Add support for when setting for external diffs. !743 +- ElasticSearch is now available. !746 + +### Other (2 changes) + +- Update gitlab-runner to 0.4.0/11.10.0. !765 +- Update GitLab Version to 11.10.0. + + +## 1.7.5 (2019-04-11) + +### Other (1 change) + +- Update GitLab Version to 11.9.8. + + +## 1.7.4 (2019-04-10) + +### Fixed (1 change) + +- Ensure README present in helm package. !752 + +### Other (1 change) + +- Update GitLab Version to 11.9.7. + + +## 1.7.3 (2019-04-05) + +### Fixed (2 changes) + +- Mount object storage secrets related to external diffs to pods. !745 +- Fix support for NGINX Ingress DaemonSets. !748 + +### Other (1 change) + +- Update GitLab Version to 11.9.6. + + +## 1.7.2 (2019-04-02) + +### Fixed (1 change) + +- Application: use groups in componentKinds. !740 + +### Other (1 change) + +- Update GitLab Version to 11.9.4. + + +## 1.7.1 (2019-03-25) + +### Other (2 changes) + +- Update gitlab-runner to 0.3.0/11.9.0. !735 +- Update GitLab Version to 11.9.1. + + +## 1.7.0 (2019-03-22) + +### Fixed (5 changes, 3 of them are from the community) + +- Set the Redis client ID to nil as some servers have that command disabled. !666 (Vic Iglesias) +- Set the life span of Registry certificate to 10 years. !701 +- Add Gitaly configuration to migrations job. !710 +- Add missing certificates initContainer to gitaly. !716 (Harry Lee (tclh123)) +- Provide Kubernetes 1.8 backwards compatibility for init-container secret copying. !720 (Fabian Jucker) + +### Changed (3 changes, 1 of them is from the community) + +- Extract shared configuration script of ruby-based pods into own template. !685 (Matthias van de Meent (Cofano Software Solutions)) +- Move cron_jobs setting from sidekiq to global context. !693 +- Allow disabling of the unicorn helm test. !721 + +### Added (5 changes, 1 of them is from the community) + +- Allow use of password-less Redis services (external). !665 (Vic Iglesias) +- Add support for using object storage for storing MR diffs. !698 +- Allow Disabling of ClusterRoles in ApplicationCRD. !702 +- Add eks_bootstrap_script. !706 +- Registry: Add caompatibility for Docker manifest schema1. !724 + +### Other (2 changes) + +- Automate version mapping updates. !704 +- Update GitLab Version to 11.9.0. + + +## 1.6.3 (2019-03-20) + +### Changed (1 change) + +- Allow disabling of the unicorn helm test. !721 + +### Other (1 change) + +- Update GitLab Version to 11.8.3. + + +## 1.6.2 (2019-03-13) + +### Fixed (1 change) + +- Add Gitaly configuration to migrations job. !710 + +### Other (1 change) + +- Update GitLab Version to 11.8.2. + + +## 1.6.1 (2019-03-04) + +### Fixed (1 change) + +- Remove duplicate gravatar entries from 'gitlab.yml.erb'. !700 + +### Other (2 changes) + +- Update gitlab-runner to 0.2.0/11.8.0. !697 +- Update GitLab Version to 11.8.1. + + +## 1.6.0 (2019-02-22) + +### Fixed (1 change) + +- Ensure Piwik and Google Analytics are disabled by default. + +### Changed (4 changes) + +- Switched gitlab-shell HPA to use a target cpu value, rather than a percentage. !655 +- Update the gitlab-shell resource requests to be a bit lower, reflecting latest testing. !656 +- Upgrade registry to version 2.7.1. !681 +- Use gitlab-operator version 0.3. !692 + +### Added (2 changes, 2 of them are from the community) + +- Adds configuration options for connecting Gitlab with database using mutual TLS. !626 (Lukas Grundmann) +- Add tls option to smtp settings. !648 (Igor Storozhuk) + +### Other (3 changes) + +- Restructure the documentation. !588 +- Allow static ServiceAccount Name in shared-secrets. !688 +- Update GitLab Version to 11.8.0. + + +## 1.5.3 (2019-02-05) + +### Other (1 change) + +- Update GitLab Version to 11.7.5. + + +## 1.5.2 (2019-02-05) + +### Other (1 change) + +- Update GitLab Version to 11.7.4. + + +## 1.5.1 (2019-01-31) + +### Other (2 changes) + +- Update gitlab-runner to 0.1.45/11.7.0. !654 +- Update GitLab Version to 11.7.3. + + +## 1.5.0 (2019-01-22) + +### Fixed (5 changes, 1 of them is from the community) + +- Generate omniauth attribute values correctly as expected by GitLab. !610 +- Ensure the operator deployment uses the immutable labels properly. !613 +- Ensure a newline before appending to registry/storage/config to make sure yaml is rendered correctly. !621 +- Fix 500 error when you don't set the parameter auto_sign_in_with_provider with OmniAuth enabled. !623 (David Kulak) +- Rails: set CA certificate path for SMTP. !625 + +### Changed (1 change) + +- Update gitlab-operator version to 0.2. !645 + +### Performance (1 change) + +- Add retry options for migration jobspec. !642 + +### Added (3 changes, 3 of them are from the community) + +- Allow configuration of securityContext user/group on all deployments with persistent volumes. !519 (Mike Rennie) +- add the node selector for registry chart. !602 (Jubel Han) +- Provide a way to reference a secret containing the LDAP password. !634 (Matthias van de Meent (Cofano Software Solutions)) + +### Other (2 changes) + +- Move ingress enabled detection to helper method. !607 +- Update GitLab Version to 11.7.0. + + +## 1.4.4 (2019-01-17) + +### Other (1 change) + +- Update GitLab Version to 11.6.5. + + +## 1.4.3 (2019-01-16) + +### Other (2 changes) + +- Update gitlab/gitlab-runner to v0.1.44. !633 +- Update GitLab Version to 11.6.4. + + +## 1.4.2 (2019-01-05) + +### Other (1 change) + +- Update GitLab Version to 11.6.3. + + +## 1.4.1 (2019-01-02) + +### Other (1 change) + +- Update GitLab Version to 11.6.2. + + +## 1.4.0 (2018-12-22) + +### Fixed (1 change, 1 of them is from the community) + +- Move LFS and Upload temporary storage to ephemeral disk. !587 (Robert Jordan) + +### Changed (2 changes, 1 of them is from the community) + +- CI now does not run any tasks which the repository is not configured for. !569 (Matthias van de Meent (Cofano Software Solutions)) +- Refine unicorn resource resqeusts. !586 + +### Added (8 changes, 3 of them are from the community) + +- Added option for annotations for use with IAM roles. !504 (Deniz Zoeteman) +- Provide a way to skip certain steps in the backup-procedure. !574 (Matthias van de Meent (Cofano Software Solutions)) +- Add global and chart-local ingress.tls.enabled flags. !577 (Matthias van de Meent (Cofano Software Solutions)) +- Add the operator version label to the gitlab custom resource. !582 +- Added example values file for a minimal gke cluster. !589 +- Add examples for GCS object storage. !592 +- Add support for impersonation_enabled flag in gitlab.yml. !593 +- Allow support for using rediss urls. !600 + +### Other (3 changes) + +- Add extraInitContainers, extraContainers, extraVolumes and extraVolumeMounts to template options. !580 +- Operator Version 0.1. !605 +- Update GitLab Version to 11.6.0. + + +## 1.3.4 (2018-12-14) + +### Other (3 changes) + +- Update GitLab Runner chart 0.1.38. !590 +- Fix Broken Icon Image on Helm Hub. !597 +- Update GitLab Version to 11.5.4. + + +## 1.3.3 (2018-12-06) + +### Other (1 change) + +- Update GitLab Version to 11.5.3. + + +## 1.3.2 (2018-12-04) + +### Added (1 change, 1 of them is from the community) + +- Add packages to the backups task list. !585 (Matthias van de Meent (Cofano Software Solutions)) + +### Other (1 change) + +- Update GitLab Version to 11.5.2. + + +## 1.3.1 (2018-11-28) + +### Other (1 change) + +- Update GitLab Version to 11.5.1. + + +## 1.3.0 (2018-11-22) + +### Fixed (2 changes, 1 of them is from the community) + +- Serve sidekiq assets directly from unicorn. !560 +- Define .metadata.namespace for resources which should have had that defined. !573 (Matthias van de Meent (Cofano Software Solutions)) + +### Changed (2 changes) + +- Make LDAP and Omniauth configuration global to rails based containers. !567 +- Pin the operator image to a specific sha digest. !571 + +### Added (5 changes, 1 of them is from the community) + +- Add additional cleanup policy to Helm prehooks. !550 +- Add GitLab Rails, workhorse and runner secret to documentation. !552 (Maikel Vlasman) +- Add support for Maven repositories. !558 +- Add support for Pseudonymizer. !562 +- Registry: default storage `delete` enabled. !579 + +### Other (4 changes) + +- Add docs about using charts on OpenShift Origin. !555 +- Mount configuration files directly to /srv/gitlab/config instead of /var/opt/gitlab/config/gitlab. !565 +- Update nginx-ingress fork to 0.30.0. !578 +- Update GitLab Version to 11.5.0. + + +## 1.2.6 (2018-11-20) + +### Other (1 change) + +- Update GitLab Version to 11.4.7. + + +## 1.2.5 (2018-11-20) + +### Other (2 changes) + +- Mount configuration files directly to /srv/gitlab/config instead of /var/opt/gitlab/config/gitlab. !565 +- Update GitLab Version to 11.4.6. + + +## 1.2.4 (2018-11-05) + +### Other (1 change) + +- Update GitLab Version to 11.4.5. + + +## 1.2.3 (2018-11-01) + +### Other (1 change) + +- Update GitLab Version to 11.4.4. + + +## 1.2.2 (2018-10-29) + +### Other (1 change) + +- Update GitLab Version to 11.4.3. + + +## 1.2.1 (2018-10-29) + +### Fixed (1 change) + +- Skip custom CA mounts when unnecessary. !544 + +### Other (1 change) + +- Update GitLab Version to 11.4.2. + + +## 1.2.0 (2018-10-22) + +### Security (1 change) + +- Update redis version to 3.2.12. !511 + +### Fixed (4 changes, 1 of them is from the community) + +- Better handle self-signed certificate behaviors in NOTES.txt. !500 +- NGINX: populate ingressClass from template. !520 +- Move shared-secrets jobs run as non-root. !533 +- Make gke bootstrap script work on MacOS. (Robert Marshall) + +### Changed (1 change) + +- Add safe-to-evict annotation to stateless deployments. !523 + +### Added (7 changes, 3 of them are from the community) + +- Add missing settings to configure gitlab.yml. !496 (Erik Sundell) +- Add a global flag to set the gitlab edition that will be installed. !499 (Scott Leggett) +- Allow disabled shared-secrets chart. !510 +- Add Gitlab operator to run upgrades of Gitlab. !516 +- Move jobs management into the operator if it is enabled. !517 +- Provide a way to disable the usage ping options. !525 (Mike Rennie) +- Add control of exposed SSH port. !531 + +### Other (3 changes, 1 of them is from the community) + +- Update Helm minimum requirement to 2.9. !505 +- Use example.com in documentation and examples as per RFC2606. !512 (Scott Leggett) +- Update GitLab Version to 11.4.0. + + +## 1.1.6 (2018-10-17) + +### Other (1 change) + +- Update GitLab Version to 11.3.6. + + +## 1.1.5 (2018-10-15) + +### Fixed (1 change) + +- Sidekiq: add credentials for Registry, #785. !535 + +### Added (1 change, 1 of them is from the community) + +- Add registry.enabled param in unicorn chart. !508 (Flavien Peyre) + +### Other (1 change) + +- Update GitLab Version to 11.3.5. + + +## 1.1.4 (2018-10-05) + +### Other (1 change) + +- Update GitLab Version to 11.3.4. + + +## 1.1.3 (2018-10-04) + +### Other (1 change) + +- Update GitLab Version to 11.3.3. + + +## 1.1.2 (2018-10-03) + +### Other (1 change) + +- Update GitLab Version to 11.3.2. + + +## 1.1.1 (2018-10-01) + +### Other (1 change) + +- Update GitLab Version to 11.3.1. + + +## 1.1.0 (2018-09-22) + +### Fixed (1 change) + +- Fix indentation error in self-signed-certs Job of shared-secrts. + +### Changed (1 change) + +- Registry: move http.secret to k8s secret (auto-generated). !485 + +### Added (3 changes, 2 of them are from the community) + +- Allow to define under which user and group gitaly is running. !473 (Michael Schmid ) +- Ensure job resources can be configured. !482 +- Adds option to specify separate hostname for ssh access. !487 (Gijs Kunze) + +### Other (2 changes, 1 of them is from the community) + +- Added namespace to resources. !443 (Matthias van de Meent (Cofano Software Solutions)) +- Update GitLab Version to 11.3.0. + + +## 1.0.2 (2018-08-28) + +### Fixed (1 change) + +- Fixed setting the connection to a non-default redis port. !470 + + +## 1.0.1 (2018-08-22) + +- No changes. + +## 1.0.0 (2018-08-22) + +### Fixed (4 changes, 1 of them is from the community) + +- Minio/Redis: add spec.strategy.type=Recreate (#633). !423 +- Add missing reference to uploads bucket in task-runner chart. !429 (Matt Welch) +- runner: fix gitlab-runner.cache.secret template. +- Fix changelog danger handling. + +### Changed (13 changes) + +- Move all Minio enabled to global configuration. !389 +- Convert registry storage block to secret. !391 +- Convert rails connection blocks to secrets. !393 +- Add additional instructions to application.yaml, switch to v1beta1 of the CRD, and trigger purely off the create flag. !401 +- Relocate lfs/artifacts/uploads configuration to global `appConfig`. !403 +- Update memory requests based on observations. !418 +- Update certmanager to v0.4.0 (#617). !424 +- Allow external object storage for task-runner. !427 +- Add securtyContext to nginx-ingress-controller deployment to run as non-root user and upgrade image version to 0.15.0. !431 +- Replace self-signed certificate generation, automatically CA add to custom CAs. !441 +- Default sidekiq chart queues to upstream source defaults. !449 +- Rails pods, except migrations, will wait for their desired schema version before starting. !462 +- Bump the gitalb-runner chart version to 0.1.33. !468 + +### Performance (1 change) + +- Use targetValue instead of targetUtilization fo hpa autoscaling. !433 + +### Added (7 changes, 3 of them are from the community) + +- support multiple gitaly instances. !377 +- Set preStop hooks to sidekiq and unicorn charts for graceful shutdown. !382 (Balasankar C) +- Add option to configure missing settings from gitlab.yml. !395 (Balasankar C) +- Move gitlab-workhorse to a separate container. !397 (Ian Baum) +- Implment support for incoming emails by adding a mailroom chart. !425 +- Enable NGINX Ingress metrics by default. !434 +- Add capability to inject custom root CAs. !436 + +### Other (8 changes) + +- Better document the initial storage configuration options. !412 +- Restructure examples and link docs. !445 +- Add retreival of self-signed CA to NOTES.txt output when in use. !457 +- Add example values for Minikube. !459 +- Document deprecations behavior and deceision. +- Update external object storage documentation. +- add anti-affinity to nginx. +- Remove Dockerfile since it's been moved to gitlab-org/gitlab-build-images. + + +## 0.3.5 (2018-07-31) + +### Fixed (1 change) + +- Pin the minio/mc image version to a know working tag. !426 + + +## 0.3.4 (2018-07-31) + +- No changes. + +## 0.3.3 (2018-07-27) + +- No changes. + +## 0.3.2 (2018-07-26) + +- No changes. + +## 0.3.1 (2018-07-23) + +- No changes. + +## 0.3.0 + +### Security (4 changes, 4 of them are from the community) + +- Use minimum permissions for certmanager-issuer chart. !352 (Corey O'Brien) +- Limit nginx to chart namespace. !354 (Corey O'Brien) +- Limit rbac permission for shared-secrets. !356 (Corey O'Brien) +- Use self-signed certificate as last resort. !360 (Corey O'Brien) + +### Fixed (1 change) + +- Expanded OmniAuth configuration in Unicorn. !328 + +### Changed (3 changes, 1 of them is from the community) + +- Change location of gitlab source code to /srv/gitlab. !15 (Balasankar C) +- Remove chart version from redis-ha immutable fields. !337 +- Explicitly set resources.requests.cpu=50m on initContainers to enforce reduced resources. !369 + +### Added (1 change, 1 of them is from the community) + +- Support optional Application CRD. !363 (Corey O'Brien) + +## 0.2.0 + +### Fixed (1 change, 1 of them is from the community) + +- Add consistent metadata for all charts. !319 (Corey O'Brien) + +### Changed (2 changes, 1 of them is from the community) + +- Change the initial root password to be contained in a secret, and autogenerated. !296 +- Replace hardcoded image references with values. !324 (Dave Konopka) + +### Other (1 change, 1 of them is from the community) + +- Bump redis version to 3.2.6. !325 (Corey O'Brien) + +## 2018-06-12 + +### Removed (1 change) + +- Removed version number from statefulset metadata. !318 + +### Fixed (1 change) + +- Resolve No longer possible to disable nginx ingress. !311 + +### Changed (1 change, 1 of them is from the community) + +- Use .Release.Name in the name of all Secrets. !302 (Corey O'Brien) + +### Added (3 changes) + +- Unicorn: add support for object storage of job artifacts. !255 +- Add global setting for imagePullPolicy. !305 +- Sidekiq: add object storage configuration. !314 + +## 2018-06-05 + +### Changed (1 change) + +- GitLab image tags can be set using a global, and default to the chart appVersion. !304 + +### Added (1 change, 1 of them is from the community) + +- Increase minimum repliacs to 2+ via HPAs where relevant. !285 (Corey O'Brien) + +### Other (2 changes, 1 of them is from the community) + +- Remove placeholder charts. !301 (Corey O'Brien) +- Use upstream gitlab-runner. + +## 2018-05-29 + +### Fixed (1 change, 1 of them is from the community) + +- Fix selectors for minio PDB to exclude Job Pods. !292 (Corey O'Brien) + +### Added (3 changes, 2 of them are from the community) + +- Implement global configuration for Gitaly. !287 +- Add options to set annotations on Services. !298 (Corey O'Brien) +- Added soft host anti-affinity by default. (Corey O'Brien) + +## 2018-05-22 + +### Added (3 changes, 3 of them are from the community) + +- Add a script for running helm without tiller running in the cluster. !281 (Corey O'Brien) +- Add configuration for auxiliary cron jobs. !283 (Dave Konopka) +- Add basic PodDisruptionBudgets. !284 (Corey O'Brien) + +## 2018-05-15 + +### Changed (2 changes) + +- Replace omnibus postgresql instance with postegresql chart based on upstream. !216 +- Switch Gitaly Deployment to a StatefulSet. !271 + +### Added (5 changes, 1 of them is from the community) + +- Add prometheus exporter to postgres. !239 +- Added configuration options for workhorse. !269 (Corey O'Brien) +- Add ability to configure Redis via Globals. !273 +- Add prometheus exporter to gitaly. !274 +- Add configuration for ldap authentication. + +## 2018-05-08 + +### Security (1 change) + +- Update NGINX Ingress to 0.14.0. !249 + +### Added (1 change) + +- Add configuration options for time_zone, rack_attack, trusted_proxies, and extras. !260 + +## 2018-05-01 + +### Added (2 changes, 1 of them is from the community) + +- Add configuration options for outgoing email persona. !238 (Corey O'Brien) +- Add object storage support for Uploads. !250 + +## 2018-04-17 + +### Fixed (1 change) + +- Add updated sidekiq queues for GitLab 10.7. !212 + +### Added (3 changes, 1 of them is from the community) + +- Implement global to configure extnernal static IP to simplify. !206 +- Unicorn: add support for configuring Omniauth. !210 +- Add Prometheus metrics exporters to Redis and Redis-HA charts. !215 (Dave Konopka) + +### Other (2 changes, 1 of them is from the community) + +- Bring CHANGELOG logic from gitlab-ce to helm.gitlab.io. !200 (Jason Plum) +- Changelog: introduce changelog_manager, with CI. !208 + +## 2018-03-22 Alpha + +- See [alpha documentation](https://docs.gitlab.com/charts/releases/alpha.html) diff --git a/kubernetes/Charts/gitlab/CONTRIBUTING.md b/kubernetes/Charts/gitlab/CONTRIBUTING.md new file mode 100644 index 0000000..e49ac15 --- /dev/null +++ b/kubernetes/Charts/gitlab/CONTRIBUTING.md @@ -0,0 +1,178 @@ +## Contributing + +Thank you for your interest in contributing to this GitLab project! We welcome +all contributions. By participating in this project, you agree to abide by the +[code of conduct](#code-of-conduct). + +## Developer Certificate of Origin + License + +By contributing to GitLab B.V., You accept and agree to the following terms and +conditions for Your present and future Contributions submitted to GitLab B.V. +Except for the license granted herein to GitLab B.V. and recipients of software +distributed by GitLab B.V., You reserve all right, title, and interest in and to +Your Contributions. All Contributions are subject to the following DCO + License +terms. + +[DCO + License](https://gitlab.com/gitlab-org/dco/blob/master/README.md) + +_This notice should stay as the first item in the CONTRIBUTING.md file._ + +## Merge requests + +We welcome merge requests with fixes and improvements to GitLab code, tests, +and/or documentation. The issues that are specifically suitable for +community contributions are listed with the label +[`Accepting Merge Requests` on our issue tracker][accepting-mrs], but you are +free to contribute to any other issue you want. + +Please note that if an issue is marked for the current milestone either before +or while you are working on it, a team member may take over the merge request +in order to ensure the work is finished before the release date. + +If you want to add a new feature that is not labeled it is best to first create +a feedback issue (if there isn't one already) and leave a comment asking for it +to be marked as `Accepting Merge Requests`. + +Merge requests should be opened at [GitLab.com][gitlab-mr-tracker]. + +### Merge request guidelines + +If you can, please submit a merge request with the fix or improvements +including tests. If you don't know how to fix the issue but can write a test +that exposes the issue we will accept that as well. In general bug fixes that +include a regression test are merged quickly while new features without proper +tests are least likely to receive timely feedback. The workflow to make a merge +request is as follows: + +1. Fork the project into your personal space on GitLab.com +1. Create a feature branch, branch away from `master` +1. Write code and charts changes. +1. If deemed necessary, provide MR to the [Cloud Native GitLab containers][CNG]. + - Provide the related Issue and MR link from that repository. +1. [Generate a changelog entry with `bin/changelog`][changelog] +1. If you have multiple commits please combine them into a few logically + organized commits by [squashing them][git-squash] +1. Push the commit(s) to your fork +1. Submit a merge request (MR) to the `master` branch + 1. Ensure the MR description uses the `General Change` template, and the appropriate + items are checked off. + 1. Your merge request needs at least 1 approval but feel free to require more. + For instance if you're touching multiple charts, replacing a provider, or + altering an behavior on a global level. + 1. You don't have to select any approvers, but you can if you really want + specific people to approve your merge request. +1. The MR title should describe the change you want to make +1. The MR description should give a motive for your change and the method you + used to achieve it. + 1. If you are contributing code, fill in the template already provided in the + "Description" field. + 1. If you are contributing documentation + 1. Choose `Documentation` from the "Choose a template" menu and fill in the template. + 1. Ensure the branch name starts with `docs-` or ends with `-docs` + 1. Mention the issue(s) your merge request solves, using the `Solves #XXX` or + `Closes #XXX` syntax to auto-close the issue(s) once the merge request will + be merged. +1. If you're allowed to, set a relevant milestone and labels +1. Be prepared to answer questions and incorporate feedback even if requests + for this arrive weeks or months after your MR submission + 1. If a discussion has been addressed, select the "Resolve discussion" button + beneath it to mark it resolved. +1. When writing commit messages please follow + [these](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) + [guidelines](http://chris.beams.io/posts/git-commit/). + +Please keep the change in a single MR **as small as possible**. If you want to +contribute a large feature think very hard what the minimum viable change is. +Can you split the functionality? Can you do part of the refactor? The increased +reviewability of small MRs that leads to higher code quality is more important +to us than having a minimal commit log. The smaller an MR is the more likely it +is it will be merged (quickly). After that you can send more MRs to enhance it. +The ['How to get faster PR reviews' document of Kubernetes](https://github.com/kubernetes/community/blob/master/contributors/devel/faster_reviews.md) also has some great points regarding this. + +For examples of feedback on merge requests please look at already +[closed merge requests][closed-merge-requests]. +Please ensure that your merge request meets the contribution acceptance criteria. + +### Contribution acceptance criteria + +1. The change is as small as possible +1. If you suspect a failing CI build is unrelated to your contribution, you may + try and restart the failing CI job or ask a developer to fix the + aforementioned failing test +1. Your MR initially contains a single commit (please use `git rebase -i` to + squash commits) +1. Your changes can merge without problems (if not please rebase if you're the + only one working on your feature branch, otherwise, merge `master`) +1. Does not break any existing functionality +1. Fixes one specific issue or implements one specific feature (do not combine + things, send separate merge requests if needed) +1. Keeps the GitLab chart clean and well structured +1. Contains functionality we think other users will benefit from too +1. Changes do not adversely degrade configuration experience. + - If a change would affect the experience of a user of this chart by increased + complexity, at install or re-configuration, a strong case must be presented. +1. Changes do not adversely degrade performance. + - Performance within the chart refers to several factors, the most + significant being installation and restart times. +1. Changes after submitting the merge request should be in separate commits + (no squashing). +1. It conforms to the [developer documentation](doc/development/README.md). +1. The merge request meets the [definition of done](#definition-of-done). + +## Definition of done + +If you contribute to GitLab please know that changes involve more than just +code. We have the following [definition of done][definition-of-done]. Please ensure you support +the feature you contribute through all of these steps. + +1. Description explaining the relevancy (see following item) +1. Working and clean code that is commented where needed +1. Deployment and QA pass on the CI cluster +1. Performance/scalability implications have been considered, addressed, and tested +1. Documented in the `/doc` directory +1. [Changelog entry added][changelog], if necessary +1. Reviewed and any concerns are addressed +1. Merged by a project maintainer +1. Added to the release blog article, if relevant +1. Added to [the website](https://gitlab.com/gitlab-com/www-gitlab-com/), if relevant +1. Community questions answered +1. Answers to questions radiated (in docs/wiki/support etc.) + +## Code of conduct + +As contributors and maintainers of this project, we pledge to respect all people +who contribute through reporting issues, posting feature requests, updating +documentation, submitting pull requests or patches, and other activities. + +We are committed to making participation in this project a harassment-free +experience for everyone, regardless of level of experience, gender, gender +identity and expression, sexual orientation, disability, personal appearance, +body size, race, ethnicity, age, or religion. + +Examples of unacceptable behavior by participants include the use of sexual +language or imagery, derogatory comments or personal attacks, trolling, public +or private harassment, insults, or other unprofessional conduct. + +Project maintainers have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct. Project maintainers who do not follow the +Code of Conduct may be removed from the project team. + +This code of conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. + +Instances of abusive, harassing, or otherwise unacceptable behavior can be +reported by emailing contact@gitlab.com. + +This Code of Conduct is adapted from the [Contributor Covenant][contributor-covenant], version 1.1.0, +available at [http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/). + +[accepting-mrs]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues?label_name=Accepting+Merge+Requests +[gitlab-mr-tracker]: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests +[closed-merge-requests]: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests?assignee_id=&label_name=&milestone_id=&scope=&sort=&state=closed +[contributor-covenant]: http://contributor-covenant.org +[changelog]: doc/development/changelog.md "Generate a changelog entry" +[git-squash]: https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits +[definition-of-done]: http://guide.agilealliance.org/guide/definition-of-done.html +[contributor-covenant]: http://contributor-covenant.org +[CNG]: https://gitlab.com/gitlab-org/build/CNG/ diff --git a/kubernetes/Charts/gitlab/Chart.yaml b/kubernetes/Charts/gitlab/Chart.yaml new file mode 100644 index 0000000..325dde6 --- /dev/null +++ b/kubernetes/Charts/gitlab/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: GitLab is the most comprehensive AI-powered DevSecOps Platform. +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png +keywords: +- gitlab +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab +sources: +- https://gitlab.com/gitlab-org/charts/gitlab +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/LICENSE.md b/kubernetes/Charts/gitlab/LICENSE.md new file mode 100644 index 0000000..4abe8b8 --- /dev/null +++ b/kubernetes/Charts/gitlab/LICENSE.md @@ -0,0 +1,25 @@ +Copyright (c) 2011-2017 GitLab B.V. + +With regard to the GitLab Software: + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +For all third party components incorporated into the GitLab Software, those +components are licensed under the original license provided by the owner of the +applicable component. diff --git a/kubernetes/Charts/gitlab/README.md b/kubernetes/Charts/gitlab/README.md new file mode 100644 index 0000000..32cdcad --- /dev/null +++ b/kubernetes/Charts/gitlab/README.md @@ -0,0 +1,49 @@ +[![pipeline status](https://gitlab.com/gitlab-org/charts/gitlab/badges/master/pipeline.svg)](https://gitlab.com/gitlab-org/charts/gitlab/pipelines) + +# Cloud Native GitLab Helm Chart + +The `gitlab` chart is the best way to operate GitLab on Kubernetes. It contains +all the required components to get started, and can scale to large deployments. + +Some of the key benefits of this chart and [corresponding containers](https://gitlab.com/gitlab-org/build/CNG) are: + +- Improved scalability and reliability. +- No requirement for root privileges. +- Utilization of object storage instead of NFS for storage. + +## Detailed documentation + +See the [repository documentation](doc/index.md) for how to install GitLab and +other information on charts, tools, and advanced configuration. + +For easy of reading, you can find this documentation rendered on +[docs.gitlab.com/charts](https://docs.gitlab.com/charts). + +### Configuration Properties + +We're often asked to put a table of all possible properties directly into this README. +These charts are _massive_ in scale, and as such the number of properties exceeds +the amount of context we're comfortable placing here. Please see our (nearly) +[comprehensive list of properties and defaults](doc/installation/command-line-options.md). + +**Note:** We _strongly recommend_ following our complete documentation, as opposed to +jumping directly into the settings list. + +## Architecture and goals + +See [architecture documentation](doc/architecture/index.md) for an overview +of this project goals and architecture. + +## Known issues and limitations + +See [limitations](doc/index.md#limitations). + +## Release Notes + +Check the [version mappings documentation](doc/installation/version_mappings.md) for information on important releases, +and see the [changelog](CHANGELOG.md) for the full details on any release. + +## Contributing + +See the [contribution guidelines](CONTRIBUTING.md) and then check out the +[development styleguide](doc/development/index.md). diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/Chart.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/Chart.yaml new file mode 100644 index 0000000..7a8e804 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E + url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg +apiVersion: v1 +appVersion: v1.12.6 +description: A Helm chart for cert-manager +home: https://github.com/cert-manager/cert-manager +icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png +keywords: +- cert-manager +- kube-lego +- letsencrypt +- tls +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: cert-manager-maintainers@googlegroups.com + name: cert-manager-maintainers + url: https://cert-manager.io +name: cert-manager +sources: +- https://github.com/cert-manager/cert-manager +version: v1.12.6 diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/README.md b/kubernetes/Charts/gitlab/charts/cert-manager/README.md new file mode 100644 index 0000000..b105ca1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/README.md @@ -0,0 +1,271 @@ +# cert-manager + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +## Prerequisites + +- Kubernetes 1.20+ + +## Installing the Chart + +Full installation instructions, including details on how to configure extra +functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/). + +Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources. +This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. + +```bash +$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.crds.yaml +``` + +To install the chart with the release name `my-release`: + +```console +## Add the Jetstack Helm repository +$ helm repo add jetstack https://charts.jetstack.io + +## Install the cert-manager helm chart +$ helm install my-release --namespace cert-manager --version v1.12.6 jetstack/cert-manager +``` + +In order to begin issuing certificates, you will need to set up a ClusterIssuer +or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). + +More information on the different types of issuers and how to configure them +can be found in [our documentation](https://cert-manager.io/docs/configuration/). + +For information on how to configure cert-manager to automatically provision +Certificates for Ingress resources, take a look at the +[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/). + +> **Tip**: List all releases using `helm list` + +## Upgrading the Chart + +Special considerations may be required when upgrading the Helm chart, and these +are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/). + +**Please check here before performing upgrades!** + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +If you want to completely uninstall cert-manager from your cluster, you will also need to +delete the previously installed CustomResourceDefinition resources: + +```console +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.crds.yaml +``` + +## Configuration + +The following table lists the configurable parameters of the cert-manager chart and their default values. + +| Parameter | Description | Default | +| --------- | ----------- | ------- | +| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | +| `global.commonLabels` | Labels to apply to all resources | `{}` | +| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | +| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` | +| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` | +| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` | +| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` | +| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | | +| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | | +| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | | +| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | +| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | +| `image.tag` | Image tag | `v1.12.6` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `replicaCount` | Number of cert-manager replicas | `1` | +| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | +| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `.extraArgs` | `` | +| `extraArgs` | Optional flags for cert-manager | `[]` | +| `extraEnv` | Optional environment variables for cert-manager | `[]` | +| `serviceAccount.create` | If `true`, create a new service account | `true` | +| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `serviceAccount.annotations` | Annotations to add to the service account | | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | +| `volumes` | Optional volumes for cert-manager | `[]` | +| `volumeMounts` | Optional volume mounts for cert-manager | `[]` | +| `resources` | CPU/memory resource requests/limits | `{}` | +| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) | +| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Node affinity for pod assignment | `{}` | +| `tolerations` | Node tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` | +| `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. | `false` | +| `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` | +| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | +| `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` | +| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | +| `livenessProbe.successThreshold` | The liveness probe success threshold | `1` | +| `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` | +| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | | +| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | | +| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | | +| `prometheus.enabled` | Enable Prometheus monitoring | `true` | +| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` | +| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) | +| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` | +| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` | +| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` | +| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | | +| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | +| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` | +| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` | +| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` | +| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | +| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | +| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | +| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | | +| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | | +| `podLabels` | Labels to add to the cert-manager pod | `{}` | +| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` | +| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` | +| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | | +| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | +| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | +| `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` | +| `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` | +| `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` | +| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` | +| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` | +| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` | +| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` | +| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` | +| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` | +| `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | +| `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | +| `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | +| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` | +| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` | +| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` | +| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` | +| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | +| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` | +| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | | +| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | | +| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` | +| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` | +| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` | +| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` | +| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` | +| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` | +| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | +| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` | +| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | +| `webhook.image.tag` | Webhook image tag | `v1.12.6` | +| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | +| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` | +| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) | +| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) | +| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` | +| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` | +| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | | +| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | | +| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` | +| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` | +| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | +| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` | +| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` | +| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` | +| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` | +| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` | +| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` | +| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` | +| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` | +| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` | +| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` | +| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` | +| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` | +| `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | +| `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | +| `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | +| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` | +| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` | +| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | | +| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` | +| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` | +| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` | +| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` | +| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | +| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` | +| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | +| `cainjector.image.tag` | cainjector image tag | `v1.12.6` | +| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | +| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) | +| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) | +| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` | +| `acmesolver.image.tag` | acmesolver image tag | `v1.12.6` | +| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` | +| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` | +| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) | +| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) | +| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` | +| `startupapicheck.backoffLimit` | Job backoffLimit | `4` | +| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` | +| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` | +| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` | +| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` | +| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` | +| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` | +| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` | +| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` | +| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` | +| `startupapicheck.image.tag` | startupapicheck image tag | `v1.12.6` | +| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` | +| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` | +| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | | +| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` | +| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` | + +### Default Security Contexts + +The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies. + +Default pod-level securityContext: +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +Default containerSecurityContext: +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +``` + +### Assigning Values + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml . +``` +> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml) + +## Contributing + +This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager). diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/cert-manager/templates/NOTES.txt new file mode 100644 index 0000000..1025354 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/NOTES.txt @@ -0,0 +1,15 @@ +cert-manager {{ .Chart.AppVersion }} has been deployed successfully! + +In order to begin issuing certificates, you will need to set up a ClusterIssuer +or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). + +More information on the different types of issuers and how to configure them +can be found in our documentation: + +https://cert-manager.io/docs/configuration/ + +For information on how to configure cert-manager to automatically provision +Certificates for Ingress resources, take a look at the `ingress-shim` +documentation: + +https://cert-manager.io/docs/usage/ingress/ diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/cert-manager/templates/_helpers.tpl new file mode 100644 index 0000000..90db4af --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/_helpers.tpl @@ -0,0 +1,174 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cert-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "cert-manager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cert-manager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Webhook templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'webhook' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "webhook.name" -}} +{{- printf "webhook" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "webhook.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}} +{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "webhook.caRef" -}} +{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "webhook.serviceAccountName" -}} +{{- if .Values.webhook.serviceAccount.create -}} + {{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.webhook.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +cainjector templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'cainjector' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "cainjector.name" -}} +{{- printf "cainjector" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cainjector.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}} +{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cainjector.serviceAccountName" -}} +{{- if .Values.cainjector.serviceAccount.create -}} + {{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.cainjector.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +startupapicheck templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "startupapicheck.name" -}} +{{- printf "startupapicheck" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "startupapicheck.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}} +{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "startupapicheck.serviceAccountName" -}} +{{- if .Values.startupapicheck.serviceAccount.create -}} + {{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.startupapicheck.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "chartName" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Labels that should be added on each resource +*/}} +{{- define "labels" -}} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- if eq (default "helm" .Values.creator) "helm" }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +helm.sh/chart: {{ include "chartName" . }} +{{- end -}} +{{- if .Values.global.commonLabels}} +{{ toYaml .Values.global.commonLabels }} +{{- end }} +{{- end -}} + +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used + +This gets around an problem within helm discussed here +https://github.com/helm/helm/issues/5358 +*/}} +{{- define "cert-manager.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-deployment.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-deployment.yaml new file mode 100644 index 0000000..1220173 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-deployment.yaml @@ -0,0 +1,117 @@ +{{- if .Values.cainjector.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cainjector.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} + {{- with .Values.cainjector.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.cainjector.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- with .Values.cainjector.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 8 }} + {{- with .Values.cainjector.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "cainjector.serviceAccountName" . }} + {{- if hasKey .Values.cainjector "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }} + {{- end }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.cainjector.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-cainjector + {{- with .Values.cainjector.image }} + image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }} + args: + {{- if .Values.global.logLevel }} + - --v={{ .Values.global.logLevel }} + {{- end }} + {{- with .Values.global.leaderElection }} + - --leader-election-namespace={{ .namespace }} + {{- if .leaseDuration }} + - --leader-election-lease-duration={{ .leaseDuration }} + {{- end }} + {{- if .renewDeadline }} + - --leader-election-renew-deadline={{ .renewDeadline }} + {{- end }} + {{- if .retryPeriod }} + - --leader-election-retry-period={{ .retryPeriod }} + {{- end }} + {{- end }} + {{- with .Values.cainjector.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.cainjector.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cainjector.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cainjector.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cainjector.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml new file mode 100644 index 0000000..f080b75 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if .Values.cainjector.podDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "cainjector.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + + {{- with .Values.cainjector.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml new file mode 100644 index 0000000..b75b9eb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml @@ -0,0 +1,20 @@ +{{- if .Values.cainjector.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cainjector.fullname" . }}-psp + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "cainjector.fullname" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml new file mode 100644 index 0000000..e2bfa26 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.cainjector.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cainjector.fullname" . }}-psp + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cainjector.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp.yaml new file mode 100644 index 0000000..24f01da --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-psp.yaml @@ -0,0 +1,51 @@ +{{- if .Values.cainjector.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-rbac.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-rbac.yaml new file mode 100644 index 0000000..2aa59ee --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-rbac.yaml @@ -0,0 +1,103 @@ +{{- if .Values.cainjector.enabled }} +{{- if .Values.global.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cainjector.fullname" . }} +subjects: + - name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "cainjector.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] + +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "cainjector.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cainjector.fullname" . }}:leaderelection +subjects: + - kind: ServiceAccount + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-serviceaccount.yaml new file mode 100644 index 0000000..fedc731 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/cainjector-serviceaccount.yaml @@ -0,0 +1,27 @@ +{{- if .Values.cainjector.enabled }} +{{- if .Values.cainjector.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + {{- with .Values.cainjector.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} + {{- with .Values.cainjector.serviceAccount.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/crds.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/crds.yaml new file mode 100644 index 0000000..8206987 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/crds.yaml @@ -0,0 +1,4462 @@ +{{- if .Values.installCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io + labels: + app: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + # Generated labels {{- include "labels" . | nindent 4 }} +spec: + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Approved")].status + name: Approved + type: string + - jsonPath: .status.conditions[?(@.type=="Denied")].status + name: Denied + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + type: string + - jsonPath: .spec.username + name: Requestor + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + type: object + required: + - issuerRef + - request + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. + type: string + extra: + description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: object + additionalProperties: + type: array + items: + type: string + groups: + description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: array + items: + type: string + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + request: + description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. + type: string + format: byte + uid: + description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + username: + description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + status: + description: Status of the CertificateRequest. This is set and managed automatically. + type: object + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. + type: string + format: byte + certificate: + description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. + type: string + format: byte + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + type: array + items: + description: CertificateRequestCondition contains condition information for a CertificateRequest. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. + type: string + format: date-time + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io + labels: + app: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + # Generated labels {{- include "labels" . | nindent 4 }} +spec: + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Certificate resource. + type: object + required: + - issuerRef + - secretName + properties: + additionalOutputFormats: + description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. + type: array + items: + description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. + type: object + required: + - type + properties: + type: + description: Type is the name of the format type that should be written to the Certificate's target Secret. + type: string + enum: + - DER + - CombinedPEM + commonName: + description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. + type: array + items: + type: string + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + emailAddresses: + description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. + type: array + items: + type: string + encodeUsagesInRequest: + description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest + type: boolean + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + keystores: + description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + literalSubject: + description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook. + type: string + privateKey: + description: Options to control private keys used for the Certificate. + type: object + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. + type: string + enum: + - RSA + - ECDSA + - Ed25519 + encoding: + description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + enum: + - PKCS1 + - PKCS8 + rotationPolicy: + description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + type: string + enum: + - Never + - Always + size: + description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + type: integer + renewBefore: + description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: + description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + type: integer + format: int32 + secretName: + description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: + description: Annotations is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + labels: + description: Labels is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. + type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uris: + description: URIs is a list of URI subjectAltNames to be set on the Certificate. + type: array + items: + type: string + usages: + description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: Status of the Certificate. This is set and managed automatically. + type: object + properties: + conditions: + description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. + type: array + items: + description: CertificateCondition contains condition information for an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. + type: string + format: date-time + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. + type: string + format: date-time + notBefore: + description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. + type: string + format: date-time + renewalTime: + description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. + type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." + type: integer + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: challenges.acme.cert-manager.io + labels: + app: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + # Generated labels {{- include "labels" . | nindent 4 }} +spec: + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + properties: + authorizationURL: + description: The URL to the ACME Authorization resource that this challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + key: + description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' + type: string + solver: + description: Contains the domain solving configuration that should be used to solve this challenge resource. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + token: + description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". + type: string + enum: + - HTTP-01 + - DNS-01 + url: + description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. + type: boolean + status: + type: object + properties: + presented: + description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io + labels: + app: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/instance: "{{ .Release.Name }}" + # Generated labels {{- include "labels" . | nindent 4 }} +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + categories: + - cert-manager + scope: Cluster + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + type: object + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. + type: string + format: byte + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' + type: string + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + type: array + items: + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. + type: string + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. + type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + kubernetes: + description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + type: object + required: + - role + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceAccountRef: + description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + name: + description: Name of the ServiceAccount used to request a token. + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. + type: string + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + type: object + properties: + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + type: string + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io + labels: + app: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/instance: "{{ .Release.Name }}" + # Generated labels {{- include "labels" . | nindent 4 }} +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + type: object + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. + type: string + format: byte + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' + type: string + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + type: array + items: + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. + type: string + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. + type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + kubernetes: + description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + type: object + required: + - role + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceAccountRef: + description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + name: + description: Name of the ServiceAccount used to request a token. + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. + type: string + status: + description: Status of the Issuer. This is set and managed automatically. + type: object + properties: + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + type: string + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io + labels: + app: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/name: '{{ template "cert-manager.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + # Generated labels {{- include "labels" . | nindent 4 }} +spec: + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - issuerRef + - request + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + duration: + description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + request: + description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. + type: string + format: byte + status: + type: object + properties: + authorizations: + description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. + type: array + items: + description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. + type: object + required: + - url + properties: + challenges: + description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. + type: array + items: + description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. + type: object + required: + - token + - type + - url + properties: + token: + description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. + type: string + identifier: + description: Identifier is the DNS name to be validated as part of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL is the URL of the Authorization that must be completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + certificate: + description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. + type: string + format: byte + failureTime: + description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. + type: string + format: date-time + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. + type: string + served: true + storage: true +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/deployment.yaml new file mode 100644 index 0000000..aea5736 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/deployment.yaml @@ -0,0 +1,204 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cert-manager.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ template "cert-manager.name" . }} + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- with .Values.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ template "cert-manager.name" . }} + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }} + {{- if not .Values.podAnnotations }} + annotations: + {{- end }} + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + {{- end }} + spec: + serviceAccountName: {{ template "cert-manager.serviceAccountName" . }} + {{- if hasKey .Values "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- end }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-controller + {{- with .Values.image }} + image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- if .Values.global.logLevel }} + - --v={{ .Values.global.logLevel }} + {{- end }} + {{- if .Values.clusterResourceNamespace }} + - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }} + {{- else }} + - --cluster-resource-namespace=$(POD_NAMESPACE) + {{- end }} + {{- with .Values.global.leaderElection }} + - --leader-election-namespace={{ .namespace }} + {{- if .leaseDuration }} + - --leader-election-lease-duration={{ .leaseDuration }} + {{- end }} + {{- if .renewDeadline }} + - --leader-election-renew-deadline={{ .renewDeadline }} + {{- end }} + {{- if .retryPeriod }} + - --leader-election-retry-period={{ .retryPeriod }} + {{- end }} + {{- end }} + {{- with .Values.acmesolver.image }} + - --acme-http01-solver-image={{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}} + {{- end }} + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.ingressShim }} + {{- if .defaultIssuerName }} + - --default-issuer-name={{ .defaultIssuerName }} + {{- end }} + {{- if .defaultIssuerKind }} + - --default-issuer-kind={{ .defaultIssuerKind }} + {{- end }} + {{- if .defaultIssuerGroup }} + - --default-issuer-group={{ .defaultIssuerGroup }} + {{- end }} + {{- end }} + {{- if .Values.featureGates }} + - --feature-gates={{ .Values.featureGates }} + {{- end }} + {{- if .Values.maxConcurrentChallenges }} + - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }} + {{- end }} + {{- if .Values.enableCertificateOwnerRef }} + - --enable-certificate-owner-ref=true + {{- end }} + {{- if .Values.dns01RecursiveNameserversOnly }} + - --dns01-recursive-nameservers-only=true + {{- end }} + {{- with .Values.dns01RecursiveNameservers }} + - --dns01-recursive-nameservers={{ . }} + {{- end }} + ports: + - containerPort: 9402 + name: http-metrics + protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.http_proxy }} + - name: HTTP_PROXY + value: {{ . }} + {{- end }} + {{- with .Values.https_proxy }} + - name: HTTPS_PROXY + value: {{ . }} + {{- end }} + {{- with .Values.no_proxy }} + - name: NO_PROXY + value: {{ . }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + + {{- with .Values.livenessProbe }} + {{- if .enabled }} + # LivenessProbe settings are based on those used for the Kubernetes + # controller-manager. See: + # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + livenessProbe: + httpGet: + port: http-healthz + path: /livez + scheme: HTTP + initialDelaySeconds: {{ .initialDelaySeconds }} + periodSeconds: {{ .periodSeconds }} + timeoutSeconds: {{ .timeoutSeconds }} + successThreshold: {{ .successThreshold }} + failureThreshold: {{ .failureThreshold }} + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podDnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.podDnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/networkpolicy-egress.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/networkpolicy-egress.yaml new file mode 100644 index 0000000..0971200 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/networkpolicy-egress.yaml @@ -0,0 +1,23 @@ +{{- if .Values.webhook.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "webhook.fullname" . }}-allow-egress + namespace: {{ include "cert-manager.namespace" . }} +spec: + egress: + {{- with .Values.webhook.networkPolicy.egress }} + {{- toYaml . | nindent 2 }} + {{- end }} + podSelector: + matchLabels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- with .Values.webhook.podLabels }} + {{- toYaml . | nindent 6 }} + {{- end }} + policyTypes: + - Egress +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/networkpolicy-webhooks.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/networkpolicy-webhooks.yaml new file mode 100644 index 0000000..349877a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/networkpolicy-webhooks.yaml @@ -0,0 +1,25 @@ +{{- if .Values.webhook.networkPolicy.enabled }} + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "webhook.fullname" . }}-allow-ingress + namespace: {{ include "cert-manager.namespace" . }} +spec: + ingress: + {{- with .Values.webhook.networkPolicy.ingress }} + {{- toYaml . | nindent 2 }} + {{- end }} + podSelector: + matchLabels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- with .Values.webhook.podLabels }} + {{- toYaml . | nindent 6 }} + {{- end }} + policyTypes: + - Ingress + +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..dab75ce --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if .Values.podDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "cert-manager.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + + {{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp-clusterrole.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp-clusterrole.yaml new file mode 100644 index 0000000..1d40a02 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cert-manager.fullname" . }}-psp + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "cert-manager.fullname" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp-clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp-clusterrolebinding.yaml new file mode 100644 index 0000000..4f09b6b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-psp + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp.yaml new file mode 100644 index 0000000..9e99f5c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/psp.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cert-manager.fullname" . }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/rbac.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/rbac.yaml new file mode 100644 index 0000000..830e372 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/rbac.yaml @@ -0,0 +1,544 @@ +{{- if .Values.global.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "cert-manager.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] + +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "cert-manager.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cert-manager.fullname" . }}:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + +--- + +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-issuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- + +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificates + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-orders + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update", "patch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-challenges + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update", "patch"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [ "gateway.networking.k8s.io" ] + resources: [ "httproutes" ] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. + # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- + +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways", "httproutes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-issuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-issuers +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificates + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-certificates +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-orders + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-orders +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-challenges + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-challenges +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-view + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- if .Values.global.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] + + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-edit + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- if .Values.global.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + +--- + +# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["signers"] + verbs: ["approve"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +# Permission to: +# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers +# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + verbs: ["sign"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/service.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/service.yaml new file mode 100644 index 0000000..ec34d58 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.prometheus.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "cert-manager.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- with .Values.serviceAnnotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- with .Values.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} + selector: + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..6026842 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- with .Values.serviceAccount.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/servicemonitor.yaml new file mode 100644 index 0000000..9d9e899 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/servicemonitor.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "cert-manager.fullname" . }} +{{- if .Values.prometheus.servicemonitor.namespace }} + namespace: {{ .Values.prometheus.servicemonitor.namespace }} +{{- else }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }} + {{- with .Values.prometheus.servicemonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if .Values.prometheus.servicemonitor.annotations }} + annotations: + {{- with .Values.prometheus.servicemonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +spec: + jobLabel: {{ template "cert-manager.fullname" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- if .Values.prometheus.servicemonitor.namespace }} + namespaceSelector: + matchNames: + - {{ include "cert-manager.namespace" . }} +{{- end }} + endpoints: + - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} + path: {{ .Values.prometheus.servicemonitor.path }} + interval: {{ .Values.prometheus.servicemonitor.interval }} + scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }} + honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-job.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-job.yaml new file mode 100644 index 0000000..a9b965e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-job.yaml @@ -0,0 +1,88 @@ +{{- if .Values.startupapicheck.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "startupapicheck.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.jobAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + backoffLimit: {{ .Values.startupapicheck.backoffLimit }} + template: + metadata: + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 8 }} + {{- with .Values.startupapicheck.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + restartPolicy: OnFailure + serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }} + {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }} + {{- end }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.startupapicheck.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-startupapicheck + {{- with .Values.startupapicheck.image }} + image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }} + args: + - check + - api + - --wait={{ .Values.startupapicheck.timeout }} + {{- with .Values.startupapicheck.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.startupapicheck.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.startupapicheck.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.startupapicheck.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.startupapicheck.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml new file mode 100644 index 0000000..dacd4be --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml @@ -0,0 +1,24 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "startupapicheck.fullname" . }}-psp + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.rbac.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "startupapicheck.fullname" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml new file mode 100644 index 0000000..54d5a42 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "startupapicheck.fullname" . }}-psp + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.rbac.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "startupapicheck.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "startupapicheck.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp.yaml new file mode 100644 index 0000000..f09d60d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-psp.yaml @@ -0,0 +1,51 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "startupapicheck.fullname" . }} + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} + {{- with .Values.startupapicheck.rbac.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'projected' + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-rbac.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-rbac.yaml new file mode 100644 index 0000000..606e725 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-rbac.yaml @@ -0,0 +1,48 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.global.rbac.create }} +# create certificate role +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "startupapicheck.fullname" . }}:create-cert + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.rbac.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "startupapicheck.fullname" . }}:create-cert + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.rbac.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "startupapicheck.fullname" . }}:create-cert +subjects: + - kind: ServiceAccount + name: {{ template "startupapicheck.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml new file mode 100644 index 0000000..8c41760 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml @@ -0,0 +1,27 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.startupapicheck.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "startupapicheck.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + {{- with .Values.startupapicheck.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.serviceAccount.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-config.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-config.yaml new file mode 100644 index 0000000..f3f72f0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-config.yaml @@ -0,0 +1,25 @@ +{{- if .Values.webhook.config -}} + {{- if not .Values.webhook.config.apiVersion -}} + {{- fail "webhook.config.apiVersion must be set" -}} + {{- end -}} + + {{- if not .Values.webhook.config.kind -}} + {{- fail "webhook.config.kind must be set" -}} + {{- end -}} +{{- end -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "webhook.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +data: + {{- if .Values.webhook.config }} + config.yaml: | + {{ .Values.webhook.config | toYaml | nindent 4 }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-deployment.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-deployment.yaml new file mode 100644 index 0000000..043c4b1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-deployment.yaml @@ -0,0 +1,185 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "webhook.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- with .Values.webhook.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 8 }} + {{- with .Values.webhook.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhook.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "webhook.serviceAccountName" . }} + {{- if hasKey .Values.webhook "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }} + {{- end }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.webhook.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.webhook.hostNetwork }} + hostNetwork: true + {{- end }} + containers: + - name: {{ .Chart.Name }}-webhook + {{- with .Values.webhook.image }} + image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} + args: + {{- if .Values.global.logLevel }} + - --v={{ .Values.global.logLevel }} + {{- end }} + {{- if .Values.webhook.config }} + - --config=/var/cert-manager/config/config.yaml + {{- end }} + {{- $config := default .Values.webhook.config "" }} + {{ if not $config.securePort -}} + - --secure-port={{ .Values.webhook.securePort }} + {{- end }} + {{- if .Values.featureGates }} + - --feature-gates={{ .Values.featureGates }} + {{- end }} + {{- $tlsConfig := default $config.tlsConfig "" }} + {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}} + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca + - --dynamic-serving-dns-names={{ template "webhook.fullname" . }} + - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE) + - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc + {{ if .Values.webhook.url.host }} + - --dynamic-serving-dns-names={{ .Values.webhook.url.host }} + {{- end }} + {{- end }} + {{- with .Values.webhook.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - name: https + protocol: TCP + {{- if $config.securePort }} + containerPort: {{ $config.securePort }} + {{- else if .Values.webhook.securePort }} + containerPort: {{ .Values.webhook.securePort }} + {{- else }} + containerPort: 6443 + {{- end }} + - name: healthcheck + protocol: TCP + {{- if $config.healthzPort }} + containerPort: {{ $config.healthzPort }} + {{- else }} + containerPort: 6080 + {{- end }} + livenessProbe: + httpGet: + path: /livez + {{- if $config.healthzPort }} + port: {{ $config.healthzPort }} + {{- else }} + port: 6080 + {{- end }} + scheme: HTTP + initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + {{- if $config.healthzPort }} + port: {{ $config.healthzPort }} + {{- else }} + port: 6080 + {{- end }} + scheme: HTTP + initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }} + {{- with .Values.webhook.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.webhook.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if or .Values.webhook.config .Values.webhook.volumeMounts }} + volumeMounts: + {{- if .Values.webhook.config }} + - name: config + mountPath: /var/cert-manager/config + {{- end }} + {{- if .Values.webhook.volumeMounts }} + {{- toYaml .Values.webhook.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- with .Values.webhook.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhook.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhook.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.webhook.config .Values.webhook.volumes }} + volumes: + {{- if .Values.webhook.config }} + - name: config + configMap: + name: {{ include "webhook.fullname" . }} + {{- end }} + {{- if .Values.webhook.volumes }} + {{- toYaml .Values.webhook.volumes | nindent 8 }} + {{- end }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-mutating-webhook.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-mutating-webhook.yaml new file mode 100644 index 0000000..f3db011 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-mutating-webhook.yaml @@ -0,0 +1,46 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "webhook.fullname" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }} + {{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + {{- if .Values.webhook.url.host }} + url: https://{{ .Values.webhook.url.host }}/mutate + {{- else }} + service: + name: {{ template "webhook.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + path: /mutate + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml new file mode 100644 index 0000000..c8a357c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if .Values.webhook.podDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "webhook.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + + {{- with .Values.webhook.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.webhook.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp-clusterrole.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp-clusterrole.yaml new file mode 100644 index 0000000..f6fa4c5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "webhook.fullname" . }}-psp + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "webhook.fullname" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml new file mode 100644 index 0000000..858df8f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "webhook.fullname" . }}-psp + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "webhook.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp.yaml new file mode 100644 index 0000000..4d5d959 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-psp.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "webhook.fullname" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: {{ .Values.webhook.hostNetwork }} + {{- if .Values.webhook.hostNetwork }} + hostPorts: + - max: {{ .Values.webhook.securePort }} + min: {{ .Values.webhook.securePort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-rbac.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-rbac.yaml new file mode 100644 index 0000000..b075ffd --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-rbac.yaml @@ -0,0 +1,83 @@ +{{- if .Values.global.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "webhook.fullname" . }}:dynamic-serving + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: + - '{{ template "webhook.fullname" . }}-ca' + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "webhook.fullname" . }}:dynamic-serving + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "webhook.fullname" . }}:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "webhook.fullname" . }}:subjectaccessreviews + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +rules: +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "webhook.fullname" . }}:subjectaccessreviews + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "webhook.fullname" . }}:subjectaccessreviews +subjects: +- apiGroup: "" + kind: ServiceAccount + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-service.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-service.yaml new file mode 100644 index 0000000..5f93950 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-service.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "webhook.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- with .Values.webhook.serviceAnnotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} + {{- with .Values.webhook.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.webhook.serviceType }} + {{- with .Values.webhook.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + ports: + - name: https + port: 443 + protocol: TCP + targetPort: "https" + selector: + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-serviceaccount.yaml new file mode 100644 index 0000000..dff5c06 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.webhook.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "webhook.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + {{- with .Values.webhook.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} + {{- with .Values.webhook.serviceAccount.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-validating-webhook.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-validating-webhook.yaml new file mode 100644 index 0000000..a5d168e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/templates/webhook-validating-webhook.yaml @@ -0,0 +1,55 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "webhook.fullname" . }} + labels: + app: {{ include "webhook.name" . }} + app.kubernetes.io/name: {{ include "webhook.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "webhook" + {{- include "labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}} + {{- with .Values.webhook.validatingWebhookConfigurationAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - {{ include "cert-manager.namespace" . }} + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} + failurePolicy: Fail + sideEffects: None + clientConfig: + {{- if .Values.webhook.url.host }} + url: https://{{ .Values.webhook.url.host }}/validate + {{- else }} + service: + name: {{ template "webhook.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + path: /validate + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/cert-manager/values.yaml b/kubernetes/Charts/gitlab/charts/cert-manager/values.yaml new file mode 100644 index 0000000..66df39a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/cert-manager/values.yaml @@ -0,0 +1,692 @@ +# Default values for cert-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + # Reference to one or more secrets to be used when pulling images + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imagePullSecrets: [] + # - name: "image-pull-secret" + + # Labels to apply to all resources + # Please note that this does not add labels to the resources created dynamically by the controllers. + # For these resources, you have to add the labels in the template in the cert-manager custom resource: + # eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + # ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress + # eg. secretTemplate in CertificateSpec + # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec + commonLabels: {} + # team_name: dev + + # Optional priority class to be used for the cert-manager pods + priorityClassName: "" + rbac: + create: true + # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + aggregateClusterRoles: true + + podSecurityPolicy: + enabled: false + useAppArmor: true + + # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + logLevel: 2 + + leaderElection: + # Override the namespace used for the leader election lease + namespace: "kube-system" + + # The duration that non-leader candidates will wait after observing a + # leadership renewal until attempting to acquire leadership of a led but + # unrenewed leader slot. This is effectively the maximum duration that a + # leader can be stopped before it is replaced by another candidate. + # leaseDuration: 60s + + # The interval between attempts by the acting master to renew a leadership + # slot before it stops leading. This must be less than or equal to the + # lease duration. + # renewDeadline: 40s + + # The duration the clients should wait between attempting acquisition and + # renewal of a leadership. + # retryPeriod: 15s + +installCRDs: false + +replicaCount: 1 + +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + +podDisruptionBudget: + enabled: false + + minAvailable: 1 + # maxUnavailable: 1 + + # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) + # or a percentage value (e.g. 25%) + +# Comma separated list of feature gates that should be enabled on the controller +# Note: do not use this field to pass feature gate values into webhook +# component as this behaviour relies on a bug that will be fixed in cert-manager 1.13 +# https://github.com/cert-manager/cert-manager/pull/6093 +# Use webhook.extraArgs to pass --feature-gates flag directly instead. +featureGates: "" + +# The maximum number of challenges that can be scheduled as 'processing' at once +maxConcurrentChallenges: 60 + +image: + repository: quay.io/jetstack/cert-manager-controller + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-controller + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + pullPolicy: IfNotPresent + +# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within is +# used. This namespace will not be automatically created by the Helm chart. +clusterResourceNamespace: "" + +# This namespace allows you to define where the services will be installed into +# if not set then they will use the namespace of the release +# This is helpful when installing cert manager as a chart dependency (sub chart) +namespace: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + # Automount API credentials for a Service Account. + # Optional additional labels to add to the controller's ServiceAccount + # labels: {} + automountServiceAccountToken: true + +# Automounting API credentials for a particular pod +# automountServiceAccountToken: true + +# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted +enableCertificateOwnerRef: false + +# Setting Nameservers for DNS01 Self Check +# See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check + +# Comma separated string with host and port of the recursive nameservers cert-manager should query +dns01RecursiveNameservers: "" + +# Forces cert-manager to only use the recursive nameservers for verification. +# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers +dns01RecursiveNameserversOnly: false + +# Additional command line flags to pass to cert-manager controller binary. +# To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +extraArgs: [] + # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver + # - --controllers=*,-certificaterequests-approver + +extraEnv: [] +# - name: SOME_VAR +# value: 'some value' + +resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + +# Pod Security Context +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +# Container Security Context to be set on the controller component container +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + +volumes: [] + +volumeMounts: [] + +# Optional additional annotations to add to the controller Deployment +# deploymentAnnotations: {} + +# Optional additional annotations to add to the controller Pods +# podAnnotations: {} + +podLabels: {} + +# Optional annotations to add to the controller Service +# serviceAnnotations: {} + +# Optional additional labels to add to the controller Service +# serviceLabels: {} + +# Optional DNS settings, useful if you have a public and private DNS zone for +# the same domain on Route 53. What follows is an example of ensuring +# cert-manager can access an ingress or DNS TXT records at all times. +# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for +# the cluster to work. +# podDnsPolicy: "None" +# podDnsConfig: +# nameservers: +# - "1.1.1.1" +# - "8.8.8.8" + +nodeSelector: + kubernetes.io/os: linux + +ingressShim: {} + # defaultIssuerName: "" + # defaultIssuerKind: "" + # defaultIssuerGroup: "" + +prometheus: + enabled: true + servicemonitor: + enabled: false + prometheusInstance: default + targetPort: 9402 + path: /metrics + interval: 60s + scrapeTimeout: 30s + labels: {} + annotations: {} + honorLabels: false + +# Use these variables to configure the HTTP_PROXY environment variables +# http_proxy: "http://proxy:8080" +# https_proxy: "https://proxy:8080" +# no_proxy: 127.0.0.1,localhost + +# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core +# for example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master +affinity: {} + +# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core +# for example: +# tolerations: +# - key: foo.bar.com/role +# operator: Equal +# value: master +# effect: NoSchedule +tolerations: [] + +# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core +# for example: +# topologySpreadConstraints: +# - maxSkew: 2 +# topologyKey: topology.kubernetes.io/zone +# whenUnsatisfiable: ScheduleAnyway +# labelSelector: +# matchLabels: +# app.kubernetes.io/instance: cert-manager +# app.kubernetes.io/component: controller +topologySpreadConstraints: [] + +# LivenessProbe settings for the controller container of the controller Pod. +# +# Disabled by default, because the controller has a leader election mechanism +# which should cause it to exit if it is unable to renew its leader election +# record. +# LivenessProbe durations and thresholds are based on those used for the Kubernetes +# controller-manager. See: +# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 +livenessProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 8 + +webhook: + replicaCount: 1 + timeoutSeconds: 10 + + # Used to configure options for the webhook pod. + # This allows setting options that'd usually be provided via flags. + # An APIVersion and Kind must be specified in your values.yaml file. + # Flags will override options that are set here. + config: + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. + # This should be uncommented and set as a default by the chart once we graduate + # the apiVersion of WebhookConfiguration past v1alpha1. + # securePort: 10250 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + # Pod Security Context to be set on the webhook component Pod + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + enabled: false + + minAvailable: 1 + # maxUnavailable: 1 + + # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) + # or a percentage value (e.g. 25%) + + # Container Security Context to be set on the webhook component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + # Optional additional annotations to add to the webhook Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the webhook Pods + # podAnnotations: {} + + # Optional additional annotations to add to the webhook Service + # serviceAnnotations: {} + + # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # mutatingWebhookConfigurationAnnotations: {} + + # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # validatingWebhookConfigurationAnnotations: {} + + # Additional command line flags to pass to cert-manager webhook binary. + # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + extraArgs: [] + # Path to a file containing a WebhookConfiguration object used to configure the webhook + # - --config= + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + + nodeSelector: + kubernetes.io/os: linux + + affinity: {} + + tolerations: [] + + topologySpreadConstraints: [] + + # Optional additional labels to add to the Webhook Pods + podLabels: {} + + # Optional additional labels to add to the Webhook Service + serviceLabels: {} + + image: + repository: quay.io/jetstack/cert-manager-webhook + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-webhook + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + # Optional additional labels to add to the webhook's ServiceAccount + # labels: {} + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + + # Automounting API credentials for a particular pod + # automountServiceAccountToken: true + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + securePort: 10250 + + # Specifies if the webhook should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + # + # Since the default port for the webhook conflicts with kubelet on the host + # network, `webhook.securePort` should be changed to an available port if + # running in hostNetwork mode. + hostNetwork: false + + # Specifies how the service should be handled. Useful if you want to expose the + # webhook to outside of the cluster. In some cases, the control plane cannot + # reach internal services. + serviceType: ClusterIP + # loadBalancerIP: + + # Overrides the mutating webhook and validating webhook so they reach the webhook + # service using the `url` field instead of a service. + url: {} + # host: + + # Enables default network policies for webhooks. + networkPolicy: + enabled: false + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + egress: + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + # On OpenShift and OKD, the Kubernetes API server listens on + # port 6443. + - port: 6443 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 + + volumes: [] + volumeMounts: [] + +cainjector: + enabled: true + replicaCount: 1 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + # Pod Security Context to be set on the cainjector component Pod + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + enabled: false + + minAvailable: 1 + # maxUnavailable: 1 + + # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) + # or a percentage value (e.g. 25%) + + # Container Security Context to be set on the cainjector component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + + # Optional additional annotations to add to the cainjector Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the cainjector Pods + # podAnnotations: {} + + # Additional command line flags to pass to cert-manager cainjector binary. + # To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + extraArgs: [] + # Enable profiling for cainjector + # - --enable-profiling=true + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: + kubernetes.io/os: linux + + affinity: {} + + tolerations: [] + + topologySpreadConstraints: [] + + # Optional additional labels to add to the CA Injector Pods + podLabels: {} + + image: + repository: quay.io/jetstack/cert-manager-cainjector + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-cainjector + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + # Automount API credentials for a Service Account. + # Optional additional labels to add to the cainjector's ServiceAccount + # labels: {} + automountServiceAccountToken: true + + # Automounting API credentials for a particular pod + # automountServiceAccountToken: true + + volumes: [] + volumeMounts: [] + +acmesolver: + image: + repository: quay.io/jetstack/cert-manager-acmesolver + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-acmesolver + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + +# This startupapicheck is a Helm post-install hook that waits for the webhook +# endpoints to become available. +# The check is implemented using a Kubernetes Job- if you are injecting mesh +# sidecar proxies into cert-manager pods, you probably want to ensure that they +# are not injected into this Job's pod. Otherwise the installation may time out +# due to the Job never being completed because the sidecar proxy does not exit. +# See https://github.com/cert-manager/cert-manager/pull/4414 for context. +startupapicheck: + enabled: true + + # Pod Security Context to be set on the startupapicheck component Pod + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container Security Context to be set on the controller component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + # Timeout for 'kubectl check api' command + timeout: 1m + + # Job backoffLimit + backoffLimit: 4 + + # Optional additional annotations to add to the startupapicheck Job + jobAnnotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + + # Optional additional annotations to add to the startupapicheck Pods + # podAnnotations: {} + + # Additional command line flags to pass to startupapicheck binary. + # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: + kubernetes.io/os: linux + + affinity: {} + + tolerations: [] + + # Optional additional labels to add to the startupapicheck Pods + podLabels: {} + + image: + repository: quay.io/jetstack/cert-manager-ctl + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-ctl + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + pullPolicy: IfNotPresent + + rbac: + # annotations for the startup API Check job RBAC and PSP resources + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + + # Automounting API credentials for a particular pod + # automountServiceAccountToken: true + + serviceAccount: + # Specifies whether a service account should be created + create: true + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + + # Optional additional annotations to add to the Job's ServiceAccount + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + + # Optional additional labels to add to the startupapicheck's ServiceAccount + # labels: {} + + volumes: [] + volumeMounts: [] diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/Chart.yaml b/kubernetes/Charts/gitlab/charts/certmanager-issuer/Chart.yaml new file mode 100644 index 0000000..4345d8a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +appVersion: 0.2.2 +description: Configuration Job to add LetsEncrypt Issuer to cert-manager +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- cert-manager +- tls +- letsencrypt +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: certmanager-issuer +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/certmanager-issuer +- https://gitlab.com/gitlab-org/build/CNG/tree/master/kubectl +- https://github.com/jetstack/cert-manager +version: 0.1.0 diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_create_issuer.sh b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_create_issuer.sh new file mode 100644 index 0000000..57b318b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_create_issuer.sh @@ -0,0 +1,12 @@ +#!/bin/bash +set -e ; + +issuer_file=$1 +namespace={{ .Release.Namespace }} + +echo "Creating the certmanager issuer..." +set +e ; # The CRD may not exist yet. We need to retry until this passes +while ! kubectl --namespace=$namespace apply -f ${issuer_file:=issuer.yml}; do + sleep 1; +done ; +set -e ; # reset `e` as active diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_helpers.tpl new file mode 100644 index 0000000..9759cd2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "certmanager-issuer.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "certmanager-issuer.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified job name. +Due to the job only being allowed to run once, we add the chart revision so helm +upgrades don't cause errors trying to create the already ran job. +Due to the helm delete not cleaning up these jobs, we add a random value to +reduce collision +*/}} +{{- define "certmanager-issuer.jobname" -}} +{{- $name := printf "%s-issuer" .Release.Name | trunc 55 | trimSuffix "-" -}} +{{- printf "%s-%d" $name .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Returns the http01 solver's ingress class field. Takes the IngressClass as paramter. +If the IngressClass is "none", the field is not set. + See: https://cert-manager.io/docs/configuration/acme/http01/#class +*/}} +{{- define "certmanager-issuer.http01.ingress.class.field" -}} +{{- $ingressClass := . | default "" -}} +{{- if ne "none" $ingressClass -}} +class: {{ $ingressClass }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_issuer.yaml b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_issuer.yaml new file mode 100644 index 0000000..5061d4f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/_issuer.yaml @@ -0,0 +1,27 @@ +{{ if (pluck "configureCertmanager" .Values.global.ingress (dict "configureCertmanager" false) | first) }} +{{- $ingressCfg := dict "global" $.Values.global.ingress "local" .ingress "context" $ -}} +{{- $ingressClassName := include "ingress.class.name" $ingressCfg -}} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Release.Name }}-issuer + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + acme: + # The ACME server URL + server: {{ .Values.server | quote }} + # Email address used for ACME registration + email: {{ required "You must provide an email to associate with your TLS certificates. Please set certmanager-issuer.email" .Values.email | quote }} + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: {{ .Release.Name }}-acme-key + # Enable the HTTP-01 challenge provider + solvers: + - selector: {} + http01: + ingress: + {{ include "certmanager-issuer.http01.ingress.class.field" $ingressClassName -}} +{{ end }} diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/cert-manager.yml b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/cert-manager.yml new file mode 100644 index 0000000..2a59eb0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/cert-manager.yml @@ -0,0 +1,15 @@ +{{ if (pluck "configureCertmanager" .Values.global.ingress (dict "configureCertmanager" false) | first) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-certmanager + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + create-issuer: | +{{ include (print $.Template.BasePath "/_create_issuer.sh") . | indent 4 }} + issuer.yml: | +{{ include (print $.Template.BasePath "/_issuer.yaml") . | indent 4 }} +{{ end }} diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/issuer-job.yaml b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/issuer-job.yaml new file mode 100644 index 0000000..7878755 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/issuer-job.yaml @@ -0,0 +1,43 @@ +{{ if (pluck "configureCertmanager" .Values.global.ingress (dict "configureCertmanager" false) | first) }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.global.kubectl.image -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "certmanager-issuer.jobname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 300 + template: + metadata: + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + securityContext: + runAsUser: {{ .Values.global.kubectl.securityContext.runAsUser }} + fsGroup: {{ .Values.global.kubectl.securityContext.fsGroup }} + {{- if .Values.rbac.create }} + serviceAccountName: {{ template "fullname" . }} + {{- end }} + restartPolicy: OnFailure + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6}} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + containers: + - name: create-issuer + image: {{ include "gitlab.kubectl.image" . }} + command: ['/bin/bash', '/scripts/create-issuer', '/scripts/issuer.yml'] + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + volumeMounts: + - name: scripts + mountPath: /scripts + resources: +{{ toYaml .Values.resources | indent 12 }} + volumes: + - name: scripts + configMap: + name: {{ template "fullname" . }}-certmanager +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/rbac-config.yaml b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/rbac-config.yaml new file mode 100644 index 0000000..78fed4a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/templates/rbac-config.yaml @@ -0,0 +1,41 @@ +{{ if and .Values.rbac.create (pluck "configureCertmanager" .Values.global.ingress (dict "configureCertmanager" false) | first) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + namespace: {{ .Release.Namespace }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "update", "create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + app: {{ template "name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/certmanager-issuer/values.yaml b/kubernetes/Charts/gitlab/charts/certmanager-issuer/values.yaml new file mode 100644 index 0000000..ac41524 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/certmanager-issuer/values.yaml @@ -0,0 +1,18 @@ +# Configure an ACME Issuer in cert-manager. Only used if global.ingress.configureCertmanager is true. +server: https://acme-v02.api.letsencrypt.org/directory + +# Provide an email to associate with your TLS certificates +# email: + +rbac: + create: true + +resources: + requests: + cpu: 50m + +# Priority class assigned to pods +priorityClassName: "" + +common: + labels: {} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab-ci.yml b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab-ci.yml new file mode 100644 index 0000000..a769ac8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab-ci.yml @@ -0,0 +1,220 @@ +############## +# Conditions # +############## + +.if-merge-request-pipeline: &if-merge-request-pipeline + if: $CI_PIPELINE_SOURCE == "merge_request_event" + +.if-default-branch: &if-default-branch + if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + +.if-stable-release-branch: &if-stable-release-branch + if: $CI_COMMIT_REF_NAME =~ /\A[0-9]+-[0-9]+-stable\z/ + +.if-release-tag: &if-release-tag + if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/charts/gitlab-runner"' + +.if-security-release-tag: &if-security-release-tag + if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/security/charts/gitlab-runner"' + +######### +# Rules # +######### + +.rules:default: + rules: + - <<: *if-merge-request-pipeline + - <<: *if-default-branch + - <<: *if-stable-release-branch + - <<: *if-release-tag + - <<: *if-security-release-tag + +.rules:release:development: + rules: + - <<: *if-default-branch + when: never + - <<: *if-merge-request-pipeline + when: manual + +.rules:release:beta: + rules: + - <<: *if-default-branch + +.rules:release:stable: + rules: + - <<: *if-release-tag + - <<: *if-security-release-tag + +############ +# Pipeline # +############ + +default: + image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base-helm-3.7 + tags: + - gitlab-org + +variables: + GIT_CLONE_PATH: $CI_BUILDS_DIR/gitlab-runner + ALPINE_IMAGE_TAG: "3.18" + HELM_UNITTEST_PLUGIN_VERSION: "0.3.4" + KIND_VERSION: "v0.20.0" + KUBECTL_VERSION: "v1.27.4" + +stages: +- test +- release +- post-release + +lint: + extends: + - .rules:default + stage: test + script: + - helm lint . + +unit_tests: + extends: + - .rules:default + script: + - helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${HELM_UNITTEST_PLUGIN_VERSION} + - helm unittest . + +.integration_test: + extends: + - .rules:default + variables: + DOCKER_HOST: "tcp://kubernetes:2375/" + DOCKER_TLS_CERTDIR: "" + DOCKER_DRIVER: overlay2 + INTEGRATION_HELM_POD_RELEASE_LABEL: release=$INTEGRATION_RUNNER_NAME + stage: test + services: + - name: docker:20.10.16-dind + alias: kubernetes + image: docker:20.10.16-git + before_script: + - apk add --no-cache openssl curl bash curl-dev + - bash scripts/check_token.sh "${TOKEN_TYPE}" "${TOKEN}" + script: + # Initialize KIND cluster + - curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl + - curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64 && chmod +x /usr/local/bin/kind + - kind create cluster --config=$(pwd)/scripts/kind-config.yaml + - kind get kubeconfig|sed -e 's/0.0.0.0/kubernetes/g' > kubeconfig.yaml + - export KUBECONFIG=$(pwd)/kubeconfig.yaml + - kubectl version + - kubectl cluster-info + - bash -c "for _i in {0..60}; do kubectl -n default get serviceaccount default -o name > /dev/null 2>&1 && break; sleep 1; done" + - bash -c "for _i in {0..60}; do kubectl get nodes|grep -w Ready > /dev/null 2>&1 && break; sleep 1; done" + # Install helm latest version instead of pre-installed one in registry.gitlab.com/gitlab-org/gitlab-build-images image + - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash + # Run tests + - bash -x scripts/integration.sh "${TOKEN_TYPE}" "${TOKEN}" "${VALUE_YAML_FILE}" + after_script: + - > + [ ! -f $(pwd)/kubeconfig.yaml ] && exit 0 + - export KUBECONFIG=$(pwd)/kubeconfig.yaml + - bash -x scripts/integration_cleanup.sh + tags: + - gitlab-org-docker + +# Registration token is deprecated and will be removed in GitLab 18.0 +# This integration test also will be removed in GitLab 18.0 +integration test registration token: + extends: + - .integration_test + variables: + INTEGRATION_RUNNER_NAME: integration-test-$CI_COMMIT_SHORT_SHA-registration-token + TOKEN_TYPE: "registration" + TOKEN: $REGISTRATION_TOKEN + VALUE_YAML_FILE: "./values.yaml" + +integration test authentication token: + extends: + - .integration_test + variables: + INTEGRATION_RUNNER_NAME: integration-test-$CI_COMMIT_SHORT_SHA-authentication-token + TOKEN_TYPE: "authentication" + TOKEN: $AUTHENTICATION_TOKEN + VALUE_YAML_FILE: "./values.yaml" + +integration test mount empty dir: + extends: + - .integration_test + variables: + INTEGRATION_RUNNER_NAME: "integration-test-$CI_COMMIT_SHORT_SHA-empty-dir" + TOKEN_TYPE: "authentication" + TOKEN: $AUTHENTICATION_TOKEN + VALUE_YAML_FILE: "./scripts/empty-dir.yaml" + +release development: + extends: + - .rules:release:development + stage: release + script: + - helm package . + artifacts: + paths: + - gitlab-runner*.tgz + expire_in: 7d + allow_failure: true + +release beta: + extends: + - .rules:release:beta + stage: release + variables: + S3_URL: s3://${S3_BUCKET}${S3_PATH} + REPO_URL: https://${S3_BUCKET}.s3.amazonaws.com${S3_PATH} + script: + - apk add --no-cache py-pip + - pip install awscli + - 'beta_info=$(git describe --long | sed -r "s/v[0-9\.]+(-rc[0-9]+)?-//")' + - 'build_time=$(date +%s)' + - 'sed -r "s/(version: [0-9\.]+-beta)/\1-${build_time}-${beta_info}/" -i Chart.yaml' + - 'sed -r "s/appVersion: .*/appVersion: bleeding/" -i Chart.yaml' + - 'sed -r "s/imagePullPolicy: IfNotPresent/imagePullPolicy: Always/" -i values.yaml' + - mkdir -p public/ + - aws s3 cp ${S3_URL}/index.yaml public/index.yaml || true + - (cd public; helm package ../) + - helm repo index public --merge public/index.yaml --url ${REPO_URL} + - aws s3 sync public ${S3_URL} --acl public-read + - 'echo "To install repository run: helm repo add gitlab-runner-beta ${REPO_URL} && helm repo update"' + +release stable: + extends: + - .rules:release:stable + stage: release + image: alpine:${ALPINE_IMAGE_TAG} + script: + - apk add --no-cache curl + - curl --fail-with-body + --request POST + --form "token=$CI_JOB_TOKEN" + --form ref=master + --form "variables[CHART_NAME]=$CI_PROJECT_NAME" + --form "variables[RELEASE_REF]=$CI_COMMIT_REF_NAME" + https://gitlab.com/api/v4/projects/2860651/trigger/pipeline + +trigger charts update: + extends: + - .rules:release:stable + stage: post-release + image: alpine:${ALPINE_IMAGE_TAG} + script: + - apk add --no-cache curl + - curl --fail-with-body + --request POST + --form "token=${GITLAB_CHARTS_TRIGGER_TOKEN}" + --form ref=master + --form "variables[DEPS_PIPELINE]=true" + https://gitlab.com/api/v4/projects/3828396/trigger/pipeline + needs: + - job: release stable + +############## +# Includes # +############## +include: + - template: Security/Dependency-Scanning.gitlab-ci.yml diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/branch.release.yml b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/branch.release.yml new file mode 100644 index 0000000..e5dfc38 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/branch.release.yml @@ -0,0 +1,29 @@ +actions: + - changelog_entry: + scope: new-feature + entry: Update GitLab Runner version to v{{ .Release.AppVersion }} + + - write: + file: Chart.yaml + contents: | + apiVersion: v1 + name: gitlab-runner + version: {{ .Release.Version }} + appVersion: {{ .Release.AppVersion }} + description: GitLab Runner + keywords: + - git + - ci + - deploy + sources: + - https://gitlab.com/gitlab-org/charts/gitlab-runner + - https://gitlab.com/gitlab-org/gitlab-runner + - https://docs.gitlab.com/runner/ + icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png + maintainers: + - name: GitLab Inc. + email: support@gitlab.com + + - commit: + files: [Chart.yaml] + message: Update Chart version to v{{ .Release.Version }} and used GitLab Runner version to v{{ .Release.AppVersion }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/changelog.yml b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/changelog.yml new file mode 100644 index 0000000..67de73e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/changelog.yml @@ -0,0 +1,52 @@ +default_scope: other +names: + new-feature: New features + security-fix: Security fixes + fix: Bug fixes + maintenance: Maintenance + runner-distribution: GitLab Runner distribution + documentation: Documentation changes + other: Other changes +order: +- new-feature +- security-fix +- fix +- maintenance +- runner-distribution +- documentation +- other +label_matchers: +- labels: + - runner-distribution + scope: runner-distribution +- labels: + - feature::addition + scope: new-feature +- labels: + - security + scope: security-fix +- labels: + - type::bug + scope: fix +- labels: + - type::maintenance + scope: maintenance +- labels: + - feature::enhancement + scope: new-feature +- labels: + - maintenance::refactor + scope: maintenance +- labels: + - maintenance::pipelines + scope: maintenance +- labels: + - maintenance::workflow + scope: maintenance +- labels: + - documentation + scope: documentation +authorship_labels: +- Community contribution +skip_changelog_labels: +- skip-changelog diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/merge.release.yml b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/merge.release.yml new file mode 100644 index 0000000..18bc7e7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/.gitlab/merge.release.yml @@ -0,0 +1,25 @@ +actions: + - write: + file: Chart.yaml + contents: | + apiVersion: v1 + name: gitlab-runner + version: {{ .Release.VersionObject.NextMinor.StringNoPrefix }}-beta + appVersion: bleeding + description: GitLab Runner + keywords: + - git + - ci + - deploy + sources: + - https://gitlab.com/gitlab-org/charts/gitlab-runner + - https://gitlab.com/gitlab-org/gitlab-runner + - https://docs.gitlab.com/runner/ + icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png + maintainers: + - name: GitLab Inc. + email: support@gitlab.com + + - commit: + files: [Chart.yaml] + message: Update Chart version to {{ .Release.VersionObject.NextMinor }}-beta and used GitLab Runner version to bleeding diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/.helmignore b/kubernetes/Charts/gitlab/charts/gitlab-runner/.helmignore new file mode 100644 index 0000000..48ba9d6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +gitlab-runner*.tgz +scripts/ +tests/ diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/CHANGELOG.md b/kubernetes/Charts/gitlab/charts/gitlab-runner/CHANGELOG.md new file mode 100644 index 0000000..66eaa34 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/CHANGELOG.md @@ -0,0 +1,677 @@ +## v0.58.2 (2023-11-03) + +### Bug fixes + +- Update the default probeTimeoutSeconds to 3 seconds !448 + +## v0.58.1 (2023-10-24) + +### Bug fixes + +- Update liveness probe to support authentication token !446 + +## v0.58.0 (2023-10-20) + +### New features + +- Update GitLab Runner version to v16.5.0 +- Add shutdown_timeout flag for global section config !435 (Maxim Tacu @mtacu) + +### Bug fixes + +- Add missing rbac when debugging services !442 (Ismael Posada Trobo @iposadat) +- Adjust the runner image to match the configured podSecurityContext !434 (Harald Dunkel @hdunkel) +- Support for external secrets added via values.yaml envVars value; avoid setting volumes and volume mounts for nonexistent secrets !426 (Thomas Spear @tspearconquest) +- Make livenessProbe actually probe for a working runner !404 (fiskhest @fiskhest) +- helm: fix runners.config template rendering !386 (Viktor Oreshkin @stek29) + +### Maintenance + +- Add ephemeral-storage example in resources.requests and resources.limits !443 +- Update broken and outdated links in Helm chart values.yaml !438 (Kolja Lucht @k0jak) + +## v0.57.1 (2023-10-06) + +### New features + +- Update GitLab Runner version to v16.4.1 + +## v0.57.0 (2023-09-25) + +### New features + +- Update GitLab Runner version to v16.3.2 + +## v0.56.1 (2023-09-18) + +### New features + +- Update GitLab Runner version to v16.3.1 + +## v0.56.0 (2023-08-21) + +### New features + +- Update GitLab Runner version to v16.2.1 + +## v0.55.0 (2023-07-23) + +### New features + +- Update GitLab Runner version to v16.1.1 + +## v0.54.0 (2023-06-21) + +### New features + +- Update GitLab Runner version to v16.0.3 + +## v0.53.2 (2023-06-08) + +### New features + +- Update GitLab Runner version to v16.0.2 + +### Bug fixes + +- Revert cache settings through Kubernetes secret in values yaml !406 +- Take in account registration token from secret !405 +- Support empty rules defined in the values.yaml !402 + +### Maintenance + +- Remove reference to rbac.resources and rbac.verbs !403 + +## v0.52.1 (2023-06-02) + +### New features + +- Update GitLab Runner version to v15.11.1 + +## v0.53.1 (2023-05-25) + +### New features + +- Update GitLab Runner version to v16.0.1 + +## v0.53.0 (2023-05-22) + +### New features + +- Update GitLab Runner version to v16.0.0 + +### Maintenance + +- Adapt the Helm Chart to support the next Token Architecture !398 +- Remove namespace and cache deprecated fields from the Helm Chart project !397 +- Remove all deprecated fields that can be resolved with template merging !393 +- Fix failure in integration tests !390 + +## v0.52.0 (2023-04-22) + +### New features + +- Update GitLab Runner version to v15.11.0 + +### Bug fixes + +- Enable ability to use tini instead of dumb-init !385 +- Invalid yaml when creating service account with no annotations !381 (Zev Isert @zevisert) + +### Maintenance + +- Fix failure in integration tests !390 +- Add merge release config to be executed after stable branches are merged into the main branch !387 + +## v0.48.0 (2022-12-17) + +### New features + +- Update GitLab Runner version to 15.7.0 + +## v0.47.0 (2022-11-22) + +### New features + +- Update GitLab Runner version to 15.6.0 + +## v0.46.0 (2022-10-21) + +### New features + +- Update GitLab Runner version to 15.5.0 + +## v0.45.0 (2022-09-21) + +### New features + +- Update GitLab Runner version to 15.4.0 +- Add secrets update permission to RBAC example provided !349 (Tim Hobbs @hobti01) + +### Bug fixes + +- Revert "Merge branch 'feature/unregister-one-runner' into 'main'" !362 + +### Maintenance + +- Fix the pipeline being blocked by development release !357 +- Docs: Update values.yaml comments to reference kubernetes service accounts docs !310 + +## v0.44.0 (2022-08-19) + +### New features + +- Update GitLab Runner version to 15.3.0 +- Add secrets update permission to RBAC example provided !349 (Tim Hobbs @hobti01) + +### Maintenance + +- Fix the pipeline being blocked by development release !357 + +### Documentation changes + +- Docs: Update values.yaml comments to reference kubernetes service accounts docs !310 + +## v0.43.0 (2022-07-20) + +### New features + +- Update GitLab Runner version to 15.2.0 + +### Documentation changes + +- Fix some dead links !356 (Ben Bodenmiller @bbodenmiller) + +## v0.42.0 (2022-06-20) + +### New features + +- Update GitLab Runner version to 15.1.0 +- Add priority classname !350 +- Update namespaces to be consistent across manifests !343 (blacktide @blacktide) +- Add freely configurable securityContext to deployment !354 +- Add possibility to overwrite default image registry !351 (Patrik Votoček @vrtak-cz) +- Make session server service annotations configurable !336 (Matthias Baur @m.baur) + +### Maintenance + +- Add volume and volumeMount support to runner deployment !348 +- ci: Update Helm from 3.4.1 to 3.7.2 !347 (Takuya Noguchi @tnir) +- Update Docker to 20.10 on integration test !346 (Takuya Noguchi @tnir) +- Update default registry to GitLab Runner registry !345 +- Update casing of GitLab in values YAML file !344 (Ben Bodenmiller @bbodenmiller) +- Remove unneeded rbac role !335 (Matthias Baur @m.baur) + +## v0.41.0 (2022-05-19) + +### New features + +- Update GitLab Runner version to 15.0.0 +- Add the ability to unregister only one runner !329 (LAKostis @LAKostis) +- Remove init container and instead project secrets !312 +- Don't repeat chart name if release name starts with the chart name !232 (Ahmadali Shafiee @ahmadalli) + +### Maintenance + +- Use Helm 3 instead of 2.16.9 on lint/release jobs !342 (Takuya Noguchi @tnir) + +## v0.40.0 (2022-04-20) + +### New features + +- Update GitLab Runner version to 14.10.0 +- Add the possibility to configure maximum timeout that will be set for jobs when using the runner !341 (Adrien Gooris @adrien.gooris) + +### Maintenance + +- Add a post-release CI job to trigger a deps pipeline in Charts repo !339 +- Add helm install integration test !326 +- Make loadBalancerSourceRanges of Session Server configurable !334 (Matthias Baur @m.baur) + +## v0.39.0 (2022-03-21) + +### New Features + +- Update GitLab Runner version to 14.9.0 + +### Bug fixes + +- Disable metrics endpoint by default !337 + +### Maintenance + +- Update labels according to latest taxonomy !338 + +## v0.38.1 (2022-03-02) + +### New Features + +- Update GitLab Runner version to 14.8.2 + +## v0.38.0 (2022-02-21) + +### Maintenance + +- Fix urls with runners configuration information !314 (Dmitriy Stoyanov @DmitriyStoyanov) +- k8s rbac: add more resources in comment. !307 (Chen Yufei @cyfdecyf) +- Add dependency scanning to Runner Helm Chart project !331 + +## v0.37.2 (2022-01-24) + +### Bug fixes + +- Fix appVersion to 14.7.0 + +## v0.37.1 (2022-01-20) + +### Bug fixes + +- Set sessionServer to false by default !332 + +## v0.37.0 (2022-01-19) + +### New Features + +- Update GitLab Runner version to 14.7.0 +- Add support for interactive web terminal !320 + +## v0.36.0 (2021-12-18) + +### New features + +- Update GitLab Runner version to 14.6.0 + +### Bug fixes + +- Fix prometheus annotation unquoted value !323 + +### GitLab Runner distribution + +- Fix the security release rule in .gitlab-ci.yml !324 +- Fail the stable release job on curl failures !322 + +## v0.35.3 (2021-12-13) + +### Maintenance + +- Fix prometheus annotation unquoted value !323 + +## v0.35.2 (2021-12-10) + +### Security + +- Update GitLab Runner version to 14.5.2 + +## v0.35.1 (2021-12-01) + +### Security + +- Update GitLab Runner version to 14.5.1 + +## v0.35.0 (2021-11-21) + +### New features + +- Update GitLab Runner version to 14.5.0 + +### Maintenance + +- Don't run pipelines only for MRs !318 +- Update changelog generator configuration !317 +- Adds configurable value probeTimeoutSeconds !306 (Kyle Wetzler @kwetzler1) + +## v0.34.0-rc1 (2021-10-11) + +### New features + +- Update GitLab Runner version to 14.4.0-rc1 + +### Maintenance + +- Disallow setting both replicas and runnerToken !289 + +## v0.33.0 (2021-09-29) + +### New features + +- Update GitLab Runner version to 14.3.0 + +### Maintenance + +- Update container entrypoint to use `dumb-init` to avoid zombie processes !311 (Georg Lauterbach @georglauterbach) + +## v0.32.0 (2021-08-22) + +### New features + +- Update GitLab Runner version to 14.2.0 +- Add support for revisionHistoryLimit !299 (Romain Grenet @romain.grenet1) + +## v0.31.0 (2021-07-20) + +### New features + +- Update GitLab Runner version to 14.1.0 + +### Bug fixes + +- Only add environment variables if values set !295 (Matthew Warman @mcwarman) + +## v0.30.0 (2021-06-19) + +### New features + +- Update GitLab Runner version to 14.0.0 + +### Bug fixes + +- Resolve runner ignores request_concurrency !296 + +### Maintenance + +- refactor: change default brach references to main !298 +- Add support for specifying schedulerName on deployment podspec. !284 (Dominic Bevacqua @dbevacqua) + +## v0.29.0 (2021-05-20) + +### New features + +- Update GitLab Runner version to 13.12.0 + +## v0.28.0 (2021-04-20) + +### New features + +- Update GitLab Runner version to 13.11.0 + +### Maintenance + +- Pass runners.config through the template engine !290 (Dmitriy @Nevoff89) +- Add role support of individual verbs list for different resources !280 (Horatiu Eugen Vlad @hvlad) +- Use runner namespace for role and role binding if it is specified !256 (Alex Sears @searsaw) +- Add optional configuration values for pod security context `runAsUser` and `supplementalGroups` !242 (Horatiu Eugen Vlad @hvlad) + +### Documentation changes + +- docs: add notice that we run tpl on runner config !291 +- Add comment on imagePullPolicy !288 + +## v0.27.0 (2021-03-21) + +### New features + +- Update GitLab Runner version to 13.10.0 +- Allow setting deployment replicas !286 +- Add support for specify ConfigMaps for gitlab-runner deployment !285 +- Allow to mount arbitrary Kubernetes secrets !283 + +## v0.26.0 (2021-02-22) + +### New features + +- Update GitLab Runner version to 13.9.0 +- Make executor configurable !273 (Matthias Baur @m.baur) + +### Other changes + +- Typo fix !282 (Ben Bodenmiller @bbodenmiller) + +## v0.25.0 (2021-01-20) + +### New features + +- Support secrets for Azure cache !277 +- Update GitLab Runner version to 13.8.0 + +### Maintenance + +- Fix release CI stage failing due to Helm stable deprecation !278 +- Update GitLab Changelog configuration !275 + +### Documentation changes + +- Update link to doc in README.md !276 + +## v0.24.0 (2020-12-21) + +### New features + +- Update GitLab Runner version to 13.7.0 +- add optional 'imagePullSecrets' to deployment !269 (Christian Schoofs @schoofsc) + +### Other changes + +- Make description configruable !229 (Matthias Baur @m.baur) + +## v0.23.0 (2020-11-21) + +### New features + +- Update GitLab Runner version to 13.6.0 +- Allow user to specify any runner configuraton !271 + +## v0.22.0 (2020-10-20) + +### New features + +- Update GitLab Runner version to 13.5.0 +- Add pull secrets to service account for runner image !241 (Horatiu Eugen Vlad @hvlad) + +### Maintenance + +- Set allowPrivilegeEscalation to false for gitlab-runner pod !243 (Horatiu Eugen Vlad @hvlad) + +### Documentation changes + +- Add comment on ubuntu image & securityContext !260 + +## v0.21.0 (2020-09-21) + +### Maintenance + +- Update GitLab Runner version to 13.4.0 +- Fix changelog generator config to catch all maintenance related labels !255 + +### Other changes + +- Add scripts/security-harness script !258 + +## v0.20.0 (2020-08-20) + +### New features + +- Update GitLab Runner version to 13.3.0 +- Enable custom commands !250 + +### Maintenance + +- Add `release stable` job for security fork !252 +- Update changelog generator to accept new labels !249 + +## v0.19.0 (2020-07-20) + +### New features + +- Allow user to define PodSecurityPolicy !184 (Paweł Kalemba @pkalemba) +- Update GitLab Runner version to 13.2.0 + +### Documentation changes + +- Fix external links within values.yaml !248 (Alexandre Jardin @alexandre.jardin) + +## v0.18.0 (2020-06-19) + +### Maintenance + +- Update GitLab Runner version to 13.1.0 + +### Other changes + +- Fix unregister when using token secret !231 (Bernd @arabus) +- Support specifying pod security context. !219 (Chen Yufei @cyfdecyf) + +## v0.17.1 (2020-06-01) + +### Maintenance + +- Update GitLab Runner version to 13.0.1 + +## v0.17.0 (2020-05-20) + +### New features + +- Expose settings for kubernetes resource limits and requests overwrites !220 (Alexander Petermann @lexxxel) +- Add support for setting Node Tolerations !188 (Zeyu Ye @Shuliyey) + +### Maintenance + +- Update GitLab Runner version to 13.0.0 +- Update package name in note !234 +- Pin CI jobs to gitlab-org runners !222 + +## v0.16.0 (2020-04-22) + +### New features + +- Add Service Account annotation support !211 (David Rosson @davidrosson) + +### Bug fixes + +- Support correct spelling of GCS secret !214 (Arthur Wiebe @arthur65) + +### Maintenance + +- Remove dependency of `gitlab-runner-builder` runner !221 +- Fix linting for forks with a different name than "gitlab-runner" !218 +- Install gitlab-changelog installation !217 + +### Other changes + +- Update GitLab Runner version to 12.10.1 +- Change listen address to not force IPv6 !213 (Fábio Matavelli @fabiomatavelli) + +## v0.15.0 (2020-03-20) + +### Maintenance + +- Update GitLab Runner version to 12.9.0 +- Update changelog generator configuration !212 +- Replace changelog entries generation script !209 + +### Other changes + +- Fix values.yaml typo !210 (Brian Choy @bycEEE) + +## v0.14.0 (2020-02-22) + +- Update GitLab Runner version to 12.8.0 + +## v0.13.0 (2020-01-20) + +- Add podLabels to the deployment !198 +- Mount custom-certs in configure init container !202 + +## v0.12.0 (2019-12-22) + +- Add `apiVersion: v1` to chart.yaml !195 +- Add documentation to protected Runners !193 +- Make securityContext configurable !199 +- Update GitLab Runner version to 12.6.0 + +## v0.11.0 (2019-11-20) + +- Variables for RUNNER_OUTPUT_LIMIT, and KUBERNETES_POLL_TIMEOUT !50 +- Add support for register protected Runners !185 + +## v0.10.1 (2019-10-28) + +- Update GitLab Runner to 12.4.1 + +## v0.10.0 (2019-10-21) + +- Updated GitLab Runner to 12.4.0 +- Use updated project path to release helm chart !172 +- Update resources API to stable verson !167 +- Add support for specifying log format !170 +- Use the cache.secret template to check if the secretName is set !166 +- Drop need for helm force update for now !181 +- Fix image version detection for old helm versions !173 + +## v0.9.0 (2019-09-20) + +- Use updated project path to release helm chart !172 +- Enabling horizontal pod auto-scaling based on custom metrics !127 +- Change base image used for CI jobs !156 +- Remove DJ as a listed chart maintainer !160 +- Release beta version on master using Bleeding Edge image !155 +- Update definition of 'release beta' CI jobs !164 +- Fix certs path in the comment in values file !148 +- Implement support for run-untagged option !140 +- Use new location for helm charts repo !162 +- Follow-up to adding run-untagged support !165 + +## v0.8.0 (2019-08-22) + +- Add suport for graceful stop !150 + +## v0.7.0 (2019-07-22) + +- Fix broken anchor link for gcs cache docs !135 +- Allow user to set rbac roles !112 +- Bump used Runner version to 12.1.0 !149 + +## v0.6.0 (2019-06-24) + +- Allow to manually build the package for development branches !120 +- When configuring cache: if no S3 secret assume IAM role !111 +- Allow to define request_concurrency value !121 +- Bump used Runner version to 12.0.0 !138 + +## v0.5.0 (2019-05-22) + +- Bump used Runner version to 11.11.0 !126 + +## v0.4.1 (2019-04-24) + +- Bump used Runner version to 11.10.1 !113 + +## v0.4.0 (2019-04-22) + +- Bump used Runner version to 11.10.0-rc2 !108 +- Fix a typo in values.yaml !101 +- Add pod labels for jobs !98 +- add hostAliases for pod assignment !89 +- Configurable deployment annotations !44 +- Add pod annotations for jobs !97 +- Bump used Runner version to 11.10.0-rc1 !107 + +## v0.3.0 (2019-03-22) + +- Change mount of secret with S3 distributed cache credentials !64 +- Add environment variables to runner !48 +- Replace S3_CACHE_INSECURE with CACHE_S3_INSECURE !90 +- Update values.yaml to remove invalid anchor in comments !85 +- Bump used Runner version to 11.9.0 !102 + +## v0.2.0 (2019-02-22) + +- Fix the error caused by unset 'locked' value !79 +- Create LICENSE file !76 +- Add CONTRIBUTING.md file !81 +- Add plain MIT text into LICENSE and add NOTICE !80 +- Fix incorrect custom secret documentation !71 +- Add affinity, nodeSelector and tolerations for pod assignment !56 +- Ignore scripts directory when buildin helm chart !83 +- Bump used Runner version to 11.8.0-rc1 !87 +- Fix year in Changelog - it's already 2019 !84 + +## v0.1.45 (2019-01-22) + +- Trigger release only for tagged versions !72 +- Fixes typos in values.yaml comments !60 +- Update chart to bring closer to helm standard template !43 +- Add nodeSelector config parameter for CI job pods !19 +- Prepare CHANGELOG management !75 +- Track app version in Chart.yaml !74 +- Fix the error caused by unset 'locked' value !79 +- Bump used Runner version to 11.7.0 !82 diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/CONTRIBUTING.md b/kubernetes/Charts/gitlab/charts/gitlab-runner/CONTRIBUTING.md new file mode 100644 index 0000000..1e55f92 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/CONTRIBUTING.md @@ -0,0 +1,16 @@ +## Developer Certificate of Origin + License + +By contributing to GitLab B.V., You accept and agree to the following terms and +conditions for Your present and future Contributions submitted to GitLab B.V. +Except for the license granted herein to GitLab B.V. and recipients of software +distributed by GitLab B.V., You reserve all right, title, and interest in and to +Your Contributions. All Contributions are subject to the following DCO + License +terms. + +[DCO + License](https://gitlab.com/gitlab-org/dco/blob/master/README.md) + +All Documentation content that resides under the [docs/ directory](/docs) of this +repository is licensed under Creative Commons: +[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/). + +_This notice should stay as the first item in the CONTRIBUTING.md file._ diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/Chart.yaml new file mode 100644 index 0000000..606f6d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 16.5.0 +description: GitLab Runner +icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png +keywords: +- git +- ci +- deploy +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab-runner +sources: +- https://gitlab.com/gitlab-org/charts/gitlab-runner +- https://gitlab.com/gitlab-org/gitlab-runner +- https://docs.gitlab.com/runner/ +version: 0.58.2 diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/DEVELOPMENT.md b/kubernetes/Charts/gitlab/charts/gitlab-runner/DEVELOPMENT.md new file mode 100644 index 0000000..a4dc4d2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/DEVELOPMENT.md @@ -0,0 +1,12 @@ +# Developement + +## Running tests + +1. install helm unittest plugin: + ```bash + helm plugin install https://github.com/helm-unittest/helm-unittest.git + ``` +2. run tests: + ```bash + helm unittest . + ``` diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/LICENSE b/kubernetes/Charts/gitlab/charts/gitlab-runner/LICENSE new file mode 100644 index 0000000..eacbe84 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2018-2019 GitLab B.V. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/Makefile b/kubernetes/Charts/gitlab/charts/gitlab-runner/Makefile new file mode 100644 index 0000000..d83671c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/Makefile @@ -0,0 +1,20 @@ +GITLAB_CHANGELOG_VERSION ?= master +GITLAB_CHANGELOG = .tmp/gitlab-changelog-$(GITLAB_CHANGELOG_VERSION) + +.PHONY: generate_changelog +generate_changelog: export CHANGELOG_RELEASE ?= dev +generate_changelog: $(GITLAB_CHANGELOG) + # Generating new changelog entries + @$(GITLAB_CHANGELOG) -project-id 6329679 \ + -release $(CHANGELOG_RELEASE) \ + -starting-point-matcher "v[0-9]*.[0-9]*.[0-9]*" \ + -config-file .gitlab/changelog.yml \ + -changelog-file CHANGELOG.md + +$(GITLAB_CHANGELOG): OS_TYPE ?= $(shell uname -s | tr '[:upper:]' '[:lower:]') +$(GITLAB_CHANGELOG): DOWNLOAD_URL = "https://storage.googleapis.com/gitlab-runner-tools/gitlab-changelog/$(GITLAB_CHANGELOG_VERSION)/gitlab-changelog-$(OS_TYPE)-amd64" +$(GITLAB_CHANGELOG): + # Installing $(DOWNLOAD_URL) as $(GITLAB_CHANGELOG) + @mkdir -p $(shell dirname $(GITLAB_CHANGELOG)) + @curl -sL "$(DOWNLOAD_URL)" -o "$(GITLAB_CHANGELOG)" + @chmod +x "$(GITLAB_CHANGELOG)" diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/NOTICE b/kubernetes/Charts/gitlab/charts/gitlab-runner/NOTICE new file mode 100644 index 0000000..6d6682b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/NOTICE @@ -0,0 +1,29 @@ +With regard to the GitLab Software: + +The MIT License (MIT) + +Copyright (c) 2018-2019 GitLab B.V. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +--- + +For all third party components incorporated into the GitLab Software, those +components are licensed under the original license provided by the owner of the +applicable component. diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/README.md b/kubernetes/Charts/gitlab/charts/gitlab-runner/README.md new file mode 100644 index 0000000..8d888cc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/README.md @@ -0,0 +1,8 @@ +# GitLab Runner Helm Chart + +This chart deploys a GitLab Runner instance into your Kubernetes +cluster. For more information, please review [our documentation](https://docs.gitlab.com/charts/charts/gitlab/gitlab-runner). + +# Development + +Please follow [development documentation](DEVELOPMENT.md). diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/NOTES.txt new file mode 100644 index 0000000..68ab758 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/NOTES.txt @@ -0,0 +1,36 @@ +{{- if include "gitlab-runner.gitlabUrl" . }} +Your GitLab Runner should now be registered against the GitLab instance reachable at: {{ include "gitlab-runner.gitlabUrl" . }} +{{- else -}} +############################################################################################# +## WARNING: You did not specify an gitlabUrl in your 'helm install' call. ## +############################################################################################# + +This deployment will be incomplete until you provide the URL that your +GitLab instance is reachable at: + + helm upgrade {{ .Release.Name }} \ + --set gitlabUrl=http://gitlab.your-domain.com,runnerRegistrationToken=your-registration-token \ + gitlab/gitlab-runner +{{- end -}} + +{{- if not .Values.runners.config }} +############################################################################################# +## WARNING: You don't seem to be using the GitLab Runner config template functionality. ## +## Configuring the GitLab Runner through that template is recommended as other ## +## configuration options will be deprecated in Helm Chart 1.0. Read more at ## +## https://docs.gitlab.com/runner/install/kubernetes.html#using-configuration-template. ## +############################################################################################# +{{- end }} + +{{- $runnerNamespace := regexFind "\\s*namespace\\s*=.+\\s*" (tpl .Values.runners.config $) | regexFind "=.+" | trimPrefix "=" | trim -}} +{{- if regexMatch "\\s*namespace\\s*=" .Values.runners.config }} + +Runner namespace {{ $runnerNamespace }} was found in runners.config template. +{{- if .Values.runners.namespace }} + +############################################################################################# +## WARNING: You have set the namespace in runners.config and also set in deprecated ## +## runner.namespace element. The runners.config namespace will be ignored. ## +############################################################################################# +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/_env_vars.tpl b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/_env_vars.tpl new file mode 100644 index 0000000..0394205 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/_env_vars.tpl @@ -0,0 +1,28 @@ +{{- define "gitlab-runner.runner-env-vars" }} +- name: CI_SERVER_URL + value: {{ include "gitlab-runner.gitlabUrl" . }} +- name: RUNNER_EXECUTOR + value: {{ default "kubernetes" .Values.runners.executor | quote }} +{{- if eq (include "gitlab-runner.isAuthToken" .) "false" }} +- name: REGISTER_LOCKED + {{ if or (not (hasKey .Values.runners "locked")) .Values.runners.locked -}} + value: "true" + {{- else -}} + value: "false" + {{- end }} +- name: RUNNER_TAG_LIST + value: {{ default "" .Values.runners.tags | quote }} +{{- end }} +{{- if eq (default "kubernetes" .Values.runners.executor) "kubernetes" }} +{{- if not (regexMatch "\\s*namespace\\s*=" .Values.runners.config) }} +- name: KUBERNETES_NAMESPACE + value: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} +{{- if .Values.envVars -}} +{{ range .Values.envVars }} +- name: {{ .name }} + value: {{ .value | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/_helpers.tpl new file mode 100644 index 0000000..961a826 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/_helpers.tpl @@ -0,0 +1,110 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "gitlab-runner.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "gitlab-runner.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if hasPrefix $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gitlab-runner.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Define the name of the secret containing the tokens +*/}} +{{- define "gitlab-runner.secret" -}} +{{- default (include "gitlab-runner.fullname" .) .Values.runners.secret | quote -}} +{{- end -}} + +{{/* +Define the name of the s3 cache secret +*/}} +{{- define "gitlab-runner.cache.secret" -}} +{{- if hasKey .Values.runners.cache "secretName" -}} +{{- .Values.runners.cache.secretName | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Template for outputing the gitlabUrl +*/}} +{{- define "gitlab-runner.gitlabUrl" -}} +{{- .Values.gitlabUrl | quote -}} +{{- end -}} + +{{/* +Define the image, using .Chart.AppVersion and GitLab Runner image as a default value +*/}} +{{- define "gitlab-runner.image" }} +{{- $appVersion := ternary "bleeding" (print "v" .Chart.AppVersion) (eq .Chart.AppVersion "bleeding") -}} +{{- $appVersionImageTag := printf "alpine-%s" $appVersion -}} +{{- $imageTag := default $appVersionImageTag .Values.image.tag -}} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.image $imageTag }} +{{- end -}} + +{{/* +Define the server session timeout, using 1800 as a default value +*/}} +{{- define "gitlab-runner.server-session-timeout" }} +{{- default 1800 .Values.sessionServer.timeout }} +{{- end -}} + +{{/* +Define the server session internal port, using 9000 as a default value +*/}} +{{- define "gitlab-runner.server-session-external-port" }} +{{- default 9000 .Values.sessionServer.externalPort }} +{{- end -}} + +{{/* +Define the server session external port, using 8093 as a default value +*/}} +{{- define "gitlab-runner.server-session-internal-port" }} +{{- default 8093 .Values.sessionServer.internalPort }} +{{- end -}} + +{{/* +Unregister runners on pod stop +*/}} +{{- define "gitlab-runner.unregisterRunners" -}} +{{- if or (and (hasKey .Values "unregisterRunners") .Values.unregisterRunners) (and (not (hasKey .Values "unregisterRunners")) .Values.runnerRegistrationToken) -}} +lifecycle: + preStop: + exec: + command: ["/entrypoint", "unregister", "--all-runners"] +{{- end -}} +{{- end -}} + +{{/* +Define if the registration token provided (if any) +is an authentication token or not +*/}} +{{- define "gitlab-runner.isAuthToken" -}} +{{- $isAuthToken := false -}} +{{- $hasRegistrationToken := hasKey .Values "runnerRegistrationToken" -}} +{{- if $hasRegistrationToken -}} +{{- $isAuthToken = (hasPrefix "glrt-" .Values.runnerRegistrationToken) -}} +{{- end -}} +{{- $isAuthToken -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/configmap.yaml new file mode 100644 index 0000000..9f559a6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/configmap.yaml @@ -0,0 +1,217 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + entrypoint: | + #!/bin/bash + set -e + + export CONFIG_PATH_FOR_INIT="{{ ternary "/.gitlab-runner/" "/home/gitlab-runner/.gitlab-runner/" (and (hasKey .Values.securityContext "runAsNonRoot") (not .Values.securityContext.runAsNonRoot)) }}" + mkdir -p ${CONFIG_PATH_FOR_INIT} + cp /configmaps/config.toml ${CONFIG_PATH_FOR_INIT} + + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + quit() { + kill -TERM "$child" + } + + trap quit QUIT TERM + + sh /configmaps/set-session-server-address & + child=$! + wait "$child" + {{- end }} + + # Set up environment variables for cache + if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then + export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey) + export CACHE_S3_SECRET_KEY=$(cat /secrets/secretkey) + fi + + if [[ -f /secrets/gcs-applicaton-credentials-file ]]; then + export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-applicaton-credentials-file" + elif [[ -f /secrets/gcs-application-credentials-file ]]; then + export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file" + else + if [[ -f /secrets/gcs-access-id && -f /secrets/gcs-private-key ]]; then + export CACHE_GCS_ACCESS_ID=$(cat /secrets/gcs-access-id) + # echo -e used to make private key multiline (in google json auth key private key is oneline with \n) + export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key)) + fi + fi + + if [[ -f /secrets/azure-account-name && -f /secrets/azure-account-key ]]; then + export CACHE_AZURE_ACCOUNT_NAME=$(cat /secrets/azure-account-name) + export CACHE_AZURE_ACCOUNT_KEY=$(cat /secrets/azure-account-key) + fi + + if [[ -f /secrets/runner-registration-token ]]; then + export REGISTRATION_TOKEN=$(cat /secrets/runner-registration-token) + fi + + if [[ -f /secrets/runner-token ]]; then + export CI_SERVER_TOKEN=$(cat /secrets/runner-token) + fi + + # Register the runner + if ! sh /configmaps/register-the-runner; then + exit 1 + fi + + # Run pre-entrypoint-script + if ! bash /configmaps/pre-entrypoint-script; then + exit 1 + fi + + # Start the runner + exec /entrypoint run \ + {{- if and .Values.runners.executor (ne "shell" ((.Values.runners.executor) | toString)) }} + --user=gitlab-runner \ + {{- end }} + --working-directory=/home/gitlab-runner + + config.toml: | + shutdown_timeout = {{ .Values.shutdown_timeout }} + concurrent = {{ .Values.concurrent }} + check_interval = {{ .Values.checkInterval }} + log_level = {{ default "info" .Values.logLevel | quote }} + {{- if .Values.logFormat }} + log_format = {{ .Values.logFormat | quote }} + {{- end }} + {{- if .Values.metrics.enabled }} + listen_address = ":{{ .Values.metrics.port }}" + {{- end }} + {{- if .Values.sentryDsn }} + sentry_dsn = "{{ .Values.sentryDsn }}" + {{- end }} + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + [session_server] + session_timeout = {{ include "gitlab-runner.server-session-timeout" . }} + listen_address = "0.0.0.0:{{ include "gitlab-runner.server-session-internal-port" . }}" + advertise_address = "SESSION_SERVER_IP:{{ include "gitlab-runner.server-session-external-port" . }}" + {{- end }} + + {{ if .Values.runners.config }} + config.template.toml: {{ tpl .Values.runners.config $ | toYaml | indent 2 }} + {{ end }} + + register-the-runner: | + #!/bin/bash + MAX_REGISTER_ATTEMPTS=30 + + # Reset/unset the not needed flags when an authentication token + RUN_UNTAGGED="{{ ternary "--run-untagged=true" "" (and (hasKey .Values.runners "runUntagged") .Values.runners.runUntagged) }}" + ACCESS_LEVEL="{{ ternary "--access-level=ref_protected" "" (and (hasKey .Values.runners "protected") .Values.runners.protected) }}" + + if [ ! -z "$REGISTRATION_TOKEN" ] && [ "${REGISTRATION_TOKEN#glrt-}" != "$REGISTRATION_TOKEN" ]; then + RUN_UNTAGGED="" + ACCESS_LEVEL="" + unset REGISTER_LOCKED + unset RUNNER_TAG_LIST + fi + + for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do + echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}" + /entrypoint register \ + {{- if and (hasKey .Values.runners "name") .Values.runners.name }} + --name={{ .Values.runners.name | quote -}} \ + {{- end }} + {{- if and (hasKey .Values.runners "maximumTimeout") .Values.runners.maximumTimeout }} + --maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \ + {{- end }} + {{- if eq (include "gitlab-runner.isAuthToken" . ) "false" }} + ${RUN_UNTAGGED} \ + {{- end }} + {{- if eq (include "gitlab-runner.isAuthToken" . ) "false" }} + ${ACCESS_LEVEL} \ + {{- end }} + {{- if .Values.runners.config }} + --template-config /configmaps/config.template.toml \ + {{- else if .Values.runners.configPath }} + --template-config {{ .Values.runners.configPath }} \ + {{- end }} + --non-interactive + + retval=$? + + if [ ${retval} = 0 ]; then + break + elif [ ${i} = ${MAX_REGISTER_ATTEMPTS} ]; then + exit 1 + fi + + sleep 5 + done + + exit 0 + + check-live: | + #!/bin/bash + set -eou pipefail + + if ! /usr/bin/pgrep -f ".*register-the-runner" > /dev/null && ! /usr/bin/pgrep -f "gitlab.*runner" > /dev/null ; then + exit 1 + fi + + name=$(awk -F'"' '/^ name = ".*"/ { print $2 }' "${HOME%/root}/.gitlab-runner/config.toml") + url=$(awk -F'"' '/^ url = ".*"/ { print $2 }' "${HOME%/root}/.gitlab-runner/config.toml") + + gitlab-runner verify -n "$name" -u "$url" 2>&1 | grep -E "is alive|is valid" + + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + set-session-server-address: | + #!/bin/bash + + {{- if (not .Values.sessionServer.publicIP) }} + APISERVER=https://kubernetes.default.svc \ + && SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount \ + && NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) \ + && TOKEN=$(cat ${SERVICEACCOUNT}/token) \ + && CACERT=${SERVICEACCOUNT}/ca.crt \ + && header="Authorization: Bearer ${TOKEN}" + + SERVICEURL=${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/{{ include "gitlab-runner.fullname" . }}-session-server + + has_address=false + while [ "${has_address}" = false ]; do + SERVICEIP=$(curl —-silent \ + --cacert ${CACERT} \ + --header "${header}" \ + -X GET ${SERVICEURL} 2>/dev/null \ + | grep '"ip":' | cut -d ":" -f2 | xargs) + + # for aws, the hostname is available but not the external IP + SERVICEHOSTNAME=$(curl —-silent \ + --cacert ${CACERT} \ + --header "${header}" \ + -X GET ${SERVICEURL} 2>/dev/null \ + | grep '"hostname":' | cut -d ":" -f2 | xargs) + + ADDRESS="${SERVICEHOSTNAME:-$SERVICEIP}" + + if [ -z "${ADDRESS}" ] + then + echo "Service LoadBalancer External Address not yet available" + has_address=false + sleep 5 + else + has_address=true + sed -i -e "s/SESSION_SERVER_IP/${ADDRESS}/g" ${CONFIG_PATH_FOR_INIT}/config.toml + fi + done + {{- else }} + sed -i -e "s/SESSION_SERVER_IP/{{ .Values.sessionServer.publicIP }}/g" ${CONFIG_PATH_FOR_INIT}/config.toml + {{- end}} + {{ end }} + + pre-entrypoint-script: | +{{ .Values.preEntrypointScript | default "" | indent 4 }} + +{{ if not (empty .Values.configMaps) }}{{ toYaml .Values.configMaps | indent 2 }}{{ end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/deployment.yaml new file mode 100644 index 0000000..9cf9b6c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{- range $key, $value := .Values.deploymentLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: + {{- toYaml .Values.deploymentAnnotations | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.hpa}} + replicas: {{ default 1 .Values.replicas }} + {{- end}} + revisionHistoryLimit: {{ default 10 .Values.revisionHistoryLimit }} + selector: + matchLabels: + app: {{ include "gitlab-runner.fullname" . }} + template: + metadata: + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{- range $key, $value := .Values.podLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if or .Values.runnerRegistrationToken .Values.runnerToken .Values.runners.secret }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.metrics.enabled }} + prometheus.io/scrape: 'true' + prometheus.io/port: {{ .Values.metrics.port | quote }} + {{- end }} + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if hasKey .Values "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: {{ toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + serviceAccountName: {{ if .Values.rbac.create }}{{ include "gitlab-runner.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} + containers: + - name: {{ include "gitlab-runner.fullname" . }} + image: {{ include "gitlab-runner.image" . }} + imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} + securityContext: {{ toYaml .Values.securityContext | nindent 10 }} + {{- include "gitlab-runner.unregisterRunners" . | nindent 8 }} + {{- if .Values.useTini }} + command: ["/usr/local/bin/tini", "--", "/bin/bash", "/configmaps/entrypoint"] + {{- else }} + command: ["/usr/bin/dumb-init", "--", "/bin/bash", "/configmaps/entrypoint"] + {{- end }} + env: + {{ include "gitlab-runner.runner-env-vars" . | indent 8 }} + livenessProbe: + exec: + command: ["/bin/bash", "/configmaps/check-live"] + initialDelaySeconds: 60 + timeoutSeconds: {{ default 3 .Values.probeTimeoutSeconds }} + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: ["/usr/bin/pgrep","gitlab.*runner"] + initialDelaySeconds: 10 + timeoutSeconds: {{ default 3 .Values.probeTimeoutSeconds }} + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + ports: + - name: {{ .Values.metrics.portName | quote }} + containerPort: {{ .Values.metrics.port }} + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + - name: session-server + containerPort: {{ include "gitlab-runner.server-session-internal-port" . }} + protocol: TCP + {{- end }} + volumeMounts: + {{- if or (include "gitlab-runner.cache.secret" .) .Values.runnerRegistrationToken .Values.runnerToken .Values.secrets .Values.runners.secret }} + - name: projected-secrets + mountPath: /secrets + {{- end }} + - name: etc-gitlab-runner + mountPath: /home/gitlab-runner/.gitlab-runner + - name: configmaps + mountPath: /configmaps + {{- if .Values.certsSecretName }} + - name: custom-certs + readOnly: true + mountPath: /home/gitlab-runner/.gitlab-runner/certs/ + {{- end }} + {{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumes: + - name: runner-secrets + emptyDir: + medium: "Memory" + - name: etc-gitlab-runner + emptyDir: + medium: "Memory" + {{- if or (include "gitlab-runner.cache.secret" .) .Values.runnerRegistrationToken .Values.runnerToken .Values.secrets .Values.runners.secret }} + - name: projected-secrets + projected: + sources: + {{- if include "gitlab-runner.cache.secret" . }} + - secret: + name: {{ include "gitlab-runner.cache.secret" . }} + {{- end }} + {{- if or .Values.runnerRegistrationToken .Values.runnerToken .Values.runners.secret }} + - secret: + name: {{ include "gitlab-runner.secret" . }} + items: + - key: runner-registration-token + path: runner-registration-token + - key: runner-token + path: runner-token + {{- end }} + {{- range .Values.secrets }} + - secret: +{{ toYaml . | indent 16 }} + {{- end }} + {{- end }} + {{- if .Values.certsSecretName }} + - name: custom-certs + secret: + secretName: {{ .Values.certsSecretName }} + {{- end }} + - name: configmaps + configMap: + name: {{ include "gitlab-runner.fullname" . }} + {{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 6 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.hostAliases }} + hostAliases: +{{ toYaml .Values.hostAliases | indent 8 }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/hpa.yaml new file mode 100644 index 0000000..3ec0dc6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/hpa.yaml @@ -0,0 +1,22 @@ +{{- if .Values.hpa}} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} +apiVersion: autoscaling/v2beta1 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "gitlab-runner.fullname" . }} + minReplicas: {{ default 1 .Values.hpa.minReplicas }} + maxReplicas: {{ default 1 .Values.hpa.maxReplicas }} + metrics: +{{ toYaml .Values.hpa.metrics | indent 2 }} +{{- end}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/role-binding.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/role-binding.yaml new file mode 100644 index 0000000..b074cd2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/role-binding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRoleBinding"{{ else }}"RoleBinding"{{ end }} +metadata: + name: {{ include "gitlab-runner.fullname" . }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{ if not .Values.rbac.clusterWideAccess -}} + namespace: {{ .Release.Namespace | quote }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }} + name: {{ include "gitlab-runner.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gitlab-runner.fullname" . }} + namespace: "{{ .Release.Namespace }}" +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/role.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/role.yaml new file mode 100644 index 0000000..343d22a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }} +metadata: + name: {{ include "gitlab-runner.fullname" . }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{ if not .Values.rbac.clusterWideAccess -}} + namespace: {{ .Release.Namespace | quote }} + {{- end }} +rules: +{{- if .Values.rbac.podSecurityPolicy.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: +{{ toYaml .Values.rbac.podSecurityPolicy.resourceNames | indent 2 }} +{{- end }} +{{- if empty .Values.rbac.rules }} +- apiGroups: [""] + resources: {{ (list "*") | toJson }} + verbs: {{ (list "*") | toJson }} +{{- end -}} +{{ range .Values.rbac.rules }} +- apiGroups: {{ (default (list "") .apiGroups) | toJson }} + resources: {{ (default (list "*") .resources) | toJson }} + verbs: {{ (default (list "*") .verbs) | toJson }} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/secrets.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..767f515 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{- if or .Values.runnerRegistrationToken .Values.runnerToken -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitlab-runner.secret" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + runner-registration-token: {{ default "" .Values.runnerRegistrationToken | b64enc | quote }} + runner-token: {{ default "" .Values.runnerToken | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service-account.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service-account.yaml new file mode 100644 index 0000000..b7139d7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service-account.yaml @@ -0,0 +1,24 @@ +{{- if .Values.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- if .Values.rbac.serviceAccountAnnotations }} + annotations: + {{- range $key, $value := .Values.rbac.serviceAccountAnnotations }} + {{ $key }}: {{ tpl ($value) $ | quote }} + {{- end }} + {{- end}} + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- if .Values.rbac.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.rbac.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service-session-server.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service-session-server.yaml new file mode 100644 index 0000000..0cb825f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service-session-server.yaml @@ -0,0 +1,32 @@ +{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab-runner.fullname" . }}-session-server + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.sessionServer.annotations }} + annotations: + {{- toYaml .Values.sessionServer.annotations | nindent 4 }} + {{- end }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + selector: + app: {{ include "gitlab-runner.fullname" . }} + release: "{{ .Release.Name }}" + type: LoadBalancer + {{- if .Values.sessionServer.publicIP }} + loadBalancerIP: {{ .Values.sessionServer.publicIP }} + {{- end }} + {{- if .Values.sessionServer.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.sessionServer.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + ports: + - protocol: TCP + port: {{ include "gitlab-runner.server-session-external-port" . }} + targetPort: {{ include "gitlab-runner.server-session-internal-port" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service.yaml new file mode 100644 index 0000000..af9e821 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/service.yaml @@ -0,0 +1,52 @@ +{{- if and .Values.service.enabled .Values.metrics.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab-runner.fullname" . | quote }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . | quote }} + chart: {{ include "gitlab-runner.chart" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + {{- if .Values.service.labels }} + {{- toYaml .Values.service.labels | nindent 4 }} + {{- end }} + {{- if .Values.service.annotations }} + annotations: + {{- toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP | quote }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: + {{- toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr | quote }} + {{- end }} + {{- end }} + ports: + {{- if .Values.metrics.enabled }} + - name: {{ .Values.metrics.portName | quote }} + {{- if eq .Values.service.type "NodePort" }} + nodePort: {{ .Values.service.metrics.nodePort }} + {{- end }} + port: {{ .Values.metrics.port }} + targetPort: {{ .Values.metrics.portName | quote }} + {{- end }} + {{- if .Values.service.additionalPorts }} + {{- toYaml .Values.service.additionalPorts | nindent 2 }} + {{- end }} + selector: + app: {{ include "gitlab-runner.fullname" . | quote }} + release: {{ .Release.Name | quote }} + type: {{ .Values.service.type | default "ClusterIP" | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/servicemonitor.yaml new file mode 100644 index 0000000..ec0ed5e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/templates/servicemonitor.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.enabled .Values.service.enabled -}} +{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gitlab-runner.fullname" . | quote }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . | quote }} + chart: {{ include "gitlab-runner.chart" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + {{- if .Values.metrics.serviceMonitor.labels }} + {{- toYaml .Values.metrics.serviceMonitor.labels | nindent 4 }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.metrics.portName | quote }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scheme }} + scheme: {{ .Values.metrics.serviceMonitor.scheme | quote }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .Values.metrics.serviceMonitor.tlsConfig | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6) . }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.path }} + path: {{ .Values.metrics.serviceMonitor.path }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + namespaceSelector: + matchNames: + - {{ $.Release.Namespace | quote }} + selector: + matchLabels: + app: {{ include "gitlab-runner.fullname" . | quote }} + chart: {{ include "gitlab-runner.chart" . | quote }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-runner/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab-runner/values.yaml new file mode 100644 index 0000000..c9bc447 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-runner/values.yaml @@ -0,0 +1,601 @@ +## GitLab Runner Image +## +## By default it's using registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v{VERSION} +## where {VERSION} is taken from Chart.yaml from appVersion field +## +## ref: https://gitlab.com/gitlab-org/gitlab-runner/container_registry/29383?orderBy=NAME&sort=asc&search[]=alpine-v&search[]= +## +## Note: If you change the image to the ubuntu release +## don't forget to change the securityContext; +## these images run on different user IDs. +## +image: + registry: registry.gitlab.com + image: gitlab-org/gitlab-runner + # tag: alpine-v11.6.0 + +## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry) +## the installation fails because dumb-init is not packaged in the image. However, the tini is present. +## This configuration will allow gitlab-runner-ubi-images users to explicitly enabled the use of `tini` instead of `dumb-init` +useTini: false + +## Specify a imagePullPolicy for the main runner deployment +## 'Always' if imageTag is 'latest', else set to 'IfNotPresent' +## +## Note: it does not apply to job containers launched by this executor. +## Use `pull_policy` in [runners.kubernetes] to change it. +## +## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images +## +imagePullPolicy: IfNotPresent + +## Specifying ImagePullSecrets on a Pod +## Kubernetes supports specifying container image registry keys on a Pod. +## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod +## +# imagePullSecrets: +# - name: "image-pull-secret" + +## Timeout, in seconds, for liveness and readiness probes of a runner pod. +# probeTimeoutSeconds: 3 + +## How many runner pods to launch. +## +# replicas: 1 + +## How many old ReplicaSets for this Deployment you want to retain +# revisionHistoryLimit: 10 + +## The GitLab Server URL (with protocol) that want to register the runner against +## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-register +## +# gitlabUrl: http://gitlab.your-domain.com/ + +## DEPRECATED: The Registration Token for adding new Runners to the GitLab Server. +## +## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html +## +# runnerRegistrationToken: "" + +## The Runner Token for adding new Runners to the GitLab Server. This must +## be retrieved from your GitLab Instance. It is token of already registered runner. +## ref: (we don't yet have docs for that, but we want to use existing token) +## +# runnerToken: "" +# + +## Unregister all runners before termination +## +## Updating the runner's chart version or configuration will cause the runner container +## to be terminated and created again. This may cause your Gitlab instance to reference +## non-existant runners. Un-registering the runner before termination mitigates this issue. +## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-unregister +## +# unregisterRunners: true + +## When stopping the runner, give it time to wait for its jobs to terminate. +## +## Updating the runner's chart version or configuration will cause the runner container +## to be terminated with a graceful stop request. terminationGracePeriodSeconds +## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully. +## ref: https://docs.gitlab.com/runner/commands/#signals +terminationGracePeriodSeconds: 3600 + +## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use +## Provide resource name for a Kubernetes Secret Object in the same namespace, +## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory +## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates-targeting-the-gitlab-server +## +# certsSecretName: + +## Configure the maximum number of concurrent jobs +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +concurrent: 10 + +## Number of seconds until the forceful shutdown operation times out and exits the process. +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +shutdown_timeout: 0 + +## Defines in seconds how often to check GitLab for a new builds +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +checkInterval: 30 + +## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +# logLevel: + +## Configure GitLab Runner's logging format. Available values are: runner, text, json +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +# logFormat: + +## Configure GitLab Runner's Sentry DSN. +## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +# sentryDsn: + +## A custom bash script that will be executed prior to the invocation +## gitlab-runner process +# +#preEntrypointScript: | +# echo "hello" + +## Specify whether the runner should start the session server. +## Defaults to false +## ref: +## +## When sessionServer is enabled, the user can either provide a public publicIP +## or rely on the external IP auto discovery +## When a serviceAccountName is used with the automounting to the pod disable, +## we recommend the usage of the publicIP +sessionServer: + enabled: false + # annotations: {} + # timeout: 1800 + # internalPort: 8093 + # externalPort: 9000 + # publicIP: "" + # loadBalancerSourceRanges: + # - 1.2.3.4/32 + +## For RBAC support: +rbac: + create: false + + ## Define list of rules to be added to the rbac role permissions. + ## Each rule supports the keys: + ## - apiGroups: default "" (indicates the core API group) if missing or empty. + ## - resources: default "*" if missing or empty. + ## - verbs: default "*" if missing or empty. + ## + ## Read more about the recommended rules on the following link + ## + ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#configure-runner-api-permissions + ## + rules: [] + # - resources: ["configmaps", "events", "pods", "pods/attach", "pods/exec", "secrets", "services"] + # verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] + # - apiGroups: [""] + # resources: ["pods/exec"] + # verbs: ["create", "patch", "delete"] + # - apiGroups: [""] + # resources: ["pods/log"] + # verbs: ["get"] + + ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs + ## cluster-wide or only within namespace + clusterWideAccess: false + + ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) + ## + # serviceAccountName: default + + ## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn. + ## Values may refer other values as the _tpl_ function is implicitly applied. Mind the quotes when using this, e.g. + ## serviceAccountAnnotations: + ## eks.amazonaws.com/role-arn: "arn:aws:iam::{{ .Values.global.accountId }}:role/{{ .Values.global.iamRoleName }}" + ## + ## ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html + ## + # serviceAccountAnnotations: {} + + ## Use podSecurity Policy + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + podSecurityPolicy: + enabled: false + resourceNames: + - gitlab-runner + + ## Specify one or more imagePullSecrets used for pulling the runner image + ## + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + ## + # imagePullSecrets: [] + +## Configure integrated Prometheus metrics exporter +## +## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server +## +metrics: + enabled: false + + ## Define a name for the metrics port + ## + portName: metrics + + ## Provide a port number for the integrated Prometheus metrics exporter + ## + port: 9252 + + ## Configure a prometheus-operator serviceMonitor to allow autodetection of + ## the scraping target. Requires enabling the service resource below. + ## + serviceMonitor: + enabled: false + + ## Provide additional labels to the service monitor resource + ## + ## labels: {} + + ## Provide annotations to the service monitor ressource + ## + ## annotations: {} + + ## Define a scrape interval (otherwise prometheus default is used) + ## + ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config + ## + # interval: "" + + ## Specify the scrape protocol scheme e.g., https or http + ## + # scheme: "http" + + ## Supply a tls configuration for the service monitor + ## + ## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/charts/crds/crds/crd-servicemonitors.yaml + ## + # tlsConfig: {} + + ## The URI path where prometheus metrics can be scraped from + ## + # path: "/metrics" + + ## A list of MetricRelabelConfigs to apply to samples before ingestion + ## + ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs + ## + # metricRelabelings: [] + + ## A list of RelabelConfigs to apply to samples before scraping + ## + ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + ## + ## relabelings: [] + +## Configure a service resource e.g., to allow scraping metrics via +## prometheus-operator serviceMonitor +service: + enabled: false + + ## Provide additonal labels for the service + ## + # labels: {} + + ## Provide additonal annotations for the service + ## + # annotations: {} + + ## Define a specific ClusterIP if you do not want a dynamic one + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + # clusterIP: "" + + ## Define a list of one or more external IPs for this service + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + # externalIPs: [] + + ## Provide a specific loadbalancerIP e.g., of an external Loadbalancer + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + ## + # loadBalancerIP: "" + + ## Provide a list of source IP ranges to have access to this service + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support + ## + # loadBalancerSourceRanges: [] + + ## Specify the service type e.g., ClusterIP, NodePort, LoadBalancer or ExternalName + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + ## + type: ClusterIP + + ## Specify the services metrics nodeport if you use a service of type nodePort + ## + # metrics: + + ## Specify the node port under which the prometheus metrics of the runner are made + ## available. + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + ## + # nodePort: "" + + ## Provide a list of additional ports to be exposed by this service + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + ## + # additionalPorts: [] + +## Configuration for the Pods that the runner launches for each new job +## +runners: + # runner configuration, where the multi line strings is evaluated as + # template so you can specify helm values inside of it. + # + # tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function + # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html + config: | + [[runners]] + [runners.kubernetes] + namespace = "{{.Release.Namespace}}" + image = "alpine" + + ## Absolute path for an existing runner configuration file + ## Can be used alongside "volumes" and "volumeMounts" to use an external config file + ## Active if runners.config is empty or null + configPath: "" + + ## Which executor should be used + ## + # executor: kubernetes + + ## DEPRECATED: Specify whether the runner should be locked to a specific project: true, false. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html + ## + # locked: true + + ## DEPRECATED: Specify the tags associated with the runner. Comma-separated list of tags. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html + ## + # tags: "" + + ## Specify the name for the runner. + ## + # name: "" + + ## DEPRECATED:Specify the maximum timeout (in seconds) that will be set for job when using this Runner + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html + ## + # maximumTimeout: "" + + ## DEPRECATED: Specify if jobs without tags should be run. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html + ## + # runUntagged: true + + ## DEPRECATED: Specify whether the runner should only run protected branches. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html + ## + # protected: true + + ## The name of the secret containing runner-token and runner-registration-token + # secret: gitlab-runner + + ## Distributed runners caching + ## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching + ## + ## If you want to use s3 based distributing caching: + ## First of all you need to uncomment General settings and S3 settings sections. + ## + ## Create a secret 's3access' containing 'accesskey' & 'secretkey' + ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/ + ## + ## $ kubectl create secret generic s3access \ + ## --from-literal=accesskey="YourAccessKey" \ + ## --from-literal=secretkey="YourSecretKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + ## If you want to use gcs based distributing caching: + ## First of all you need to uncomment General settings and GCS settings sections. + ## + ## Access using credentials file: + ## Create a secret 'google-application-credentials' containing your application credentials file. + ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section + ## You could configure + ## $ kubectl create secret generic google-application-credentials \ + ## --from-file=gcs-application-credentials-file=./path-to-your-google-application-credentials-file.json + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + ## Access using access-id and private-key: + ## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'. + ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section + ## You could configure + ## $ kubectl create secret generic gcsaccess \ + ## --from-literal=gcs-access-id="YourAccessID" \ + ## --from-literal=gcs-private-key="YourPrivateKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + ## If you want to use Azure-based distributed caching: + ## First, uncomment General settings. + ## + ## Create a secret 'azureaccess' containing 'azure-account-name' & 'azure-account-key' + ## ref: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction + ## + ## $ kubectl create secret generic azureaccess \ + ## --from-literal=azure-account-name="YourAccountName" \ + ## --from-literal=azure-account-key="YourAccountKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + + cache: {} + ## S3 the name of the secret. + # secretName: s3access + ## Use this line for access using gcs-access-id and gcs-private-key + # secretName: gcsaccess + ## Use this line for access using google-application-credentials file + # secretName: google-application-credentials + ## Use this line for access using Azure with azure-account-name and azure-account-key + # secretName: azureaccess + +## Specify the name of the scheduler which used to schedule runner pods. +## Kubernetes supports multiple scheduler configurations. +## ref: https://kubernetes.io/docs/reference/scheduling +# schedulerName: "my-custom-scheduler" + +## Configure securitycontext for the main container +## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ +## +securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + privileged: false + capabilities: + drop: ["ALL"] + +## Configure securitycontext valid for the whole pod +## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ +## +podSecurityContext: + runAsUser: 100 + # runAsGroup: 65533 + fsGroup: 65533 + # supplementalGroups: [65533] + + ## Note: values for the ubuntu image: + # runAsUser: 999 + # fsGroup: 999 + +## Configure resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +## +resources: {} + # limits: + # memory: 256Mi + # cpu: 200m + # ephemeral-storage: 512Mi + # requests: + # memory: 128Mi + # cpu: 100m + # ephemeral-storage: 256Mi + +## Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} + # Example: The gitlab runner manager should not run on spot instances so you can assign + # them to the regular worker nodes only. + # node-role.kubernetes.io/worker: "true" + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + # Example: Regular worker nodes may have a taint, thus you need to tolerate the taint + # when you assign the gitlab runner manager with nodeSelector or affinity to the nodes. + # - key: "node-role.kubernetes.io/worker" + # operator: "Exists" + +## Configure environment variables that will be present when the registration command runs +## This provides further control over the registration process and the config.toml file +## ref: `gitlab-runner register --help` +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html +## +# envVars: +# - name: RUNNER_EXECUTOR +# value: kubernetes + +## list of hosts and IPs that will be injected into the pod's hosts file +hostAliases: [] + # Example: + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # - ip: "10.1.2.3" + # hostnames: + # - "foo.remote" + # - "bar.remote" + +## Annotations to be added to deployment +## +deploymentAnnotations: {} + # Example: + # downscaler/uptime: + +## Labels to be added to deployment +## +deploymentLabels: {} + # Example: + # owner.team: + +## Annotations to be added to manager pod +## +podAnnotations: {} + # Example: + # iam.amazonaws.com/role: + +## Labels to be added to manager pod +## +podLabels: {} + # Example: + # owner.team: + +## HPA support for custom metrics: +## This section enables runners to autoscale based on defined custom metrics. +## In order to use this functionality, Need to enable a custom metrics API server by +## implementing "custom.metrics.k8s.io" using supported third party adapter +## Example: https://github.com/directxman12/k8s-prometheus-adapter +## +#hpa: {} + # minReplicas: 1 + # maxReplicas: 10 + # metrics: + # - type: Pods + # pods: + # metricName: gitlab_runner_jobs + # targetAverageValue: 400m + +## Configure priorityClassName for manager pod. See k8s docs for more info on how pod priority works: +## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +priorityClassName: "" + +## Secrets to be additionally mounted to the containers. +## All secrets are mounted through init-runner-secrets volume +## and placed as readonly at /init-secrets in the init container +## and finally copied to an in-memory volume runner-secrets that is +## mounted at /secrets. +secrets: [] + # Example: + # - name: my-secret + # - name: myOtherSecret + # items: + # - key: key_one + # path: path_one + +## Boolean to turn off the automountServiceAccountToken in the deployment +## ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume +## +# automountServiceAccountToken: false + +## Additional config files to mount in the containers in `/configmaps`. +## +## Please note that a number of keys are reserved by the runner. +## See https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml +## for a current list. +configMaps: {} + +## Additional volumeMounts to add to the runner container +## +volumeMounts: [] + # Example: + # - name: my-volume + # mountPath: /mount/path + +## Additional volumes to add to the runner deployment +## +volumes: [] + # Example: + # - name: my-volume + # persistentVolumeClaim: + # claimName: my-pvc diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/Chart.yaml new file mode 100644 index 0000000..92053c6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 0.1.1 +description: A Helm chart for deploying Zoekt as a search engine for GitLab +name: gitlab-zoekt +type: application +version: 0.8.1 diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/LICENSE b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/LICENSE new file mode 100644 index 0000000..eacbe84 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2018-2019 GitLab B.V. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/README.md b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/README.md new file mode 100644 index 0000000..bb86b89 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/README.md @@ -0,0 +1,47 @@ +# GitLab Zoekt Helm Chart + +For deploying Zoekt as a code search engine to support [GitLab exact code search](https://docs.gitlab.com/ee/user/search/exact_code_search.html). + +## Install the chart + +``` +helm install gitlab-zoekt . +``` + +## Enable Lefthook + +```shell +lefthook install +``` + +## Decision Making + +Changes to this repository are first reviewed using the [merge request workflow](https://about.gitlab.com/handbook/engineering/development/enablement/systems/distribution/merge_requests.html) then merged by project maintainers. + +### Maintainers + +Project maintainers can be found on the [GitLab projects page](https://about.gitlab.com/handbook/engineering/projects/#gitlab-zoekt), or located using the [review workload dashboard](https://gitlab-org.gitlab.io/gitlab-roulette/?currentProject=gitlab-zoekt&mode=hide). + +Maintainers are responsible for merging changes within their domain, and having an understanding of the whole project and how changes may impact areas outside their expertise. + +Reviewers can assign to any maintainer and the maintainer will engage the appropriate domain expert if it does not fall within their own. + +In order to continue to expand their expertise maintainers are empowered to merge changes outside their domain but that they are **highly confident** in unless: + +- The change cannot be reverted later +- The change has an established process that needs to be followed (JiHu review, security, legal/license changes) +- The change clearly requires an architectural decision + +When urgent changes are required, maintainers should have a bias-for action, and can make decisions as long as the decisions are later reversible and compliant with known project process requirements. + +#### Dependency Maintainers + +A dependency maintainer has the same responsibilities as a regular maintainer, but the ability to merge is tightly scoped to changes related to dependency versioning only for a specific domain. If any change aside from a dependency versioning is present in the merge request, a regular maintainer is required to perform the maintainer review. + +All changes need to result in a working chart, and the impact of the change in dependency versions needs to be fully understood by the dependency maintainer. Individuals that are already chart reviewers are good candidates to become dependency maintainers. + +| Username | +| -- | +| @dgruzd | +| @terrichu | +| @johnmason | diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/NOTES.txt new file mode 100644 index 0000000..aefb3ee --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/NOTES.txt @@ -0,0 +1,33 @@ +1. Index a repo: + With new indexer: + $ kubectl exec gitlab-zoekt-0 -- curl -s -XPOST -d '{"GitalyConnectionInfo":{"Address":"tcp://gitaly.host:2305","Storage":"default","Path":"@hashed/a/b/c.git"},"RepoId":7,"FileSizeLimit":2097152,"Timeout":"10m"}' 'http://127.0.0.1:{{ .Values.gateway.listen.port }}/indexer/index' + + With legacy indexer: + $ kubectl exec gitlab-zoekt-0 -- curl -s -XPOST -d '{"CloneUrl":"https://gitlab.com/gitlab-org/gitlab-development-kit.git","RepoId":74823}' 'http://127.0.0.1:{{ .Values.gateway.listen.port }}/index' + +2. Search: + $ kubectl exec gitlab-zoekt-0 -- curl -s -XPOST -d '{"Q":"gitaly"}' 'http://127.0.0.1:{{ .Values.gateway.listen.port }}/api/search' + +3. Search with gateway service URL: + + $ kubectl exec -- curl -s -XPOST -d '{"Q":"gitaly"}' 'http://gitlab-zoekt-gateway.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.gateway.listen.port }}/api/search' + +4. Index with gateway service URL: + + $ kubectl exec -- curl -s -XPOST -d '{"GitalyConnectionInfo":{"Address":"tcp://gitaly.host:2305","Storage":"default","Path":"@hashed/a/b/c.git"},"RepoId":7,"FileSizeLimit":2097152,"Timeout":"10m"}' 'http://gitlab-zoekt-gateway.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.gateway.listen.port }}/indexer/index' + + Please note that you need a Gitaly instance to actually index a repository. The example above can be used to verify that you can the indexer even though it errors out with 'cannot find a default branch'. + +5. You can also reach a specific replica through service URL: + + $ kubectl exec -- curl -s -XPOST -d '{"Q":"gitaly"}' 'http://gitlab-zoekt-gateway.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.gateway.listen.port }}/nodes/gitlab-zoekt-0.gitlab-zoekt.{{ .Release.Namespace }}.svc.cluster.local/api/search' + +{{- if .Values.ingress.enabled }} +6. Get the IP of the ingress by running these commands: + $ kubectl get ingress gitlab-zoekt + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. +7. Then do a search via the Ingress + + $ curl -H 'Host: gitlab-zoekt.local' -XPOST -d '{"Q":"gitaly"}' 'http://:{{ .Values.gateway.listen.port }}/api/search' +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/_helpers.tpl new file mode 100644 index 0000000..050807b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/_helpers.tpl @@ -0,0 +1,179 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "gitlab-zoekt.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gitlab-zoekt.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gitlab-zoekt.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Cluster domain +*/}} +{{- define "gitlab-zoekt.clusterDomain" -}} +{{- $dnsResolver := .Values.gateway.dnsResolver }} +{{- $dnsArr := splitList "." $dnsResolver }} +{{- $arrLen := len $dnsArr }} +{{- join "." (slice $dnsArr (sub $arrLen 2) $arrLen) }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "gitlab-zoekt.labels" -}} +helm.sh/chart: {{ include "gitlab-zoekt.chart" . }} +{{ include "gitlab-zoekt.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gitlab-zoekt.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gitlab-zoekt.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Gateway selector labels +*/}} +{{- define "gitlab-zoekt.gatewaySelectorLabels" -}} +app.kubernetes.io/name: {{ printf "%s-gateway" (include "gitlab-zoekt.name" .) }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Main svc name +*/}} +{{- define "gitlab-zoekt.gatewaySvc" -}} +{{- printf "%s-gateway" (include "gitlab-zoekt.fullname" .) }} +{{- end }} + +{{/* +Main svc fqdn +*/}} +{{- define "gitlab-zoekt.gatewaySvcFqdn" -}} +{{- include "gitlab-zoekt.gatewaySvc" . }}.{{ .Release.Namespace }}.svc.{{ include "gitlab-zoekt.clusterDomain" . }} +{{- end }} + +{{/* +Main svc URL +*/}} +{{- define "gitlab-zoekt.gatewaySvcUrl" -}} +http{{ .Values.gateway.tls.certificate.enabled | ternary "s" "" }}://{{ include "gitlab-zoekt.gatewaySvcFqdn" . }}:{{ .Values.gateway.listen.port }} +{{- end }} + +{{/* +Backend svc name +Should be set to gitlab-zoekt.fullname. Otherwise, stateful set's DNS stops working correctly +*/}} +{{- define "gitlab-zoekt.backendSvc" -}} +{{- include "gitlab-zoekt.fullname" . }} +{{- end }} + +{{/* +Backend svc fqdn +*/}} +{{- define "gitlab-zoekt.backendSvcFqdn" -}} +{{- include "gitlab-zoekt.backendSvc" . }}.{{ .Release.Namespace }}.svc.{{ include "gitlab-zoekt.clusterDomain" . }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "gitlab-zoekt.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "gitlab-zoekt.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Placeholder label definitions. +These are overridden when this chart is used as a sub-chart of gitlab/gitlab +*/}} +{{- define "gitlab.standardLabels" -}} +{{- end -}} +{{- define "gitlab.commonLabels" -}} +{{- end -}} +{{- define "gitlab.serviceLabels" -}} +{{- end -}} + +{{/* +Create the name of the map to use for external deployment gateway +*/}} +{{- define "gitlab-zoekt.configExternalGatewayMapName" -}} +{{- printf "%s-gateway-nginx-conf" (include "gitlab-zoekt.fullname" .) }} +{{- end }} + +{{/* +Create the name of the map to use for zoekt gateway +*/}} +{{- define "gitlab-zoekt.configZoektGatewayMapName" -}} +{{- printf "%s-nginx-conf" (include "gitlab-zoekt.fullname" .) }} +{{- end }} + +{{- define "gitlab-zoekt.basicAuth.secretName" -}} +{{- if .Values.gateway.basicAuth.secretName }} +{{- printf "%s" (tpl .Values.gateway.basicAuth.secretName $) -}} +{{- else -}} +{{- printf "%s-basicauth" .Release.Name -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab-zoekt.internalApi.secretName" -}} +{{- if .Values.indexer.internalApi.secretName }} +{{- printf "%s" (tpl .Values.indexer.internalApi.secretName $) -}} +{{- else -}} +{{- printf "%s-internal-api-secret-name" .Release.Name -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab-zoekt.internalApi.secretKey" -}} +{{- if .Values.indexer.internalApi.secretKey }} +{{- printf "%s" (tpl .Values.indexer.internalApi.secretKey $) -}} +{{- else -}} +{{- printf "%s-internal-api-secret-key" .Release.Name -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab-zoekt.internalApi.gitlabUrl" -}} +{{- if .Values.indexer.internalApi.gitlabUrl }} +{{- printf "%s" (tpl .Values.indexer.internalApi.gitlabUrl $) -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab-zoekt.internalApi.serviceUrl" -}} +{{- if .Values.indexer.internalApi.serviceUrl }} +{{- printf "%s" (tpl .Values.indexer.internalApi.serviceUrl $) -}} +{{- else }} +{{- include "gitlab-zoekt.gatewaySvcUrl" .}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/certificate.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/certificate.yaml new file mode 100644 index 0000000..a325476 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/certificate.yaml @@ -0,0 +1,29 @@ +{{- if .Values.gateway.tls.certificate.create -}} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.gateway.tls.certificate.name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.gateway.tls.certificate.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.gateway.tls.certificate.dnsNames }} + dnsNames: + {{- toYaml . | nindent 4 }} + {{- end }} + secretName: {{ .Values.gateway.tls.certificate.secretName }} + {{- with .Values.gateway.tls.certificate.privateKey }} + privateKey: + {{- toYaml . | nindent 4 }} + {{- end }} + issuerRef: + name: {{ .Values.gateway.tls.certificate.issuer.name }} + kind: {{ .Values.gateway.tls.certificate.issuer.kind }} + group: {{ .Values.gateway.tls.certificate.issuer.group }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/deployment-nginx-configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/deployment-nginx-configmap.yaml new file mode 100644 index 0000000..a4e5922 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/deployment-nginx-configmap.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitlab-zoekt.configExternalGatewayMapName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + nginx.conf: | + user nginx; + + events { + use epoll; + } + + http { + server { + {{- if .Values.gateway.tls.certificate.enabled }} + listen {{ .Values.gateway.listen.port }} ssl; + ssl_certificate /etc/ssl/tls.crt; + ssl_certificate_key /etc/ssl/tls.key; + ssl_protocols TLSv1.2 TLSv1.3; + {{- else }} + listen {{ .Values.gateway.listen.port }}; + {{- end }} + server_tokens off; + + proxy_http_version 1.1; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + resolver {{ .Values.gateway.dnsResolver }}; + + set $backend_gateway {{ include "gitlab-zoekt.backendSvcFqdn" . }}:{{ .Values.gateway.listen.port }}; + + location = /health { + return 200; + } + + location / { + {{- with .Values.gateway }} + proxy_pass http{{ .tls.certificate.enabled | ternary "s" "" }}://$backend_gateway; + {{- end }} + } + + location ~ ^/nodes/([^/]+)/(.*) { + {{- with .Values.gateway }} + set $target_host http{{ .tls.certificate.enabled | ternary "s" "" }}://$1:{{ .listen.port }}/$2; + {{- end }} + + proxy_pass $target_host; + } + } + } diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/deployment.yaml new file mode 100644 index 0000000..6ae6536 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/deployment.yaml @@ -0,0 +1,80 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ printf "%s-gateway" (include "gitlab-zoekt.fullname" .) }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + replicas: {{ .Values.gateway.replicas }} + selector: + matchLabels: + {{- include "gitlab-zoekt.gatewaySelectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/deployment-nginx-configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gitlab-zoekt.gatewaySelectorLabels" . | nindent 8 }} + spec: + containers: + - name: zoekt-gateway + securityContext: + {{- toYaml .Values.gateway.securityContext | nindent 12 }} + image: {{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }} + imagePullPolicy: {{ coalesce .Values.gateway.image.pullPolicy .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.gateway.listen.port }} + name: gateway + livenessProbe: + httpGet: + path: /health + port: {{ .Values.gateway.listen.port }} + {{- if .Values.gateway.tls.certificate.enabled }} + scheme: HTTPS + {{- end }} + readinessProbe: + httpGet: + path: /health + port: {{ .Values.gateway.listen.port }} + {{- if .Values.gateway.tls.certificate.enabled }} + scheme: HTTPS + {{- end }} + resources: + {{- toYaml (merge .Values.gateway.resources .Values.resources) | nindent 12 }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + readOnly: true + {{- if .Values.gateway.tls.certificate.enabled }} + - name: gateway-cert + mountPath: /etc/ssl/tls.crt + subPath: tls.crt + readOnly: true + - name: gateway-cert + mountPath: /etc/ssl/tls.key + subPath: tls.key + readOnly: true + {{- end }} + volumes: + - name: nginx-conf + configMap: + name: {{ include "gitlab-zoekt.configExternalGatewayMapName" . }} + items: + - key: nginx.conf + path: nginx.conf + {{- if .Values.gateway.tls.certificate.enabled }} + - name: gateway-cert + secret: + secretName: {{ .Values.gateway.tls.certificate.secretName }} + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/ingress.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/ingress.yaml new file mode 100644 index 0000000..742602c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/ingress.yaml @@ -0,0 +1,41 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "gitlab-zoekt.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + - host: {{ .Values.ingress.host | quote }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ .Values.gateway.listen.port }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/networkpolicy.yaml new file mode 100644 index 0000000..33c1a6e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/networkpolicy.yaml @@ -0,0 +1,31 @@ +{{- if .Values.networkpolicy.enabled -}} +{{- $fullName := include "gitlab-zoekt.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab-zoekt.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/nginx-configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/nginx-configmap.yaml new file mode 100644 index 0000000..09f8625 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/nginx-configmap.yaml @@ -0,0 +1,80 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitlab-zoekt.configZoektGatewayMapName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + nginx.conf: | + user nginx; + + events { + use epoll; + } + + http { + upstream dynamic_index_server { + server 127.0.0.1:{{ .Values.dynamicIndexserver.listen.port }}; + } + + upstream indexer { + server 127.0.0.1:{{ .Values.indexer.listen.port }}; + } + + upstream webserver { + server 127.0.0.1:{{ .Values.webserver.listen.port }}; + } + + server { + {{- if .Values.gateway.tls.certificate.enabled }} + listen {{ .Values.gateway.listen.port }} ssl; + ssl_certificate /etc/ssl/tls.crt; + ssl_certificate_key /etc/ssl/tls.key; + ssl_protocols TLSv1.2 TLSv1.3; + {{- else }} + listen {{ .Values.gateway.listen.port }}; + {{- end }} + {{- if .Values.gateway.basicAuth.enabled }} + auth_basic "Zoekt Basic Authentication required"; + auth_basic_user_file /etc/nginx/basicauth/.htpasswd; + {{- end }} + server_tokens off; + + location = /health { + auth_basic off; + return 200; + } + + location = / { + auth_basic off; + proxy_pass http://webserver/; + } + + location = /metrics { + auth_basic off; + proxy_pass http://webserver/metrics; + } + + location /index { + proxy_pass http://dynamic_index_server; + proxy_read_timeout 30m; + } + + location = /indexer/metrics { + auth_basic off; + proxy_pass http://indexer; + } + + location /indexer { + proxy_pass http://indexer; + proxy_read_timeout 30m; + } + + location / { + proxy_pass http://webserver; + } + } + } diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/serviceaccount.yaml new file mode 100644 index 0000000..55ba242 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gitlab-zoekt.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/stateful_sets.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/stateful_sets.yaml new file mode 100644 index 0000000..9105c77 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/stateful_sets.yaml @@ -0,0 +1,249 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "gitlab-zoekt.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.statefulSetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "gitlab-zoekt.selectorLabels" . | nindent 6 }} + serviceName: {{ include "gitlab-zoekt.fullname" . }} + replicas: {{ .Values.replicas }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gitlab-zoekt.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gitlab-zoekt.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + terminationGracePeriodSeconds: 60 + {{- if .Values.gateway.basicAuth.enabled }} + initContainers: + - name: create-htpasswd + image: {{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }} + command: ['sh', '-c', 'printf "$(cat /etc/nginx/basicauth-credentials/gitlab_username):$(openssl passwd -6 $(cat /etc/nginx/basicauth-credentials/gitlab_password))\n" > /etc/nginx/basicauth/.htpasswd'] + volumeMounts: + - name: basicauth + mountPath: /etc/nginx/basicauth + - name: basicauth-credentials + mountPath: /etc/nginx/basicauth-credentials + {{- end }} + containers: + - name: zoekt-dynamic-indexserver + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ .Values.dynamicIndexserver.image.repository }}:{{ .Values.dynamicIndexserver.image.tag | default "latest" }} + imagePullPolicy: {{ coalesce .Values.dynamicIndexserver.image.pullPolicy .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.dynamicIndexserver.listen.port }} + name: indexserver + livenessProbe: + httpGet: + path: / + port: {{ .Values.dynamicIndexserver.listen.port }} + readinessProbe: + httpGet: + path: / + port: {{ .Values.dynamicIndexserver.listen.port }} + resources: + {{- toYaml (merge .Values.dynamicIndexserver.resources .Values.resources) | nindent 12 }} + volumeMounts: + - name: zoekt-data + mountPath: /data/repos + - name: zoekt-index + mountPath: /data/index + - name: zoekt-indexer + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ .Values.indexer.image.repository }}:{{ .Values.indexer.image.tag | default "latest" }} + imagePullPolicy: {{ coalesce .Values.indexer.image.pullPolicy .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.indexer.listen.port }} + name: indexer + livenessProbe: + httpGet: + path: /indexer/health + port: {{ .Values.indexer.listen.port }} + readinessProbe: + httpGet: + path: /indexer/health + port: {{ .Values.indexer.listen.port }} + resources: + {{- toYaml (merge .Values.indexer.resources .Values.resources) | nindent 12 }} + volumeMounts: + - name: zoekt-index + mountPath: /data/index + {{- if .Values.indexer.internalApi.enabled }} + - name: internal-api-secret + readOnly: true + mountPath: /.gitlab_shell_secret + subPath: .gitlab_shell_secret + {{- end }} + env: + {{- if .Values.indexer.googleCloudProfiler.enabled }} + - name: GOOGLE_CLOUD_PROFILER_ENABLED + value: "true" + {{- end }} + {{- if .Values.indexer.goGc.enabled }} + - name: GOGC + value: {{ .Values.indexer.goGc.value | quote }} + {{- end }} + {{- if .Values.indexer.internalApi.enabled }} + - name: GITLAB_URL + value: {{ template "gitlab-zoekt.internalApi.gitlabUrl" . }} + - name: SERVICE_URL + value: {{ template "gitlab-zoekt.internalApi.serviceUrl" . }} + {{- end }} + - name: zoekt-webserver + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ .Values.webserver.image.repository }}:{{ .Values.webserver.image.tag | default "latest" }} + imagePullPolicy: {{ coalesce .Values.webserver.image.pullPolicy .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.webserver.listen.port }} + name: webserver + livenessProbe: + httpGet: + path: / + port: {{ .Values.webserver.listen.port }} + readinessProbe: + httpGet: + path: / + port: {{ .Values.webserver.listen.port }} + resources: + {{- toYaml (merge .Values.webserver.resources .Values.resources) | nindent 12 }} + volumeMounts: + - name: zoekt-index + mountPath: /data/index + env: + {{- if .Values.webserver.googleCloudProfiler.enabled }} + - name: GOOGLE_CLOUD_PROFILER_ENABLED + value: "true" + {{- end }} + {{- if .Values.webserver.goGc.enabled }} + - name: GOGC + value: {{ .Values.webserver.goGc.value | quote }} + {{- end }} + - name: zoekt-gateway + securityContext: + {{- toYaml .Values.gateway.securityContext | nindent 12 }} + image: {{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }} + imagePullPolicy: {{ coalesce .Values.gateway.image.pullPolicy .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.gateway.listen.port }} + name: gateway + livenessProbe: + httpGet: + path: /health + port: {{ .Values.gateway.listen.port }} + {{- if .Values.gateway.tls.certificate.enabled }} + scheme: HTTPS + {{- end }} + readinessProbe: + httpGet: + path: /health + port: {{ .Values.gateway.listen.port }} + {{- if .Values.gateway.tls.certificate.enabled }} + scheme: HTTPS + {{- end }} + resources: + {{- toYaml (merge .Values.gateway.resources .Values.resources) | nindent 12 }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + readOnly: true + {{- if .Values.gateway.tls.certificate.enabled }} + - name: gateway-cert + mountPath: /etc/ssl/tls.crt + subPath: tls.crt + readOnly: true + - name: gateway-cert + mountPath: /etc/ssl/tls.key + subPath: tls.key + readOnly: true + {{- end }} + {{- if .Values.gateway.basicAuth.enabled }} + - name: basicauth + mountPath: /etc/nginx/basicauth + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: nginx-conf + configMap: + name: {{ include "gitlab-zoekt.configZoektGatewayMapName" . }} + items: + - key: nginx.conf + path: nginx.conf + {{- if .Values.gateway.tls.certificate.enabled }} + - name: gateway-cert + secret: + secretName: {{ .Values.gateway.tls.certificate.secretName }} + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end }} + {{- if .Values.gateway.basicAuth.enabled }} + - name: basicauth + emptyDir: + sizeLimit: 1Mi + - name: basicauth-credentials + secret: + secretName: {{ include "gitlab-zoekt.basicAuth.secretName" . }} + {{- end }} + {{- if .Values.indexer.internalApi.enabled }} + - name: internal-api-secret + secret: + secretName: {{ template "gitlab-zoekt.internalApi.secretName" . }} + items: + - key: {{ template "gitlab-zoekt.internalApi.secretKey" . }} + path: ".gitlab_shell_secret" + {{- end }} + volumeClaimTemplates: + - metadata: + name: zoekt-data + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: {{ .Values.bareRepoStorageClassName }} + resources: + requests: + storage: {{ .Values.bareRepoStorage }} + - metadata: + name: zoekt-index + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: {{ .Values.indexStorageClassName }} + resources: + requests: + storage: {{ .Values.indexStorage }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/svc-backend.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/svc-backend.yaml new file mode 100644 index 0000000..56e6d5d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/svc-backend.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab-zoekt.backendSvc" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - port: {{ .Values.gateway.listen.port}} + name: gateway + selector: + {{- include "gitlab-zoekt.selectorLabels" . | nindent 4 }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/svc-gateway.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/svc-gateway.yaml new file mode 100644 index 0000000..ba92d1f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/templates/svc-gateway.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab-zoekt.gatewaySvc" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab-zoekt.labels" . | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} +{{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }} + clusterIP: {{ .Values.service.clusterIP }} +{{- end }} +{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} + ports: + - port: {{ .Values.gateway.listen.port }} + name: gateway + selector: + {{- include "gitlab-zoekt.gatewaySelectorLabels" . | nindent 4 }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab-zoekt/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/values.yaml new file mode 100644 index 0000000..c25778b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab-zoekt/values.yaml @@ -0,0 +1,161 @@ +# -- The size of storage mounted to the gitlab-zoekt-indexer that will be used to store bare repos.
+# The bare repos are stored as an intermediate step in calculating the +# resulting index and treated like a cache as they will be refetched if +# missing. +# @raw +bareRepoStorage: 5Gi +bareRepoStorageClassName: "" + +# -- The size of storage mounted to the gitlab-zoekt-indexer and zoekt-webserver that will be used to store index files.
+# The index files are those with the `.zoekt` extension and used to serve +# search results. +# @raw +indexStorage: 2Gi +indexStorageClassName: "" + +replicas: 1 +image: + pullPolicy: IfNotPresent +dynamicIndexserver: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-zoekt-dynamic-indexserver + tag: v0.0.1-5f25b + # pullPolicy: + listen: + port: 6060 + resources: {} +indexer: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-zoekt-indexer + tag: v0.1.1-10574 + listen: + port: 6065 + resources: {} + googleCloudProfiler: + enabled: false + internalApi: + enabled: false + secretName: '' + secretKey: '' + gitlabUrl: '' # Internal URL to connect to GitLab + serviceUrl: '' # URL to reach Zoekt service + goGc: + enabled: false + value: 100 +webserver: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-zoekt-webserver + tag: v0.0.2-fcb27 + # pullPolicy: + listen: + port: 6070 + resources: {} + googleCloudProfiler: + enabled: false + goGc: + enabled: false + value: 100 +gateway: + image: + repository: nginx + tag: latest + listen: + port: 8080 + replicas: 1 + resources: {} + securityContext: {} + basicAuth: + enabled: false + secretName: '' # Defaults to {{ .Release.Name }}-basicauth and it must be created outside this chart + dnsResolver: 'kube-dns.kube-system.svc.cluster.local' + tls: + certificate: + enabled: false # Whether to use TLS for the gateway + name: zoekt-gateway-cert + create: false # Whether to create a Certificate with certmanager + dnsNames: [] # You must provide at least one entry if create is true + secretName: zoekt-gateway-cert + issuer: # A valid certmanager issuer + name: "" + kind: Issuer + group: cert-manager.io + annotations: {} + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +statefulSetAnnotations: {} + +podSecurityContext: + fsGroup: 1000 + +securityContext: + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + +service: + type: ClusterIP + clusterIP: None + annotations: {} + # cloud.google.com/load-balancer-type: Internal + # networking.gke.io/internal-load-balancer-allow-global-access: "true" + # loadBalancerIP: 123.123.123.123 + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # kubernetes.io/ingress.regional-static-ip-name: "gitlab-zoekt" + # kubernetes.io/ingress.class: "gce-internal" + host: gitlab-zoekt.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/Chart.yaml new file mode 100644 index 0000000..61eb160 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +appVersion: master +description: Web-based Git-repository manager with wiki and issue-tracking features. +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab +sources: +- https://gitlab.com/gitlab-org/charts/gitlab +version: 0.1.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/Chart.yaml new file mode 100644 index 0000000..969e02b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: GitLab Geo logcursor +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: geo-logcursor +sources: +- https://gitlab.com/charts/gitlab/tree/master/charts/gitlab/charts/geo-logcursor +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-rails +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/_helpers.tpl new file mode 100644 index 0000000..609ac3e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/_helpers.tpl @@ -0,0 +1,25 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "geo-logcursor.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "geo-logcursor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Shorthand check for is this chart is enabled +*/}} +{{- define "geo-logcursor.enabled" -}} +{{- if eq true .Values.enabled -}} +{{- if include "gitlab.geo.secondary" $ -}} +true +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/configmap.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/configmap.yml new file mode 100644 index 0000000..366c38b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/configmap.yml @@ -0,0 +1,104 @@ +{{- if include "geo-logcursor.enabled" $ -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + installation_type: | + gitlab-helm-chart + database.yml.erb: | + {{- include "gitlab.database.yml" . | nindent 4 }} + smtp_settings.rb: | + {{- include "gitlab.smtp_settings" . | nindent 4 }} + {{- include "gitlab.rails.redis.all" . | nindent 2 }} + gitlab.yml.erb: | + production: &base + gitlab: + host: {{ template "gitlab.gitlab.hostname" . }} + https: {{ hasPrefix "https://" (include "gitlab.gitlab.url" .) }} + {{- with .Values.global.hosts.ssh }} + ssh_host: {{ . | quote }} + {{- end }} + {{- with .Values.global.appConfig }} + {{- if .cdnHost }} + cdn_host: {{ .cdnHost | quote }} + {{- end }} + max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} + impersonation_enabled: {{ .enableImpersonation }} + application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} + usage_ping_enabled: {{ eq .enableUsagePing true }} + seat_link_enabled: {{ eq .enableSeatLink true }} + username_changing_enabled: {{ eq .usernameChangingEnabled true }} + issue_closing_pattern: {{ .issueClosingPattern | quote }} + default_theme: {{ .defaultTheme }} + {{- include "gitlab.appConfig.defaultProjectsFeatures.configuration" $ | nindent 8 }} + {{- if hasKey .initialDefaults "signupEnabled" }} + signup_enabled: {{ .initialDefaults.signupEnabled }} + {{- end }} + graphql_timeout: {{ .graphQlTimeout }} + webhook_timeout: {{ .webhookTimeout }} + {{- end }} + trusted_proxies: + {{- if .Values.trusted_proxies }} + {{- toYaml .Values.trusted_proxies | nindent 10 }} + {{- end }} + time_zone: {{ .Values.global.time_zone | quote }} + email_from: {{ template "gitlab.email.from" . }} + email_display_name: {{ .Values.global.email.display_name | quote }} + email_reply_to: {{ template "gitlab.email.reply_to" . }} + email_subject_suffix: {{ .Values.global.email.subject_suffix | quote }} + {{- with .Values.global.appConfig }} + {{- if .microsoft_graph_mailer.enabled }} + {{- include "gitlab.appConfig.microsoft_graph_mailer" . | nindent 6 }} + {{- end }} + {{- if .incomingEmail.enabled }} + {{- include "gitlab.appConfig.incoming_email" . | nindent 6 }} + {{- end }} + {{- if .serviceDeskEmail.enabled }} + {{- include "gitlab.appConfig.service_desk_email" . | nindent 6 }} + {{- end }} + {{- include "gitlab.appConfig.cronJobs" . | nindent 6 }} + gravatar: + plain_url: {{ .gravatar.plainUrl }} + ssl_url: {{ .gravatar.sslUrl }} + {{- include "gitlab.appConfig.extra" . | nindent 6 }} + {{- end }} + ## Object storage not needed by geo-logcursor + artifacts: + lfs: + uploads: + packages: + external_diffs: + {{- include "gitlab.geo.config" $ | nindent 6 }} + pages: + enabled: false + mattermost: + enabled: false + gitlab_ci: + kerberos: + enabled: false + shared: + ## Gitaly configuratin is _stubbed_, not used by geo-logcursor + gitaly: + client_path: /home/git/gitaly/bin + token: + repositories: + storages: # You must have at least a `default` storage path. + {"default":{"path":"/srv/gitlab/git-data/repositories","gitaly_address":"unix:/srv/gitlab/gitaly/gitaly.socket"}} + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + monitoring: + ip_whitelist: + - 0.0.0.0/0 + sidekiq_exporter: + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "rails-secrets" "optional" "postgres redis") | nindent 4 }} + {{- include "gitlab.psql.ssl.initScript" . | nindent 4 }} + {{- include "gitlab.geo.psql.ssl.initScript" . | nindent 4 }} + +# Leave this here - This line denotes end of block to the parser. +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml new file mode 100644 index 0000000..d7007d8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml @@ -0,0 +1,205 @@ +{{- if include "geo-logcursor.enabled" $ }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh'] + args: [ '-c', 'sh -x /config-logcursor/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.psql.ssl.volumeMount" . | nindent 10 }} + {{- include "gitlab.geo.psql.ssl.volumeMount" . | nindent 10 }} + - name: logcursor-config + mountPath: /config-logcursor + readOnly: true + - name: init-logcursor-secrets + mountPath: /init-config + readOnly: true + - name: logcursor-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + - name: dependencies + image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + args: + - /scripts/wait-for-deps + env: + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + - name: DB_SCHEMA_TARGET + value: 'geo' + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + - name: logcursor-config + mountPath: '/var/opt/gitlab/templates' + - name: logcursor-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: logcursor-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + readOnly: true + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + - name: logcursor-config + mountPath: '/var/opt/gitlab/templates' + - name: logcursor-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: logcursor-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + - name: logcursor-config + mountPath: '/srv/gitlab/INSTALLATION_TYPE' + subPath: installation_type + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + livenessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: {{ .Values.deployment.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }} + readinessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }} + lifecycle: + preStop: + exec: + command: ["/bin/bash", "-c", "pkill -SIGQUIT -f 'geo_log_cursor'"] + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + {{- include "gitlab.psql.ssl.volume" . | nindent 6 }} + {{- include "gitlab.geo.psql.ssl.volume" . | nindent 6 }} + - name: logcursor-config + configMap: + name: {{ template "fullname" . }} + - name: init-logcursor-secrets + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ template "gitlab.rails-secrets.secret" . }} + items: + - key: secrets.yml + path: rails-secrets/secrets.yml + {{- include "gitlab.redis.secrets" (dict "globalContext" $) | nindent 10 }} + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 10 }} + {{- end }} + - secret: + name: {{ template "gitlab.geo.psql.password.secret" . }} + items: + - key: {{ template "gitlab.geo.psql.password.key" . }} + path: postgres/geo-psql-password + - name: logcursor-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/serviceaccount.yaml new file mode 100644 index 0000000..69ddca0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/values.yaml new file mode 100644 index 0000000..7c058d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/geo-logcursor/values.yaml @@ -0,0 +1,117 @@ +# Default values for geo-logcursor. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: {} + # pullPolicy: IfNotPresent + # pullSecrets: [] + # repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-geo-logcursor + # tag: master +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} +enabled: true +replicaCount: 1 +global: + geo: + role: primary + nodeName: + psql: + # host: '0.0.0.0' + # port: '5432' + # database: 'gitlabhq_geo_production' + # username: 'gitlab_replicator' + password: {} + # secret: gitlab-geo-postgres + # key: postgresql-password + # ssl: + # secret: gitlab-ssl-secret + # clientKey: client-key.pem + # clientCertificate: client-cert.pem + # serverCA: server-ca.pem + redis: + auth: {} + hosts: + domain: example.com + hostSuffix: + https: true + gitlab: {} + #name: gitlab.example.com + #https: false + registry: {} + #name: registry.example.com + #https: false + minio: {} + #name: minio.example.com + #https: false + +redis: + auth: {} +psql: {} +gitaly: + # host: '0.0.0.0' + # port: 8075 + # serviceName: 'gitaly' + authToken: {} + # secret: gitaly-secret + # key: token +minio: + serviceName: 'minio-svc' + port: 9000 +resources: + # limits: + # cpu: 1 + # memory: 1.5G + requests: + cpu: 300m + memory: 700M + +deployment: + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + strategy: {} + +nodeSelector: {} +tolerations: [] +affinity: + podAntiAffinity: + topologyKey: + +podLabels: {} +common: + labels: {} + +# Priority class assigned to pods +priorityClassName: "" + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/Chart.yaml new file mode 100644 index 0000000..4961488 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: 16.6.0 +description: Git RPC service for handling all the git calls made by GitLab +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- gitaly +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitaly +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitaly +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitaly +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml new file mode 100644 index 0000000..12abaac --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml @@ -0,0 +1,167 @@ +data: + configure: | + set -e + mkdir -p /init-secrets/gitaly /init-secrets/shell + cp -v -r -L /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret + cp -v -r -L /init-config/gitaly_token /init-secrets/gitaly/gitaly_token + {{- if $.Values.global.gitaly.tls.enabled }} + cp -v -L /init-config/gitaly.crt /init-secrets/gitaly/gitaly.crt + cp -v -L /init-config/gitaly.key /init-secrets/gitaly/gitaly.key + {{- end }} + {{- if .Values.gpgSigning.enabled }} + cp -v -L /init-config/signing_key.gpg /init-secrets/gitaly/signing_key.gpg + {{- end }} + config.toml.tpl: | + # The directory where Gitaly's executables are stored + bin_dir = "/usr/local/bin" + + # listen on a TCP socket. This is insecure (no authentication) + listen_addr = "0.0.0.0:{{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }}" + + # Directory where internal sockets reside + # note: no value will result in a `/tmp/gitlab-internal-*` path + # internal_socket_dir = "/home/git" + + {{- if $.Values.global.gitaly.tls.enabled }} + tls_listen_addr = "0.0.0.0:{{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }}" + {{- end }} + + # If metrics collection is enabled, inform gitaly about that + {{- if .Values.metrics.enabled }} + prometheus_listen_addr = "0.0.0.0:{{ default .Values.metrics.port .Values.metrics.metricsPort }}" + {{- end }} + + {{- if $.Values.global.gitaly.tls.enabled }} + [tls] + certificate_path = '/etc/gitlab-secrets/gitaly/gitaly.crt' + key_path = '/etc/gitlab-secrets/gitaly/gitaly.key' + {{- end }} + + {{- if .storage }} + + {{- /* + Passing in "skipStorages=true" below prevents changes in the Gitaly replica counts from modifying + the contents of the ConfigMap, which would cause existing pods to restart unnecessarily. + */}} + {{ if not .skipStorages }} + {% $storages := coll.Slice {{ include "gitlab.praefect.gitaly.storageNames" . }} %} + {{- end }} + + {% $hostname := .Env.HOSTNAME | strings.TrimSpace %} + {% if coll.Has $storages $hostname %} + [[storage]] + name = "{% $hostname %}" + path = "/home/git/repositories" + {% else %} + {% printf "Storage for node %q is not present in the storageNames array. Did you use kubectl to scale up? You need to solely use helm for this purpose." $hostname | fail %} + {% end %} + + {{- else }} + + {{- /* + Passing in "skipStorages=true" below prevents changes in the Gitaly replica counts from modifying + the contents of the ConfigMap, which would cause existing pods to restart unnecessarily. + */}} + {{ if not .skipStorages }} + {% $storages := coll.Slice {{ include "gitlab.gitaly.storageNames" . }} %} + {{- end }} + + {% $index := index (.Env.HOSTNAME | strings.Split "-" | coll.Reverse) 0 | conv.ToInt64 %} + {% if len $storages | lt $index %} + [[storage]] + name = "{% index $storages $index %}" + path = "/home/git/repositories" + {% else %} + {% printf "Storage for node %d is not present in the storageNames array. Did you use kubectl to scale up? You need to solely use helm for this purpose." $index | fail %} + {% end %} + + {{- end }} + + [logging] + {{- with .Values.logging }} + {{- if .level }} + level = "{{ .level }}" + {{- end }} + {{- if .format }} + format = "{{ .format }}" + {{- end }} + {{- if .sentryDsn }} + sentry_dsn = "{{ .sentryDsn }}" + {{- end }} + dir = "/var/log/gitaly" + {{- if .sentryEnvironment }} + sentry_environment = "{{ .sentryEnvironment }}" + {{- end }} + {{- end }} + + {{- if .Values.prometheus.grpcLatencyBuckets }} + [prometheus] + grpc_latency_buckets = {{ .Values.prometheus.grpcLatencyBuckets }} + {{- end }} + + [auth] + token = {% file.Read "/etc/gitlab-secrets/gitaly/gitaly_token" | strings.TrimSpace | data.ToJSON %} + + [git] + use_bundled_binaries = true + ignore_gitconfig = true + {{- if .Values.gpgSigning.enabled }} + signing_key = '/etc/gitlab-secrets/gitaly/signing_key.gpg' + {{- end }} + {{- with .Values.git }} + {{- if .catFileCacheSize }} + catfile_cache_size = {{ .catFileCacheSize }} + {{- end }} + {{- end }} + {{- if .Values.git.config }} + {{- range .Values.git.config }} + + [[git.config]] + key = "{{ .key }}" + value = "{{ .value }}" + {{- end }} + {{- end }} + + [gitlab-shell] + # The directory where gitlab-shell is installed + dir = "/srv/gitlab-shell" + + [gitlab] + # location of shared secret for GitLab Shell / API interaction + secret_file = "/etc/gitlab-secrets/shell/.gitlab_shell_secret" + # URL of API + url = "{{ template "gitlab.workhorse.url" . }}/" + + [gitlab.http-settings] + # read_timeout = 300 + # user = someone + # password = somepass + # ca_file = /etc/ssl/cert.pem + # ca_path = /etc/pki/tls/certs + + [hooks] + # directory containing custom hooks + custom_hooks_dir = "/home/git/custom_hooks" + + {{- if .Values.shell.concurrency }} + {{- range .Values.shell.concurrency }} + {{- if and .rpc .maxPerRepo }} + [[concurrency]] + rpc = "{{ .rpc }}" + max_per_repo = {{ .maxPerRepo }} + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.packObjectsCache.enabled }} + [pack_objects_cache] + enabled = true + {{- with .Values.packObjectsCache }} + {{- if .dir }} + dir = {{ .dir | quote }} + {{- end }} + {{- if .max_age }} + max_age = {{ .max_age }} + {{- end }} + {{- end }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_helpers.tpl new file mode 100644 index 0000000..f724d95 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{- define "gitlab.gitaly.storageNames" -}} +{{- range (coalesce $.Values.internal.names $.Values.global.gitaly.internal.names) }} {{ . | quote }} {{- end }} +{{- end -}} + +{{- define "gitlab.praefect.gitaly.storageNames" -}} +{{- range $_, $storage := $.Values.global.praefect.virtualStorages -}} +{{ range until ($storage.gitalyReplicas | int) }} {{ printf "%s-gitaly-%s-%d" $.Release.Name $storage.name . | quote }} {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml new file mode 100644 index 0000000..d2e0a34 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml @@ -0,0 +1,13 @@ +spec: + {{- if .storage }} + maxUnavailable: {{ default .Values.maxUnavailable .storage.maxUnavailable }} + {{- else }} + maxUnavailable: {{ .Values.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_service_spec.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_service_spec.yaml new file mode 100644 index 0000000..1de369a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_service_spec.yaml @@ -0,0 +1,25 @@ +spec: + type: {{ coalesce .Values.service.type .Values.global.gitaly.service.type }} + clusterIP: "None" + ports: + - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }} + # This port is NOT prefixed with `grpc` due to + # https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3822 + name: tcp-{{ coalesce .Values.service.name .Values.global.gitaly.service.name }} + targetPort: grpc-gitaly + {{- if .Values.global.gitaly.tls.enabled }} + - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }} + name: tls-{{coalesce .Values.service.name .Values.global.gitaly.service.name }} + targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }} + {{- end }} + {{- if .Values.metrics.enabled }} + - port: {{ default .Values.metrics.port .Values.metrics.metricsPort }} + name: http-metrics + targetPort: http-metrics + {{- end }} + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml new file mode 100644 index 0000000..984b19a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml @@ -0,0 +1,332 @@ +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +spec: + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} + {{- if .storage }} + serviceName: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" . "name" .storage.name) }} + {{- else }} + serviceName: {{ include "gitlab.gitaly.serviceName" . }} + {{- end }} + {{- if .storage }} + replicas: {{ default (include "gitlab.gitaly.replicas" .) .storage.gitalyReplicas }} + {{- else }} + replicas: {{ include "gitlab.gitaly.replicas" . }} + {{- end }} + podManagementPolicy: Parallel + {{- if .Values.statefulset.strategy }} + updateStrategy: {{ .Values.statefulset.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + {{- $cm := "/configmap.yml" -}} + {{- if .storage }} + {{- $cm = "/configmap-with-praefect.yml" -}} + {{- end }} + checksum/config: {{ include (print .Template.BasePath $cm) (merge (dict) . (dict "skipStorages" true)) | sha256sum }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if and $.Values.metrics.enabled (not $.Values.metrics.serviceMonitor.enabled) }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ default $.Values.metrics.port $.Values.metrics.metricsPort | quote }} + gitlab.com/prometheus_path: {{ $.Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ default $.Values.metrics.port $.Values.metrics.metricsPort | quote }} + prometheus.io/path: {{ $.Values.metrics.path }} + {{- end }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + terminationGracePeriodSeconds: 30 + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" . | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + - name: gitaly-config + mountPath: /config + readOnly: true + - name: init-gitaly-secrets + mountPath: /init-config + readOnly: true + - name: gitaly-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" . | indent 10 }} + ports: + - containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} + name: grpc-gitaly + {{- if .Values.metrics.enabled }} + - containerPort: {{ default $.Values.metrics.port $.Values.metrics.metricsPort }} + name: http-metrics + {{- end }} + env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/etc/gitaly/templates' + - name: CONFIG_DIRECTORY + value: '/etc/gitaly' + - name: GITALY_CONFIG_FILE + value: '/etc/gitaly/config.toml' + - name: SSL_CERT_DIR + value: '/etc/ssl/certs' + {{- include "gitlab.tracing.env" . | nindent 12 }} + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + - name: gitaly-config + mountPath: '/etc/gitaly/templates' + - name: gitaly-secrets + mountPath: '/etc/gitlab-secrets' + readOnly: true + - name: repo-data + mountPath: '/home/git/repositories' + {{- if and .Values.persistence.enabled .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" + {{- end }} + {{- with .Values.global.gitaly.hooks }} + {{- if .preReceive }} + - name: gitaly-hooks-pre-receive + mountPath: "/home/git/custom_hooks/pre-receive.d" + {{- end }} + {{- if .postReceive }} + - name: gitaly-hooks-post-receive + mountPath: "/home/git/custom_hooks/post-receive.d" + {{- end }} + {{- if .update }} + - name: gitaly-hooks-update + mountPath: "/home/git/custom_hooks/update.d" + {{- end }} + {{- end }} + livenessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: {{ .Values.statefulset.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.statefulset.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.statefulset.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.statefulset.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.statefulset.livenessProbe.failureThreshold }} + readinessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.statefulset.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.statefulset.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.statefulset.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.statefulset.readinessProbe.failureThreshold }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + - name: gitaly-config + configMap: + {{- $cmName := include "fullname" . -}} + {{- if .storage}} + {{- $cmName = printf "%s-%s" $cmName "praefect" -}} + {{- end }} + name: {{ $cmName }} + {{- if not .Values.persistence.enabled }} + - name: repo-data + emptyDir: {} + {{- end }} + - name: gitaly-secrets + emptyDir: + medium: "Memory" + - name: init-gitaly-secrets + projected: + defaultMode: 0440 + sources: + - secret: + name: {{ template "gitlab.gitaly.authToken.secret" . }} + items: + - key: {{ template "gitlab.gitaly.authToken.key" . }} + path: "gitaly_token" + - secret: + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} + path: ".gitlab_shell_secret" + {{- if .Values.gpgSigning.enabled }} + - secret: + name: {{ .Values.gpgSigning.secret }} + items: + - key: {{ .Values.gpgSigning.key }} + path: "signing_key.gpg" + {{- end }} + {{- if .Values.global.gitaly.tls.enabled }} + {{- $secretName := include "gitlab.gitaly.tls.secret" . -}} + {{- if .storage }} + {{- $secretName = .storage.tlsSecretName -}} + {{- end }} + - secret: + name: {{ $secretName }} + items: + - key: "tls.crt" + path: "gitaly.crt" + - key: "tls.key" + path: "gitaly.key" + {{- end }} + {{- with .Values.global.gitaly.hooks }} + {{- if .preReceive }} + {{- if .preReceive.configmap }} + - name: gitaly-hooks-pre-receive + configMap: + name: {{ .preReceive.configmap }} + defaultMode: 0555 + {{- end }} + {{- end }} + {{- if .postReceive }} + {{- if .postReceive.configmap }} + - name: gitaly-hooks-post-receive + configMap: + name: {{ .postReceive.configmap }} + defaultMode: 0555 + {{- end }} + {{- end }} + {{- if .update }} + {{- if .update.configmap }} + - name: gitaly-hooks-update + configMap: + name: {{ .update.configmap }} + defaultMode: 0555 + {{- end }} + {{- end }} + {{- end }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + + {{- $persistence := .Values.persistence.enabled -}} + {{- $accessMode := .Values.persistence.accessMode -}} + {{- $annotations := .Values.persistence.annotations -}} + {{- $size := .Values.persistence.size -}} + {{- $storageClass := .Values.persistence.storageClass -}} + {{- $matchLabels := .Values.persistence.matchLabels -}} + {{- $matchExpressions := .Values.persistence.matchExpressions -}} + {{- if .storage -}} + {{- if hasKey .storage "persistence" -}} + {{- if and (hasKey .storage.persistence "enabled") .storage.persistence.enabled -}} + {{- $persistence = .storage.persistence.enabled -}} + {{- if .storage.persistence.accessMode -}} + {{- $accessMode = .storage.persistence.accessMode -}} + {{- end -}} + {{- if .storage.persistence.annotations -}} + {{- $annotations = .storage.persistence.annotations -}} + {{- end -}} + {{- if .storage.persistence.size -}} + {{- $size = .storage.persistence.size -}} + {{- end -}} + {{- if .storage.persistence.storageClass -}} + {{- $storageClass = .storage.persistence.storageClass -}} + {{- end -}} + {{- if .storage.persistence.matchLabels -}} + {{- $matchLabels = .storage.persistence.matchLabels -}} + {{- end -}} + {{- if .storage.persistence.matchExpressions -}} + {{- $matchExpressions = .storage.persistence.matchExpressions -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end }} + + {{ if $persistence }} + volumeClaimTemplates: + - metadata: + name: repo-data + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} + annotations: + {{- range $key, $value := $annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: + - {{ $accessMode | quote }} + resources: + requests: + storage: {{ $size | quote }} + {{- if $storageClass }} + {{- if (eq "-" $storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $storageClass }}" + {{- end -}} + {{- end }} + selector: + {{- if $matchLabels }} + matchLabels: + {{- toYaml $matchLabels | nindent 12 }} + {{- end -}} + {{- if $matchExpressions }} + matchExpressions: + {{- toYaml $matchExpressions | nindent 12 }} + {{- end -}} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/configmap-with-praefect.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/configmap-with-praefect.yml new file mode 100644 index 0000000..aabc00a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/configmap-with-praefect.yml @@ -0,0 +1,11 @@ +{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-praefect + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +{{ include (print $.Template.BasePath "/_configmap_spec.yaml") (merge (dict) . (dict "storage" "praefect")) }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/configmap.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/configmap.yml new file mode 100644 index 0000000..9167947 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/configmap.yml @@ -0,0 +1,11 @@ +{{- if eq (include "gitlab.gitaly.includeInternalResources" $) "true" -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +{{ include (print $.Template.BasePath "/_configmap_spec.yaml") . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml new file mode 100644 index 0000000..9639d32 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +{{- range .Values.global.praefect.virtualStorages -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" $ }}-{{ .name }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.commonLabels" $ | nindent 4 }} + storage: {{ .name }} +{{ include (print $.Template.BasePath "/_pdb_spec.yaml") (merge (dict) $ (dict "storage" .)) }} +--- +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/pdb.yaml new file mode 100644 index 0000000..5d76c15 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/pdb.yaml @@ -0,0 +1,12 @@ +{{- if eq (include "gitlab.gitaly.includeInternalResources" $) "true" -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +{{ include (print $.Template.BasePath "/_pdb_spec.yaml") . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml new file mode 100644 index 0000000..d021129 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled -}} +{{- range .Values.global.praefect.virtualStorages -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.commonLabels" $ | nindent 4 }} + {{- include "gitlab.serviceLabels" $ | nindent 4 }} + storage: {{ .name }} + annotations: + {{- include "gitlab.serviceAnnotations" $ | nindent 4 }} +{{ include (print $.Template.BasePath "/_service_spec.yaml") (merge (dict) $ (dict "storage" .)) }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/service.yaml new file mode 100644 index 0000000..550627d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/service.yaml @@ -0,0 +1,14 @@ +{{- if eq (include "gitlab.gitaly.includeInternalResources" $) "true" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab.gitaly.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +{{ include (print $.Template.BasePath "/_service_spec.yaml") . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/serviceaccount.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/servicemonitor.yaml new file mode 100644 index 0000000..b3170ca --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/servicemonitor.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gitlab.gitaly.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .storage }} + storage: {{ .storage.name }} + {{- end }} + endpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml new file mode 100644 index 0000000..7edf994 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml @@ -0,0 +1,15 @@ +{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled (not .Values.global.gitaly.host) -}} +{{- range .Values.global.praefect.virtualStorages -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.commonLabels" $ | nindent 4 }} + storage: {{ .name }} +{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") (merge (dict) $ (dict "storage" .)) }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/statefulset.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/statefulset.yml new file mode 100644 index 0000000..ac310d5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -0,0 +1,11 @@ +{{- if eq (include "gitlab.gitaly.includeInternalResources" $) "true" -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/values.yaml new file mode 100644 index 0000000..50bc291 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitaly/values.yaml @@ -0,0 +1,185 @@ +# Default values for gitaly. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + gitaly: + enabled: true + internal: + names: ["default"] + external: [] + authToken: {} + hooks: {} + # serviceName: + redis: + auth: {} + +gitaly: {} +# serviceName: + +internal: {} +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitaly + # pullPolicy: IfNotPresent + # pullSecrets: [] + # tag: master +service: + tls: {} +annotations: {} +common: + labels: {} +podLabels: {} +serviceLabels: {} + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +## Support for tolerations for pod scheduling +tolerations: [] + +## The Gitaly StatefulSet's priorityClassName +# priorityClassName: + +logging: + format: "json" + # level: + # sentryDsn: + # sentryEnvironment: +git: {} + # catFileCacheSize: + ## Amend the default configuration Gitaly is using when spawning Git + ## commands. Accepts configuration as documented in git-config(1). + # config: + # - {key: "pack.threads", value: 4} +prometheus: {} + # grpcLatencyBuckets: "[1.0, 1.5, 2.0, 2.5]" + +workhorse: {} + # by default, Workhorse is a part of the Webservice Pods / Service + # scheme: 'http' + # host: '0.0.0.0' + # serviceName: 'webservice' + # port: 8181 +shell: + authToken: {} + concurrency: [] + # - rpc: "/gitaly.SmartHTTPService/PostUploadPack" + # maxPerRepo: 20 + # - rpc: "/gitaly.SSHService/SSHUploadPack" + # maxPerRepo: 20 + +## Enable prometheus metrics and set the port to scrape the +## container on. +metrics: + enabled: true + port: 9236 + path: /metrics + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + # DEPRECATED in favor of `metrics.port` as seen above + metricsPort: + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + enabled: true + + ## git repositories Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 50Gi + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + ## + subPath: "" + + ## Only bind to a volume with the following exactly matched labels with values. + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + + ## Only bind to a volume with the following exppression matched labels. + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchExpressions: [] + annotations: {} + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + requests: + cpu: 100m + memory: 200Mi + +## For PodDisruptionBudget, how many pods can be unavailable at one time +maxUnavailable: 1 + +## Allow to overwrite under which User and Group Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the gitaly container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +statefulset: + strategy: {} + livenessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + +affinity: + podAntiAffinity: + topologyKey: + +## Enable the Gitaly pack-objects cache +## ref: https://docs.gitlab.com/ee/administration/gitaly/configure_gitaly.html#pack-objects-cache +packObjectsCache: {} +# enabled: false +# dir: "/home/git/repositories/+gitaly/PackObjectsCache" +# max_age: 5m + +## Enable Gitaly to GPG sign all commits created by GitLab +## ref: https://docs.gitlab.com/ee/administration/gitaly/configure_gitaly.html#configure-commit-signing-for-gitlab-ui-commits +gpgSigning: {} + # enabled: false + # secret: glGPG + # key: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/Chart.yaml new file mode 100644 index 0000000..5bfe94c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 13.4.1 +description: Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors) +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- gitlab-exporter +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab-exporter +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-exporter +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-exporter +- https://gitlab.com/gitlab-org/gitlab-exporter +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml new file mode 100644 index 0000000..b5e1acb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml @@ -0,0 +1,83 @@ +{{- if .Values.enabled -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + gitlab-exporter.yml.erb: | + server: + name: webrick + listen_address: 0.0.0.0 + listen_port: {{ .Values.service.internalPort }} + {{ if .Values.tls.enabled -}} + tls_enabled: true + tls_cert_path: /etc/gitlab/gitlab-exporter/tls.crt + tls_key_path: /etc/gitlab/gitlab-exporter/tls.key + {{- end }} + + probes: + db_common: &db_common + methods: + - probe_db + opts: + {{- with $.Values.local.psql.main }} + connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read({{ template "gitlab.psql.password.file" . }}).strip.gsub(/[\'\\]/) { |esc| '\\' + esc } %>' + {{- end }} + database: + multiple: true + ci_builds: + class_name: Database::CiBuildsProber + <<: *db_common + tuple_stats: + class_name: Database::TuplesProber + <<: *db_common + rows_count: + class_name: Database::RowCountProber + <<: *db_common + database_bloat: + class_name: Database::BloatProber + <<: *db_common + + sidekiq: &sidekiq + methods: + - probe_queues + - probe_workers + - probe_retries + - probe_stats + opts: + redis_url: {{ template "gitlab.redis.url" . }} + redis_enable_client: false + probe_non_namespaced: true + probe_namespaced: true + + ruby: &ruby + methods: + - probe_gc + opts: + quantiles: false + + metrics: + multiple: true + ruby: + <<: *ruby + sidekiq: + <<: *sidekiq + ci_builds: + class_name: Database::CiBuildsProber + <<: *db_common + tuple_stats: + class_name: Database::TuplesProber + <<: *db_common + rows_count: + class_name: Database::RowCountProber + <<: *db_common + + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "none" "optional" "redis postgres gitlab-exporter") | nindent 4 }} +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/deployment.yaml new file mode 100644 index 0000000..f696127 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/deployment.yaml @@ -0,0 +1,175 @@ +{{- if .Values.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }} + {{- if .Values.metrics.annotations }} + {{- toYaml .Values.metrics.annotations | nindent 8 }} + {{- else }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ .Values.metrics.port | quote }} + gitlab.com/prometheus_path: {{ .Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.metrics.port | quote }} + prometheus.io/path: {{ .Values.metrics.path }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + + spec: + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if eq (default .Values.global.antiAffinity .antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" . | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.psql.ssl.volumeMount" . | nindent 10 }} + - name: gitlab-exporter-config + mountPath: /config + readOnly: true + - name: init-gitlab-exporter-secrets + mountPath: /init-config + readOnly: true + - name: gitlab-exporter-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag .Chart.AppVersion }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" . | indent 10 }} + env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab-exporter/templates' + - name: CONFIG_DIRECTORY + value: '/etc/gitlab-exporter' + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + ports: + - containerPort: {{ .Values.service.internalPort }} + name: http-metrics + volumeMounts: + - name: gitlab-exporter-config + mountPath: /var/opt/gitlab-exporter/templates/gitlab-exporter.yml.erb + subPath: gitlab-exporter.yml.erb + - name: gitlab-exporter-secrets + mountPath: '/etc/gitlab' + readOnly: true + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + livenessProbe: + exec: + command: + - pgrep + - -f + - gitlab-exporter + readinessProbe: + exec: + command: + - pgrep + - -f + - gitlab-exporter + lifecycle: + preStop: + exec: + command: ["/bin/bash", "-c", "pkill -f 'gitlab-exporter'"] + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + {{- include "gitlab.psql.ssl.volume" . | nindent 6 }} + - name: gitlab-exporter-config + configMap: + name: {{ template "fullname" . }} + - name: init-gitlab-exporter-secrets + projected: + defaultMode: 0400 + sources: + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 10 }} + {{- end }} + {{- include "gitlab.redis.secret" . | nindent 10 }} + {{ if .Values.tls.enabled }} + - secret: + name: {{ template "gitlab.gitlab-exporter.tls.secret" . }} + items: + - key: tls.crt + path: "gitlab-exporter/tls.crt" + - key: tls.key + path: "gitlab-exporter/tls.key" + {{- end }} + + - name: gitlab-exporter-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/service.yaml new file mode 100644 index 0000000..6f9de55 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/service.yaml @@ -0,0 +1,22 @@ +{{- if .Values.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: http-metrics + protocol: TCP + name: {{ .Values.tls.enabled | ternary "https" "http" }}-metrics + selector: + {{- include "gitlab.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/serviceaccount.yaml new file mode 100644 index 0000000..69ddca0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/servicemonitor.yaml new file mode 100644 index 0000000..f09ad4d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/templates/servicemonitor.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.enabled .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + endpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/values.yaml new file mode 100644 index 0000000..d425ac9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-exporter/values.yaml @@ -0,0 +1,102 @@ +# Default values for gitlab-exporter. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter + # pullPolicy: IfNotPresent + # pullSecrets: [] + # tag: master + +service: + name: gitlab-exporter + type: ClusterIP + externalPort: 9168 + internalPort: 9168 + +metrics: + enabled: true + port: 9168 + path: /metrics + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + # DEPRECATED + annotations: {} + +enabled: true + +tls: + enabled: false + # secretName: + +# Tolerations for pod scheduling +tolerations: [] + +annotations: {} + +# Priority class assigned to pods +priorityClassName: "" + +podLabels: {} +common: + labels: {} +serviceLabels: {} + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +global: + redis: + auth: {} + +redis: + auth: {} + +psql: {} + # port: 5432 + +resources: + # limits: + # cpu: 1 + # memory: 2G + requests: + cpu: 75m + memory: 100M + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +extraEnv: + MALLOC_CONF: 'dirty_decay_ms:0,muzzy_decay_ms:0' + RUBY_GC_HEAP_INIT_SLOTS: 80000 + RUBY_GC_HEAP_FREE_SLOTS_MIN_RATIO: 0.055 + RUBY_GC_HEAP_FREE_SLOTS_MAX_RATIO: 0.111 + +deployment: + strategy: {} + +affinity: + podAntiAffinity: + topologyKey: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/Chart.yaml new file mode 100644 index 0000000..65b3e93 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 16.6.0 +description: Daemon for serving static websites from GitLab projects +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- pages +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab-pages +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-pages +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-pages +- https://gitlab.com/gitlab-org/gitlab-pages +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl new file mode 100644 index 0000000..4912087 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl @@ -0,0 +1,21 @@ +{{/* +Returns the secret name for the Secret containing the TLS certificate and key. +Uses `ingress.tls.secretName` first and falls back to `global.ingress.tls.secretName` +if there is a shared tls secret for all ingresses. +*/}} +{{- define "pages.tlsSecret" -}} +{{- $defaultName := (dict "secretName" "") -}} +{{- if .Values.global.ingress.configureCertmanager -}} +{{- $_ := set $defaultName "secretName" (printf "%s-pages-tls" .Release.Name) -}} +{{- else -}} +{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}} +{{- end -}} +{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}} +{{- end -}} + +{{/* +Return the pages-metrics TLS secret name +*/}} +{{- define "pages-metrics.tls.secret" -}} +{{- default (printf "%s-pages-metrics-tls" .Release.Name) $.Values.metrics.tls.secretName | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/configmap.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/configmap.yml new file mode 100644 index 0000000..496b61a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/configmap.yml @@ -0,0 +1,176 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: +data: + config.tpl: | + {{- with .Values.gitlabCache }} + {{- if .cleanup }} + gitlab-cache-cleanup={{ .cleanup }} + {{- end }} + {{- if .expiry }} + gitlab-cache-expiry={{ .expiry }} + {{- end }} + {{- if .refresh }} + gitlab-cache-refresh={{ .refresh }} + {{- end }} + {{- end }} + {{- with .Values.gitlabRetrieval }} + {{- if .interval }} + gitlab-retrieval-interval={{ .interval }} + {{- end }} + {{- if .retries }} + gitlab-retrieval-retries={{ .retries }} + {{- end }} + {{- if .timeout }} + gitlab-retrieval-timeout={{ .timeout }} + {{- end }} + {{- end }} + {{- if not (empty .Values.headers) }} + {{- $headers := .Values.headers | join ";;" }} + header={{ $headers }} + {{- end }} + {{- $externalAddresses := concat $.Values.global.pages.externalHttp $.Values.global.pages.externalHttps | uniq }} + {{- if (empty ($externalAddresses)) }} + listen-proxy=0.0.0.0:{{ .Values.service.internalPort }} + listen-http=0.0.0.0:9090 + {{- else }} + {{- if not (empty $.Values.global.pages.externalHttp) }} + listen-{{ if .Values.useHTTPProxy }}proxy{{ else }}http{{ end }}=0.0.0.0:{{ .Values.service.internalPort | int }} + {{- else }} + listen-{{ if .Values.useHTTPProxy }}proxy{{ else }}http{{ end }}=0.0.0.0:9090 + {{- end }} + {{- if not (empty $.Values.global.pages.externalHttps) }} + listen-https{{ if .Values.useProxyV2 }}-proxyv2{{ end }}=0.0.0.0:{{ .Values.service.customDomains.internalHttpsPort | int }} + root-cert=/etc/gitlab-secrets/pages/{{ template "gitlab.pages.hostname" $ }}.crt + root-key=/etc/gitlab-secrets/pages/{{ template "gitlab.pages.hostname" $ }}.key + {{- end }} + {{- end }} + {{- if kindIs "bool" .Values.propagateCorrelationId }} + propagate-correlation-id={{ eq .Values.propagateCorrelationId true }} + {{- end }} + pages-domain={{ template "gitlab.pages.hostname" . }} + pages-root=/srv/gitlab-pages + log-format={{ .Values.logFormat }} + log-verbose={{ eq .Values.logVerbose true }} + redirect-http={{ eq .Values.redirectHttp true }} + insecure-ciphers={{ eq .Values.insecureCiphers true }} + artifacts-server={{ template "gitlab.pages.artifactsServer" . }} + artifacts-server-timeout={{ default 10 .Values.artifactsServerTimeout }} + gitlab-server={{ template "gitlab.pages.gitlabServer" . }} + internal-gitlab-server={{ template "gitlab.pages.internalGitlabServer" . }} + api-secret-key=/etc/gitlab-secrets/pages/secret + {{- if and .Values.metrics.enabled .Values.metrics.port }} + metrics-address=:{{ .Values.metrics.port | int }} + {{- if .Values.metrics.tls.enabled }} + metrics-certificate=/etc/gitlab-secrets/pages-metrics/pages-metrics.crt + metrics-key=/etc/gitlab-secrets/pages-metrics/pages-metrics.key + {{- end }} + {{- end }} + {{- if .Values.maxConnections }} + max-conns={{ .Values.maxConnections }} + {{- end }} + {{- if .Values.maxURILength }} + max-uri-length={{ .Values.maxURILength }} + {{- end }} + {{- if .Values.serverShutdownTimeout }} + server-shutdown-timeout={{ .Values.serverShutdownTimeout }} + {{- end }} + {{- if .Values.gitlabClientHttpTimeout }} + gitlab-client-http-timeout={{ .Values.gitlabClientHttpTimeout }} + {{- end }} + {{- if .Values.gitlabClientJwtExpiry }} + gitlab-client-jwt-expiry={{ .Values.gitlabClientJwtExpiry }} + {{- end }} + {{- if .Values.sentry.enabled }} + {{- if .Values.sentry.dsn }} + sentry-dsn={{ .Values.sentry.dsn }} + {{- end }} + {{- if .Values.sentry.environment }} + sentry-environment={{ .Values.sentry.environment }} + {{- end }} + {{- end }} + {{- if .Values.statusUri }} + pages-status={{ .Values.statusUri }} + {{- end }} + {{- if .Values.tls.minVersion }} + tls-min-version={{ .Values.tls.minVersion }} + {{- end }} + {{- if .Values.tls.maxVersion }} + tls-max-version={{ .Values.tls.maxVersion }} + {{- end }} + {{- if eq $.Values.global.pages.accessControl true }} + auth-redirect-uri={{ template "oauth.gitlab-pages.authRedirectUri" . }} + auth-client-id={% file.Read "/etc/gitlab-secrets/pages/gitlab_appid" %} + auth-client-secret={% file.Read "/etc/gitlab-secrets/pages/gitlab_appsecret" %} + auth-secret={% file.Read "/etc/gitlab-secrets/pages/auth_secret" %} + auth-scope={{ template "oauth.gitlab-pages.authScope" . }} + {{- end }} + {{- if .Values.authCookieSessionTimeout }} + auth-cookie-session-timeout={{ .Values.authCookieSessionTimeout }} + {{- end }} + {{- with .Values.zipCache }} + {{- if .cleanup }} + zip-cache-cleanup={{ .cleanup }} + {{- end }} + {{- if .expiration }} + zip-cache-expiration={{ .expiration }} + {{- end }} + {{- if .refresh }} + zip-cache-refresh={{ .refresh }} + {{- end }} + {{- end }} + {{- if .Values.zipOpenTimeout }} + zip-open-timeout={{ .Values.zipOpenTimeout }} + {{- end }} + {{- if .Values.zipHTTPClientTimeout }} + zip-http-client-timeout={{ .Values.zipHTTPClientTimeout }} + {{- end }} + {{- if .Values.rateLimitSourceIP }} + rate-limit-source-ip={{ .Values.rateLimitSourceIP }} + {{- end }} + {{- if .Values.rateLimitSourceIPBurst }} + rate-limit-source-ip-burst={{ .Values.rateLimitSourceIPBurst }} + {{- end }} + {{- if .Values.rateLimitDomain }} + rate-limit-domain={{ .Values.rateLimitDomain }} + {{- end }} + {{- if .Values.rateLimitDomainBurst }} + rate-limit-domain-burst={{ .Values.rateLimitDomainBurst }} + {{- end }} + {{- if .Values.rateLimitTLSSourceIP }} + rate-limit-tls-source-ip={{ .Values.rateLimitTLSSourceIP }} + {{- end }} + {{- if .Values.rateLimitTLSSourceIPBurst }} + rate-limit-tls-source-ip-burst={{ .Values.rateLimitTLSSourceIPBurst }} + {{- end }} + {{- if .Values.rateLimitTLSDomain }} + rate-limit-tls-domain={{ .Values.rateLimitTLSDomain }} + {{- end }} + {{- if .Values.rateLimitTLSDomainBurst }} + rate-limit-tls-domain-burst={{ .Values.rateLimitTLSDomainBurst }} + {{- end }} + {{- if .Values.serverReadTimeout }} + server-read-timeout={{ .Values.serverReadTimeout }} + {{- end }} + {{- if .Values.serverReadHeaderTimeout }} + server-read-header-timeout={{ .Values.serverReadHeaderTimeout }} + {{- end }} + {{- if .Values.serverWriteTimeout }} + server-write-timeout={{ .Values.serverWriteTimeout }} + {{- end }} + {{- if .Values.serverKeepAlive }} + server-keep-alive={{ .Values.serverKeepAlive }} + {{- end }} + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "pages" "optional" "none") | nindent 4 }} + {{- if $.Values.metrics.tls.enabled }} + mkdir -p /init-secrets/pages-metrics + cp -v -L /init-config/pages-metrics/pages-metrics.crt /init-secrets/pages-metrics/pages-metrics.crt + cp -v -L /init-config/pages-metrics/pages-metrics.key /init-secrets/pages-metrics/pages-metrics.key + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml new file mode 100644 index 0000000..1aec1d2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml @@ -0,0 +1,193 @@ +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + {{- if .Values.deployment.strategy }} + strategy: + {{- .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }} + {{- if .Values.metrics.annotations }} + {{- toYaml .Values.metrics.annotations | nindent 8 }} + {{- else }} + {{- if $.Values.metrics.tls.enabled }} + gitlab.com/prometheus_scheme: "https" + prometheus.io/scheme: "https" + {{- end }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ .Values.metrics.port | quote }} + gitlab.com/prometheus_path: {{ .Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.metrics.port | quote }} + prometheus.io/path: {{ .Values.metrics.path }} + {{- end }} + {{- end }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if eq (default .Values.global.antiAffinity .antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" $.Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" $ | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + - name: pages-config + mountPath: /config + readOnly: true + - name: init-pages-secrets + mountPath: /init-config + readOnly: true + - name: pages-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" $ | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/etc/gitlab-pages/templates' + - name: CONFIG_DIRECTORY + value: '/etc/gitlab-pages' + - name: PAGES_CONFIG_FILE + value: '/etc/gitlab-pages/config' + - name: GITLAB_PAGES_LOG_FORMAT + value: {{ .Values.logFormat | quote }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} + - name: pages-config + mountPath: '/etc/gitlab-pages/templates' + - name: pages-secrets + mountPath: '/etc/gitlab-secrets' + readOnly: true + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.metrics.enabled }} + ports: + - containerPort: {{ .Values.metrics.port | int }} + name: http-metrics + {{- end }} + # readinessProbe should always hit port used by `listen-http`, as k8s won't use TLS or ProxyV2 + {{- $externalHttp := $.Values.global.pages.externalHttp }} + readinessProbe: + httpGet: + path: {{ $.Values.statusUri | quote }} + port: {{ if $externalHttp }}{{ $.Values.service.internalPort | int }}{{ else }}9090{{ end }} + initialDelaySeconds: {{ $.Values.deployment.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $.Values.deployment.readinessProbe.periodSeconds }} + timeoutSeconds: {{ $.Values.deployment.readinessProbe.timeoutSeconds }} + successThreshold: {{ $.Values.deployment.readinessProbe.successThreshold }} + failureThreshold: {{ $.Values.deployment.readinessProbe.failureThreshold }} + volumes: + {{- include "gitlab.extraVolumes" $ | nindent 6 }} + - name: pages-config + configMap: + name: {{ template "fullname" . }} + - name: init-pages-secrets + projected: + defaultMode: 0400 + sources: + {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.minio.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 }} + {{- if not (empty $.Values.global.pages.externalHttps) }} + - secret: + name: {{ template "pages.tlsSecret" . }} + items: + - key: tls.crt + path: pages/{{ template "gitlab.pages.hostname" $ }}.crt + - key: tls.key + path: pages/{{ template "gitlab.pages.hostname" $ }}.key + {{- end }} + {{- if eq $.Values.global.pages.accessControl true }} + - secret: + name: {{ template "oauth.gitlab-pages.secret" . }} + items: + - key: {{ template "oauth.gitlab-pages.appIdKey" . }} + path: pages/gitlab_appid + - key: {{ template "oauth.gitlab-pages.appSecretKey" . }} + path: pages/gitlab_appsecret + - secret: + name: {{ template "gitlab.pages.authSecret.secret" . }} + items: + - key: {{ template "gitlab.pages.authSecret.key" . }} + path: pages/auth_secret + {{- end }} + {{- if $.Values.metrics.tls.enabled }} + - secret: + name: {{ template "pages-metrics.tls.secret" $ }} + items: + - key: "tls.crt" + path: "pages-metrics/pages-metrics.crt" + - key: "tls.key" + path: "pages-metrics/pages-metrics.key" + {{- end }} + - name: pages-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/hpa.yaml new file mode 100644 index 0000000..e58397d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/hpa.yaml @@ -0,0 +1,21 @@ +{{- if not (default $.Values.global.keda.enabled .Values.keda.enabled) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.hpa "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas | int }} + maxReplicas: {{ .Values.hpa.maxReplicas | int }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/ingress.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/ingress.yaml new file mode 100644 index 0000000..940625b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/ingress.yaml @@ -0,0 +1,49 @@ +{{- $externalAddresses := concat $.Values.global.pages.externalHttp $.Values.global.pages.externalHttps | uniq }} +{{- if and (empty ($externalAddresses)) (eq (include "gitlab.ingress.enabled" $) "true") -}} +{{- $hostname := include "gitlab.pages.hostname" . -}} +{{- $tlsSecret := include "pages.tlsSecret" . -}} +{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- include "gitlab.certmanager_annotations" . | nindent 4 }} + {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: "*.{{ $hostname }}" + http: + paths: + - path: {{ coalesce $.Values.ingress.path $.Values.global.ingress.path }} + {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} + backend: + service: + name: {{ template "fullname" . }} + port: + number: {{ .Values.service.externalPort }} + {{- else -}} + backend: + serviceName: {{ template "fullname" . }} + servicePort: {{ .Values.service.externalPort }} + {{- end -}} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }} + tls: + - hosts: + - {{ $hostname }} + - "*.{{ $hostname }}" + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/keda.yaml new file mode 100644 index 0000000..d157ba3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/keda.yaml @@ -0,0 +1,19 @@ +{{- $kedaCfg := (dict "global" .Values.global "hpa" .Values.hpa "keda" .Values.keda "resources" .Values.resources) -}} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg -}} +{{- if $kedaEnabled -}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/networkpolicy.yaml new file mode 100644 index 0000000..1dfb72a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/networkpolicy.yaml @@ -0,0 +1,31 @@ +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/pdb.yaml new file mode 100644 index 0000000..03099e5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service-custom-domains.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service-custom-domains.yaml new file mode 100644 index 0000000..7037151 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service-custom-domains.yaml @@ -0,0 +1,48 @@ +{{- $externalAddresses := concat $.Values.global.pages.externalHttp $.Values.global.pages.externalHttps | uniq }} +{{- if not (empty ($externalAddresses)) -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname" . }}-custom-domains + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} + {{- if .Values.service.customDomains.annotations -}} + {{- toYaml .Values.service.customDomains.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.customDomains.type }} + {{- if eq .Values.service.customDomains.type "LoadBalancer" }} + {{- if len $externalAddresses | eq 1 }} + loadBalancerIP: {{ $externalAddresses | first }} + {{- else }} + externalIPs: {{ toJson $externalAddresses }} + {{- end }} + {{- end }} + ports: + {{- if not (empty $.Values.global.pages.externalHttp) }} + - port: 80 + targetPort: {{ .Values.service.internalPort | int }} + protocol: TCP + name: http-{{ template "name" . }} + {{- if and (eq .Values.service.customDomains.type "NodePort") .Values.service.customDomains.nodePort.http }} + nodePort: {{ .Values.service.customDomains.nodePort.http | int }} + {{- end }} + {{- end -}} + {{- if not (empty $.Values.global.pages.externalHttps) }} + - port: 443 + targetPort: {{ .Values.service.customDomains.internalHttpsPort | int }} + protocol: TCP + name: https-{{ template "name" . }} + {{- if and (eq .Values.service.customDomains.type "NodePort") .Values.service.customDomains.nodePort.https }} + nodePort: {{ .Values.service.customDomains.nodePort.https | int }} + {{- end }} + {{- end }} + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service-metrics.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service-metrics.yaml new file mode 100644 index 0000000..51097f7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service-metrics.yaml @@ -0,0 +1,27 @@ +{{- if .Values.metrics.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname" . }}-metrics + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + gitlab.com/metrics-service: "true" + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} + {{- if .Values.service.metrics.annotations -}} + {{- toYaml .Values.service.metrics.annotations | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.metrics.port | int }} + targetPort: http-metrics + protocol: TCP + name: {{ .Values.metrics.tls.enabled | ternary "https" "http" }}-metrics + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service.yaml new file mode 100644 index 0000000..ab67b54 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/service.yaml @@ -0,0 +1,35 @@ +{{- $externalAddresses := concat $.Values.global.pages.externalHttp $.Values.global.pages.externalHttps | uniq }} +{{- if empty ($externalAddresses) -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} + {{- if .Values.service.primary.annotations -}} + {{- toYaml .Values.service.primary.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort | int }} + targetPort: {{ .Values.service.internalPort | int }} + protocol: TCP + name: http-{{ template "name" . }}-proxy + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if eq .Values.service.sessionAffinity "ClientIP" }} + sessionAffinityConfig: + clientIP: + timeoutSeconds: {{ .Values.service.sessionAffinityConfig.clientIP.timeoutSeconds }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/serviceaccount.yaml new file mode 100644 index 0000000..687a23c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and .Values.global.pages.enabled $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/servicemonitor.yaml new file mode 100644 index 0000000..e3e56e0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/templates/servicemonitor.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.global.pages.enabled .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + gitlab.com/metrics-service: "true" + endpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/values.yaml new file mode 100644 index 0000000..f5227cb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-pages/values.yaml @@ -0,0 +1,246 @@ +# Default values for gitlab-pages. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + pages: + enabled: false + # hosts: + # pages: + # name: pages.example.com + +hpa: + maxReplicas: 10 + minReplicas: 1 + # targetAverageValue: 100m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below + cpu: + targetType: AverageValue # Utilization or AverageValue + targetAverageValue: 100m + # targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} + +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-pages + # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + +service: + type: ClusterIP + externalPort: 8090 + internalPort: 8090 + annotations: {} + customDomains: + type: LoadBalancer + internalHttpsPort: 8091 + nodePort: {} + # http + # https + annotations: {} + metrics: + annotations: {} + primary: + annotations: {} + # Set `sessionAffinity` to `ClientIP` to configure gitlab-pages with session affinity. + # Note that this setting only affects traffic originating within the cluster. + # To enable session affinity for traffic originating from outside the cluster + # when using NGINX, see the NGINX documentation on sticky sessions: + # https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/ + sessionAffinity: None + sessionAffinityConfig: {} + # sessionAffinityConfig: + # clientIP: + # timeoutSeconds: 10800 + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +deployment: + strategy: {} + readinessProbe: + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + +ingress: + apiVersion: + annotations: {} + configureCertmanager: false + tls: {} + path: # / + +# Tolerations for pod scheduling +tolerations: [] + +cluster: true +queueSelector: false + +annotations: {} +podLabels: {} +common: + labels: {} + +serviceLabels: {} +## Additional environment variables to set +extraEnv: {} +# extraEnv: +# SOMEKEY: SOMEVALUE +# SOMEKEY2: SOMEVALUE2 + +maxUnavailable: 1 + +resources: + requests: + cpu: 900m + memory: 2G + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +## Allow configuring pods' priorityClassName. This is used to control pod priority in case of eviction: +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +priorityClassName: "" + +artifactsServerTimeout: 10 +artifactsServerUrl: + +# gitlabCache: +# cleanup: +# expiry: +# refresh: + +# gitlabRetrieval +# interval: +# retries: +# timeout: + +gitlabClientHttpTimeout: +gitlabClientJwtExpiry: +gitlabServer: +# Headers is to be a list of strings, Example: +# headers: +# - "Permissions-Policy: interest-cohort=()" +headers: [] +insecureCiphers: false +internalGitlabServer: +logFormat: 'json' +logVerbose: false +maxConnections: +# maxURILength: +# propagateCorrelationId: +redirectHttp: false +sentry: + enabled: false + dsn: + environment: +statusUri: '/-/readiness' +tls: + minVersion: + maxVersion: +useHTTPProxy: false +useProxyV2: false + +# zipCache: +# cleanup: +# expiration: +# refresh: + +# zipOpenTimeout: +# zipHTTPClientTimeout: + +# serverShutdownTimeout: +# serverReadTimeout: +# serverReadHeaderTimeout: +# serverWriteTimeout: +# serverKeepAlive: + +metrics: + enabled: true + port: 9235 + path: /metrics + tls: + enabled: false + # secretName: + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + # DEPRECATED + annotations: {} + +workhorse: {} + # by default, Workhorse is a part of the Webservice Pods / Service + # host: '0.0.0.0' + # serviceName: 'webservice' + # port: 8181 + +affinity: + podAntiAffinity: + topologyKey: + +# authCookieSessionTimeout: + +# rateLimitSourceIP: +# rateLimitSourceIPBurst: +# rateLimitDomain: +# rateLimitDomainBurst: +# rateLimitTLSSourceIP: +# rateLimitTLSSourceIPBurst: +# rateLimitTLSDomain: +# rateLimitTLSDomainBurst: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/Chart.yaml new file mode 100644 index 0000000..b4a07b8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 14.30.0 +description: sshd for Gitlab +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- sshd +- ssh +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab-shell +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-shell +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-shell +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/_shell.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/_shell.tpl new file mode 100644 index 0000000..9673e38 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/_shell.tpl @@ -0,0 +1,19 @@ +{{/* +Return the string 'PROXY' + +The string 'PROXY' ensures the use of ProxyProtocol decoding in a TCP service. +This string is exactly compared with the string 'PROXY' when using nginx-ingress (in capital letters). +See: https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/ +*/}} +{{- define "gitlab.shell.tcp.proxyProtocol" -}} +{{- $inbound := "" -}} +{{- if .Values.global.shell.tcp.proxyProtocol -}} +{{- $inbound = "PROXY" -}} +{{- end -}} +{{- $outbound := "" -}} +{{- $proxySupported := not (eq .Values.config.proxyPolicy "reject" ) }} +{{- if (or .Values.config.proxyProtocol (and $proxySupported (eq .Values.sshDaemon "gitlab-sshd"))) }} +{{- $outbound = "PROXY" -}} +{{- end -}} +:{{ $inbound }}:{{ $outbound }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/configmap-sshd.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/configmap-sshd.yml new file mode 100644 index 0000000..99c85df --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/configmap-sshd.yml @@ -0,0 +1,159 @@ +{{- if and .Values.enabled (eq .Values.sshDaemon "openssh") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-sshd + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + sshd_config: | + # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ + + # This is the sshd server system-wide configuration file. See + # sshd_config(5) for more information. + + # This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin + + # The strategy used for options in the default sshd_config shipped with + # OpenSSH is to specify options with their default value where + # possible, but leave them commented. Uncommented options override the + # default value. + + Port {{ .Values.service.internalPort }} + #AddressFamily any + #ListenAddress 0.0.0.0 + #ListenAddress :: + + #HostKey /etc/ssh/ssh_host_rsa_key + #HostKey /etc/ssh/ssh_host_dsa_key + #HostKey /etc/ssh/ssh_host_ecdsa_key + #HostKey /etc/ssh/ssh_host_ed25519_key + + # Ciphers and keying + #RekeyLimit default none + + # Logging + #SyslogFacility AUTH + LogLevel {{ .Values.logging.sshdLogLevel | upper }} + + # Authentication: + + PermitRootLogin no + #StrictModes yes + #MaxAuthTries 6 + #MaxSessions 10 + + #PubkeyAuthentication yes + + #AuthorizedPrincipalsFile none + + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts + #HostbasedAuthentication no + # Change to yes if you don't trust ~/.ssh/known_hosts for + # HostbasedAuthentication + #IgnoreUserKnownHosts no + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes + + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes + + # Kerberos options + #KerberosAuthentication no + #KerberosOrLocalPasswd yes + #KerberosTicketCleanup yes + #KerberosGetAFSToken no + + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the ChallengeResponseAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, + # PAM authentication via ChallengeResponseAuthentication may bypass + # the setting of "PermitRootLogin without-password". + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. + #UsePAM no + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no + #X11Forwarding no + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PermitTTY yes + #PrintMotd yes + #PrintLastLog yes + #TCPKeepAlive yes + #UseLogin no + #PermitUserEnvironment no + #Compression delayed + ClientAliveInterval {{ .Values.config.clientAliveInterval }} + #ClientAliveCountMax 3 + #UseDNS no + PidFile /srv/sshd/sshd.pid + #PermitTunnel no + #ChrootDirectory none + #VersionAddendum none + + # no default banner path + #Banner none + + # override default of no subsystems + # Subsystem sftp /usr/lib/ssh/sftp-server + + # the following are HPN related configuration options + # tcp receive buffer polling. disable in non autotuning kernels + #TcpRcvBufPoll yes + + # disable hpn performance boosts + #HPNDisabled no + + # buffer size for hpn to non-hpn connections + #HPNBufferSize 2048 + + + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no + # AllowTcpForwarding no + # PermitTTY no + # ForceCommand cvs server + + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 + # but this is overridden so installations will only check .ssh/authorized_keys + AuthorizedKeysFile .ssh/authorized_keys + + AuthorizedKeysCommand /authorized_keys %u %k + AuthorizedKeysCommandUser git + + PasswordAuthentication no + + AllowUsers git + + # Enable the use of Git protcol v2 + AcceptEnv GIT_PROTOCOL + + # Hard disable all forwarding + DisableForwarding yes + + # Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. + # See `man sshd_config(5)` + {{ if and .Values.config.maxStartups.start .Values.config.maxStartups.rate }} + MaxStartups {{ .Values.config.maxStartups.start }}:{{ .Values.config.maxStartups.rate }}:{{ .Values.config.maxStartups.full }} + {{ else }} + MaxStartups {{ .Values.config.maxStartups.full }} + {{ end }} + + # Specifies amount of time athat the server will disconnect after if the user has not successfully logged in + LoginGraceTime {{ .Values.config.loginGraceTime }} +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/configmap.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/configmap.yml new file mode 100644 index 0000000..86b6965 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/configmap.yml @@ -0,0 +1,100 @@ +{{- if .Values.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "shell" "optional" "none") | nindent 4 }} + mkdir -p /${secret_dir}/ssh + cp -v -r -L /${config_dir}/ssh_host_* /${secret_dir}/ssh/ + chmod 0400 /${secret_dir}/ssh/ssh_host_* + config.yml.tpl: | + # GitLab user. git by default + user: git + + # Url to gitlab instance. Used for api calls. Should end with a slash. + gitlab_url: "{{ template "gitlab.workhorse.url" . }}/" + + secret_file: /etc/gitlab-secrets/shell/.gitlab_shell_secret + + # File used as authorized_keys for gitlab user + auth_file: "/home/git/.ssh/authorized_keys" + + # Log file. + # Default is gitlab-shell.log in the root directory. + {{- if eq .Values.sshDaemon "gitlab-sshd"}} + log_file: "/dev/stdout" + {{- else }} + log_file: "/var/log/gitlab-shell/gitlab-shell.log" + {{- end }} + + log_format: {{ .Values.logging.format }} + + # Audit usernames. + # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but + # incurs an extra API call on every gitlab-shell command. + audit_usernames: false + + {{ if .Values.global.tracing.connection.string }} + gitlab_tracing: {{ .Values.global.tracing.connection.string }} + {{ end }} + + {{- if eq .Values.sshDaemon "gitlab-sshd"}} + # This section configures the built-in SSH server. Ignored when running on OpenSSH. + sshd: + # Address which the SSH server listens on. Defaults to [::]:2222. + listen: "[::]:{{ .Values.service.internalPort }}" + # Address which the server listens on HTTP for monitoring/health checks. Defaults to 0.0.0.0:9122. + web_listen: "0.0.0.0:{{ .Values.metrics.port }}" + # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 100. + concurrent_sessions_limit: {{ .Values.config.maxStartups.full }} + # PROXY protocol support for correct IP address detection + proxy_protocol: {{ .Values.config.proxyProtocol }} + # PROXY protocol policy ("use", "require", "reject", "ignore"), "use" is the default value + proxy_policy: {{ .Values.config.proxyPolicy }} + # The maximum duration to wait for the PROXY protocol header. Defaults to 500ms + proxy_header_timeout: {{ .Values.config.proxyHeaderTimeout }} + # The server waits for this time (in seconds) for the ongoing connections to complete before shutting down + # The period is 5 seconds smaller than the Kubernetes termination period in order to allow gitlab-sshd exit gracefully + grace_period: {{ sub .Values.deployment.terminationGracePeriodSeconds 5 }} + # Sets an interval after which server will send keepalive message to a client + client_alive_interval: {{ .Values.config.clientAliveInterval }} + # The ciphers allowed + ciphers: + {{- .Values.config.ciphers | toYaml | nindent 8 }} + # The key exchange (KEX) algorithms allowed + kex_algorithms: + {{- .Values.config.kexAlgorithms | toYaml | nindent 8 }} + # The message authentication code (MAC) algorithms allowed + macs: + {{- .Values.config.macs | toYaml | nindent 8 }} + # The server disconnects after this time if the user has not successfully logged in + login_grace_time: {{ .Values.config.loginGraceTime }} + # SSH host key files. + # - Walking {% env.Getenv "KEYS_DIRECTORY" "/etc/ssh" %} for keys. + host_key_files: + {%- range file.Walk ( env.Getenv "KEYS_DIRECTORY" "/etc/ssh" ) %} + {%- if filepath.Base . | filepath.Match "ssh_host_*_key" %} + - {%.%} + {%- end %} + {%- end %} + # GSSAPI-related settings + gssapi: + # Enable the gssapi-with-mic authentication method. Defaults to false. + enabled: {{ .Values.config.gssapi.enabled }} + # Library path for gssapi shared library - defaults to libgssapi_krb5.so.2 + libpath: {{ .Values.config.gssapi.libpath }} + # Keytab path. Defaults to "", system default (usually /etc/krb5.keytab). + keytab: "/etc/krb5.keytab" + # The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file. + service_principal_name: {{ .Values.config.gssapi.servicePrincipalName }} + {{- end }} + krb5.conf: | + {{- .Values.config.gssapi.krb5Config | nindent 4 }} +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml new file mode 100644 index 0000000..dd66eb7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml @@ -0,0 +1,217 @@ +{{- if .Values.enabled -}} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} + checksum/config-sshd: {{ include (print $.Template.BasePath "/configmap-sshd.yml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }} + {{- if .Values.metrics.annotations }} + {{- toYaml .Values.metrics.annotations | nindent 8 }} + {{- else }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ .Values.metrics.port | quote }} + gitlab.com/prometheus_path: {{ .Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.metrics.port | quote }} + prometheus.io/path: {{ .Values.metrics.path }} + {{- end }} + {{- end }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" . | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + - name: shell-config + mountPath: /config + readOnly: true + - name: shell-init-secrets + mountPath: /init-config + readOnly: true + - name: shell-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" . | indent 10 }} + ports: + {{- if .Values.metrics.enabled }} + - containerPort: {{ .Values.metrics.port }} + name: http-metrics + {{- end }} + - containerPort: {{ .Values.service.internalPort }} + name: ssh + env: + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/etc/gitlab-shell' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab-shell' + - name: KEYS_DIRECTORY + value: '/etc/gitlab-secrets/ssh' + - name: SSH_DAEMON + value: {{ .Values.sshDaemon | quote }} + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + - name: shell-config + mountPath: '/etc/gitlab-shell' + - name: shell-secrets + mountPath: '/etc/gitlab-secrets' + readOnly: true + - name: shell-config + mountPath: '/etc/krb5.conf' + subPath: krb5.conf + readOnly: true + {{- if .Values.config.gssapi.enabled }} + - name: gssapi-keytab + mountPath: '/etc/krb5.keytab' + subPath: {{ .Values.config.gssapi.keytab.key }} + readOnly: true + {{- end }} + {{- if eq .Values.sshDaemon "openssh" }} + - name: sshd-config + mountPath: /etc/ssh/sshd_config + subPath: sshd_config + readOnly: true + {{- end }} + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + livenessProbe: + {{- if eq .Values.sshDaemon "gitlab-sshd" }} + httpGet: + port: {{ .Values.metrics.port }} + path: /health + {{- else }} + exec: + command: + - /scripts/healthcheck + {{- end }} + initialDelaySeconds: {{ .Values.deployment.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }} + readinessProbe: + {{- if eq .Values.sshDaemon "gitlab-sshd"}} + httpGet: + port: {{ .Values.metrics.port }} + path: /start + {{- else }} + tcpSocket: + port: {{ .Values.service.internalPort }} + {{- end }} + initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.deployment.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds | int }} + {{- end }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + - name: shell-config + configMap: + name: {{ template "fullname" . }} + {{- if .Values.config.gssapi.enabled }} + - name: gssapi-keytab + secret: + secretName: {{ .Values.config.gssapi.keytab.secret }} + {{- end }} + {{- if eq .Values.sshDaemon "openssh" }} + - name: sshd-config + configMap: + name: {{ template "fullname" . }}-sshd + {{- end }} + - name: shell-init-secrets + projected: + defaultMode: 0440 + sources: + - secret: + name: {{ template "gitlab.gitlab-shell.hostKeys.secret" . }} + - secret: + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} + path: shell/.gitlab_shell_secret + # Actual config dirs that will be used in the container + - name: shell-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/haproxy-tcp-configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/haproxy-tcp-configmap.yaml new file mode 100644 index 0000000..6b1e598 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/haproxy-tcp-configmap.yaml @@ -0,0 +1,14 @@ +{{- if .Values.enabled -}} +{{- if eq .Values.global.ingress.provider "haproxy" -}} +{{- $port := include "gitlab.shell.port" . | int -}} +{{- $tcpProxyProtocol := include "gitlab.shell.tcp.proxyProtocol" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Namespace }}-haproxy-tcp + namespace: {{ .Release.Namespace }} +data: + # https://haproxy-ingress.github.io/docs/configuration/command-line/#tcp-services-configmap + {{ $port | quote }}: "{{ .Release.Namespace }}/{{ template "fullname" . }}:{{ $port }}{{ $tcpProxyProtocol }}" +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/hpa.yaml new file mode 100644 index 0000000..d6da8f9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/hpa.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.enabled (not (default $.Values.global.keda.enabled .Values.keda.enabled)) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.hpa "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + minReplicas: {{ .Values.minReplicas }} + maxReplicas: {{ .Values.maxReplicas }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/keda.yaml new file mode 100644 index 0000000..cacc22d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/keda.yaml @@ -0,0 +1,19 @@ +{{- $kedaCfg := (dict "global" .Values.global "hpa" .Values.hpa "keda" .Values.keda "minReplicas" .Values.minReplicas "maxReplicas" .Values.maxReplicas "resources" .Values.resources) -}} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg -}} +{{- if and .Values.enabled $kedaEnabled -}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/networkpolicy.yaml new file mode 100644 index 0000000..0239233 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.enabled -}} +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml new file mode 100644 index 0000000..c4d7357 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml @@ -0,0 +1,16 @@ +{{- if and (eq .Values.global.ingress.provider "nginx") (not .Values.tcpExternalConfig) }} +{{- if .Values.enabled }} +{{- $port := include "gitlab.shell.port" . | int -}} +{{- $tcpProxyProtocol := include "gitlab.shell.tcp.proxyProtocol" . }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "ingress-nginx.tcp-configmap" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + {{ $port | quote }}: "{{ .Release.Namespace }}/{{ template "fullname" . }}:{{ $port }}{{ $tcpProxyProtocol }}" +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/pdb.yaml new file mode 100644 index 0000000..57cd25b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/pdb.yaml @@ -0,0 +1,16 @@ +{{- if .Values.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/service.yaml new file mode 100644 index 0000000..af75b49 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/service.yaml @@ -0,0 +1,47 @@ +{{- if .Values.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.port }} + targetPort: http-metrics + protocol: TCP + name: http-metrics + {{- end }} + - port: {{ include "gitlab.shell.port" . | int }} + targetPort: {{ .Values.service.internalPort }} + protocol: TCP + name: ssh + {{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort | int64 }} + {{- end }} + {{- if or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} + {{- end }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: + {{- toYaml .Values.service.externalIPs | nindent 4 }} +{{- end }} + selector: + {{- include "gitlab.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/serviceaccount.yaml new file mode 100644 index 0000000..69ddca0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/servicemonitor.yaml new file mode 100644 index 0000000..f09ad4d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/servicemonitor.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.enabled .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + endpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml new file mode 100644 index 0000000..c43465c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml @@ -0,0 +1,25 @@ +{{- if .Values.enabled -}} +{{- if eq .Values.global.ingress.provider "traefik" -}} +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRouteTCP +metadata: + name: {{ $.Release.Name }}-gitlab-shell + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + entryPoints: + - gitlab-shell + routes: + - match: HostSNI(`*`) + services: + - name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + port: {{ include "gitlab.shell.port" . | int }} + {{- if .Values.global.shell.tcp.proxyProtocol }} + proxyProtocol: + version: 2 + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/values.schema.json b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/values.schema.json new file mode 100644 index 0000000..b8c9d39 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/values.schema.json @@ -0,0 +1,515 @@ +{ + "schema": "https://json-schema.org/draft-07/schema#", + "properties": { + "annotations": { + "title": "Pod annotations", + "type": "object" + }, + "logging": { + "properties": { + "format": { + "title": "Format to be used for gitlab-shell logs", + "enum": [ + "text", + "json" + ] + }, + "sshdLogLevel": { + "title": "Log level for underlying SSH daemon", + "enum": [ + "QUIET", + "FATAL", + "ERROR", + "INFO", + "VERBOSE" + ] + } + } + }, + "config": { + "properties": { + "loginGraceTime": { + "title": "Amount of time after which server will disconnect on failed logins", + "type": "number" + }, + "maxStartups": { + "$comment": "We either need start and rate to be specified, or full to be specified", + "anyOf": [ + { + "allOf": [ + { + "required": [ + "start", + "rate" + ] + } + ] + }, + { + "required": [ + "full" + ] + } + ], + "properties": { + "full": { + "type": "number" + }, + "rate": { + "type": "number" + }, + "start": { + "type": "number" + } + }, + "title": "Maximum number of concurrent unauthenticated connections to the SSH daemon", + "type": "object" + }, + "proxyProtocol": { + "title": "Enable PROXY support for gitlab-sshd", + "type": "boolean" + }, + "proxyPolicy": { + "title": "The policy for handling PROXY protocol in gitlab-sshd", + "type": "string", + "enum": [ + "use", + "require", + "ignore", + "reject" + ] + }, + "proxyHeaderTimeout": { + "title": "The maximum duration gitlab-sshd will wait before giving up on reading the PROXY protocol header", + "pattern": "^[0-9]+(ms|s|m)$", + "type": "string" + }, + "ciphers": { + "title": "The available ciphers in gitlab-sshd", + "type": "array", + "items": { + "type": "string" + } + }, + "kexAlgorithms": { + "title": "The available KEX (Key Exchange) algorithms in gitlab-sshd", + "type": "array", + "items": { + "type": "string" + } + }, + "macs": { + "title": "The available MAC (message authentication code) algorithms in gitlab-sshd", + "type": "array", + "items": { + "type": "string" + } + }, + "gssapi": { + "properties": { + "enabled": { + "title": "Enable GSS-API support for then gitlab-sshd daemon", + "type": "boolean" + }, + "libpath": { + "title": "Library path for gssapi shared library", + "type": "string" + }, + "keytab": { + "properties": { + "secret": { + "title": "The Kubernetes secret name" + }, + "key": { + "title": "The Kubernetes secret key" + } + }, + "title": "The Kubernetes secret holding the keytab for the gssapi-with-mic authentication method", + "type": "object" + }, + "krb5Config": { + "title": "Content of the `/etc/krb5.conf` file in the gitlab-shell container", + "type": "string" + }, + "servicePrincipalName": { + "title": "The Kerberos service name to be used by the gitlab-sshd daemon", + "type": "string" + } + }, + "title": "GSS-API related settings", + "type": "object" + } + }, + "required": [ + "loginGraceTime", + "maxStartups" + ], + "title": "GitLab Shell configuration", + "type": "object" + }, + "deployment": { + "properties": { + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "number" + }, + "initialDelaySeconds": { + "type": "number" + }, + "periodSeconds": { + "type": "number" + }, + "successThreshold": { + "type": "number" + }, + "timeoutSeconds": { + "type": "number" + } + }, + "title": "Liveness probe settings", + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "minimum": 5 + } + }, + "required": [ + "livenessProbe" + ], + "title": "Deploment details", + "type": "object" + }, + "enabled": { + "title": "Shell enabled", + "type": "boolean" + }, + "global": { + "properties": { + "shell": { + "properties": { + "authToken": { + "properties": { + "key": { + "title": "Name of the key", + "type": "string" + }, + "secret": { + "title": "Name of the Kubernetes Secret", + "type": "string" + } + }, + "title": "Secret with GitLab Shell authToken to communicate with Workhorse", + "type": "object" + }, + "hostKeys": { + "title": "Secret with SSH Host keys", + "type": "object" + }, + "port": { + "title": "Port used by ingress to pass SSH traffic and shown in UI", + "type": "number" + } + }, + "type": "object" + } + }, + "title": "Global properties", + "type": "object" + }, + "hpa": { + "properties": { + "cpu": { + "properties": { + "targetType": { + "title": "Autoscaling CPU target type", + "type": "string" + }, + "targetAverageUtilization": { + "title": "Autoscaling CPU target utilization", + "type": "number" + }, + "targetAverageValue": { + "title": "Autoscaling CPU target value", + "type": "string" + } + } + }, + "memory": { + "properties": { + "targetType": { + "title": "Autoscaling memory target type", + "type": "string" + }, + "targetAverageUtilization": { + "title": "Autoscaling memory target utilization", + "type": "number" + }, + "targetAverageValue": { + "title": "Autoscaling memory target value", + "type": "string" + } + } + }, + "customMetrics": { + "title": "Autoscaling custom metrics", + "type": "array" + }, + "behavior": { + "title": "Autoscaling behavior definition", + "type": "object" + } + }, + "title": "Horizontal Pod Autoscaler settings", + "type": "object" + }, + "image": { + "properties": { + "pullPolicy": { + "enum": [ + "Always", + "Never", + "IfNotPresent" + ], + "title": "Image pull policy", + "type": "string" + }, + "pullSecrets": { + "title": "Secrets to be used to pull image", + "type": "array" + }, + "repository": { + "title": "Docker image repository", + "type": "string" + } + }, + "required": [ + "repository" + ], + "title": "Docker image details", + "type": "object" + }, + "init": { + "properties": { + "image": { + "properties": { + "repository": { + "title": "Image repository", + "type": "string" + }, + "resources": { + "properties": { + "requests": { + "properties": { + "cpu": { + "title": "Required CPU", + "type": [ + "string", + "number" + ] + } + }, + "title": "Resource requests", + "type": "object" + } + }, + "title": "Resources allocated to init container", + "type": "object" + }, + "tag": { + "title": "Image tag", + "type": "string" + } + }, + "title": "Init container image details", + "type": "object" + } + }, + "required": [ + "image" + ], + "title": "Init container details", + "type": "object" + }, + "maxReplicas": { + "title": "Maximum number of pod replicas", + "type": "number" + }, + "maxUnavailable": { + "title": "Maximum number of unavailable pods", + "anyOf": [ + { "type": "string" }, + { "type": "number" } + ] + }, + "minReplicas": { + "title": "Minimum number of pod replicas", + "type": "number" + }, + "metrics": { + "properties": { + "enabled": { + "title": "Enable generation of metrics via annotations or ServiceMonitor", + "type": "boolean" + }, + "port": { + "title": "Metrics port", + "type": "integer" + }, + "path": { + "title": "Metrics path", + "type": "string" + }, + "serviceMonitor": { + "properties": { + "enabled": { + "title": "Create a ServiceMonitor", + "type": "boolean" + }, + "additionalLabels": { + "title": "Additional labels", + "type": "object" + }, + "endpointConfig": { + "title": "Endpoint config", + "type": "object" + } + }, + "title": "ServiceMonitor", + "type": "object" + }, + "annotations": { + "title": "Metrics annotations", + "type": "object" + } + } + }, + "resources": { + "properties": { + "requests": { + "properties": { + "cpu": { + "title": "Required CPU", + "type": [ + "string", + "number" + ] + }, + "memory": { + "title": "Required Memory", + "type": [ + "string", + "number" + ] + } + }, + "title": "Resource requests", + "type": "object" + } + }, + "title": "Resources allocated to container", + "type": "object" + }, + "service": { + "properties": { + "externalIPs": { + "title": "List of external IPs", + "type": "array" + }, + "externalTrafficPolicy": { + "title": "Service external traffic policy", + "type": "string" + }, + "internalPort": { + "title": "Service internal port", + "type": "number" + }, + "loadBalancerIP": { + "title": "IP address to assign to LoadBalancer", + "type": "string" + }, + "loadBalancerSourceRanges": { + "title": "List of IP CIDRs allowed access to LoadBalancer", + "type": "array" + }, + "name": { + "title": "Name of the service", + "type": "string" + }, + "nodePort": { + "title": "Service node port", + "type": "number" + }, + "type": { + "title": "Type of the service", + "type": "string" + } + }, + "required": [ + "name", + "internalPort", + "type" + ], + "title": "GitLab Shell Kubernetes Service details", + "type": "object" + }, + "sshDaemon": { + "title": "SSH daemon that would be executed inside container", + "enum": [ + "openssh", + "gitlab-sshd" + ] + }, + "tolerations": { + "title": "Tolerations labels for pod assignment", + "type": "array" + }, + "priorityClassName": { + "title": "Priority class assigned to pods", + "type": "string" + }, + "workhorse": { + "properties": { + "host": { + "title": "Workhorse host", + "type": "string" + }, + "port": { + "title": "Workhorse port", + "type": "number" + }, + "serviceName": { + "title": "Workhorse service name", + "type": "string" + } + }, + "title": "Workhorse service details", + "type": "object" + } + }, + "required": [ + "enabled" + ], + "if": { + "properties": { + "enabled": { + "const": true + } + }, + "required": [ + "enabled" + ] + }, + "then": { + "required": [ + "config", + "deployment", + "hpa", + "image", + "maxReplicas", + "service", + "workhorse" + ] + } +} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/values.yaml new file mode 100644 index 0000000..014dc01 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/gitlab-shell/values.yaml @@ -0,0 +1,185 @@ +# Default values for gitlab-shell. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell + # pullPolicy: IfNotPresent + # pullSecrets: [] + # tag: master +service: + name: gitlab-shell + type: ClusterIP + internalPort: 2222 + externalTrafficPolicy: Cluster + # nodePort: xxx + # loadBalancerIP: x.x.x.x + # loadBalancerSourceRanges: + # - x.x.x.x/yy + # externalIPs: + # - x.x.x.x + # - y.y.y.y + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +# Tolerations for pod scheduling +tolerations: [] + +# Priority class assigned to pods +priorityClassName: "" + +global: {} + +enabled: true +annotations: {} +podLabels: {} +common: + labels: {} +serviceLabels: {} +workhorse: {} + # by default, Workhorse is a part of the webservice Pods / Service + # scheme: 'http' + # host: '0.0.0.0' + # serviceName: 'webservice' + # port: 8181 +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + requests: + cpu: 0 + memory: 6M +maxUnavailable: 1 +minReplicas: 2 +maxReplicas: 10 + +hpa: + # targetAverageValue: 100m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below + cpu: + targetType: AverageValue # Utilization or AverageValue + targetAverageValue: 100m + # targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + +deployment: + terminationGracePeriodSeconds: 30 + livenessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 2 + strategy: {} + +logging: + format: "json" + sshdLogLevel: "ERROR" + +config: + clientAliveInterval: 0 + loginGraceTime: 60 + maxStartups: + start: 10 + rate: 30 + full: 100 + # If using Traefik, see https://doc.traefik.io/traefik/routing/services/#proxy-protocol + proxyProtocol: false + proxyPolicy: "use" + proxyHeaderTimeout: 500ms + ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr] + kexAlgorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1] + macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1] + gssapi: + enabled: false + libpath: "libgssapi_krb5.so.2" + keytab: + #secret: + key: keytab + krb5Config: "" + servicePrincipalName: "" + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the gitaly container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +metrics: + enabled: false + port: 9122 + path: /metrics + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + # DEPRECATED + annotations: {} + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} + +## Allow to select ssh daemon that would be executed inside container +## Possible values: openssh, gitlab-sshd +sshDaemon: openssh + +affinity: + podAntiAffinity: + topologyKey: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/Chart.yaml new file mode 100644 index 0000000..c9cd8ee --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: GitLab Agent Server +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- agent +- gitlab +- gitlab-kas +- k8s-agent +- kas +- kubernetes +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: kas +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-kas +- https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/_default-config.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/_default-config.yaml new file mode 100644 index 0000000..46334ad --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/_default-config.yaml @@ -0,0 +1,46 @@ +agent: + listen: + address: ":{{ .Values.service.internalPort }}" + websocket: true + {{- if $.Values.global.kas.tls.enabled }} + certificate_file: /etc/kas/tls.crt + key_file: /etc/kas/tls.key + {{- end }} + kubernetes_api: + listen: + address: ":{{ .Values.service.kubernetesApiPort }}" + {{- if $.Values.global.kas.tls.enabled }} + certificate_file: /etc/kas/tls.crt + key_file: /etc/kas/tls.key + {{- end }} + url_path_prefix: "{{ .Values.ingress.k8sApiPath }}" +gitlab: + address: "{{ template "gitlab.workhorse.url" . }}" + external_url: "{{- template "gitlab.gitlab.url" . -}}" + authentication_secret_file: "/etc/kas/.gitlab_kas_secret" +observability: + listen: + address: ":{{ .Values.observability.port }}" + liveness_probe: + url_path: "{{ .Values.observability.livenessProbe.path }}" + readiness_probe: + url_path: "{{ .Values.observability.readinessProbe.path }}" +redis: + {{- include "kas.redis" . | nindent 2 }} +api: + listen: + address: ":{{ .Values.service.apiInternalPort }}" + authentication_secret_file: "/etc/kas/.gitlab_kas_secret" + {{- if $.Values.global.kas.tls.enabled }} + certificate_file: /etc/kas/tls.crt + key_file: /etc/kas/tls.key + {{- end }} +private_api: + listen: + address: ":{{ .Values.service.privateApiPort }}" + authentication_secret_file: "/etc/kas/.gitlab_kas_private_api_secret" + {{- if or .Values.privateApi.tls.enabled $.Values.global.kas.tls.enabled }} + certificate_file: "/etc/kas/tls.crt" + key_file: "/etc/kas/tls.key" + ca_certificate_file: "/etc/ssl/certs/ca-certificates.crt" + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/_helpers.tpl new file mode 100644 index 0000000..bb16adf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/_helpers.tpl @@ -0,0 +1,44 @@ +{{/* +Returns the secret name for the Secret containing the TLS certificate and key. +Uses `ingress.tls.secretName` first and falls back to `global.ingress.tls.secretName` +if there is a shared tls secret for all ingresses. +*/}} +{{- define "kas.tlsSecret" -}} +{{- $defaultName := (dict "secretName" "") -}} +{{- if .Values.global.ingress.configureCertmanager -}} +{{- $_ := set $defaultName "secretName" (printf "%s-kas-tls" .Release.Name) -}} +{{- else -}} +{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}} +{{- end -}} +{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}} +{{- end -}} + +{{/* +Build Redis config for KAS +*/}} +{{- define "kas.redis" -}} +{{- if .Values.redis.enabled -}} +{{- if .Values.global.redis.sharedState -}} +{{- $_ := set $ "redisConfigName" "sharedState" -}} +{{- end -}} +{{- include "gitlab.redis.selectedMergedConfig" . -}} +{{- if .redisMergedConfig.password.enabled -}} +password_file: /etc/kas/redis/{{ printf "%s-password" (default "redis" .redisConfigName) }} +{{- end -}} +{{- if not .redisMergedConfig.sentinels }} +server: + address: {{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }} +{{- else }} +sentinel: + addresses: + {{- range $i, $entry := .redisMergedConfig.sentinels }} + - {{ quote (print (trim $entry.host) ":" ( default 26379 $entry.port | int ) ) -}} + {{ end }} + master_name: {{ template "gitlab.redis.host" . }} +{{- end -}} +{{- if eq (.redisMergedConfig.scheme | default "") "rediss" }} +tls: + enabled: true +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/configmap.yaml new file mode 100644 index 0000000..de5a0c0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{- if .Values.global.kas.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + # See https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/pkg/kascfg/config_example.yaml + config.yaml: | + {{- $defaults := include (print $.Template.BasePath "/_default-config.yaml") . | fromYaml -}} + {{- $custom := default .Values.customConfig .Values.global.kas.customConfig -}} + {{- $merged := deepCopy $custom | mergeOverwrite $defaults -}} + {{- $merged | toYaml | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/deployment.yaml new file mode 100644 index 0000000..31d392d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/deployment.yaml @@ -0,0 +1,157 @@ +{{- if .Values.global.kas.enabled -}} +{{- $imageCfg := dict "global" $.Values.global.image "local" $.Values.image -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + {{- if .Values.deployment.minReadySeconds }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ .Values.observability.port | quote }} + gitlab.com/prometheus_path: {{ .Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.observability.port | quote }} + prometheus.io/path: {{ .Values.metrics.path }} + {{- end }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + {{- if eq (default .Values.global.antiAffinity .antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ template "name" . }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + args: + - "--configuration-file=/etc/kas/config.yaml" + env: + - name: OWN_PRIVATE_API_HOST + value: {{ include "gitlab.kas.serviceHost" . }} + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: OWN_PRIVATE_API_URL + value: "{{ include "gitlab.kas.internal.scheme" . }}://$(POD_IP):{{ .Values.service.privateApiPort }}" + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + ports: + - containerPort: {{ .Values.service.internalPort }} + name: {{ template "name" . }} + - containerPort: {{ .Values.service.kubernetesApiPort }} + name: {{ template "name" . }}-k8s-api + - containerPort: {{ .Values.service.privateApiPort }} + name: {{ template "name" . }}-private-api + - containerPort: {{ .Values.observability.port }} + name: http-metrics + readinessProbe: + httpGet: + path: {{ .Values.observability.readinessProbe.path }} + port: {{ .Values.observability.port }} + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: {{ .Values.observability.livenessProbe.path }} + port: {{ .Values.observability.port }} + initialDelaySeconds: 15 + periodSeconds: 20 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: init-etc-kas + mountPath: /etc/kas + readOnly: true + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds | int }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + - name: init-etc-kas + projected: + defaultMode: 0440 + sources: + - configMap: + name: {{ template "fullname" . }} + - secret: + name: {{ template "gitlab.kas.secret" . }} + items: + - key: {{ template "gitlab.kas.key" . }} + path: .gitlab_kas_secret + - secret: + name: {{ template "gitlab.kas.privateApi.secret" . }} + items: + - key: {{ template "gitlab.kas.privateApi.key" . }} + path: .gitlab_kas_private_api_secret + {{- if or $.Values.privateApi.tls.enabled $.Values.global.kas.tls.enabled }} + - secret: + name: {{ default .Values.privateApi.tls.secretName .Values.global.kas.tls.secretName | quote }} + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end }} + {{- if .Values.redis.enabled -}} + {{- include "gitlab.redis.secrets" (dict "globalContext" $ "instances" "sharedState" "mountRedisYmlOverrideSecrets" false) | nindent 12 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/hpa.yaml new file mode 100644 index 0000000..03e8079 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/hpa.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.kas.enabled (not (default $.Values.global.keda.enabled .Values.keda.enabled)) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.hpa "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + minReplicas: {{ .Values.minReplicas }} + maxReplicas: {{ .Values.maxReplicas }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/ingress.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/ingress.yaml new file mode 100644 index 0000000..ee5fc6e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/ingress.yaml @@ -0,0 +1,76 @@ +{{- if .Values.global.kas.enabled -}} +{{- if eq (include "gitlab.ingress.enabled" $) "true" -}} +{{- $hostname := include "gitlab.kas.hostname" . -}} +{{- $tlsSecret := include "kas.tlsSecret" . -}} +{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- if eq "nginx" .Values.global.ingress.provider }} + nginx.ingress.kubernetes.io/proxy-buffering: "off" + nginx.ingress.kubernetes.io/custom-http-errors: "" + {{- end }} + {{- if $.Values.global.kas.tls.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: https + {{- if $.Values.global.kas.tls.verify }} + nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' + nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "fullname" . }}.{{ $.Release.Namespace }}.svc + {{- if $.Values.global.kas.tls.caSecretName }} + nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace }}/{{ $.Values.global.kas.tls.caSecretName }} + {{- end }} + {{- end }} + {{- end }} + {{- include "gitlab.certmanager_annotations" . | nindent 4 }} + {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: {{ $hostname }} + http: + paths: + - path: "{{ trimSuffix "/" $.Values.ingress.k8sApiPath }}{{ $.Values.global.ingress.path }}" + {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} + backend: + service: + name: {{ template "gitlab.kas.serviceName" . }} + port: + number: {{ .Values.service.kubernetesApiPort }} + {{- else -}} + backend: + serviceName: {{ template "gitlab.kas.serviceName" . }} + servicePort: {{ .Values.service.kubernetesApiPort }} + {{- end }} + - path: "{{ trimSuffix "/" $.Values.ingress.agentPath }}{{ $.Values.global.ingress.path }}" + {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} + backend: + service: + name: {{ template "gitlab.kas.serviceName" . }} + port: + number: {{ .Values.service.externalPort }} + {{- else -}} + backend: + serviceName: {{ template "gitlab.kas.serviceName" . }} + servicePort: {{ .Values.service.externalPort }} + {{- end }} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }} + tls: + - hosts: + - {{ $hostname }} + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/keda.yaml new file mode 100644 index 0000000..80131b7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/keda.yaml @@ -0,0 +1,19 @@ +{{- $kedaCfg := (dict "global" .Values.global "hpa" .Values.hpa "keda" .Values.keda "minReplicas" .Values.minReplicas "maxReplicas" .Values.maxReplicas "resources" .Values.resources) -}} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg -}} +{{- if and .Values.global.kas.enabled $kedaEnabled -}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/networkpolicy.yaml new file mode 100644 index 0000000..7b2d81d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.kas.enabled -}} +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/pdb.yaml new file mode 100644 index 0000000..1329ec9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/pdb.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.kas.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/service.yaml new file mode 100644 index 0000000..5c062c2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/service.yaml @@ -0,0 +1,48 @@ +{{- if .Values.global.kas.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "gitlab.kas.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +spec: + type: {{ .Values.service.type | quote }} + {{- if (eq .Values.service.type "LoadBalancer") }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range .Values.service.loadBalancerSourceRanges }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + protocol: TCP + name: tcp-{{ template "name" . }}-external-api + - port: {{ .Values.global.kas.service.apiExternalPort }} + targetPort: {{ .Values.service.apiInternalPort }} + protocol: TCP + name: tcp-{{ template "name" . }}-internal-api + - port: {{ .Values.service.kubernetesApiPort }} + targetPort: {{ .Values.service.kubernetesApiPort }} + protocol: TCP + name: tcp-{{ template "name" . }}-k8s-api + {{- if .Values.metrics.enabled }} + - port: {{ .Values.observability.port }} + targetPort: http-metrics + protocol: TCP + name: http-metrics + {{- end }} + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/serviceaccount.yaml new file mode 100644 index 0000000..d87987f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and .Values.global.kas.enabled $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/servicemonitor.yaml new file mode 100644 index 0000000..dadb674 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/templates/servicemonitor.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.global.kas.enabled .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "gitlab.kas.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + endpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/values.yaml new file mode 100644 index 0000000..3167234 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/kas/values.yaml @@ -0,0 +1,160 @@ +# Default values for gitlab-kas. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +annotations: {} +global: + ingress: {} + kas: + enabled: true + redis: + # host: '0.0.0.0' + auth: {} + # hosts: + # kas: + # name: kas.example.com + # https: true + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +hpa: + # targetAverageValue: 100m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below + cpu: + targetType: AverageValue # Utilization or AverageValue + targetAverageValue: 100m + # targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-kas + # tag: latest + # pullPolicy: IfNotPresent + # pullSecrets: [] +ingress: + apiVersion: + annotations: {} + tls: {} + agentPath: / + k8sApiPath: /k8s-proxy +maxReplicas: 10 +maxUnavailable: 1 +minReplicas: 2 +podLabels: {} +common: + labels: {} +serviceLabels: {} +## Additional environment variables to set +extraEnv: {} +extraEnvFrom: {} +resources: + requests: + cpu: 100m + memory: 100M +service: + externalPort: 8150 + internalPort: 8150 + apiInternalPort: 8153 + kubernetesApiPort: 8154 + privateApiPort: 8155 + type: ClusterIP + # loadBalancerIP: + # loadBalancerSourceRanges: +metrics: + enabled: true + path: /metrics + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} +observability: + port: 8151 + livenessProbe: + path: /liveness + readinessProbe: + path: /readiness +serviceAccount: + enabled: false + create: false + annotations: {} +# Tolerations for pod scheduling +tolerations: [] +workhorse: {} + # by default, Workhorse is a part of the Webservice Pods / Service + # scheme: 'http' + # host: '0.0.0.0' + # serviceName: 'webservice' + # port: 8181 +# merged with the default kas config +customConfig: {} + +privateApi: + # secret: + # key: + tls: + enabled: false # DEPRECATED: in favor of `global.kas.tls.enabled` + # secretName: # DEPRECATED: in favor of `global.kas.tls.secretName` +deployment: + terminationGracePeriodSeconds: 300 + strategy: {} + # minReadySeconds: 0 + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 65532 + +redis: + enabled: true + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} + +affinity: + podAntiAffinity: + topologyKey: + +# Priority class assigned to pods +priorityClassName: "" diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/Chart.yaml new file mode 100644 index 0000000..f10822a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: Handling incoming emails +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- mailroom +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: mailroom +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/mailroom +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-mailroom +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/_helpers.tpl new file mode 100644 index 0000000..4dbefb8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the URL desired by Mail_room + +If global.redis.queues is present, use this. If not present, use global.redis +*/}} +{{- define "gitlab.mailroom.redis.url" -}} +{{- if $.Values.global.redis.queues -}} +{{- $_ := set $ "redisConfigName" "queues" }} +{{- end -}} +{{- include "gitlab.redis.url" $ -}} +{{- end -}} + +{{- define "gitlab.mailroom.redis.sentinels" -}} +{{- if $.Values.global.redis.queues -}} +{{- $_ := set $ "redisConfigName" "queues" }} +{{- end -}} +{{- $sentinels := include "gitlab.redis.sentinels" . }} +{{- if $sentinels -}} +:{{- $sentinels | replace " port:" " :port:" | replace " host:" " :host:" -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/configmap.yaml new file mode 100644 index 0000000..87ea3a8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/configmap.yaml @@ -0,0 +1,130 @@ +{{- if and .Values.enabled .Values.global.appConfig.incomingEmail.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + mail_room.yml: | + :health_check: + :address: 0.0.0.0 + :port: 8080 + :mailboxes: + - + {{- with .Values.global.appConfig.incomingEmail }} + :email: {{ .user }} + :name: {{ .mailbox }} + :delete_after_delivery: {{ .deleteAfterDelivery }} + :expunge_deleted: {{ .expungeDeleted }} + {{- if ne .logger.logPath "" }} + :logger: + :log_path: "{{ .logger.logPath }}" + {{- end }} + :inbox_method: {{ .inboxMethod }} + {{- if eq .inboxMethod "microsoft_graph" }} + :inbox_options: + :tenant_id: "{{ .tenantId }}" + :client_id: "{{ .clientId }}" + :client_secret: <%= File.read("/etc/gitlab/mailroom/client_id_incoming_email").strip.to_json %> + :poll_interval: {{ .pollInterval }} + {{- if .azureAdEndpoint }} + :azure_ad_endpoint: {{ .azureAdEndpoint }} + {{- end }} + {{- if .graphEndpoint }} + :graph_endpoint: {{ .graphEndpoint }} + {{- end }} + {{- else }} + :host: {{ .host }} + :port: {{ .port }} + :ssl: {{ .ssl }} + :start_tls: {{ .startTls }} + :password: <%= File.read("/etc/gitlab/mailroom/password_incoming_email").strip.to_json %> + :idle_timeout: {{ .idleTimeout }} + {{- end }} + {{- if eq .deliveryMethod "sidekiq" }} + :delivery_method: sidekiq + :delivery_options: + :redis_url: {{ include "gitlab.mailroom.redis.url" $ }} + :queue: email_receiver + :worker: EmailReceiverWorker + {{- include "gitlab.mailroom.redis.sentinels" $ | nindent 10 }} + {{- else if eq .deliveryMethod "webhook" }} + :delivery_method: postback + :delivery_options: + :delivery_url: '{{ template "gitlab.workhorse.url" $ }}/api/v4/internal/mail_room/incoming_email' + :content_type: "text/plain" + :jwt_auth_header: "Gitlab-Mailroom-Api-Request" + :jwt_issuer: "gitlab-mailroom" + :jwt_algorithm: "HS256" + :jwt_secret_path: "/etc/gitlab/mailroom/incoming_email_webhook_secret" + {{- end }} + {{- end }} + :arbitration_method: redis + :arbitration_options: + :redis_url: {{ include "gitlab.mailroom.redis.url" . }} + :namespace: mail_room:gitlab + {{- include "gitlab.mailroom.redis.sentinels" . | nindent 10 }} + {{- if .Values.global.appConfig.serviceDeskEmail.enabled }} + - + {{- with .Values.global.appConfig.serviceDeskEmail }} + :email: {{ .user }} + :name: {{ .mailbox }} + :delete_after_delivery: {{ .deleteAfterDelivery }} + :expunge_deleted: {{ .expungeDeleted }} + {{- if ne .logger.logPath "" }} + :logger: + :log_path: "{{ .logger.logPath }}" + {{- end }} + :inbox_method: {{ .inboxMethod }} + {{- if eq .inboxMethod "microsoft_graph" }} + :inbox_options: + :tenant_id: "{{ .tenantId }}" + :client_id: "{{ .clientId }}" + :client_secret: <%= File.read("/etc/gitlab/mailroom/client_id_service_desk").strip.to_json %> + :poll_interval: {{ .pollInterval }} + {{- if .azureAdEndpoint }} + :azure_ad_endpoint: {{ .azureAdEndpoint }} + {{- end }} + {{- if .graphEndpoint }} + :graph_endpoint: {{ .graphEndpoint }} + {{- end }} + {{- else }} + :host: {{ .host }} + :port: {{ .port }} + :ssl: {{ .ssl }} + :start_tls: {{ .startTls }} + :password: <%= File.read("/etc/gitlab/mailroom/password_service_desk").strip.to_json %> + :idle_timeout: {{ .idleTimeout }} + {{- end }} + {{- if eq .deliveryMethod "sidekiq" }} + :delivery_method: sidekiq + :delivery_options: + :redis_url: {{ template "gitlab.redis.url" $ }} + :queue: service_desk_email_receiver + :worker: ServiceDeskEmailReceiverWorker + {{- include "gitlab.mailroom.redis.sentinels" $ | nindent 10 }} + {{- else if eq .deliveryMethod "webhook" }} + :delivery_method: postback + :delivery_options: + :delivery_url: '{{ template "gitlab.workhorse.url" $ }}/api/v4/internal/mail_room/service_desk_email' + :content_type: "text/plain" + :jwt_auth_header: "Gitlab-Mailroom-Api-Request" + :jwt_issuer: "gitlab-mailroom" + :jwt_algorithm: "HS256" + :jwt_secret_path: "/etc/gitlab/mailroom/service_desk_email_webhook_secret" + {{- end }} + {{- end }} + :arbitration_method: redis + :arbitration_options: + :redis_url: {{ template "gitlab.redis.url" . }} + :namespace: mail_room:gitlab + {{- include "gitlab.mailroom.redis.sentinels" . | nindent 10 }} + {{- end }} + + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "mailroom" "optional" "redis") | nindent 4 }} +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/deployment.yaml new file mode 100644 index 0000000..b79024c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/deployment.yaml @@ -0,0 +1,163 @@ +{{- if and .Values.enabled .Values.global.appConfig.incomingEmail.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image "context" $ -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + # Don't provide replicas when HPA are present + # replicas: {{ .Values.hpa.minReplicas }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if eq (default .Values.global.antiAffinity .antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + - name: mailroom-config + mountPath: /config/configure + subPath: configure + readOnly: true + - name: init-mailroom-secrets + mountPath: /init-config + readOnly: true + - name: mailroom-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: {{ include "gitlab.image.fullPath" $imageCfg }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + - name: mailroom-config + mountPath: /var/opt/gitlab/mail_room.yml + subPath: mail_room.yml + - name: mailroom-secrets + mountPath: '/etc/gitlab' + readOnly: true + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + livenessProbe: + httpGet: + path: /liveness + port: 8080 + readinessProbe: + exec: + command: + - /scripts/healthcheck + lifecycle: + preStop: + exec: + command: ["/bin/bash", "-c", "pkill -f 'mail_room'"] + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + - name: mailroom-config + configMap: + name: {{ template "fullname" . }} + - name: init-mailroom-secrets + projected: + defaultMode: 0400 + sources: + {{- include "gitlab.redis.secret" . | nindent 10 }} + {{- if eq .Values.global.appConfig.incomingEmail.inboxMethod "microsoft_graph" }} + - secret: + name: {{ .Values.global.appConfig.incomingEmail.clientSecret.secret | required "Missing required secret containing the OAuth2 Client ID for incoming email. Make sure to set `.Values.global.appConfig.incomingEmail.clientSecret.secret`" }} + items: + - key: {{ .Values.global.appConfig.incomingEmail.clientSecret.key }} + path: mailroom/client_id_incoming_email + {{- else }} + - secret: + name: {{ .Values.global.appConfig.incomingEmail.password.secret | required "Missing required secret containing the IMAP password for incoming email. Make sure to set `global.appConfig.incomingEmail.password.secret`" }} + items: + - key: {{ .Values.global.appConfig.incomingEmail.password.key }} + path: mailroom/password_incoming_email + {{ end }} + {{- include "gitlab.appConfig.incomingEmail.mountSecrets" $ | nindent 10 }} + {{- if .Values.global.appConfig.serviceDeskEmail.enabled }} + {{- if eq .Values.global.appConfig.serviceDeskEmail.inboxMethod "microsoft_graph" }} + - secret: + name: {{ .Values.global.appConfig.serviceDeskEmail.clientSecret.secret | required "Missing required secret containing the OAuth2 Client ID for service desk email. Make sure to set `.Values.global.appConfig.serviceDeskEmail.clientSecret.secret`" }} + items: + - key: {{ .Values.global.appConfig.serviceDeskEmail.clientSecret.key }} + path: mailroom/client_id_service_desk + {{- else }} + - secret: + name: {{ .Values.global.appConfig.serviceDeskEmail.password.secret | required "Missing required secret containing the IMAP password for service desk email. Make sure to set `global.appConfig.serviceDeskEmail.password.secret`"}} + items: + - key: {{ .Values.global.appConfig.serviceDeskEmail.password.key }} + path: mailroom/password_service_desk + {{- end }} + {{- include "gitlab.appConfig.serviceDeskEmail.mountSecrets" $ | nindent 10 }} + {{- end }} + - name: mailroom-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/hpa.yaml new file mode 100644 index 0000000..c047085 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/hpa.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.enabled .Values.global.appConfig.incomingEmail.enabled (not (default $.Values.global.keda.enabled .Values.keda.enabled)) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.hpa "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/keda.yaml new file mode 100644 index 0000000..b32bdae --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/keda.yaml @@ -0,0 +1,19 @@ +{{- $kedaCfg := (dict "global" .Values.global "hpa" .Values.hpa "keda" .Values.keda "resources" .Values.resources) -}} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg -}} +{{- if and .Values.enabled .Values.global.appConfig.incomingEmail.enabled $kedaEnabled -}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/networkpolicy.yaml new file mode 100644 index 0000000..0239233 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.enabled -}} +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/serviceaccount.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/values.yaml new file mode 100644 index 0000000..cf0a5ab --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/mailroom/values.yaml @@ -0,0 +1,201 @@ +image: + # registry: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom + # tag: + # pullPolicy: IfNotPresent + # pullSecrets: [] + +enabled: true + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +# Tolerations for pod scheduling +tolerations: [] + +podLabels: {} +common: + labels: {} + +workhorse: {} + # by default, Workhorse is a part of the Webservice Pods / Service + # scheme: 'http' + # host: '0.0.0.0' + # serviceName: 'webservice' + # port: 8181 + +global: + redis: + auth: {} + appConfig: + incomingEmail: + enabled: false + address: + host: + port: 993 + ssl: true + startTls: false + user: + password: + secret: "" + key: password + deleteAfterDelivery: true + expungeDeleted: false + logger: + logPath: "/dev/stdout" + mailbox: inbox + idleTimeout: 60 + inboxMethod: "imap" + clientSecret: + key: secret + pollInterval: 60 + deliveryMethod: webhook + authToken: + secret: "" + key: authToken + + serviceDeskEmail: + enabled: false + address: + host: + port: 993 + ssl: true + startTls: false + user: + password: + secret: "" + key: password + deleteAfterDelivery: true + expungeDeleted: false + logger: + logPath: "/dev/stdout" + mailbox: inbox + idleTimeout: 60 + inboxMethod: "imap" + clientSecret: + key: secret + pollInterval: 60 + deliveryMethod: webhook + authToken: + secret: "" + key: authToken + +hpa: + minReplicas: 1 + maxReplicas: 2 + cpu: + targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 100m + targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + +# Mailroom does not require inbound connections +# This service only requires outgoing connections to the +# IMAP service of choice, the provided or self hosted redis +# service, and DNS. +# An optimal configuration may look like the following: +# +#networkpolicy: +# enabled: true +# egress: +# enabled: true +# # The following rules enable traffic to all external +# # endpoints, except the local +# # network (except DNS requests) +# rules: +# - to: +# - ipBlock: +# cidr: 10.0.0.0/8 +# ports: +# - port: 53 +# protocol: UDP +# - to: +# - ipBlock: +# cidr: 10.0.0.0/8 +# ports: +# - port: 6379 +# protocol: TCP +# - to: +# - ipBlock: +# cidr: 10.0.0.0/8 +# ports: +# - port: 993 +# protocol: TCP + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} + +redis: + auth: {} + +resources: + # limits: + # cpu: 1 + # memory: 2G + requests: + cpu: 50m + memory: 150M + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +deployment: + strategy: {} + +affinity: + podAntiAffinity: + topologyKey: + +# Priority class assigned to pods +priorityClassName: "" diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/Chart.yaml new file mode 100644 index 0000000..a34a26d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: Database migrations and other versioning tasks for upgrading Gitlab +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: migrations +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/migrations +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-rails +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_helpers.tpl new file mode 100644 index 0000000..c7ff8dc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_helpers.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified job name. +Due to the job only being allowed to run once, we add the chart revision so helm +upgrades don't cause errors trying to create the already ran job. +Due to the helm delete not cleaning up these jobs, we add a randome value to +reduce collision +*/}} +{{- define "migrations.jobname" -}} +{{- $name := include "fullname" . | trunc 55 | trimSuffix "-" -}} +{{- printf "%s-%d" $name .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_jobspec.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_jobspec.yaml new file mode 100644 index 0000000..127ab29 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_jobspec.yaml @@ -0,0 +1,191 @@ +{{- if .Values.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "migrations.jobname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- if .Values.annotations }} + annotations: + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + activeDeadlineSeconds: {{ .Values.activeDeadlineSeconds }} + backoffLimit: {{ .Values.backoffLimit }} + template: + metadata: + {{- if or .Values.PodAnnotations .Values.annotations}} + annotations: + {{- range $key, $value := merge .Values.podAnnotations (deepCopy .Values.annotations) }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.psql.ssl.volumeMount" . | nindent 10 }} + {{- include "gitlab.geo.psql.ssl.volumeMount" . | nindent 10 }} + - name: migrations-config + mountPath: /config + readOnly: true + - name: init-migrations-secrets + mountPath: /init-config + readOnly: true + - name: migrations-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + restartPolicy: OnFailure + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" + args: + - /scripts/wait-for-deps + {{- if include "gitlab.geo.secondary" $ }} + - /scripts/geo-db-migrate + {{- else }} + - /scripts/db-migrate + {{- end}} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + - name: BYPASS_SCHEMA_VERSION + value: 'true' + {{- if include "gitlab.geo.secondary" $ }} + - name: DB_SCHEMA_TARGET + value: 'geo' + {{- end }} + {{- if .Values.global.rails.bootsnap.enabled }} + - name: ENABLE_BOOTSNAP + value: '1' + {{- end }} + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + - name: migrations-config + mountPath: '/var/opt/gitlab/templates' + - name: migrations-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: migrations-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + - name: migrations-secrets + mountPath: /srv/gitlab/config/initial_root_password + subPath: migrations/initial_root_password + - name: migrations-secrets + mountPath: /srv/gitlab/config/gitlab_shared_runners_registration_token + subPath: migrations/gitlab_shared_runners_registration_token + {{- if .Values.global.gitlab.license.secret }} + - name: migrations-secrets + mountPath: /srv/gitlab/config/Gitlab.gitlab-license + subPath: migrations/enterprise_license + {{- end }} + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + {{- include "gitlab.psql.ssl.volume" . | nindent 6 }} + {{- include "gitlab.geo.psql.ssl.volume" . | nindent 6 }} + - name: migrations-config + configMap: + name: {{ template "fullname" . }} + - name: init-migrations-secrets + projected: + defaultMode: 0400 + sources: + {{ if and (eq $.Values.global.pages.enabled true) (eq $.Values.global.pages.accessControl true) }} + - secret: + name: {{ template "oauth.gitlab-pages.secret" . }} + items: + - key: {{ template "oauth.gitlab-pages.appIdKey" . }} + path: oauth-secrets/gitlab-pages/appid + - key: {{ template "oauth.gitlab-pages.appSecretKey" . }} + path: oauth-secrets/gitlab-pages/appsecret + - configMap: + name: {{ template "fullname" . }} + items: + - key: pages_redirect_uri + path: oauth-secrets/gitlab-pages/redirecturi + {{- end }} + - secret: + name: {{ template "gitlab.rails-secrets.secret" . }} + items: + - key: secrets.yml + path: rails-secrets/secrets.yml + {{- include "gitlab.gitaly.clientSecrets" . | nindent 10 }} + {{- include "gitlab.redis.secrets" (dict "globalContext" $) | nindent 10 }} + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 10 }} + {{- end }} + {{- if include "gitlab.geo.secondary" $ }} + - secret: + name: {{ template "gitlab.geo.psql.password.secret" . }} + items: + - key: {{ template "gitlab.geo.psql.password.key" . }} + path: postgres/geo-psql-password + {{- end }} + - secret: + name: {{ template "gitlab.migrations.initialRootPassword.secret" . }} + items: + - key: {{ template "gitlab.migrations.initialRootPassword.key" . }} + path: migrations/initial_root_password + - secret: + name: {{ template "gitlab.gitlab-runner.registrationToken.secret" . }} + items: + - key: runner-registration-token + path: migrations/gitlab_shared_runners_registration_token + {{- if .Values.global.gitlab.license.secret }} + - secret: + name: {{ .Values.global.gitlab.license.secret }} + items: + - key: {{ template "gitlab.migrations.license.key" . }} + path: migrations/enterprise_license + {{- end }} + - name: migrations-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_serviceaccountspec.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_serviceaccountspec.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/_serviceaccountspec.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/configmap.yaml new file mode 100644 index 0000000..4ab2142 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/configmap.yaml @@ -0,0 +1,34 @@ +{{- if .Values.enabled -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + pages_redirect_uri: {{ template "oauth.gitlab-pages.authRedirectUri" . }} + installation_type: | + gitlab-helm-chart + database.yml.erb: | + {{- include "gitlab.database.yml" . | nindent 4 }} + {{- include "gitlab.rails.redis.all" . | nindent 2 }} + gitlab.yml.erb: | + production: &base + gitlab: + host: {{ template "gitlab.gitlab.hostname" . }} + {{- if hasKey .Values.global.appConfig.initialDefaults "signupEnabled" }} + signup_enabled: {{ .Values.global.appConfig.initialDefaults.signupEnabled }} + {{- end }} + {{- include "gitlab.appConfig.gitaly" . | nindent 6 }} + {{- include "gitlab.appConfig.repositories" . | nindent 6 }} + {{- include "gitlab.appConfig.sidekiq.configuration" $ | nindent 6 }} + {{- include "gitlab.geo.config" $ | nindent 6 }} + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "rails-secrets migrations gitaly") | nindent 4 }} + {{- include "gitlab.psql.ssl.initScript" . | nindent 4 }} + {{- include "gitlab.geo.psql.ssl.initScript" . | nindent 4 }} +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/job.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/job.yaml new file mode 100644 index 0000000..68f501c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/templates/job.yaml @@ -0,0 +1,5 @@ +{{- if and .Values.enabled }} +{{ include (print $.Template.BasePath "/_serviceaccountspec.yaml") . }} +--- +{{ include (print $.Template.BasePath "/_jobspec.yaml") . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/values.yaml new file mode 100644 index 0000000..fbe04a8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/migrations/values.yaml @@ -0,0 +1,97 @@ +# Default values for migrations. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: {} + # pullPolicy: IfNotPresent + # pullSecrets: [] + # repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee + # tag: master + +init: + image: {} + # repository: + # tag: + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +# Tolerations for pod scheduling +tolerations: [] + +# Annotations for the job +annotations: {} +# Annotations for the pod +podAnnotations: {} + +# Priority class assigned to pods +priorityClassName: "" + +# Labels for the job +podLabels: {} +common: + labels: {} + +enabled: true +initialRootPassword: {} +redis: + auth: {} +gitaly: + # host: '0.0.0.0' + # port: 8075 + # serviceName: 'gitaly' + authToken: {} + # secret: gitaly-secret + # key: token + +psql: {} + # port: 5432 + +global: + psql: {} + # host: '0.0.0.0' + # port: '5432' + # database: 'gitlabhq_production' + # username: 'gitlab' + # applicationName: + # preparedStatements: false + # databaseTasks: true + # password: + # secret: gitlab-postgres + # key: psql-password + # ssl: + # secret: gitlab-ssl-secret + # clientKey: client-key.pem + # clientCertificate: client-cert.pem + # serverCA: server-ca.pem + redis: + auth: {} + gitaly: + internal: + names: ["default"] + external: [] + authToken: {} +resources: + requests: + cpu: 250m + memory: 200Mi +activeDeadlineSeconds: 3600 +backoffLimit: 6 + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/Chart.yaml new file mode 100644 index 0000000..fc2209b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +appVersion: 16.6.0 +description: Praefect is a router and transaction manager for Gitaly, and a required + component for running a Gitaly Cluster. +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- gitaly +- praefect +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: praefect +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/praefect +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitaly +- https://gitlab.com/gitlab-org/gitaly/-/tree/master/cmd/praefect +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/configmap.yaml new file mode 100644 index 0000000..6dd4ca7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -0,0 +1,97 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + configure: | + set -e + mkdir -p /init-secrets/praefect + for f in gitaly_token praefect_token db_password + do + cp -v -r -L /init-config/${f} /init-secrets/praefect/${f} + done + {{- if $.Values.global.praefect.tls.enabled }} + cp -v -L /init-config/praefect.crt /init-secrets/praefect/praefect.crt + cp -v -L /init-config/praefect.key /init-secrets/praefect/praefect.key + {{- end }} + config.toml.tpl: | + # TCP address to listen on + listen_addr = '0.0.0.0:{{ include "gitlab.praefect.internalPort" . }}' + + {{- if $.Values.global.praefect.tls.enabled }} + tls_listen_addr = '0.0.0.0:{{ include "gitlab.praefect.tls.internalPort" . }}' + {{- end }} + + {{- if .Values.metrics.enabled }} + prometheus_listen_addr = '0.0.0.0:{{ .Values.metrics.port }}' + {{- end }} + + prometheus_exclude_database_from_default_metrics = {{ eq true .Values.metrics.separate_database_metrics }} + + {{- if $.Values.global.praefect.tls.enabled }} + [tls] + certificate_path = '/etc/gitlab-secrets/praefect/praefect.crt' + key_path = '/etc/gitlab-secrets/praefect/praefect.key' + {{- end }} + + [failover] + enabled = {{ .Values.failover.enabled }} + read_only_after_failover = {{ .Values.failover.readonlyAfter }} + + [auth] + token = {% file.Read "/etc/gitlab-secrets/praefect/praefect_token" | strings.TrimSpace | data.ToJSON %} + + transitioning = false + + [logging] + {{- with .Values.logging }} + {{- if .level }} + level = "{{ .level }}" + {{- end }} + {{- if .format }} + format = "{{ .format }}" + {{- end }} + {{- if .sentryDsn }} + sentry_dsn = "{{ .sentryDsn }}" + {{- end }} + dir = "/var/log/gitaly" + {{- if .sentryEnvironment }} + sentry_environment = "{{ .sentryEnvironment }}" + {{- end }} + {{- end }} + + {{- $scheme := "tcp" -}} + {{- $port := include "gitlab.gitaly.internalPort" $ -}} + {{- if $.Values.global.gitaly.tls.enabled -}} + {{- $scheme = "tls" -}} + {{- $port = include "gitlab.gitaly.tls.internalPort" $ -}} + {{- end -}} + {{- $globalContext := $ }} + {{ range $.Values.global.praefect.virtualStorages }} + {{- $storageName := .name }} + [[virtual_storage]] + name = '{{ $storageName }}' + {{- if .defaultReplicationFactor }} + default_replication_factor = {{ .defaultReplicationFactor }} + {{- end -}} + {{- range until (.gitalyReplicas | int) }} + [[virtual_storage.node]] + {{- $serviceName := include "gitlab.praefect.gitaly.serviceName" (dict "context" $globalContext "name" $storageName) -}} + {{- $podAddress := include "gitlab.praefect.gitaly.qualifiedServiceName" (dict "context" $globalContext "index" . "name" $storageName) }} + storage = '{{ $serviceName }}-{{ . }}' + address = '{{ printf "%s://%s.%s.svc:%s" $scheme $podAddress $globalContext.Release.Namespace $port }}' + token = {% file.Read "/etc/gitlab-secrets/praefect/gitaly_token" | strings.TrimSpace | data.ToJSON %} + {{- end }} + {{ end }} + + [database] + host = '{{ template "gitlab.praefect.psql.host" . }}' + port = {{ template "gitlab.praefect.psql.port" . }} + user = '{{ template "gitlab.praefect.psql.user" . }}' + password = {% file.Read "/etc/gitlab-secrets/praefect/db_password" | strings.TrimSpace | data.ToJSON %} + dbname = '{{ template "gitlab.praefect.psql.dbName" . }}' + sslmode = '{{ $.Values.global.praefect.psql.sslMode }}' diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/pdb.yaml new file mode 100644 index 0000000..03099e5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/service.yaml new file mode 100644 index 0000000..0191ac9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/service.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab.praefect.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- if .Values.metrics.enabled }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "{{ .Values.metrics.metricsPort }}" + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.metricsPort }}" + {{- end }} + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +spec: + type: {{ coalesce .Values.service.type .Values.global.praefect.service.type }} + clusterIP: None + ports: + - name: grpc-{{ coalesce .Values.service.name .Values.global.praefect.service.name }} + port: {{ include "gitlab.praefect.externalPort" . }} + protocol: TCP + targetPort: {{ include "gitlab.praefect.internalPort" . }} + {{- if $.Values.global.praefect.tls.enabled }} + - name: tls-{{ coalesce .Values.service.name .Values.global.praefect.service.name }} + port: {{ include "gitlab.praefect.tls.externalPort" . }} + protocol: TCP + targetPort: {{ include "gitlab.praefect.tls.internalPort" . }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: http-metrics + port: {{ .Values.metrics.port }} + protocol: TCP + targetPort: http-metrics + {{- end }} + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/serviceaccount.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/servicemonitor.yaml new file mode 100644 index 0000000..349f27d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/servicemonitor.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gitlab.praefect.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + endpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/statefulset.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/statefulset.yaml new file mode 100644 index 0000000..c79b894 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -0,0 +1,179 @@ +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + serviceName: {{ template "gitlab.praefect.serviceName" $ }} + replicas: {{ $.Values.replicas }} + podManagementPolicy: Parallel + {{- if .Values.statefulset.strategy }} + updateStrategy: {{ .Values.statefulset.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ .Values.metrics.port | quote }} + gitlab.com/prometheus_path: {{ .Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.metrics.port | quote }} + prometheus.io/path: {{ .Values.metrics.path }} + {{- end }} + spec: + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" $ | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + env: + {{- include "gitlab.extraEnv" $ | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + - name: praefect-config + mountPath: /config + readOnly: true + - name: init-praefect-secrets + mountPath: /init-config + readOnly: true + - name: praefect-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + containers: + {{- include "gitlab.extraContainers" . | nindent 6 }} + - name: {{ $.Chart.Name }} + image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 8 }} + ports: + - containerPort: {{ include "gitlab.praefect.internalPort" $ }} + {{- if $.Values.global.praefect.tls.enabled }} + - containerPort: {{ include "gitlab.praefect.tls.internalPort" $ }} + {{- end }} + {{- if .Values.metrics.enabled }} + - containerPort: {{ .Values.metrics.port }} + name: http-metrics + {{- end }} + env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/etc/gitaly/templates' + - name: CONFIG_DIRECTORY + value: '/etc/gitaly' + - name: PRAEFECT_CONFIG_FILE + value: '/etc/gitaly/config.toml' + - name: SSL_CERT_DIR + value: '/etc/ssl/certs' + - name: PRAEFECT_PROMETHEUS_LISTEN_ADDR + value: ':{{ .Values.metrics.port }}' + - name: USE_PRAEFECT_SERVICE + value: '1' + - name: PRAEFECT_AUTO_MIGRATE + value: '{{ .Values.global.praefect.autoMigrate | int }}' + - name: NTP_HOST + value: '{{ .Values.global.praefect.ntpHost }}' + {{- include "gitlab.tracing.env" . | nindent 8 }} + {{- include "gitlab.extraEnv" . | nindent 8 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 8 }} + resources: + {{- toYaml .Values.resources | nindent 10 }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 10 }} + - name: praefect-secrets + mountPath: /etc/gitlab-secrets + readOnly: true + - name: praefect-config + mountPath: /etc/gitaly/templates + dnsPolicy: ClusterFirst + restartPolicy: Always + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + defaultMode: 420 + name: {{ template "fullname" . }} + name: praefect-config + - emptyDir: + medium: Memory + name: praefect-secrets + - name: init-praefect-secrets + projected: + defaultMode: 288 + sources: + - secret: + items: + - key: {{ template "gitlab.gitaly.authToken.key" . }} + path: gitaly_token + name: {{ template "gitlab.gitaly.authToken.secret" . }} + - secret: + items: + - key: {{ template "gitlab.praefect.authToken.key" . }} + path: praefect_token + name: {{ template "gitlab.praefect.authToken.secret" . }} + - secret: + items: + - key: {{ template "gitlab.praefect.dbSecret.key" . }} + path: db_password + name: {{ template "gitlab.praefect.dbSecret.secret" . }} + {{- if $.Values.global.praefect.tls.enabled }} + - secret: + name: {{ template "gitlab.praefect.tls.secret" $ }} + items: + - key: "tls.crt" + path: "praefect.crt" + - key: "tls.key" + path: "praefect.key" + {{- end }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/values.yaml new file mode 100644 index 0000000..5170937 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/praefect/values.yaml @@ -0,0 +1,76 @@ +# Default values for praefect. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +failover: + enabled: true + readonlyAfter: true + +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitaly + # pullPolicy: IfNotPresent + # pullSecrets: [] + +service: + tls: {} + +init: + resources: {} + image: {} + # pullPolicy: IfNotPresent + +metrics: + enabled: true + port: 9236 + separate_database_metrics: true + path: /metrics + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + +## Allow to overwrite under which User and Group we're running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +replicas: 2 + +resources: + requests: + cpu: 100m + memory: 200Mi + +## For PodDisruptionBudget, how many pods can be unavailable at one time +maxUnavailable: 1 + +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +## Support for tolerations for pod scheduling +tolerations: [] + +## The Gitaly StatefulSet's priorityClassName +# priorityClassName: + +gitaly: + service: + tls: {} + # serviceName: + +common: + labels: {} +podLabels: {} +serviceLabels: {} + +statefulset: + strategy: {} + +affinity: + podAntiAffinity: + topologyKey: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/Chart.yaml new file mode 100644 index 0000000..ff1c10c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: Gitlab Sidekiq for asynchronous task processing in rails +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- sidekiq +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: sidekiq +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/sidekiq +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-sidekiq +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/_helpers.tpl new file mode 100644 index 0000000..c277f86 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/_helpers.tpl @@ -0,0 +1,57 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Returns the extraEnv keys and values to inject into containers. Allows +pod-level values for extraEnv. + +Takes a dict with `local` being the pod-level configuration and `parent` +being the chart-level configuration. + +Pod values take precedence, then chart values, and finally global +values. +*/}} +{{- define "sidekiq.podExtraEnv" -}} +{{- $allExtraEnv := merge (default (dict) .local.extraEnv) (default (dict) .context.Values.extraEnv) .context.Values.global.extraEnv -}} +{{- range $key, $value := $allExtraEnv }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} + +{{/* +Returns a list of _common_ labels to be shared across all +Sidekiq deployments and other shared objects, otherwise +known as pods currently. +*/}} +{{- define "sidekiq.commonLabels" -}} +{{- $commonPodLabels := merge (default (dict) .pod) (default (dict) .global) -}} +{{- range $key, $value := $commonPodLabels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} + +{{/* +Returns a list of _pod_ labels to be shared across all +Sidekiq deployments, otherwise known as pods currently. +*/}} +{{- define "sidekiq.podLabels" -}} +{{- $commonPodLabels := default (dict) .pod -}} +{{- range $key, $value := $commonPodLabels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} + +{{/* +Create a datamodel for our common labels +*/}} +{{- define "sidekiq.pod.common.labels" -}} +{{- $default := dict "labels" (dict) -}} +{{- $_ := set . "common" (merge (default (dict) .common) $default) -}} +{{- end -}} + +{{/* +Return the sidekiq-metrics TLS secret name +*/}} +{{- define "sidekiq-metrics.tls.secret" -}} +{{- default (printf "%s-sidekiq-metrics-tls" .Release.Name) $.Values.metrics.tls.secretName | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/configmap.yaml new file mode 100644 index 0000000..8a829ca --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/configmap.yaml @@ -0,0 +1,154 @@ +{{- if .Values.enabled -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + installation_type: | + gitlab-helm-chart + database.yml.erb: | + {{- include "gitlab.database.yml" . | nindent 4 }} + {{- if $.Values.global.clickhouse.enabled }} + click_house.yml.erb: | + {{- include "gitlab.clickhouse.yml" . | nindent 4 }} + {{- end }} + krb5.conf: | + {{- .Values.global.appConfig.kerberos.krb5Config | nindent 4 }} + smtp_settings.rb: | + {{- include "gitlab.smtp_settings" . | nindent 4 }} + {{- include "gitlab.rails.redis.all" . | nindent 2 }} + gitlab.yml.erb: | + production: &base + gitlab: + host: {{ template "gitlab.gitlab.hostname" . }} + https: {{ hasPrefix "https://" (include "gitlab.gitlab.url" .) }} + {{- with .Values.global.hosts.ssh }} + ssh_host: {{ . | quote }} + {{- end }} + {{- with .Values.global.appConfig }} + {{- if .cdnHost }} + cdn_host: {{ .cdnHost | quote }} + {{- end }} + max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} + impersonation_enabled: {{ .enableImpersonation }} + application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} + usage_ping_enabled: {{ eq .enableUsagePing true }} + seat_link_enabled: {{ eq .enableSeatLink true }} + username_changing_enabled: {{ eq .usernameChangingEnabled true }} + issue_closing_pattern: {{ .issueClosingPattern | quote }} + default_theme: {{ .defaultTheme }} + {{- include "gitlab.appConfig.defaultProjectsFeatures.configuration" $ | nindent 8 }} + {{- if hasKey .initialDefaults "signupEnabled" }} + signup_enabled: {{ .initialDefaults.signupEnabled }} + {{- end }} + graphql_timeout: {{ .graphQlTimeout }} + webhook_timeout: {{ .webhookTimeout }} + {{- end }} + trusted_proxies: + {{- if .Values.trusted_proxies }} + {{- toYaml .Values.trusted_proxies | nindent 10 }} + {{- end }} + time_zone: {{ .Values.global.time_zone | quote }} + {{- include "gitlab.outgoing_email_settings" . | indent 8 }} + {{- with .Values.global.appConfig }} + {{- if .microsoft_graph_mailer.enabled }} + {{- include "gitlab.appConfig.microsoft_graph_mailer" . | nindent 6 }} + {{- end }} + {{- if .incomingEmail.enabled }} + {{- include "gitlab.appConfig.incoming_email" . | nindent 6 }} + {{- end }} + {{- if .serviceDeskEmail.enabled }} + {{- include "gitlab.appConfig.service_desk_email" . | nindent 6 }} + {{- end }} + {{- include "gitlab.appConfig.cronJobs" . | nindent 6 }} + gravatar: + plain_url: {{ .gravatar.plainUrl }} + ssl_url: {{ .gravatar.sslUrl }} + {{- include "gitlab.appConfig.extra" . | nindent 6 }} + {{- end }} + + {{- if $.Values.global.appConfig.object_store.enabled }} + # Consolidated object storage configuration + ## property local configuration will override object_store + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store "context" $) | nindent 6 }} + objects: + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 -}} + {{- end }} + {{- include "gitlab.appConfig.artifacts.configuration" (dict "config" $.Values.global.appConfig.artifacts "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.lfs.configuration" (dict "config" $.Values.global.appConfig.lfs "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.uploads.configuration" (dict "config" $.Values.global.appConfig.uploads "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.packages.configuration" (dict "config" $.Values.global.appConfig.packages "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.external_diffs.configuration" (dict "config" $.Values.global.appConfig.externalDiffs "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.terraformState.configuration" (dict "config" $.Values.global.appConfig.terraformState "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.ciSecureFiles.configuration" (dict "config" $.Values.global.appConfig.ciSecureFiles "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.dependencyProxy.configuration" (dict "config" $.Values.global.appConfig.dependencyProxy "context" $) | nindent 6 }} + {{- include "gitlab.geo.config" $ | nindent 6 }} + {{- include "gitlab.appConfig.sentry.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.sidekiq.configuration" $ | nindent 6 }} + {{- include "gitlab.pages.config" $ | nindent 6 }} + mattermost: + enabled: false + ## Registry Integration + {{- include "gitlab.appConfig.registry.configuration" $ | nindent 6 }} + gitlab_ci: + {{- include "gitlab.appConfig.ldap.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.omniauth.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.kerberos.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.duo.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.duo.configuration" $ | nindent 6 }} + shared: + {{- include "gitlab.appConfig.gitaly" . | nindent 6 }} + {{- include "gitlab.appConfig.repositories" . | nindent 6 }} + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + {{- include "gitlab.appConfig.kas" . | nindent 6 }} + {{- include "gitlab.appConfig.suggested_reviewers" . | nindent 6 }} + {{- include "gitlab.appConfig.zoekt" . | nindent 6 }} + {{- include "gitlab.appConfig.shell" . | nindent 6 }} + {{- include "gitlab.appConfig.shell.ssh_port" . | nindent 8 }} + workhorse: + git: + bin_path: /usr/bin/git + webpack: + monitoring: + ip_whitelist: + - 127.0.0.0/8 + sidekiq_exporter: + {{- if .Values.metrics.enabled }} + enabled: true + address: 0.0.0.0 + port: {{ .Values.metrics.port }} + log_enabled: {{ .Values.metrics.log_enabled }} + {{- if $.Values.metrics.tls.enabled }} + tls_enabled: true + tls_cert_path: "/etc/gitlab/sidekiq-metrics/sidekiq-metrics.crt" + tls_key_path: "/etc/gitlab/sidekiq-metrics/sidekiq-metrics.key" + {{- end }} + {{- end }} + sidekiq_health_checks: + enabled: true + address: 0.0.0.0 + port: {{ .Values.health_checks.port }} + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "gitaly registry rails-secrets") | nindent 4 }} + {{- if $.Values.metrics.tls.enabled }} + mkdir -p /init-secrets/sidekiq-metrics + cp -v -L /init-config/sidekiq-metrics/sidekiq-metrics.crt /init-secrets/sidekiq-metrics/sidekiq-metrics.crt + cp -v -L /init-config/sidekiq-metrics/sidekiq-metrics.key /init-secrets/sidekiq-metrics/sidekiq-metrics.key + {{- end }} + {{- include "gitlab.psql.ssl.initScript" . | nindent 4 }} + {{- include "gitlab.geo.psql.ssl.initScript" . | nindent 4 }} +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/deployment.yaml new file mode 100644 index 0000000..6a85b1e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/deployment.yaml @@ -0,0 +1,387 @@ +{{- if .Values.enabled -}} +{{- $imageCfg := dict "global" $.Values.global.image "local" $.Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +{{- include "database.datamodel.prepare" $ -}} +{{- $chart := printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" -}} +{{- $name := default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- $releaseName := .Release.Name -}} +{{- $releaseService := .Release.Service -}} +{{- $fullname := include "fullname" . -}} +{{- $image := (printf "%s:%s%s" (coalesce .Values.image.repository (include "image.repository" .)) (coalesce .Values.image.tag (include "gitlab.versionTag" . )) (include "gitlab.image.tagSuffix" .)) | toString -}} +{{- $concurrency := .Values.concurrency -}} +{{- $timeout := .Values.timeout -}} +{{- $resources := .Values.resources -}} +{{- $nodeSelector := default .Values.global.nodeSelector .Values.nodeSelector -}} +{{- $tolerations := .Values.tolerations -}} +{{- $minioEnabled := .Values.global.minio.enabled -}} +{{- $minioSecret := include "gitlab.minio.credentials.secret" . -}} +{{- $railsSecretName := include "gitlab.rails-secrets.secret" . -}} +{{- $metricsEnabled := .Values.metrics.enabled -}} +{{- $metricsPort := .Values.metrics.port -}} +{{- $metricsPath := .Values.metrics.path -}} +{{- $healthChecksPort := .Values.health_checks.port -}} +{{- $configMapChecksum := include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- range .Values.pods -}} +{{- $queueName := printf "%s-%s" $fullname .name | trunc 63 }} +{{- $podNodeSelector := default $nodeSelector .nodeSelector -}} +{{- $tolerations := default $tolerations .tolerations -}} +{{- include "sidekiq.pod.common.labels" . }} +{{- $_ := set . "podLabels" (merge (default (dict) .podLabels) (default (dict) $.Values.podLabels) (default (dict) $.Values.global.pod.labels)) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ printf "%s-v2" ($queueName | trunc 60) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "sidekiq.commonLabels" (dict "pod" .common.labels "global" $.Values.common.labels) | nindent 4 }} + queue-pod-name: {{ .name }} + annotations: + {{- include "gitlab.deploymentAnnotations" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 6 }} + queue-pod-name: {{ .name }} + {{- if or $.Values.deployment.strategy .strategy}} + strategy: {{ default $.Values.deployment.strategy .strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" $ | nindent 8 }} + {{- include "sidekiq.commonLabels" (dict "pod" .common.labels "global" $.Values.common.labels) | nindent 8 }} + {{- include "sidekiq.podLabels" (dict "pod" .podLabels ) | nindent 8 }} + queue-pod-name: {{ .name }} + annotations: + checksum/configmap: {{ $configMapChecksum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := $.Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if and $metricsEnabled (not $.Values.metrics.podMonitor.enabled) }} + {{- if $.Values.metrics.annotations }} + {{- toYaml $.Values.metrics.annotations | nindent 8 }} + {{- else }} + {{- if $.Values.metrics.tls.enabled }} + gitlab.com/prometheus_scheme: "https" + prometheus.io/scheme: "https" + {{- end }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ $metricsPort | quote }} + gitlab.com/prometheus_path: {{ $metricsPath }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ $metricsPort | quote }} + prometheus.io/path: {{ $metricsPath }} + {{- end }} + {{- end }} + spec: + {{- with $tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- $priorityClassName := dict "Values" (dict "global" (dict "priorityClassName" $.Values.global.priorityClassName) "priorityClassName" $.Values.priorityClassName) -}} + {{- include "gitlab.priorityClassName" $priorityClassName | nindent 6 }} + {{- include "gitlab.podSecurityContext" $.Values.securityContext | nindent 6 }} + {{- if eq (default $.Values.global.antiAffinity .antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default $.Values.global.affinity.podAntiAffinity.topologyKey $.Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 18 }} + queue-pod-name: {{ .name }} + {{- else if eq (default $.Values.global.antiAffinity .antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default $.Values.global.affinity.podAntiAffinity.topologyKey $.Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 18 }} + {{- end }} + {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} + {{- end }} + automountServiceAccountToken: false + terminationGracePeriodSeconds: {{ int (default $.Values.deployment.terminationGracePeriodSeconds .terminationGracePeriodSeconds) }} + initContainers: + {{- include "gitlab.extraInitContainers" $ | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" $.Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" $ | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 10 }} + volumeMounts: + {{- tpl (default "" .extraVolumeMounts) $ | nindent 10 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + {{- include "gitlab.psql.ssl.volumeMount" $ | nindent 10 }} + {{- include "gitlab.geo.psql.ssl.volumeMount" $ | nindent 10 }} + - name: sidekiq-config + mountPath: /config + readOnly: true + - name: init-sidekiq-secrets + mountPath: /init-config + readOnly: true + - name: sidekiq-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + - name: dependencies + image: "{{ $image }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + args: + - /scripts/wait-for-deps + env: + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + - name: SIDEKIQ_CONCURRENCY + value: {{ default $concurrency .concurrency | quote }} + - name: SIDEKIQ_TIMEOUT + value: {{ default $timeout .timeout | quote }} + {{- if $.Values.global.rails.bootsnap.enabled }} + - name: ENABLE_BOOTSNAP + value: "1" + {{- end }} + {{- include "gitlab.extraEnv" $ | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + {{- tpl (default "" .extraVolumeMounts) $ | nindent 10 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + {{- include "gitlab.certificates.volumeMount" $ | nindent 10 }} + - name: sidekiq-config + mountPath: '/var/opt/gitlab/templates' + readOnly: true + - name: sidekiq-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: sidekiq-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + readOnly: true + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" $ | nindent 8 }} + - name: {{ $name }} + image: "{{ $image }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + {{- if $metricsEnabled }} + - name: prometheus_multiproc_dir + value: /metrics + {{- end }} + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + - name: SIDEKIQ_QUEUE_SELECTOR + value: {{ include "gitlab.boolean.local" (dict "global" $.Values.queueSelector "local" .queueSelector "default" false) | quote }} + - name: SIDEKIQ_CONCURRENCY + value: {{ default $concurrency .concurrency | quote }} + - name: SIDEKIQ_TIMEOUT + value: {{ default $timeout .timeout | quote }} + - name: SIDEKIQ_QUEUES + value: {{ default $.Values.queues .queues | quote | nospace }} + - name: SIDEKIQ_NEGATE_QUEUES + value: {{ default $.Values.negateQueues .negateQueues | quote | nospace }} + - name: SIDEKIQ_DAEMON_MEMORY_KILLER + value: {{ int $.Values.memoryKiller.daemonMode | quote }} + {{- with default $.Values.memoryKiller .memoryKiller }} + - name: SIDEKIQ_MEMORY_KILLER_CHECK_INTERVAL + value: {{ int .checkInterval | quote }} + - name: SIDEKIQ_MEMORY_KILLER_MAX_RSS + value: {{ int .maxRss | quote }} + {{- if .hardLimitRss }} + - name: SIDEKIQ_MEMORY_KILLER_HARD_LIMIT_RSS + value: {{ int .hardLimitRss | quote }} + {{- end }} + - name: SIDEKIQ_MEMORY_KILLER_GRACE_TIME + value: {{ int .graceTime | quote }} + - name: SIDEKIQ_MEMORY_KILLER_SHUTDOWN_WAIT + value: {{ int .shutdownWait | quote }} + {{- end }} + {{- if $.Values.global.rails.bootsnap.enabled }} + - name: ENABLE_BOOTSNAP + value: "1" + {{- end }} + {{- include "gitlab.tracing.env" $ | nindent 12 }} + {{- include "sidekiq.podExtraEnv" (dict "local" . "context" $) | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} + {{- if $metricsEnabled }} + ports: + - containerPort: {{ $metricsPort }} + name: http-metrics + {{- end }} + volumeMounts: + {{- tpl (default "" .extraVolumeMounts) $ | nindent 10 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + {{- if $metricsEnabled }} + - name: sidekiq-metrics + mountPath: '/metrics' + {{- end }} + - name: sidekiq-config + mountPath: '/var/opt/gitlab/templates' + readOnly: true + - name: sidekiq-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: sidekiq-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + - name: sidekiq-config + mountPath: '/etc/krb5.conf' + subPath: krb5.conf + {{- include "gitlab.appConfig.kerberos.volumeMount" $ | nindent 10 }} + - name: sidekiq-config + mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb' + subPath: smtp_settings.rb + - name: sidekiq-config + mountPath: '/srv/gitlab/INSTALLATION_TYPE' + subPath: installation_type +{{- if $.Values.global.email.smime.enabled }} + - name: smime-creds + mountPath: /home/git/gitlab + readOnly: true +{{- end }} + {{- include "gitlab.certificates.volumeMount" $ | nindent 10 }} + livenessProbe: + httpGet: + path: /liveness + port: {{ $healthChecksPort }} + initialDelaySeconds: {{ $.Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ $.Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ $.Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ $.Values.livenessProbe.successThreshold }} + failureThreshold: {{ $.Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /readiness + port: {{ $healthChecksPort }} + initialDelaySeconds: {{ $.Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $.Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ $.Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ $.Values.readinessProbe.successThreshold }} + failureThreshold: {{ $.Values.readinessProbe.failureThreshold }} + lifecycle: + preStop: + exec: + command: ["/bin/bash", "-c", "pkill -f 'sidekiq'"] + resources: + {{- toYaml ( default $resources .resources ) | nindent 12 }} + volumes: + {{- tpl (default "" .extraVolumes) $ | nindent 6 }} + {{- include "gitlab.extraVolumes" $ | nindent 6 }} + {{- include "gitlab.psql.ssl.volume" $ | nindent 6 }} + {{- include "gitlab.geo.psql.ssl.volume" $ | nindent 6 }} + {{- include "gitlab.appConfig.kerberos.volume" $ | nindent 6 }} + {{- if $metricsEnabled }} + - name: sidekiq-metrics + emptyDir: + medium: "Memory" + {{- end }} + - name: sidekiq-config + projected: + sources: + - configMap: + name: {{ $fullname }} + - name: init-sidekiq-secrets + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ $railsSecretName }} + items: + - key: secrets.yml + path: rails-secrets/secrets.yml + {{- if $.Values.metrics.tls.enabled }} + - secret: + name: {{ template "sidekiq-metrics.tls.secret" $ }} + items: + - key: "tls.crt" + path: "sidekiq-metrics/sidekiq-metrics.crt" + - key: "tls.key" + path: "sidekiq-metrics/sidekiq-metrics.key" + {{- end }} + {{- include "gitlab.gitaly.clientSecrets" $ | nindent 10 }} + {{- if $.Values.global.clickhouse.enabled }} + {{- include "gitlab.clickhouse.main.secrets" $ | nindent 10 }} + {{- end }} + {{- include "gitlab.redis.secrets" (dict "globalContext" $) | nindent 10 }} + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 10 }} + {{- end }} + {{- if include "gitlab.geo.secondary" $ }} + - secret: + name: {{ template "gitlab.geo.psql.password.secret" $ }} + items: + - key: {{ template "gitlab.geo.psql.password.key" $ }} + path: postgres/geo-psql-password + {{- end }} + - secret: + name: {{ template "gitlab.registry.certificate.secret" $ }} + items: + - key: registry-auth.key + path: registry/gitlab-registry.key + {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 -}} + {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.kas.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.suggestedReviewers.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.zoekt.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.minio.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "ci_secure_files" "config" $.Values.global.appConfig.ciSecureFiles) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 }} + {{- include "gitlab.appConfig.ldap.servers.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.duo.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.omniauth.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.microsoftGraphMailer.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.smtp.mountSecrets" $ | nindent 10 }} +{{- if $.Values.global.email.smime.enabled }} + - name: smime-creds + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ $.Values.global.email.smime.secretName }} + items: + - key: {{ $.Values.global.email.smime.keyName }} + path: .gitlab_smime_key + - key: {{ $.Values.global.email.smime.certName }} + path: .gitlab_smime_cert +{{- end }} + - name: sidekiq-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" $ | nindent 6 }} + {{- if $podNodeSelector }} + nodeSelector: + {{- toYaml $podNodeSelector | nindent 8 }} + {{- end }} +--- +{{ end }} +{{ end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/hpa.yaml new file mode 100644 index 0000000..2405230 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.enabled -}} +{{- $name := default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullname := printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}} +{{- range .Values.pods -}} +{{- $queueName := printf "%s-%s" $fullname .name | trunc 63 }} +{{- $hpa := merge (default dict .hpa) $.Values.hpa }} +{{- $keda := merge (default dict .keda) $.Values.keda }} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" $hpa "context" $) }} +{{- include "sidekiq.pod.common.labels" . }} +{{- if not (default $.Values.global.keda.enabled $keda.enabled) }} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ printf "%s-v2" ($queueName | trunc 60) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "sidekiq.commonLabels" (dict "pod" .common.labels "global" $.Values.common.labels) | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ printf "%s-v2" ($queueName | trunc 60) }} + minReplicas: {{ default $.Values.minReplicas .minReplicas }} + maxReplicas: {{ default $.Values.maxReplicas .maxReplicas }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/keda.yaml new file mode 100644 index 0000000..1d9a6f9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/keda.yaml @@ -0,0 +1,31 @@ +{{- if .Values.enabled -}} +{{- $name := default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullname := printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}} +{{- range .Values.pods -}} +{{- $queueName := printf "%s-%s" $fullname .name | trunc 63 }} +{{- $hpa := merge (default dict .hpa) $.Values.hpa }} +{{- $keda := merge (default dict .keda) $.Values.keda }} +{{- $resources := merge (default dict .resources) $.Values.resources }} +{{- $kedaCfg := (dict "global" $.Values.global "hpa" $hpa "keda" $keda "minReplicas" (default $.Values.minReplicas .minReplicas) "maxReplicas" (default $.Values.maxReplicas .maxReplicas) "resources" $resources) }} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg }} +{{- if $kedaEnabled }} +{{- include "sidekiq.pod.common.labels" . }} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ printf "%s-v2" ($queueName | trunc 60) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "sidekiq.commonLabels" (dict "pod" .common.labels "global" $.Values.common.labels) | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ printf "%s-v2" ($queueName | trunc 60) }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/networkpolicy.yaml new file mode 100644 index 0000000..0239233 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.enabled -}} +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/pdb.yaml new file mode 100644 index 0000000..08762e7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/pdb.yaml @@ -0,0 +1,25 @@ +{{- if .Values.enabled -}} +{{- $name := default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- $releaseName := .Release.Name -}} +{{- $fullname := printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +{{- range .Values.pods -}} +{{- $queueName := printf "%s-%s" $fullname .name | trunc 63}} +{{- include "sidekiq.pod.common.labels" . }} +--- +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-v1" ($queueName | trunc 60) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "sidekiq.commonLabels" (dict "pod" .common.labels "global" $.Values.common.labels) | nindent 4 }} +spec: + maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 6 }} + queue-pod-name: {{ .name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/podmonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/podmonitor.yaml new file mode 100644 index 0000000..fb28dd1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/podmonitor.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.enabled .Values.metrics.enabled .Values.metrics.podMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.podMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + podMetricsEndpoints: + - port: http-metrics + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.podMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/serviceaccount.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/values.yaml new file mode 100644 index 0000000..7b47076 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/sidekiq/values.yaml @@ -0,0 +1,371 @@ +# Default values for sidekiq. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: {} + # pullPolicy: IfNotPresent + # pullSecrets: [] + # repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee + # tag: master + +init: + image: {} + # repository: + # tag: + # pullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +# Node labels for pod assignment +# nodeSelector: {} + +# Tolerations for pod scheduling +tolerations: [] + +enabled: true +queueSelector: false + +annotations: {} +podLabels: {} +common: + labels: {} + +logging: + # set to "json" for json + # structured logs + format: "json" + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} + +metrics: + enabled: true + port: 3807 + path: /metrics + log_enabled: false + podMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + # DEPRECATED + annotations: {} + tls: + enabled: false + # secretName: + +health_checks: + port: 3808 + +redis: + auth: {} + +psql: {} + # port: 5432 + +# https://docs.gitlab.com/ee/administration/operations/sidekiq_memory_killer.html#sidekiq-memorykiller +memoryKiller: + daemonMode: true + maxRss: 2000000 + graceTime: 900 + shutdownWait: 30 + checkInterval: 3 + #hardLimitRss: 3000000 + +livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 3 +readinessProbe: + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + +global: + hosts: + domain: example.com + hostSuffix: + https: true + gitlab: {} + #name: gitlab.example.com + #https: false + registry: {} + #name: registry.example.com + #https: false + minio: {} + #name: minio.example.com + #https: false + psql: {} + # host: '0.0.0.0' + # port: '5432' + # database: 'gitlabhq_production' + # username: 'gitlab' + # applicationName: + # preparedStatements: false + # databaseTasks: true + # password: + # secret: gitlab-postgres + # key: psql-password + # ssl: + # secret: gitlab-ssl-secret + # clientKey: client-key.pem + # clientCertificate: client-cert.pem + # serverCA: server-ca.pem + redis: + auth: {} + gitaly: + internal: + names: ["default"] + external: [] + authToken: {} + webservice: {} + minio: + enabled: + credentials: {} + appConfig: + microsoft_graph_mailer: + enabled: false + incomingEmail: + enabled: false + address: + serviceDeskEmail: + enabled: false + address: + lfs: + enabled: true + proxy_download: true + bucket: + connection: {} + artifacts: + enabled: true + proxy_download: true + bucket: + connection: {} + uploads: + enabled: true + proxy_download: true + bucket: + connection: {} + packages: + enabled: true + proxy_download: true + bucket: + connection: {} + externalDiffs: + when: + proxy_download: true + bucket: + connection: {} + terraformState: + enabled: false + bucket: + connection: {} + dependencyProxy: + enabled: false + proxy_download: true + bucket: + connection: {} + ldap: + servers: {} + # 'main' is the GitLab 'provider ID' of this LDAP server + # main: + # label: 'LDAP' + # host: '_your_ldap_server' + # port: 636 + # uid: 'sAMAccountName' + # bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' + # password: '_the_password_of_the_bind_user' + # encryption: 'plain' + omniauth: + enabled: false + autoSignInWithProvider: + syncProfileFromProvider: [] + syncProfileAttributes: ['email'] + allowSingleSignOn: ['saml'] + blockAutoCreatedUsers: true + autoLinkLdapUser: false + autoLinkSamlUser: false + autoLinkUser: [] + externalProviders: [] + allowBypassTwoFactor: [] + providers: [] + # - secret: gitlab-google-oauth2 + # key: provider + sentry: + enabled: false + dsn: + clientside_dsn: + environment: + +gitaly: + # host: '0.0.0.0' + # port: 8075 + # serviceName: 'gitaly' + authToken: {} + # secret: gitaly-secret + # key: token +minio: + serviceName: 'minio-svc' + port: 9000 + +extra: {} + +## Additional environment variables to set +## Note that these will be applied to every +## container in the pod. +extraEnv: {} +# extraEnv: +# SOMEKEY: SOMEVALUE +# SOMEKEY2: SOMEVALUE2 + +rack_attack: + git_basic_auth: + enabled: false + # enabled: true + # ip_whitelist: ["127.0.0.1"] + # maxretry: 10 + # findtime: 60 + # bantime: 3600 + +trusted_proxies: [] + +# Global defaults +minReplicas: 1 +maxReplicas: 10 +concurrency: 20 + +# `deployment.strategy` is utilized to configure the desired upgrade approach and +# configuration for the deployment. See the Kubernetes documentation +# related to this subject. +# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +deployment: + strategy: {} + terminationGracePeriodSeconds: 30 + +hpa: + # targetAverageValue: 350m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below + cpu: + targetType: AverageValue # Utilization or AverageValue + targetAverageValue: 350m + # targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + +timeout: 25 +resources: + # limits: + # memory: 5G + requests: + cpu: 900m + memory: 2G +maxUnavailable: 1 + +# Define queue groups into Pods +pods: + - name: all-in-1 + # concurrency: 20 + # memoryKiller: + # maxRss: 2000000 + # graceTime: 900 + # shutdownWait: 30 + # checkInterval: 3 + # minReplicas: 1 + # maxReplicas: 10 + # strategy: {} + # queues: '' + # extraVolumes + # extraVolumeMounts + # priorityClassName: "" + # hpa: + # cpu: + # targetType: AverageValue + # targetAverageValue: + # targetAverageUtilization: + # memory: + # targetType: AverageValue + # targetAverageValue: + # targetAverageUtilization: + # customMetrics: [] + # behavior: + # scaleDown: + # stabilizationWindowSeconds: + # keda: + # enabled: false + # ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + # pollingInterval: 30 + # cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + # + # common: + # labels: {} + # podLabels: {} + # terminationGracePeriodSeconds: 30 + # nodeSelector: {} + # tolerations: [] + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +## Allow configuring pods' priorityClassName. This is used to control pod priority in case of eviction: +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +priorityClassName: "" + +affinity: + podAntiAffinity: + topologyKey: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/Chart.yaml new file mode 100644 index 0000000..b271af3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 1.2.3 +description: GitLab Anti-Spam Engine +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- spamcheck +- anti-spam engine +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: spamcheck +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/spamcheck +- https://gitlab.com/gitlab-org/spamcheck +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/configmap.yaml new file mode 100644 index 0000000..3799e86 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.global.spamcheck.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + # See https://gitlab.com/gitlab-org/spamcheck/-/blob/main/config/config.example.yml + config.yaml: | + grpc_addr: {{ .Values.service.internalPort | quote }} + log_level: {{ .Values.logging.level | quote }} + filter: + allowList: {} + denyList: {} + allowed_domains: {} + +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/deployment.yaml new file mode 100644 index 0000000..c96bed4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/deployment.yaml @@ -0,0 +1,111 @@ +{{- if .Values.global.spamcheck.enabled -}} +{{- $imageCfg := dict "global" $.Values.global.image "local" $.Values.image "context" $ -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 18 }} + {{- end }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: {{ include "gitlab.image.fullPath" $imageCfg }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + ports: + - name: grpc + containerPort: {{ $.Values.service.internalPort }} + env: + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: spamcheck-config-volume + mountPath: /app/config + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + livenessProbe: + exec: + command: ["health-check", "--liveness"] + initialDelaySeconds: {{ .Values.deployment.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }} + readinessProbe: + exec: + command: ["health-check", "--readiness"] + initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }} + volumes: + {{- include "gitlab.extraVolumes" $ | nindent 6 }} + - name: spamcheck-config-volume + configMap: + name: {{ template "fullname" . }} + - name: spamcheck-data-volume + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/hpa.yaml new file mode 100644 index 0000000..5371ef0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/hpa.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.spamcheck.enabled (not (default $.Values.global.keda.enabled .Values.keda.enabled)) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.hpa "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas | int }} + maxReplicas: {{ .Values.hpa.maxReplicas | int }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/keda.yaml new file mode 100644 index 0000000..c7caa8a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/keda.yaml @@ -0,0 +1,19 @@ +{{- $kedaCfg := (dict "global" .Values.global "hpa" .Values.hpa "keda" .Values.keda "resources" .Values.resources) -}} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg -}} +{{- if and .Values.global.spamcheck.enabled $kedaEnabled -}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "fullname" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/pdb.yaml new file mode 100644 index 0000000..c1d00cc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/pdb.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.spamcheck.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/service.yaml new file mode 100644 index 0000000..a7fd066 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/service.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.spamcheck.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab.spamcheck.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + protocol: TCP + name: grpc + selector: + {{- include "gitlab.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/serviceaccount.yaml new file mode 100644 index 0000000..6ac1e35 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and .Values.global.spamcheck.enabled $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/values.yaml new file mode 100644 index 0000000..1a56c1e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/spamcheck/values.yaml @@ -0,0 +1,108 @@ +# Default values for spamcheck. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +annotations: {} +# global: +# spamcheck: +# enabled: false + +hpa: + maxReplicas: 10 + minReplicas: 1 + # targetAverageValue: 100m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below + cpu: + targetType: AverageValue # Utilization or AverageValue + targetAverageValue: 100m + # targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + + +image: + # registry: + repository: registry.gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck + # tag: + +service: + type: ClusterIP + externalPort: 8001 + internalPort: 8001 + +deployment: + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 60 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + strategy: {} + +init: + resources: + requests: + cpu: 50m + +logging: + level: "info" + +## For PodDisruptionBudget, how many pods can be unavailable at one time +maxUnavailable: 1 + +# Priority class assigned to pods +priorityClassName: "" + +podLabels: {} +common: + labels: {} +serviceLabels: {} + +resources: + requests: + cpu: 100m + memory: 100M + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + +# Tolerations for pod scheduling +tolerations: [] + +## Allow to overwrite under which User and Group we're running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +affinity: + podAntiAffinity: + topologyKey: diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/Chart.yaml new file mode 100644 index 0000000..ed8f302 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: For manually running rake tasks through kubectl +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- rake +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: toolbox +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/toolbox +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-toolbox +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/_helpers.tpl new file mode 100644 index 0000000..ed85e51 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/_helpers.tpl @@ -0,0 +1,66 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "toolbox.backups.cron.persistence.persistentVolumeClaim" -}} +metadata: +{{- if not .Values.backups.cron.persistence.useGenericEphemeralVolume }} + name: {{ template "fullname" . }}-backup-tmp + namespace: {{ $.Release.Namespace }} +{{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.backups.cron.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.backups.cron.persistence.size | quote }} +{{- if .Values.backups.cron.persistence.volumeName }} + volumeName: {{ .Values.backups.cron.persistence.volumeName }} +{{- end }} +{{- if .Values.backups.cron.persistence.storageClass }} +{{- if (eq "-" .Values.backups.cron.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.backups.cron.persistence.storageClass }}" +{{- end -}} +{{- end }} + selector: +{{- if .Values.backups.cron.persistence.matchLabels }} + matchLabels: + {{- toYaml .Values.backups.cron.persistence.matchLabels | nindent 6 }} +{{- end -}} +{{- if .Values.backups.cron.persistence.matchExpressions }} + matchExpressions: + {{- toYaml .Values.backups.cron.persistence.matchExpressions | nindent 6 }} +{{- end -}} +{{- end -}} + +{{/* +Returns the secret configuring access to the object storage for backups. + +Usage: + {{ include "toolbox.backups.objectStorage.config.secret" .Values.backups.objectStorage }} + +*/}} +{{- define "toolbox.backups.objectStorage.config.secret" -}} +{{- if eq .backend "gcs" -}} +- secret: + name: {{ .config.secret }} + items: + - key: {{ default "config" .config.key }} + path: objectstorage/{{ default "config" .config.key }} +{{- else if eq .backend "azure" -}} +- secret: + name: {{ .config.secret }} + items: + - key: {{ default "config" .config.key }} + path: objectstorage/azure_config +{{- else -}} +- secret: + name: {{ .config.secret }} + items: + - key: {{ default "config" .config.key }} + path: objectstorage/.s3cfg +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/backup-job.yaml new file mode 100644 index 0000000..52c8b9c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/backup-job.yaml @@ -0,0 +1,227 @@ +{{- if and .Values.enabled .Values.backups.cron.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +{{- include "database.datamodel.prepare" . -}} +{{ if or ($.Capabilities.APIVersions.Has "batch/v1/CronJob") (eq $.Values.global.batch.cronJob.apiVersion "batch/v1") -}} +apiVersion: batch/v1 +{{- else -}} +apiVersion: batch/v1beta1 +{{- end }} +kind: CronJob +metadata: + name: {{ template "fullname" . }}-backup + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + concurrencyPolicy: {{ .Values.backups.cron.concurrencyPolicy }} + failedJobsHistoryLimit: {{ .Values.backups.cron.failedJobsHistoryLimit }} + schedule: {{ .Values.backups.cron.schedule | quote }} + startingDeadlineSeconds: {{ .Values.backups.cron.startingDeadlineSeconds }} + successfulJobsHistoryLimit: {{ .Values.backups.cron.successfulJobsHistoryLimit }} + suspend: {{ .Values.backups.cron.suspend }} + jobTemplate: + spec: + backoffLimit: {{ .Values.backups.cron.backoffLimit }} + {{- if .Values.backups.cron.activeDeadlineSeconds }} + activeDeadlineSeconds: {{ .Values.backups.cron.activeDeadlineSeconds }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 12 }} + {{- include "gitlab.commonLabels" . | nindent 12 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: {{ .Values.backups.cron.safeToEvict | quote }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + restartPolicy: {{ .Values.backups.cron.restartPolicy }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 12 }} + {{- end }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if not (empty .Values.securityContext.fsGroupChangePolicy) }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- end }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 10 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 12 }} + {{- include "gitlab.certificates.initContainer" . | nindent 12 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 14 }} + env: + {{- include "gitlab.extraEnv" $ | nindent 16 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 16 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} + {{- include "gitlab.psql.ssl.volumeMount" . | nindent 16 }} + - name: toolbox-config + mountPath: /config + readOnly: true + - name: init-toolbox-secrets + mountPath: /init-config + readOnly: true + - name: toolbox-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 16 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 10 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 12 }} + - name: {{ .Chart.Name }}-backup + args: + - /bin/bash + - -c + {{- if eq .Values.backups.objectStorage.backend "s3" }} + - cp /etc/gitlab/.s3cfg $HOME/.s3cfg && backup-utility {{ .Values.backups.cron.extraArgs }} # alpine sleep has no infinity + {{- else if eq .Values.backups.objectStorage.backend "gcs" }} + - sh /var/opt/gitlab/templates/configure-gsutil && backup-utility {{ .Values.backups.cron.extraArgs }} + {{- else if eq .Values.backups.objectStorage.backend "azure" }} + - backup-utility {{ .Values.backups.cron.extraArgs }} + {{- end }} + image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 14 }} + env: + {{- include "gitlab.extraEnv" $ | nindent 16 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 16 }} + - name: ARTIFACTS_BUCKET_NAME + value: {{ .Values.global.appConfig.artifacts.bucket }} + - name: REGISTRY_BUCKET_NAME + value: {{ .Values.global.registry.bucket }} + - name: LFS_BUCKET_NAME + value: {{ .Values.global.appConfig.lfs.bucket }} + - name: UPLOADS_BUCKET_NAME + value: {{ .Values.global.appConfig.uploads.bucket }} + - name: PACKAGES_BUCKET_NAME + value: {{ .Values.global.appConfig.packages.bucket }} + - name: EXTERNAL_DIFFS_BUCKET_NAME + value: {{ .Values.global.appConfig.externalDiffs.bucket }} + - name: TERRAFORM_STATE_BUCKET_NAME + value: {{ .Values.global.appConfig.terraformState.bucket }} + - name: CI_SECURE_FILES_BUCKET_NAME + value: {{ .Values.global.appConfig.ciSecureFiles.bucket }} + - name: BACKUP_BUCKET_NAME + value: {{ .Values.global.appConfig.backups.bucket }} + - name: BACKUP_BACKEND + value: {{ .Values.backups.objectStorage.backend }} + - name: TMP_BUCKET_NAME + value: {{ .Values.global.appConfig.backups.tmpBucket }} + - name: PAGES_BUCKET_NAME + value: {{ .Values.global.pages.objectStore.bucket }} + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + {{- if eq .Values.backups.objectStorage.backend "gcs" }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' + {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} + - name: AZURE_CONFIG_FILE + value: '/etc/gitlab/objectstorage/azure_config' + {{- end }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} + - name: toolbox-config + mountPath: '/var/opt/gitlab/templates' + - name: toolbox-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: toolbox-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + - name: toolbox-tmp + mountPath: '/srv/gitlab/tmp' + {{- if and .Values.backups.cron.persistence.enabled .Values.backups.cron.persistence.subPath }} + subPath: "{{ .Values.backups.cron.persistence.subPath }}" + {{- end }} + readOnly: false + {{- include "gitlab.certificates.volumeMount" . | nindent 16 }} + resources: + {{- toYaml .Values.backups.cron.resources | nindent 16 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 12 }} + {{- include "gitlab.psql.ssl.volume" . | nindent 12 }} + - name: toolbox-config + projected: + sources: + - configMap: + name: {{ template "fullname" . }} + - name: toolbox-tmp + {{- if .Values.backups.cron.persistence.enabled }} + {{- if .Values.backups.cron.persistence.useGenericEphemeralVolume }} + ephemeral: + volumeClaimTemplate: + {{- include "toolbox.backups.cron.persistence.persistentVolumeClaim" . | nindent 18 }} + {{- else }} + persistentVolumeClaim: + claimName: {{ template "fullname" . }}-backup-tmp + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + - name: init-toolbox-secrets + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ template "gitlab.rails-secrets.secret" . }} + items: + - key: secrets.yml + path: rails-secrets/secrets.yml + - secret: + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} + path: shell/.gitlab_shell_secret + {{- include "gitlab.gitaly.clientSecrets" . | nindent 16 }} + {{- include "gitlab.redis.secrets" (dict "globalContext" $) | nindent 16 }} + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 16 }} + {{- end }} + - secret: + name: {{ template "gitlab.registry.certificate.secret" . }} + items: + - key: registry-auth.key + path: registry/gitlab-registry.key + {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 16 -}} + {{- if or .Values.backups.objectStorage.config (not .Values.global.minio.enabled) }} + {{- include "toolbox.backups.objectStorage.config.secret" .Values.backups.objectStorage | nindent 16 }} + {{- end }} + {{- include "gitlab.kas.mountSecrets" $ | nindent 16 }} + {{- include "gitlab.pages.mountSecrets" $ | nindent 16 }} + {{- include "gitlab.minio.mountSecrets" $ | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "ci_secure_files" "config" $.Values.global.appConfig.ciSecureFiles) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 16 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 16 }} + {{- include "gitlab.appConfig.ldap.servers.mountSecrets" $ | nindent 16 }} + {{- include "gitlab.appConfig.omniauth.mountSecrets" $ | nindent 16 }} + {{- include "gitlab.appConfig.microsoftGraphMailer.mountSecrets" $ | nindent 16 }} + - name: toolbox-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 12 }} + {{- include "gitlab.nodeSelector" . | nindent 10 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/configmap.yaml new file mode 100644 index 0000000..435371b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/configmap.yaml @@ -0,0 +1,160 @@ +{{- if .Values.enabled -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + database.yml.erb: | + {{- include "gitlab.database.yml" . | nindent 4 }} + {{- if $.Values.global.clickhouse.enabled }} + click_house.yml.erb: | + {{- include "gitlab.clickhouse.yml" . | nindent 4 }} + {{- end }} + krb5.conf: | + {{- .Values.global.appConfig.kerberos.krb5Config | nindent 4 }} + smtp_settings.rb: | + {{- include "gitlab.smtp_settings" . | nindent 4 }} + {{- include "gitlab.rails.redis.all" . | nindent 2 }} + gitlab.yml.erb: | + production: &base + gitlab: + host: {{ template "gitlab.gitlab.hostname" . }} + https: {{ hasPrefix "https://" (include "gitlab.gitlab.url" .) }} + {{- with .Values.global.hosts.ssh }} + ssh_host: {{ . | quote }} + {{- end }} + {{- with .Values.global.appConfig }} + {{- if .cdnHost }} + cdn_host: {{ .cdnHost | quote }} + {{- end }} + max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} + impersonation_enabled: {{ .enableImpersonation }} + application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} + usage_ping_enabled: {{ eq .enableUsagePing true }} + seat_link_enabled: {{ eq .enableSeatLink true }} + username_changing_enabled: {{ eq .usernameChangingEnabled true }} + issue_closing_pattern: {{ .issueClosingPattern | quote }} + default_theme: {{ .defaultTheme }} + {{- include "gitlab.appConfig.defaultProjectsFeatures.configuration" $ | nindent 8 }} + {{- if hasKey .initialDefaults "signupEnabled" }} + signup_enabled: {{ .initialDefaults.signupEnabled }} + {{- end }} + graphql_timeout: {{ .graphQlTimeout }} + webhook_timeout: {{ .webhookTimeout }} + {{- end }} + trusted_proxies: + {{- if .Values.trusted_proxies }} + {{- toYaml .Values.trusted_proxies | nindent 10 }} + {{- end }} + time_zone: {{ .Values.global.time_zone | quote }} + {{- include "gitlab.outgoing_email_settings" . | indent 8 }} + {{- with .Values.global.appConfig }} + {{- if .microsoft_graph_mailer.enabled }} + {{- include "gitlab.appConfig.microsoft_graph_mailer" . | nindent 6 }} + {{- end }} + {{- include "gitlab.appConfig.cronJobs" . | nindent 6 }} + {{- end }} + + {{- if $.Values.global.appConfig.object_store.enabled }} + # Consolidated object storage configuration + ## property local configuration will override object_store + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store "context" $) | nindent 6 }} + objects: + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 -}} + {{- end }} + {{- include "gitlab.appConfig.artifacts.configuration" (dict "config" $.Values.global.appConfig.artifacts "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.lfs.configuration" (dict "config" $.Values.global.appConfig.lfs "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.uploads.configuration" (dict "config" $.Values.global.appConfig.uploads "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.packages.configuration" (dict "config" $.Values.global.appConfig.packages "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.external_diffs.configuration" (dict "config" $.Values.global.appConfig.externalDiffs "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.terraformState.configuration" (dict "config" $.Values.global.appConfig.terraformState "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.ciSecureFiles.configuration" (dict "config" $.Values.global.appConfig.ciSecureFiles "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.dependencyProxy.configuration" (dict "config" $.Values.global.appConfig.dependencyProxy "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.sidekiq.configuration" $ | nindent 6 }} + {{- include "gitlab.geo.config" $ | nindent 6 }} + {{- include "gitlab.pages.config" $ | nindent 6 }} + mattermost: + enabled: false + ## Registry Integration + {{- include "gitlab.appConfig.registry.configuration" $ | nindent 6 }} + gitlab_ci: + {{- include "gitlab.appConfig.ldap.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.omniauth.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.kerberos.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.duo.configuration" $ | nindent 6 }} + shared: + {{- include "gitlab.appConfig.gitaly" . | nindent 6 }} + {{- include "gitlab.appConfig.repositories" . | nindent 6 }} + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + {{- include "gitlab.appConfig.kas" . | nindent 6 }} + {{- include "gitlab.appConfig.suggested_reviewers" . | nindent 6 }} + {{- include "gitlab.appConfig.zoekt" . | nindent 6 }} + {{- include "gitlab.appConfig.shell" . | nindent 6 }} + {{- include "gitlab.appConfig.shell.ssh_port" . | nindent 8 }} + {{- include "gitlab.appConfig.shell.secret_file" . | nindent 8 }} + workhorse: + git: + bin_path: /usr/bin/git + webpack: + monitoring: + ip_whitelist: + - 127.0.0.0/8 + sidekiq_exporter: + extra: + {{- if .Values.extra }} + {{- toYaml .Values.extra | nindent 8 }} + {{- end }} + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict "required" "shell gitaly registry rails-secrets") | nindent 4 }} + {{- include "gitlab.psql.ssl.initScript" . | nindent 4 }} + {{- include "gitlab.geo.psql.ssl.initScript" . | nindent 4 }} + + {{- if eq .Values.backups.objectStorage.backend "s3" }} + if [ ! -f "/${secret_dir}/objectstorage/.s3cfg" ]; then + cat < "/${secret_dir}/.s3cfg" + [default] + access_key = $(cat /init-secrets/minio/accesskey) + secret_key = $(cat /init-secrets/minio/secretkey) + bucket_location = us-east-1 + host_base = {{ template "gitlab.minio.hostname" . }} + host_bucket = {{ template "gitlab.minio.hostname" . }}/%(bucket) + default_mime_type = binary/octet-stream + enable_multipart = True + multipart_max_chunks = 10000 + multipart_chunk_size_mb = 128 + recursive = True + recv_chunk = 65536 + send_chunk = 65536 + server_side_encryption = False + signature_v2 = True + socket_timeout = 300 + use_mime_magic = False + verbosity = WARNING + website_endpoint = {{ template "gitlab.minio.url" . }} + EOF + else + mv "/${secret_dir}/objectstorage/.s3cfg" "/${secret_dir}/.s3cfg" + fi + {{- end }} + configure-gsutil: | + # The following script is used to configure gsutil when creating backups + # It provides inputs to the `gsutil config -e` prompt as follows: + # 1) Path to service account JSON key file + # 2) Do not set permissions for key file + # 3) GCP Project ID + # 4) Decline anonymous usage statistics + printf "$GOOGLE_APPLICATION_CREDENTIALS\nN\n{{ .Values.backups.objectStorage.config.gcpProject }}\nN\n" | gsutil config -e +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/deployment.yaml new file mode 100644 index 0000000..433f510 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/deployment.yaml @@ -0,0 +1,281 @@ +{{- if .Values.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +{{- include "database.datamodel.prepare" . -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + replicas: {{ .Values.replicas | int }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + automountServiceAccountToken: false + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" . | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.psql.ssl.volumeMount" . | nindent 10 }} + {{- include "gitlab.geo.psql.ssl.volumeMount" . | nindent 10 }} + - name: toolbox-config + mountPath: /config + readOnly: true + - name: init-toolbox-secrets + mountPath: /init-config + readOnly: true + - name: toolbox-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + {{- if .Values.antiAffinityLabels.matchLabels }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- toYaml .Values.antiAffinityLabels.matchLabels | nindent 18 }} + release: {{ .Release.Name }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- toYaml .Values.antiAffinityLabels.matchLabels | nindent 18 }} + release: {{ .Release.Name }} + {{- end }} + {{- end }} + containers: + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + args: + - /bin/bash + - -c + {{- if eq .Values.backups.objectStorage.backend "s3" }} + - cp -v -r -L /etc/gitlab/.s3cfg $HOME/.s3cfg && while sleep 3600; do :; done # alpine sleep has no infinity + {{- else if eq .Values.backups.objectStorage.backend "gcs" }} + - sh /var/opt/gitlab/templates/configure-gsutil && while sleep 3600; do :; done + {{- else if eq .Values.backups.objectStorage.backend "azure" }} + - while sleep 3600; do :; done + {{- end }} + image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" . | indent 10 }} + env: + - name: ARTIFACTS_BUCKET_NAME + value: {{ .Values.global.appConfig.artifacts.bucket }} + - name: REGISTRY_BUCKET_NAME + value: {{ .Values.global.registry.bucket }} + - name: LFS_BUCKET_NAME + value: {{ .Values.global.appConfig.lfs.bucket }} + - name: UPLOADS_BUCKET_NAME + value: {{ .Values.global.appConfig.uploads.bucket }} + - name: PACKAGES_BUCKET_NAME + value: {{ .Values.global.appConfig.packages.bucket }} + - name: EXTERNAL_DIFFS_BUCKET_NAME + value: {{ .Values.global.appConfig.externalDiffs.bucket }} + - name: TERRAFORM_STATE_BUCKET_NAME + value: {{ .Values.global.appConfig.terraformState.bucket }} + - name: CI_SECURE_FILES_BUCKET_NAME + value: {{ .Values.global.appConfig.ciSecureFiles.bucket }} + - name: BACKUP_BUCKET_NAME + value: {{ .Values.global.appConfig.backups.bucket }} + - name: BACKUP_BACKEND + value: {{ .Values.backups.objectStorage.backend }} + - name: TMP_BUCKET_NAME + value: {{ .Values.global.appConfig.backups.tmpBucket }} + - name: PAGES_BUCKET_NAME + value: {{ .Values.global.pages.objectStore.bucket }} + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + {{- if .Values.global.rails.bootsnap.enabled }} + - name: ENABLE_BOOTSNAP + value: "1" + {{- end }} + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + {{- if eq .Values.backups.objectStorage.backend "gcs" }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' + {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} + - name: AZURE_CONFIG_FILE + value: '/etc/gitlab/objectstorage/azure_config' + {{- end }} + {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + - name: toolbox-config + mountPath: '/var/opt/gitlab/templates' + - name: toolbox-config + mountPath: '/etc/krb5.conf' + subPath: krb5.conf + {{- include "gitlab.appConfig.kerberos.volumeMount" $ | nindent 12 }} + - name: toolbox-config + mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb' + subPath: smtp_settings.rb + - name: toolbox-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: toolbox-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + - name: toolbox-tmp + mountPath: '/srv/gitlab/tmp' + {{- if and .Values.persistence.enabled .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" + {{- end }} + readOnly: false +{{- if .Values.global.email.smime.enabled }} + - name: smime-creds + mountPath: /home/git/gitlab + readOnly: true +{{- end }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" . | nindent 6 }} + {{- include "gitlab.psql.ssl.volume" . | nindent 6 }} + {{- include "gitlab.geo.psql.ssl.volume" . | nindent 6 }} + {{- include "gitlab.appConfig.kerberos.volume" $ | nindent 6 }} + - name: toolbox-config + projected: + sources: + - configMap: + name: {{ template "fullname" . }} + - name: toolbox-tmp + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ template "fullname" . }}-tmp + {{- else }} + emptyDir: {} + {{- end }} + - name: init-toolbox-secrets + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ template "gitlab.rails-secrets.secret" . }} + items: + - key: secrets.yml + path: rails-secrets/secrets.yml + - secret: + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} + path: shell/.gitlab_shell_secret + {{- include "gitlab.gitaly.clientSecrets" . | nindent 10 }} + {{- if $.Values.global.clickhouse.enabled }} + {{- include "gitlab.clickhouse.main.secrets" $ | nindent 10 }} + {{- end }} + {{- include "gitlab.redis.secrets" (dict "globalContext" $) | nindent 10 }} + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 10 }} + {{- end }} + {{- if include "gitlab.geo.secondary" $ }} + - secret: + name: {{ template "gitlab.geo.psql.password.secret" . }} + items: + - key: {{ template "gitlab.geo.psql.password.key" . }} + path: postgres/geo-psql-password + {{- end }} + - secret: + name: {{ template "gitlab.registry.certificate.secret" . }} + items: + - key: registry-auth.key + path: registry/gitlab-registry.key + {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 -}} + {{- if or .Values.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) }} + {{- include "toolbox.backups.objectStorage.config.secret" .Values.backups.objectStorage | nindent 10 }} + {{- end }} + {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.kas.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.suggestedReviewers.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.zoekt.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.minio.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "ci_secure_files" "config" $.Values.global.appConfig.ciSecureFiles) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 }} + {{- include "gitlab.appConfig.ldap.servers.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.duo.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.omniauth.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.microsoftGraphMailer.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.smtp.mountSecrets" $ | nindent 10 }} +{{- if .Values.global.email.smime.enabled }} + - name: smime-creds + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ .Values.global.email.smime.secretName }} + items: + - key: {{ .Values.global.email.smime.keyName }} + path: .gitlab_smime_key + - key: {{ .Values.global.email.smime.certName }} + path: .gitlab_smime_cert +{{- end }} + - name: toolbox-secrets + emptyDir: + medium: "Memory" + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/pvc.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/pvc.yaml new file mode 100644 index 0000000..cc74867 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/pvc.yaml @@ -0,0 +1,44 @@ +{{- if and .Values.enabled .Values.persistence.enabled }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "fullname" . }}-tmp + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- if .Values.persistence.volumeName }} + volumeName: {{ .Values.persistence.volumeName }} +{{- end }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end -}} +{{- end }} + selector: +{{- if .Values.persistence.matchLabels }} + matchLabels: + {{- toYaml .Values.persistence.matchLabels | nindent 6 }} +{{- end -}} +{{- if .Values.persistence.matchExpressions }} + matchExpressions: + {{- toYaml .Values.persistence.matchExpressions | nindent 6 }} +{{- end -}} +{{- end }} +{{- if and .Values.enabled .Values.backups.cron.enabled .Values.backups.cron.persistence.enabled }} +{{- if not .Values.backups.cron.persistence.useGenericEphemeralVolume }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +{{ include "toolbox.backups.cron.persistence.persistentVolumeClaim" . }} +{{- end -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/serviceaccount.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/values.yaml new file mode 100644 index 0000000..e35be24 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/toolbox/values.yaml @@ -0,0 +1,274 @@ +image: {} + # pullPolicy: IfNotPresent + # pullSecrets: [] + # repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee + # tag: master + +init: + image: {} + # repository: + # tag: + # pullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + containerSecurityContext: {} + +# Tolerations for pod scheduling +tolerations: [] + +extraEnv: {} + +antiAffinityLabels: + matchLabels: {} + +affinity: + podAntiAffinity: + topologyKey: + +common: + labels: {} + +enabled: true +replicas: 1 +annotations: {} +podLabels: {} + +# Priority class assigned to pods +priorityClassName: "" + +psql: {} + # port: 5432 + +global: + hosts: + domain: example.com + hostSuffix: + https: true + gitlab: {} + registry: {} + minio: {} + psql: + # host: '0.0.0.0' + # port: '5432' + # database: 'gitlabhq_production' + # username: 'gitlab' + # applicationName: + # preparedStatements: false + # databaseTasks: true + # ssl: + # secret: gitlab-ssl-secret + # clientKey: client-key.pem + # clientCertificate: client-cert.pem + # serverCA: server-ca.pem + password: {} + redis: + auth: {} + gitaly: + internal: + names: ["default"] + external: [] + authToken: {} + minio: + enabled: + credentials: {} + webservice: {} + appConfig: + lfs: + enabled: true + proxy_download: true + bucket: + connection: {} + artifacts: + enabled: true + proxy_download: true + bucket: + connection: {} + uploads: + enabled: true + proxy_download: true + bucket: + connection: {} + packages: + enabled: true + proxy_download: true + bucket: + connection: {} + externalDiffs: + when: + proxy_download: true + bucket: + connection: {} + terraformState: + enabled: false + bucket: + connection: {} + dependencyProxy: + enabled: false + proxy_download: true + bucket: + connection: {} + ldap: + servers: {} + # 'main' is the GitLab 'provider ID' of this LDAP server + # main: + # label: 'LDAP' + # host: '_your_ldap_server' + # port: 636 + # uid: 'sAMAccountName' + # bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' + # password: '_the_password_of_the_bind_user' + # encryption: 'plain' + omniauth: + enabled: false + autoSignInWithProvider: + syncProfileFromProvider: [] + syncProfileAttributes: ['email'] + allowSingleSignOn: ['saml'] + blockAutoCreatedUsers: true + autoLinkLdapUser: false + autoLinkSamlUser: false + autoLinkUser: [] + externalProviders: [] + allowBypassTwoFactor: [] + providers: [] + # - secret: gitlab-google-oauth2 + # key: provider +backups: + cron: + enabled: false + concurrencyPolicy: Replace + failedJobsHistoryLimit: 1 + schedule: "0 1 * * *" + startingDeadlineSeconds: null + successfulJobsHistoryLimit: 3 + suspend: false + backoffLimit: 6 + # activeDeadlineSeconds: + safeToEvict: false + restartPolicy: "OnFailure" + extraArgs: "" + resources: + # limits: + # cpu: 1 + # memory: 2G + requests: + cpu: 50m + memory: 350M + persistence: + enabled: false + ## Use a generic ephemeral volume. + ## This kind of volume will exist only as long as the pod exists. + ## Requires at least Kubernetes version 1.23. + ## https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes + useGenericEphemeralVolume: false + ## toolbox temporarily Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 10Gi + subPath: "" + ## if volumeName is set, use this existing PersistentVolume + # volumeName: + matchLabels: {} + matchExpressions: [] + objectStorage: + backend: s3 + config: {} + # secret: my-backup-secret + # key: config + # gcpProject: my-gcp-project-id +extra: {} + +rack_attack: + git_basic_auth: + enabled: false + # enabled: true + # ip_whitelist: ["127.0.0.1"] + # maxretry: 10 + # findtime: 60 + # bantime: 3600 + +trusted_proxies: [] + +redis: + auth: {} +gitaly: + # host: '0.0.0.0' + # port: 8075 + # serviceName: 'gitaly' + authToken: {} + # secret: gitaly-secret + # key: token +minio: + bucket: git-lfs + serviceName: 'minio-svc' + port: 9000 +resources: + # limits: + # cpu: 1 + # memory: 2G + requests: + cpu: 50m + memory: 350M + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + enabled: false + + ## toolbox temporarily Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 10Gi + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + ## + subPath: "" + + ## if volumeName is set, use this existing PersistentVolume + # volumeName: + + ## Only bind to a volume with the following exactly matched labels with values. + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + + ## Only bind to a volume with the following exppression matched labels. + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchExpressions: [] + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +## Enable deployment to use a serviceAccount +serviceAccount: + enabled: false + create: false + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + +deployment: + strategy: + type: Recreate + rollingUpdate: null diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/Chart.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/Chart.yaml new file mode 100644 index 0000000..d036fa2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: v16.6.0 +description: HTTP server for Gitlab +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +keywords: +- gitlab +- webservice +- puma +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: webservice +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/webservice +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-webservice +version: 7.6.0 diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_datamodel.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_datamodel.tpl new file mode 100644 index 0000000..26ee271 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_datamodel.tpl @@ -0,0 +1,166 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +webservice.datamodel.prepare + +!! To be run against $ + +Walks `deployments` and merges `webservice.datamodel.blank` into each +item, ensuring presence of all keys. +*/}} +{{- define "webservice.datamodel.prepare" -}} +{{- $fullname := include "fullname" $ -}} +{{- $blank := dict -}} +{{/* make sure we always have at least one */}} +{{- if not $.Values.deployments -}} +{{- $blank := fromYaml (include "webservice.datamodel.blank" $) -}} +{{- $_ := set $blank.ingress "path" (coalesce $.Values.ingress.path $.Values.global.ingress.path) -}} +{{- $_ := set $blank.extraIngress "path" (coalesce $.Values.extraIngress.path $.Values.global.ingress.path) -}} +{{- $_ := set $.Values "deployments" (dict "default" (dict)) -}} +{{- $_ := set $.Values.deployments "default" $blank -}} +{{- end -}} +{{/* walk all entries, ensure default properties populated */}} +{{- $checks := dict "hasBasePath" false -}} +{{- range $deployment, $values := $.Values.deployments -}} +{{- $filledValues := fromYaml (include "webservice.datamodel.blank" $) -}} +{{- $_ := include "gitlab.merge.overwriteEmpty" (dict "dst" $filledValues "src" $values) -}} +{{/* mergeOverwrite does not support overlaying empty values */}} +{{/* - $_ := mergeOverwrite $filledValues $values - */}} +{{- $_ := set $filledValues "name" $deployment -}} +{{- $_ := set $filledValues "fullname" $fullname -}} +{{- $_ := set $.Values.deployments $deployment $filledValues -}} +{{- if has ($filledValues.ingress.path | toString ) (list "/" "/*") -}} +{{- $_ := set $checks "hasBasePath" true -}} +{{- end -}} +{{- end -}} +{{- if and (not $.Values.ingress.requireBaseBath) (not $checks.hasBasePath) -}} +{{- fail "FATAL: Webservice: no deployment with ingress.path '/' or '/*' specified." -}} +{{- end -}} +{{- end -}} + +{{/* +webservice.datamodel.blank + +!! To be run against $ + +Creates a copy of the data model expected for `deployments` entries, +pulling default values from the appropriate items in `.Values.xyz`. +This is output as YAML, it can be read back in as a dict via `toYaml`. +*/}} +{{- define "webservice.datamodel.blank" -}} +{{- range $k, $v := (dict "ingress" .Values.ingress "extraIngress" .Values.extraIngress) }} +{{ $k }}: + path: # intentionally not setting a value. User must set. + pathType: Prefix + annotations: + {{- $v.annotations | toYaml | nindent 4 }} + proxyConnectTimeout: {{ $v.proxyConnectTimeout }} + proxyReadTimeout: {{ $v.proxyReadTimeout }} + proxyBodySize: {{ $v.proxyBodySize | quote }} + useGeoClass: {{ $v.useGeoClass }} +{{- end }} +common: + labels: {{ mergeOverwrite (deepCopy .Values.global.common.labels) (deepCopy .Values.common.labels) | toYaml | nindent 4 }} +deployment: + annotations: + {{- if .Values.deployment.annotations }} + {{- toYaml .Values.deployment.annotations | nindent 4 }} + {{- end }} + labels: + {{- .Values.deployment | toYaml | nindent 2 }} +pod: + labels: # additional labels to .podLabels + annotations: # inherit from .Values.annotations + {{- if .Values.annotations }} + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} +service: + labels: # additional labels to .serviceLabels + type: {{ .Values.service.type }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range .Values.service.loadBalancerSourceRanges }} + - {{ . | quote }} + {{- end }} + {{- end }} + annotations: # additional annotations to .service.annotations + {{- if .Values.service.annotations }} + {{ toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +hpa: + minReplicas: {{ .Values.minReplicas }} # defaults to .minReplicas + maxReplicas: {{ .Values.maxReplicas }} # defaults to .maxReplicas + {{- .Values.hpa | toYaml | nindent 2 }} +keda: + {{- .Values.keda | toYaml | nindent 2 }} +pdb: + maxUnavailable: {{ .Values.maxUnavailable }} # defaults to .maxUnavailable +resources: # resources for `webservice` container + {{- .Values.resources | toYaml | nindent 2 }} +sharedTmpDir: {{ .Values.sharedTmpDir | toYaml | nindent 2 }} +sharedUploadDir: {{ .Values.sharedUploadDir | toYaml | nindent 2 }} +workhorse: + {{- .Values.workhorse | toYaml | nindent 2 }} +extraEnv: + {{- .Values.extraEnv | toYaml | nindent 2 }} +extraEnvFrom: + {{- .Values.extraEnvFrom | toYaml | nindent 2 }} +puma: + {{- .Values.puma | toYaml | nindent 2 }} +workerProcesses: {{ .Values.workerProcesses | int }} +shutdown: + {{- .Values.shutdown | toYaml | nindent 2 }} +nodeSelector: # map + {{- if .Values.nodeSelector }} + {{- .Values.nodeSelector | toYaml | nindent 2 }} + {{- end }} +tolerations: # array + {{- if .Values.tolerations }} + {{- .Values.tolerations | toYaml | nindent 2 }} + {{- end }} +sshHostKeys: # map + {{- .Values.sshHostKeys | toYaml | nindent 2 }} +{{- end -}} + +{{/* +gitlab.merge.overwriteEmpty + +Call: include "gitlab.merge.overwriteEmpty" (dict "dst" .model "src" .values) +Input: (dict "dst" (&dict) "src" (&dict)) + +Operate on two dictionary, performing effectively "merge", but always +take the value of src if present, even if empty. + +- `dst` should be a complete model map +- `src` should have keys on which to overwrite +- A given Map can be emptied by supplying `item: null`, but will otherwise be merged (inherit). + +Intended to be recursion capable, implementing deepMerge WithOverwriteWithEmptyValue. +`mergeOverwrite` uses deepMerge WithOverwrite. + +See: https://godoc.org/github.com/imdario/mergo#WithOverwriteWithEmptyValue +*/}} +{{- define "gitlab.merge.overwriteEmpty" -}} +{{/* Get a unique list of all keys in both maps */}} +{{- $cache_keys := keys $.src -}} +{{/* Walk all keys in both maps */}} +{{- range $key := $cache_keys -}} +{{/* If dst and src both have this key, walk */}} +{{- if and (hasKey $.dst $key) (hasKey $.src $key) -}} +{{/* If both values are maps, go deeper */}} +{{- if and (kindIs "map" (index $.src $key)) (kindIs "map" (index $.dst $key)) -}} +{{- include "gitlab.merge.overwriteEmpty" (dict "dst" (index $.dst $key) "src" (index $.src $key)) -}} +{{- else -}} +{{/* If values are not both maps, overwrite with src's value */}} +{{- $_ := set $.dst $key (index $.src $key) -}} +{{- end -}} +{{- end -}} +{{/* If dst does not have the key in src, add it to dst */}} +{{- if not (hasKey $.dst $key) -}} +{{- $_ := set $.dst $key (index $.src $key) -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_geo.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_geo.tpl new file mode 100644 index 0000000..c5ff320 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_geo.tpl @@ -0,0 +1,29 @@ +{{/* +Renders the ingress class annotation for Ingresses to handle Geo traffic. + +It expects a dictionary with two entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "webservice.geo.ingress.class.annotation" -}} +{{- $apiVersion := include "gitlab.ingress.apiVersion" . -}} +{{- $class := include "gitlab.geo.ingress.class.name" .context -}} +{{- if and (not (eq $apiVersion "networking.k8s.io/v1")) (not (eq $class "none")) -}} +kubernetes.io/ingress.class: {{ $class | quote }} +{{- end -}} +{{- end -}} + +{{/* +Renders the ingress class field for Ingresses to handle Geo traffic. + +It expects a dictionary with two entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "webservice.geo.ingress.class.field" -}} +{{- $apiVersion := include "gitlab.ingress.apiVersion" . -}} +{{- $class := include "gitlab.geo.ingress.class.name" .context -}} +{{- if and (eq $apiVersion "networking.k8s.io/v1") (not (eq $class "none")) -}} +ingressClassName: {{ $class | quote }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_helpers.tpl new file mode 100644 index 0000000..db33c0f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_helpers.tpl @@ -0,0 +1,297 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create the fullname, with suffix of deployment.name +Unless `ingress.path: /` or `name: default` + +!! to be called from scope of a `deployment.xyz` entry. +*/}} +{{- define "webservice.fullname.withSuffix" -}} +{{- printf "%s-%s" .fullname .name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Returns the secret name for the Secret containing the TLS certificate and key. +Uses `ingress.tls.secretName` first and falls back to `global.ingress.tls.secretName` +if there is a shared tls secret for all ingresses. + +It expects a dictionary with two entries: + `root`: the root context + `local`: the ingress context +*/}} +{{- define "webservice.tlsSecret" -}} +{{- $defaultName := (dict "secretName" "") -}} +{{- if .root.Values.global.ingress.configureCertmanager -}} +{{- $_ := set $defaultName "secretName" (printf "%s-gitlab-tls" .root.Release.Name) -}} +{{- else -}} +{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .root) -}} +{{- end -}} +{{- pluck "secretName" .local.tls .root.Values.global.ingress.tls $defaultName | first -}} +{{- end -}} + +{{/* +Returns the secret name for the Secret containing the TLS certificate and key for +the smartcard host. +Uses `ingress.tls.secretName` first and falls back to `global.ingress.tls.secretName` +if there is a shared tls secret for all ingresses. +*/}} +{{- define "smartcard.tlsSecret" -}} +{{- $defaultName := (dict "secretName" "") -}} +{{- if $.Values.global.ingress.configureCertmanager -}} +{{- $_ := set $defaultName "secretName" (printf "%s-gitlab-tls-smartcard" $.Release.Name) -}} +{{- else -}} +{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}} +{{- end -}} +{{- coalesce $.Values.ingress.tls.smartcardSecretName (pluck "secretName" $.Values.global.ingress.tls $defaultName | first) -}} +{{- end -}} + +{{/* +Returns the workhorse image repository depending on the value of global.edition. + +Used to switch the deployment from Enterprise Edition (default) to Community +Edition. If global.edition=ce, returns the Community Edition image repository +set in the Gitlab values.yaml, otherwise returns the Enterprise Edition +image repository. +*/}} +{{- define "workhorse.repository" -}} +{{- if eq "ce" $.Values.global.edition -}} +{{ index $.Values "global" "communityImages" "workhorse" "repository" }} +{{- else -}} +{{ index $.Values "global" "enterpriseImages" "workhorse" "repository" }} +{{- end -}} +{{- end -}} + +{{/* +Returns the webservice image depending on the value of global.edition. + +Used to switch the deployment from Enterprise Edition (default) to Community +Edition. If global.edition=ce, returns the Community Edition image repository +set in the Gitlab values.yaml, otherwise returns the Enterprise Edition +image repository. +*/}} +{{- define "webservice.image" -}} +{{ coalesce $.Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }} +{{- end -}} + +{{/* +Returns gomplate section for Workhorse direct object storage configuration. + +If Minio in use, set AWS and keys. +If consolidated object storage is in use, read the connection YAML + If provider is AWS, render enabled as true. +*/}} +{{- define "workhorse.object_storage.config" -}} +{%- $supported_providers := slice "AWS" "AzureRM" "Google" -%} +{%- $connection := coll.Dict "provider" "" -%} +{%- if file.Exists "/etc/gitlab/minio/accesskey" %} + {%- $aws_access_key_id := file.Read "/etc/gitlab/minio/accesskey" | strings.TrimSpace -%} + {%- $aws_secret_access_key := file.Read "/etc/gitlab/minio/secretkey" | strings.TrimSpace -%} + {%- $connection = coll.Dict "provider" "AWS" "aws_access_key_id" $aws_access_key_id "aws_secret_access_key" $aws_secret_access_key -%} +{%- end %} +{%- if file.Exists "/etc/gitlab/objectstorage/object_store" %} + {%- $connection = file.Read "/etc/gitlab/objectstorage/object_store" | strings.TrimSpace | data.YAML -%} +{%- end %} +{%- if has $supported_providers $connection.provider %} +[object_storage] +provider = "{% $connection.provider %}" +{%- if eq $connection.provider "AWS" %} +{%- $connection = coll.Merge $connection (coll.Dict "aws_access_key_id" "" "aws_secret_access_key" "" ) %} +# AWS / S3 object storage configuration. +[object_storage.s3] +# access/secret can be blank! +aws_access_key_id = {% $connection.aws_access_key_id | strings.TrimSpace | data.ToJSON %} +aws_secret_access_key = {% $connection.aws_secret_access_key | strings.TrimSpace | data.ToJSON %} +{%- else if eq $connection.provider "AzureRM" %} +{%- $connection = coll.Merge $connection (coll.Dict "azure_storage_account_name" "" "azure_storage_account_name" "" ) %} +# Azure Blob storage configuration. +[object_storage.azurerm] +azure_storage_account_name = {% $connection.azure_storage_account_name | strings.TrimSpace | data.ToJSON %} +azure_storage_access_key = {% $connection.azure_storage_access_key | strings.TrimSpace | data.ToJSON %} +{%- else if eq $connection.provider "Google" %} +# Google storage configuration. +[object_storage.google] +{% $connection | coll.Omit "provider" | data.ToTOML %} +{%- end %} +{%- end %} +{{- end -}} + +{{/* +Returns the extraEnv keys and values to inject into containers. Allows +pod-level values for extraEnv. + +Takes a dict with `local` being the pod-level configuration and `parent` +being the chart-level configuration. + +Pod values take precedence, then chart values, and finally global +values. +*/}} +{{- define "webservice.podExtraEnv" -}} +{{- $allExtraEnv := merge (default (dict) .local.extraEnv) (default (dict) .context.Values.extraEnv) .context.Values.global.extraEnv -}} +{{- range $key, $value := $allExtraEnv }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} + +{{/* +Output a .spec.selector YAML section + +To be consumed by: Deployment and PodDisruptionBudget +*/}} +{{- define "webservice.spec.selector" -}} +matchLabels: + app: {{ template "name" $ }} + release: {{ $.Release.Name }} + {{ template "webservice.labels" . | nindent 2 }} +{{- end -}} + +{{/* +Output labels specifically for webservice +*/}} +{{- define "webservice.labels" -}} +gitlab.com/webservice-name: {{ .name }} +{{- end -}} + +{{/* +Returns a list of _common_ labels to be shared across all +Webservice deployments and other shared objects. +*/}} +{{- define "webservice.commonLabels" -}} +{{- $commonLabels := default (dict) .common.labels -}} +{{- if $commonLabels }} +{{- range $key, $value := $commonLabels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Returns a list of _pod_ labels to be shared across all +Webservice deployments. +*/}} +{{- define "webservice.podLabels" -}} +{{- range $key, $value := .pod.labels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} + +{{/* +Returns the extraEnv keys and values to inject into containers. + +Global values will override any chart-specific values. +*/}} +{{- define "webservice.extraEnv" -}} +{{- $allExtraEnv := merge (default (dict) .local.extraEnv) .global.extraEnv -}} +{{- range $key, $value := $allExtraEnv }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} + +{{/* + +*/}} +{{/* +Defines a volume containing all public host SSH keys, fingerprints of which will become available +under /help/instance_configuration for users to be able to verify the server + +It expects a dictionary with three entries: +- `local` which contains sshHostKeys configuration of a single webservice Deployment +- `Release` being a copy of .Release +- `Values` being a copy of .Values + +The `Release` and `Values` keys are needed because of the usage of the +`gitlab.gitlab-shell.hostKeys.secret` helper. +*/}} +{{- define "webservice.sshHostKeys.volume" -}} +- name: {{ .local.sshHostKeys.mountName }} + secret: + secretName: {{ template "gitlab.gitlab-shell.hostKeys.secret" . }} + items: + {{- range .local.sshHostKeys.types }} + - key: ssh_host_{{ . }}_key.pub + path: ssh_host_{{ . }}_key.pub + {{- end -}} +{{- end -}} + +{{/* +Return the webservice TLS secret name +*/}} +{{- define "webservice.tls.secret" -}} +{{- default (printf "%s-webservice-tls" .Release.Name) $.Values.tls.secretName | quote -}} +{{- end -}} + +{{/* +Return the webservice-metrics TLS secret name. +*/}} +{{- define "webservice-metrics.tls.secret" -}} +{{- $.Values.metrics.tls.secretName | default (include "webservice.tls.secret" .) }} +{{- end -}} + +{{/* +Return whether the webservice has TLS for metrics enabled. +*/}} +{{- define "webservice-metrics.tls.enabled" -}} +{{- if hasKey $.Values.metrics.tls "enabled" }} +{{- $.Values.metrics.tls.enabled }} +{{- else }} +{{- $.Values.tls.enabled }} +{{- end }} +{{- end -}} + +{{/* +Return the Workhorse TLS Secret name +*/}} +{{- define "workhorse.tls.secret" -}} +{{- default (printf "%s-workhorse-tls" .Release.Name) $.Values.workhorse.tls.secretName | quote -}} +{{- end -}} + +{{/* +Return whether the Workhorse exporter has TLS enabled. +*/}} +{{- define "workhorse.monitoring.exporter.tls.enabled" -}} +{{- if hasKey $.Values.workhorse.monitoring.exporter.tls "enabled" }} +{{- $.Values.workhorse.monitoring.exporter.tls.enabled }} +{{- else }} +{{- $.Values.global.workhorse.tls.enabled }} +{{- end }} +{{- end -}} + + +{{/* +Return the workhorse redis configuration. +*/}} +{{- define "workhorse.redis.config" -}} +{{- if $.Values.global.redis.workhorse }} +{{- $_ := set $ "redisConfigName" "workhorse" }} +{{- end }} +{{- include "gitlab.redis.selectedMergedConfig" . -}} +[redis] +{{- if not .redisMergedConfig.sentinels }} +URL = "{{ template "gitlab.redis.scheme" $ }}://{{ template "gitlab.redis.host" $ }}:{{ template "gitlab.redis.port" $ }}" +{{- else }} +SentinelMaster = "{{ template "gitlab.redis.host" $ }}" +Sentinel = [ {{ template "gitlab.redis.workhorse.sentinel-list" $ }} ] +{{- end }} +{{- if .redisMergedConfig.password.enabled }} +{{- $passwordPath := printf "%s-password" (default "redis" .redisConfigName) }} +Password = {% file.Read "/etc/gitlab/redis/{{ $passwordPath }}" | strings.TrimSpace | data.ToJSON %} +{{- end }} +{{- $_ := set . "redisConfigName" "" }} +{{- end -}} + +{{/* +Return the bash setup commands for redis secrets. +*/}} +{{- define "workhorse.redis.secret-setup" -}} +{{- if $.Values.global.redis.workhorse -}} +{{- $_ := set $ "redisConfigName" "workhorse" }} +{{- end -}} +{{- include "gitlab.redis.selectedMergedConfig" . -}} +{{- if .redisMergedConfig.password.enabled -}} +{{- $passwordPath := printf "%s-password" (default "redis" .redisConfigName) -}} +mkdir -p /init-secrets-workhorse/redis +cp -v -r -L /init-config/redis/{{ $passwordPath }} /init-secrets-workhorse/redis/ +{{- end -}} +{{- $_ := set . "redisConfigName" "" }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_ingress.tpl b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_ingress.tpl new file mode 100644 index 0000000..dca9bfd --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/_ingress.tpl @@ -0,0 +1,82 @@ +{{/* +Renders a Ingress for the webservice + +It expects a dictionary with three entries: + - `name` the Ingress name to use + - `root` the root context + - `deployment` the context of the deployment to render the Ingress for + - `host` the host to use in the Ingress rule and TLS config + - `tlsSecret` the tls secret to use +*/}} +{{- define "webservice.ingress.template" -}} +{{- $global := .root.Values.global }} +{{- if .ingressCfg.local.path }} +--- +apiVersion: {{ template "gitlab.ingress.apiVersion" .ingressCfg }} +kind: Ingress +metadata: + name: {{ .name }} + namespace: {{ .root.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" .root | nindent 4 }} + {{- include "webservice.labels" .deployment | nindent 4 }} + {{- include "webservice.commonLabels" .deployment | nindent 4 }} + annotations: + {{- if .ingressCfg.local.useGeoClass }} + {{- include "webservice.geo.ingress.class.annotation" .ingressCfg | nindent 4 }} + {{- else }} + {{- include "ingress.class.annotation" .ingressCfg | nindent 4 }} + {{- end }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" .ingressCfg }}" + {{- if eq "nginx" (default $global.ingress.provider .ingressCfg.local.provider) }} + {{- if $global.workhorse.tls.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: https + {{- if pluck "verify" .deployment.workhorse.tls (dict "verify" true) | first }} + nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' + nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "webservice.fullname.withSuffix" .deployment }}.{{ .root.Release.Namespace }}.svc + {{- if .deployment.workhorse.tls.caSecretName }} + nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ .root.Release.Namespace }}/{{ .deployment.workhorse.tls.caSecretName }} + {{- end }} + {{- end }} + {{- end }} + nginx.ingress.kubernetes.io/proxy-body-size: {{ .ingressCfg.local.proxyBodySize | quote }} + nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .ingressCfg.local.proxyReadTimeout | quote }} + nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .ingressCfg.local.proxyConnectTimeout | quote }} + {{- end }} + {{- include "gitlab.certmanager_annotations" .root | nindent 4 }} + {{- range $key, $value := merge .ingressCfg.local.annotations $global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{- if .ingressCfg.local.useGeoClass }} + {{- include "webservice.geo.ingress.class.field" .ingressCfg | nindent 2 }} + {{- else }} + {{- include "ingress.class.field" .ingressCfg | nindent 2 }} + {{- end }} + rules: + - host: {{ .host }} + http: + paths: + - path: {{ .deployment.ingress.path }} + {{ if or (.root.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default .deployment.ingress.pathType $global.ingress.pathType }} + backend: + service: + name: {{ template "webservice.fullname.withSuffix" .deployment }} + port: + number: {{ .root.Values.service.workhorseExternalPort }} + {{- else -}} + backend: + serviceName: {{ template "webservice.fullname.withSuffix" .deployment }} + servicePort: {{ .root.Values.service.workhorseExternalPort }} + {{- end -}} + {{- if (and .tlsSecret (eq (include "gitlab.ingress.tls.enabled" .root) "true" )) }} + tls: + - hosts: + - {{ .host }} + secretName: {{ .tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/configmap.yml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/configmap.yml new file mode 100644 index 0000000..c4436e5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/configmap.yml @@ -0,0 +1,252 @@ +{{- if .Values.enabled -}} +{{- include "database.datamodel.prepare" $ -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + {{- if $.Values.debugDatamodel }} + # gitlab.webservice.debugDatamodel + # helm template . -f test_values.yaml | yq -r '.data.deployments | select(. != null)' + {{- include "webservice.datamodel.prepare" $ -}} + deployments: | + blank: + {{- include "webservice.datamodel.blank" $ | nindent 6 }} + {{- toYaml .Values.deployments | nindent 4 }} + {{- end }} + installation_type: | + gitlab-helm-chart + database.yml.erb: | + {{- include "gitlab.database.yml" . | nindent 4 }} + {{- if $.Values.global.clickhouse.enabled }} + click_house.yml.erb: | + {{- include "gitlab.clickhouse.yml" . | nindent 4 }} + {{- end }} + krb5.conf: | + {{- .Values.global.appConfig.kerberos.krb5Config | nindent 4 }} + smtp_settings.rb: | + {{- include "gitlab.smtp_settings" . | nindent 4 }} + {{- include "gitlab.rails.redis.all" . | nindent 2 }} + gitlab.yml.erb: | + production: &base + gitlab: + host: {{ template "gitlab.gitlab.hostname" . }} + https: {{ hasPrefix "https://" (include "gitlab.gitlab.url" .) }} + {{- with .Values.global.hosts.ssh }} + ssh_host: {{ . | quote }} + {{- end }} + {{- with .Values.global.appConfig }} + {{- if .cdnHost }} + cdn_host: {{ .cdnHost | quote }} + {{- end }} + max_request_duration_seconds: {{ default (include "gitlab.appConfig.maxRequestDurationSeconds" $) .maxRequestDurationSeconds }} + impersonation_enabled: {{ .enableImpersonation }} + application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} + usage_ping_enabled: {{ eq .enableUsagePing true }} + seat_link_enabled: {{ eq .enableSeatLink true }} + username_changing_enabled: {{ eq .usernameChangingEnabled true }} + issue_closing_pattern: {{ .issueClosingPattern | quote }} + default_theme: {{ .defaultTheme }} + {{- include "gitlab.appConfig.defaultProjectsFeatures.configuration" $ | nindent 8 }} + {{- if hasKey .initialDefaults "signupEnabled" }} + signup_enabled: {{ .initialDefaults.signupEnabled }} + {{- end }} + graphql_timeout: {{ .graphQlTimeout }} + webhook_timeout: {{ .webhookTimeout }} + {{- end }} + trusted_proxies: + {{- if .Values.trusted_proxies }} + {{- toYaml .Values.trusted_proxies | nindent 10 }} + {{- end }} + time_zone: {{ .Values.global.time_zone | quote }} + {{- include "gitlab.outgoing_email_settings" . | indent 8 }} + {{- with .Values.global.appConfig }} + {{- if eq .contentSecurityPolicy.enabled true }} + {{- include "gitlab.appConfig.content_security_policy" . | nindent 8 }} + {{- end }} + {{- if .microsoft_graph_mailer.enabled }} + {{- include "gitlab.appConfig.microsoft_graph_mailer" . | nindent 6 }} + {{- end }} + {{- if .incomingEmail.enabled }} + {{- include "gitlab.appConfig.incoming_email" . | nindent 6 }} + {{- end }} + {{- if .serviceDeskEmail.enabled }} + {{- include "gitlab.appConfig.service_desk_email" . | nindent 6 }} + {{- end }} + {{- include "gitlab.appConfig.cronJobs" . | nindent 6 }} + gravatar: + plain_url: {{ .gravatar.plainUrl }} + ssl_url: {{ .gravatar.sslUrl }} + {{- include "gitlab.appConfig.extra" . | nindent 6 }} + {{- end }} + + {{- if $.Values.global.appConfig.object_store.enabled }} + # Consolidated object storage configuration + ## property local configuration will override object_store + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store "context" $) | nindent 6 }} + objects: + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 10 -}} + {{- include "gitlab.appConfig.objectStorage.object" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 -}} + {{- end }} + {{- include "gitlab.appConfig.artifacts.configuration" (dict "config" $.Values.global.appConfig.artifacts "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.lfs.configuration" (dict "config" $.Values.global.appConfig.lfs "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.uploads.configuration" (dict "config" $.Values.global.appConfig.uploads "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.packages.configuration" (dict "config" $.Values.global.appConfig.packages "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.external_diffs.configuration" (dict "config" $.Values.global.appConfig.externalDiffs "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.terraformState.configuration" (dict "config" $.Values.global.appConfig.terraformState "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.ciSecureFiles.configuration" (dict "config" $.Values.global.appConfig.ciSecureFiles "context" $) | nindent 6 }} + {{- include "gitlab.appConfig.dependencyProxy.configuration" (dict "config" $.Values.global.appConfig.dependencyProxy "context" $) | nindent 6 }} + {{- include "gitlab.geo.config" $ | nindent 6 }} + {{- include "gitlab.appConfig.sentry.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.gitlab_docs.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.sidekiq.configuration" $ | nindent 6 }} + {{- include "gitlab.pages.config" $ | nindent 6 }} + mattermost: + enabled: false + gitlab_ci: + {{- include "gitlab.appConfig.ldap.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.omniauth.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.kerberos.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.duo.configuration" $ | nindent 6 }} + shared: + {{- include "gitlab.appConfig.gitaly" . | nindent 6 }} + {{- include "gitlab.appConfig.repositories" . | nindent 6 }} + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + {{- include "gitlab.appConfig.kas" . | nindent 6 }} + {{- include "gitlab.appConfig.suggested_reviewers" . | nindent 6 }} + {{- include "gitlab.appConfig.zoekt" . | nindent 6 }} + {{- include "gitlab.appConfig.shell" . | nindent 6 }} + {{- include "gitlab.appConfig.shell.ssh_port" . | nindent 8 }} + {{- include "gitlab.appConfig.shell.secret_file" . | nindent 8 }} + workhorse: + secret_file: /etc/gitlab/gitlab-workhorse/secret + git: + bin_path: /usr/bin/git + webpack: + monitoring: + ip_whitelist: + {{- if kindIs "slice" .Values.monitoring.ipWhitelist }} + {{ toYaml .Values.monitoring.ipWhitelist | nindent 10 | trim }} + {{- end }} + web_exporter: + enabled: {{ or .Values.monitoring.exporter.enabled (and .Values.metrics.enabled (eq .Values.metrics.port .Values.monitoring.exporter.port)) }} + address: 0.0.0.0 + port: {{ .Values.monitoring.exporter.port }} + {{- if eq (include "webservice-metrics.tls.enabled" $) "true" }} + tls_enabled: true + tls_cert_path: "/etc/gitlab/webservice-metrics/webservice-metrics.crt" + tls_key_path: "/etc/gitlab/webservice-metrics/webservice-metrics.key" + {{- end }} + sidekiq_exporter: + shutdown: + blackout_seconds: <%= ENV["SHUTDOWN_BLACKOUT_SECONDS"] %> + {{- include "gitlab.appConfig.rackAttack" . | nindent 6 }} + ## Registry Integration + {{- include "gitlab.appConfig.registry.configuration" $ | nindent 6 }} + {{- include "gitlab.appConfig.smartcard.configuration" $ | nindent 6 }} + configure: | + {{- include "gitlab.scripts.configure.secrets" (dict) | nindent 4 }} + {{- include "gitlab.psql.ssl.initScript" . | nindent 4 }} + {{- include "gitlab.geo.psql.ssl.initScript" . | nindent 4 }} + {{- if $.Values.tls.enabled }} + mkdir -p /init-secrets/puma + cp -v -L /init-config/puma/puma.crt /init-secrets/puma/puma.crt + cp -v -L /init-config/puma/puma.key /init-secrets/puma/puma.key + {{- end }} + {{- if eq (include "webservice-metrics.tls.enabled" $) "true" }} + mkdir -p /init-secrets/webservice-metrics + cp -v -L /init-config/webservice-metrics/webservice-metrics.crt /init-secrets/webservice-metrics/webservice-metrics.crt + cp -v -L /init-config/webservice-metrics/webservice-metrics.key /init-secrets/webservice-metrics/webservice-metrics.key + {{- end }} + +{{- include "webservice.datamodel.prepare" $ -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $.Release.Name }}-workhorse-{{ .name }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.commonLabels" $ | nindent 4 }} +data: + installation_type: | + gitlab-helm-chart + workhorse-config.toml.tpl: | + shutdown_timeout = "{{ template "gitlab.workhorse.shutdownTimeout" $ }}" + {{- if $.Values.workhorse.trustedCIDRsForPropagation }} + trusted_cidrs_for_propagation = {{ $.Values.workhorse.trustedCIDRsForPropagation | toStrings | toJson }} + {{- end }} + {{- if $.Values.workhorse.trustedCIDRsForXForwardedFor }} + trusted_cidrs_for_x_forwarded_for = {{ $.Values.workhorse.trustedCIDRsForXForwardedFor | toStrings | toJson }} + {{- end }} + + {{- if .workhorse.keywatcher }} + {{- include "workhorse.redis.config" $ | nindent 4 }} + {{- end }} + {{- include "workhorse.object_storage.config" $ | nindent 4 }} + [image_resizer] + max_scaler_procs = {{ $.Values.workhorse.imageScaler.maxProcs | int }} + max_filesize = {{ $.Values.workhorse.imageScaler.maxFileSizeBytes | int }} + [[listeners]] + network = "tcp" + addr = "0.0.0.0:{{ default 8181 $.Values.service.workhorseInternalPort | int }}" + {{- if $.Values.global.workhorse.tls.enabled }} + [listeners.tls] + certificate = "/etc/gitlab/gitlab-workhorse/tls.crt" + key = "/etc/gitlab/gitlab-workhorse/tls.key" + {{- end }} + {{- if or $.Values.workhorse.monitoring.exporter.enabled $.Values.workhorse.metrics.enabled }} + [metrics_listener] + network = "tcp" + addr = "0.0.0.0:{{ $.Values.workhorse.monitoring.exporter.port }}" + {{- $workhorseExporterTlsEnabled := eq (include "workhorse.monitoring.exporter.tls.enabled" $ ) "true" }} + {{- if $workhorseExporterTlsEnabled }} + [metrics_listener.tls] + certificate = "/etc/gitlab/gitlab-workhorse/tls.crt" + key = "/etc/gitlab/gitlab-workhorse/tls.key" + {{- end }} + {{- end }} + configure: | + set -e + mkdir -p /init-secrets-workhorse/gitlab-workhorse + cp -v -r -L /init-config/gitlab-workhorse/secret /init-secrets-workhorse/gitlab-workhorse/secret + {{- include "workhorse.redis.secret-setup" $ | nindent 6 -}} + {{- if $.Values.global.minio.enabled }} + if [ -d /init-config/minio ]; then + mkdir -p /init-secrets-workhorse/minio + cp -v -r -L /init-config/minio/* /init-secrets-workhorse/minio/ + fi + {{- end }} + {{- if $.Values.global.appConfig.object_store.connection }} + if [ -f /init-config/objectstorage/object_store ]; then + mkdir -p /init-secrets-workhorse/objectstorage + cp -v -r -L /init-config/objectstorage/object_store /init-secrets-workhorse/objectstorage/ + fi + {{- end }} + {{- if $.Values.global.workhorse.tls.enabled }} + cp -v -L /init-config/gitlab-workhorse/tls.crt /init-secrets-workhorse/gitlab-workhorse/tls.crt + cp -v -L /init-config/gitlab-workhorse/tls.key /init-secrets-workhorse/gitlab-workhorse/tls.key + {{- end }} + +# Leave this here - This line denotes end of block to the parser. +{{- end }}{{/* END range deployments */}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/deployment.yaml new file mode 100644 index 0000000..24c24b5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/deployment.yaml @@ -0,0 +1,564 @@ +{{- if $.Values.enabled }} +{{- $imageCfg := dict "global" $.Values.global.image "local" $.Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" $.Values | fromYaml -}} +{{- include "database.datamodel.prepare" $ -}} +{{- include "webservice.datamodel.prepare" $ -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "webservice.fullname.withSuffix" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "webservice.labels" . | nindent 4 }} + {{- include "webservice.commonLabels" . | nindent 4 }} + {{- if .deployment.labels -}} + {{- toYaml .deployment.labels | nindent 4 }} + {{- end }} + annotations: + {{- include "gitlab.deploymentAnnotations" $ | nindent 4 }} + {{- if .deployment.annotations -}} + {{- toYaml .deployment.annotations | nindent 4 }} + {{- end }} +spec: + # Don't provide replicas when HPA are present + # replicas: {{ .hpa.minReplicas }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 6 }} + {{ include "webservice.labels" . | nindent 6 }} + {{- if .deployment.strategy }} + strategy: + {{- .deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" $ | nindent 8 }} + {{- include "webservice.labels" . | nindent 8 }} + {{- include "gitlab.podLabels" $ | nindent 8 }} + {{- include "webservice.commonLabels" . | nindent 8 }} + {{- include "webservice.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- range $key, $value := .pod.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if and $.Values.metrics.enabled (not $.Values.metrics.serviceMonitor.enabled) }} + {{- if $.Values.metrics.annotations }} + {{- toYaml $.Values.metrics.annotations | nindent 8 }} + {{- else }} + {{- if eq (include "webservice-metrics.tls.enabled" $) "true" }} + gitlab.com/prometheus_scheme: "https" + prometheus.io/scheme: "https" + {{- end }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ $.Values.metrics.port | quote }} + gitlab.com/prometheus_path: {{ $.Values.metrics.path }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ $.Values.metrics.port | quote }} + prometheus.io/path: {{ $.Values.metrics.path }} + {{- end }} + {{- end }} + spec: + {{- if .tolerations }} + tolerations: + {{- toYaml .tolerations | nindent 8 }} + {{- end }} + {{- $nodeSelectors := dict "Values" (dict "global" (dict "nodeSelector" $.Values.global.nodeSelector) "nodeSelector" .nodeSelector) -}} + {{- include "gitlab.nodeSelector" $nodeSelectors | nindent 6 }} + {{- $priorityClassName := dict "Values" (dict "global" (dict "priorityClassName" $.Values.global.priorityClassName) "priorityClassName" $.Values.priorityClassName) -}} + {{- include "gitlab.priorityClassName" $priorityClassName | nindent 6 }} + {{- include "gitlab.podSecurityContext" $.Values.securityContext | nindent 6 }} + {{- if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default $.Values.global.affinity.podAntiAffinity.topologyKey $.Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 18 }} + {{- include "webservice.labels" . | nindent 18}} + {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default $.Values.global.affinity.podAntiAffinity.topologyKey $.Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 18 }} + {{- include "webservice.labels" . | nindent 18}} + {{- end }} + {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} + {{- end }} + automountServiceAccountToken: false + initContainers: + {{- include "gitlab.extraInitContainers" $ | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + - name: configure + command: ['sh'] + args: [ '-c', 'sh -x /config-webservice/configure ; sh -x /config-workhorse/configure ; mkdir -p -m 3770 /tmp/gitlab'] + image: {{ include "gitlab.configure.image" (dict "root" $ "image" $.Values.init.image ) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + env: + {{- include "webservice.extraEnv" (dict "global" $.Values.global "local" .) | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + {{- include "gitlab.psql.ssl.volumeMount" $ | nindent 10 }} + {{- include "gitlab.geo.psql.ssl.volumeMount" $ | nindent 10 }} + - name: webservice-config + mountPath: /config-webservice + readOnly: true + - name: workhorse-config + mountPath: /config-workhorse + readOnly: true + - name: init-webservice-secrets + mountPath: /init-config + readOnly: true + - name: webservice-secrets + mountPath: /init-secrets + readOnly: false + - name: workhorse-secrets + mountPath: /init-secrets-workhorse + readOnly: false + - name: shared-tmp + mountPath: /tmp + readOnly: false + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + - name: dependencies + image: {{ include "webservice.image" $ }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + args: + - /scripts/wait-for-deps + env: + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + - name: WORKHORSE_ARCHIVE_CACHE_DISABLED + value: "1" + {{- if $.Values.global.rails.bootsnap.enabled }} + - name: ENABLE_BOOTSNAP + value: "1" + {{- end }} + {{- include "webservice.extraEnv" (dict "global" $.Values.global "local" .) | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }} + - name: webservice-config + mountPath: '/var/opt/gitlab/templates' + - name: webservice-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: webservice-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + readOnly: true + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + {{- include "gitlab.extraContainers" $ | nindent 8 }} + - name: {{ $.Chart.Name }} + image: {{ include "webservice.image" $ }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + ports: + {{- if $.Values.http.enabled }} + - containerPort: {{ $.Values.service.internalPort }} + name: http-webservice + {{- end }} + {{- if $.Values.tls.enabled }} + - containerPort: {{ $.Values.service.tls.internalPort }} + name: https-ws + {{- end }} + {{- if or $.Values.monitoring.exporter.enabled (and $.Values.metrics.enabled (eq $.Values.metrics.port $.Values.monitoring.exporter.port)) }} + - containerPort: {{ $.Values.monitoring.exporter.port }} + name: http-metrics-ws + {{- end }} + env: + - name: GITLAB_WEBSERVER + value: {{ $.Values.webServer }} + - name: TMPDIR + value: "/tmp/gitlab" + - name: GITALY_FEATURE_DEFAULT_ON + value: "1" + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + {{- if $.Values.metrics.enabled }} + - name: prometheus_multiproc_dir + value: /metrics + {{- end }} + {{- if $.Values.global.rails.bootsnap.enabled }} + - name: ENABLE_BOOTSNAP + value: "1" + {{- end }} + - name: WORKER_PROCESSES + value: "{{ .workerProcesses }}" + - name: WORKER_TIMEOUT + value: "{{ $.Values.global.webservice.workerTimeout }}" + {{- if $.Values.http.enabled }} + - name: INTERNAL_PORT + value: "{{ $.Values.service.internalPort }}" + {{- end }} + {{- if $.Values.tls.enabled }} + - name: SSL_INTERNAL_PORT + value: {{ $.Values.service.tls.internalPort | quote }} + - name: PUMA_SSL_KEY + value: "/srv/gitlab/config/puma.key" + - name: PUMA_SSL_CERT + value: "/srv/gitlab/config/puma.crt" + {{- end }} + {{- if eq $.Values.webServer "puma" }} + - name: PUMA_THREADS_MIN + value: "{{ .puma.threads.min }}" + - name: PUMA_THREADS_MAX + value: "{{ .puma.threads.max }}" + - name: PUMA_WORKER_MAX_MEMORY + value: "{{ .puma.workerMaxMemory }}" + - name: DISABLE_PUMA_WORKER_KILLER + value: "{{ .puma.disableWorkerKiller }}" + {{- end }} + - name: SHUTDOWN_BLACKOUT_SECONDS + value: "{{ .shutdown.blackoutSeconds }}" + {{- include "gitlab.tracing.env" $ | nindent 12 }} + {{- if $.Values.global.tracing.urlTemplate }} + - name: GITLAB_TRACING_URL + value: {{ $.Values.global.tracing.urlTemplate | quote }} + {{- end }} + - name: WORKHORSE_ARCHIVE_CACHE_DISABLED + value: "true" + {{- include "webservice.extraEnv" (dict "global" $.Values.global "local" .) | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} + volumeMounts: + {{- if .sshHostKeys.mount }} + - name: {{ .sshHostKeys.mountName }} + mountPath: /etc/ssh + {{- end }} + {{- if $.Values.metrics.enabled }} + - name: webservice-metrics + mountPath: '/metrics' + {{- end }} + - name: webservice-config + mountPath: '/var/opt/gitlab/templates' + - name: webservice-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: webservice-secrets + mountPath: /srv/gitlab/config/secrets.yml + subPath: rails-secrets/secrets.yml + {{- if $.Values.tls.enabled }} + - name: webservice-secrets + mountPath: /srv/gitlab/config/puma.crt + subPath: puma/puma.crt + - name: webservice-secrets + mountPath: /srv/gitlab/config/puma.key + subPath: puma/puma.key + {{- end }} + - name: webservice-config + mountPath: '/etc/krb5.conf' + subPath: krb5.conf + {{- include "gitlab.appConfig.kerberos.volumeMount" $ | nindent 12 }} + - name: webservice-config + mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb' + subPath: smtp_settings.rb + - name: webservice-config + mountPath: '/srv/gitlab/INSTALLATION_TYPE' + subPath: installation_type + - name: shared-upload-directory + mountPath: /srv/gitlab/public/uploads/tmp + readOnly: false + - name: shared-tmp + mountPath: '/tmp' + readOnly: false + {{- if $.Values.global.email.smime.enabled }} + - name: smime-creds + mountPath: /home/git/gitlab + readOnly: true + {{- end }} + {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} + {{- if .deployment.startupProbe }} + startupProbe: + {{- toYaml .deployment.startupProbe | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /-/liveness + {{- if and (not $.Values.http.enabled) $.Values.tls.enabled }} + scheme: HTTPS + port: {{ $.Values.service.tls.internalPort }} + {{- else }} + port: {{ $.Values.service.internalPort }} + {{- end }} + initialDelaySeconds: {{ .deployment.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .deployment.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .deployment.livenessProbe.timeoutSeconds }} + successThreshold: {{ .deployment.livenessProbe.successThreshold }} + failureThreshold: {{ .deployment.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /-/readiness + {{- if and (not $.Values.http.enabled) $.Values.tls.enabled }} + scheme: HTTPS + port: {{ $.Values.service.tls.internalPort }} + {{- else }} + port: {{ $.Values.service.internalPort }} + {{- end }} + initialDelaySeconds: {{ .deployment.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .deployment.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .deployment.readinessProbe.timeoutSeconds }} + successThreshold: {{ .deployment.readinessProbe.successThreshold }} + failureThreshold: {{ .deployment.readinessProbe.failureThreshold }} + lifecycle: + preStop: + exec: + command: ["/bin/bash", "-c", "pkill -SIGINT -o ruby"] + resources: + {{- toYaml .resources | nindent 12 }} + - name: gitlab-workhorse + image: "{{ coalesce $.Values.workhorse.image (include "workhorse.repository" $) }}:{{ coalesce $.Values.workhorse.tag (include "gitlab.versionTag" $ ) }}{{ include "gitlab.image.tagSuffix" $ }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- if $.Values.workhorse.containerSecurityContext }} + securityContext: + {{- toYaml $.Values.workhorse.containerSecurityContext | nindent 12 }} + {{- end }} + ports: + - containerPort: {{ $.Values.service.workhorseInternalPort }} + name: http-workhorse + {{- if or $.Values.workhorse.monitoring.exporter.enabled $.Values.workhorse.metrics.enabled }} + - containerPort: {{ $.Values.workhorse.monitoring.exporter.port }} + name: http-metrics-wh + {{- end }} + env: + - name: TMPDIR + value: "/tmp/gitlab" + - name: GITLAB_WORKHORSE_AUTH_BACKEND + value: "http://localhost:{{ $.Values.service.internalPort }}" + - name: GITLAB_WORKHORSE_EXTRA_ARGS + value: {{ .workhorse.extraArgs | quote }} + - name: GITLAB_WORKHORSE_LISTEN_PORT + value: {{ default 8181 $.Values.service.workhorseInternalPort | int | quote }} + - name: GITLAB_WORKHORSE_LOG_FORMAT + value: {{ .workhorse.logFormat | quote }} + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/var/opt/gitlab/templates' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab/config' + {{- if .workhorse.sentryDSN }} + - name: GITLAB_WORKHORSE_SENTRY_DSN + value: {{ .workhorse.sentryDSN }} + {{- end }} + - name: SHUTDOWN_BLACKOUT_SECONDS + value: "{{ .shutdown.blackoutSeconds }}" + {{- include "gitlab.tracing.env" $ | nindent 12 }} + {{- include "webservice.extraEnv" (dict "global" $.Values.global "local" .) | nindent 12 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }} + volumeMounts: + - name: workhorse-config + mountPath: '/var/opt/gitlab/templates' + - name: workhorse-secrets + mountPath: '/etc/gitlab' + readOnly: true + - name: shared-upload-directory + mountPath: /srv/gitlab/public/uploads/tmp + readOnly: false + - name: shared-tmp + mountPath: '/tmp' + readOnly: false + {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }} + {{- include "gitlab.appConfig.kerberos.volumeMount" $ | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} + {{- if .workhorse.startupProbe }} + startupProbe: + {{- toYaml .workhorse.startupProbe | nindent 12 }} + {{- end }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - sleep $SHUTDOWN_BLACKOUT_SECONDS + livenessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: {{ .workhorse.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .workhorse.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .workhorse.livenessProbe.timeoutSeconds }} + successThreshold: {{ .workhorse.livenessProbe.successThreshold }} + failureThreshold: {{ .workhorse.livenessProbe.failureThreshold }} + readinessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: {{ .workhorse.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .workhorse.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .workhorse.readinessProbe.timeoutSeconds }} + successThreshold: {{ .workhorse.readinessProbe.successThreshold }} + failureThreshold: {{ .workhorse.readinessProbe.failureThreshold }} + resources: + {{- toYaml .workhorse.resources | nindent 12 }} + {{- if .deployment.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .deployment.terminationGracePeriodSeconds | int }} + {{- end }} + volumes: + {{- if .sshHostKeys.mount }} + {{- include "webservice.sshHostKeys.volume" (dict "local" . "Release" $.Release "Values" $.Values) | nindent 6 }} + {{- end }} + {{- include "gitlab.extraVolumes" $ | nindent 6 }} + {{- include "gitlab.psql.ssl.volume" $ | nindent 6 }} + {{- include "gitlab.geo.psql.ssl.volume" $ | nindent 6 }} + {{- include "gitlab.appConfig.kerberos.volume" $ | nindent 6 }} + - name: shared-tmp + {{- include "gitlab.volume.emptyDir" .sharedTmpDir | nindent 8 }} + {{- if $.Values.metrics.enabled }} + - name: webservice-metrics + emptyDir: + medium: "Memory" + {{- end }} + - name: webservice-config + configMap: + name: {{ .fullname }} + - name: workhorse-config + configMap: + name: {{ $.Release.Name }}-workhorse-{{ .name }} + - name: init-webservice-secrets + projected: + defaultMode: 0400 + sources: + - secret: + name: {{ template "gitlab.rails-secrets.secret" $ }} + items: + - key: secrets.yml + path: rails-secrets/secrets.yml + - secret: + name: {{ template "gitlab.gitlab-shell.authToken.secret" $ }} + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" $ }} + path: shell/.gitlab_shell_secret + {{- if $.Values.tls.enabled }} + - secret: + name: {{ template "webservice.tls.secret" $ }} + items: + - key: "tls.crt" + path: "puma/puma.crt" + - key: "tls.key" + path: "puma/puma.key" + {{- end }} + {{- if $.Values.global.workhorse.tls.enabled }} + - secret: + name: {{ include "workhorse.tls.secret" $ }} + items: + - key: "tls.crt" + path: "gitlab-workhorse/tls.crt" + - key: "tls.key" + path: "gitlab-workhorse/tls.key" + {{- end }} + {{- if eq (include "webservice-metrics.tls.enabled" $) "true" }} + - secret: + name: {{ template "webservice-metrics.tls.secret" $ }} + items: + - key: "tls.crt" + path: "webservice-metrics/webservice-metrics.crt" + - key: "tls.key" + path: "webservice-metrics/webservice-metrics.key" + {{- end }} + {{- include "gitlab.appConfig.microsoftGraphMailer.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.incomingEmail.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.serviceDeskEmail.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.gitaly.clientSecrets" $ | nindent 10 }} + {{- if $.Values.global.clickhouse.enabled }} + {{- include "gitlab.clickhouse.main.secrets" $ | nindent 10 }} + {{- end }} + {{- include "gitlab.redis.secrets" (dict "globalContext" $) | nindent 10 }} + {{- range $.Values.local.psql }} + {{- include "gitlab.psql.secret" . | nindent 10 }} + {{- end }} + {{- if include "gitlab.geo.secondary" $ }} + - secret: + name: {{ template "gitlab.geo.psql.password.secret" $ }} + items: + - key: {{ template "gitlab.geo.psql.password.key" $ }} + path: postgres/geo-psql-password + {{- end }} + - secret: + name: {{ template "gitlab.registry.certificate.secret" $ }} + items: + - key: registry-auth.key + path: registry/gitlab-registry.key + {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 }} + - secret: + name: {{ template "gitlab.workhorse.secret" $ }} + items: + - key: {{ template "gitlab.workhorse.key" $ }} + path: gitlab-workhorse/secret + {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.kas.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.suggestedReviewers.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.zoekt.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.minio.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "ci_secure_files" "config" $.Values.global.appConfig.ciSecureFiles) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 10 }} + {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 10 }} + {{- include "gitlab.appConfig.ldap.servers.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.duo.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.appConfig.omniauth.mountSecrets" $ | nindent 10 }} + {{- include "gitlab.smtp.mountSecrets" $ | nindent 10 }} + {{- if and $.Values.global.appConfig.smartcard.enabled $.Values.global.appConfig.smartcard.CASecret }} + - secret: + name: {{ $.Values.global.appConfig.smartcard.CASecret }} + items: + - key: "ca.crt" + path: rails-secrets/smartcard-ca.crt + {{- end }} + {{- if $.Values.global.email.smime.enabled }} + - name: smime-creds + secret: + secretName: {{ $.Values.global.email.smime.secretName }} + items: + - key: {{ $.Values.global.email.smime.keyName }} + path: .gitlab_smime_key + - key: {{ $.Values.global.email.smime.certName }} + path: .gitlab_smime_cert + {{- end }} + - name: webservice-secrets + emptyDir: + medium: "Memory" + - name: workhorse-secrets + emptyDir: + medium: "Memory" + - name: shared-upload-directory + {{- include "gitlab.volume.emptyDir" .sharedUploadDir | nindent 8 }} + {{- include "gitlab.certificates.volumes" $ | nindent 6 }} +{{- end }}{{/* END range deployments */}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/hpa.yaml new file mode 100644 index 0000000..43a86c2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/hpa.yaml @@ -0,0 +1,34 @@ +{{- if .Values.enabled -}} +{{- include "webservice.datamodel.prepare" $ -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{- if not (default $.Values.global.keda.enabled .keda.enabled) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .hpa "context" $) -}} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "webservice.fullname.withSuffix" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "webservice.labels" . | nindent 4 }} + {{- include "webservice.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "webservice.fullname.withSuffix" . }} + minReplicas: {{ .hpa.minReplicas }} + maxReplicas: {{ .hpa.maxReplicas }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end -}} +{{- end -}} +{{/* END range deployments */}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/ingress.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/ingress.yaml new file mode 100644 index 0000000..30cb522 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/ingress.yaml @@ -0,0 +1,28 @@ +{{- if .Values.enabled -}}{{/* ENABLED */}} +{{- if eq (include "gitlab.ingress.enabled" $) "true" -}}{{/* INGRESS ENABLED */}} +{{- include "webservice.datamodel.prepare" $ -}} +{{- range $.Values.deployments -}}{{/* RANGE DEPLOYMENTS */}} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +{{- $global := $.Values.global }} +{{- $hostname := $global.hosts.gitlab.hostnameOverride | default (include "gitlab.gitlab.hostname" $) -}} +{{- $ingressName := include "webservice.fullname.withSuffix" . -}} +{{- $tlsSecret := include "webservice.tlsSecret" (dict "root" $ "local" $.Values.ingress) -}} +{{- $ingressCfg := dict "global" $global.ingress "context" $ "local" .ingress -}} +{{- include "webservice.ingress.template" (dict "root" $ "deployment" . "ingressCfg" $ingressCfg "host" $hostname "name" $ingressName "tlsSecret" $tlsSecret) }} +{{- if $.Values.extraIngress.enabled }} +{{- $hostname = $.Values.extraIngress.hostname | default $hostname -}} +{{- $_ := set $ingressCfg "local" .extraIngress -}} +{{- $ingressName = printf "%s-extra" $ingressName -}} +{{- $tlsSecret = include "webservice.tlsSecret" (dict "root" $ "local" $.Values.extraIngress) -}} +{{- if $tlsSecret }} +{{- $tlsSecret = printf "%s-extra" $tlsSecret }} +{{- end }} +{{- include "webservice.ingress.template" (dict "root" $ "deployment" . "ingressCfg" $ingressCfg "host" $hostname "name" $ingressName "tlsSecret" $tlsSecret) }} +{{- end }} +{{- end -}}{{/* RANGE DEPLOYMENTS */}} +{{- end -}}{{/* INGRESS ENABLED */}} +{{- end -}}{{/* ENABLED */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/ingress_smartcard.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/ingress_smartcard.yaml new file mode 100644 index 0000000..2a4055c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/ingress_smartcard.yaml @@ -0,0 +1,80 @@ +{{- if $.Values.global.appConfig.smartcard.enabled -}} +{{- if eq (include "gitlab.ingress.enabled" $) "true" -}} +{{- $smartcardHostname := include "gitlab.smartcard.hostname" . -}} +{{- $tlsSecret := include "smartcard.tlsSecret" . -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{- if has .ingress.path (list "/" "/*") }} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +{{- $ingressCfg := dict "global" $.Values.global.ingress "local" .ingress "context" $ -}} +--- +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "webservice.fullname.withSuffix" . }}-smartcard + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.commonLabels" $ | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- if eq "nginx" $.Values.global.ingress.provider }} + {{- if $.Values.global.workhorse.tls.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: https + {{- if pluck "verify" .workhorse.tls (dict "verify" true) | first }} + nginx.ingress.kubernetes.io/proxy-ssl-verify: 'on' + nginx.ingress.kubernetes.io/proxy-ssl-name: {{ include "webservice.fullname.withSuffix" . }}.{{ $.Release.Namespace }}.svc + {{- if .workhorse.tls.caSecretName }} + nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace }}/{{ .workhorse.tls.caSecretName }} + {{- end }} + {{- end }} + {{- end }} + nginx.ingress.kubernetes.io/proxy-body-size: {{ $.Values.ingress.proxyBodySize | quote }} + nginx.ingress.kubernetes.io/proxy-read-timeout: {{ $.Values.ingress.proxyReadTimeout | quote }} + nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ $.Values.ingress.proxyConnectTimeout | quote }} + nginx.ingress.kubernetes.io/auth-tls-verify-client: 'on' + nginx.ingress.kubernetes.io/auth-tls-verify-depth: '2' + nginx.ingress.kubernetes.io/auth-tls-secret: '{{ $.Release.Namespace }}/{{ $.Values.global.appConfig.smartcard.CASecret }}' + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; + {{- end }} + {{- include "gitlab.certmanager_annotations" $ | nindent 4 }} + {{- range $key, $value := merge $.Values.ingress.annotations $.Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: {{ $smartcardHostname }} + http: + paths: + - path: {{ .ingress.path }} + {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default $.Values.global.ingress.pathType .ingress.pathType }} + backend: + service: + name: {{ template "webservice.fullname.withSuffix" . }} + port: + number: {{ $.Values.service.workhorseExternalPort }} + {{- else -}} + backend: + serviceName: {{ template "webservice.fullname.withSuffix" . }} + servicePort: {{ $.Values.service.workhorseExternalPort }} + {{- end -}} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }} + tls: + - hosts: + - {{ $smartcardHostname }} + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}}{{/* SET .ingress.path */}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/keda.yaml new file mode 100644 index 0000000..67fcc13 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/keda.yaml @@ -0,0 +1,32 @@ +{{- if .Values.enabled -}} +{{- include "webservice.datamodel.prepare" $ -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{- $kedaCfg := (dict "global" $.Values.global "hpa" .hpa "keda" .keda "resources" .resources) }} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg }} +{{- if $kedaEnabled }} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "webservice.fullname.withSuffix" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "webservice.labels" . | nindent 4 }} + {{- include "webservice.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "webservice.fullname.withSuffix" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} +{{- end -}} +{{/* END range deployments */}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/networkpolicy.yaml new file mode 100644 index 0000000..7cc1c1e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/networkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.enabled -}} +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 6 }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{ toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{ toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/pdb.yaml new file mode 100644 index 0000000..59d5e0a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/pdb.yaml @@ -0,0 +1,29 @@ +{{- if .Values.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +{{- include "webservice.datamodel.prepare" $ -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +--- +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "webservice.fullname.withSuffix" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "webservice.labels" . | nindent 4 }} + {{- include "webservice.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .pdb.maxUnavailable }} + selector: + matchLabels: + {{- include "gitlab.selectorLabels" $ | nindent 6 }} + {{ include "webservice.labels" . | nindent 6 }} +{{- end }} +{{/* END range deployments */}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/service.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/service.yaml new file mode 100644 index 0000000..8162ca7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/service.yaml @@ -0,0 +1,78 @@ +{{- if .Values.enabled }} +{{- include "webservice.datamodel.prepare" $ -}} +{{/* BEGIN range deployments */}} +{{- range $.Values.deployments -}} +{{/* +From here on: +- `.` is `.deployments.xyz` value +- `.name` is the key (xyz) +*/}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "webservice.fullname.withSuffix" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.serviceLabels" $ | nindent 4 }} + {{- include "webservice.labels" . | nindent 4 }} + {{- include "webservice.commonLabels" . | nindent 4 }} + {{- if .service.labels -}} + {{- toYaml .service.labels | nindent 4 }} + {{- end }} + annotations: + {{- include "gitlab.serviceAnnotations" $ | nindent 4 }} + {{- if .service.annotations -}} + {{- toYaml .service.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .service.type }} + {{- if (and (eq .service.type "LoadBalancer") (not (empty .service.loadBalancerIP))) }} + loadBalancerIP: {{ .service.loadBalancerIP }} + {{- end }} + {{- if (and (eq .service.type "LoadBalancer") (not (empty .service.loadBalancerSourceRanges))) }} + loadBalancerSourceRanges: + {{- range .service.loadBalancerSourceRanges }} + - {{ . | quote }} + {{- end }} + {{- end }} + ports: + {{- if $.Values.http.enabled }} + - port: {{ $.Values.service.externalPort }} + targetPort: http-webservice + protocol: TCP + name: http-webservice + {{- end }} + - port: {{ $.Values.service.workhorseExternalPort }} + targetPort: http-workhorse + protocol: TCP + name: {{ $.Values.global.workhorse.tls.enabled | ternary "https" "http" }}-workhorse + {{- if $.Values.tls.enabled }} + - port: {{ $.Values.service.tls.externalPort }} + targetPort: https-ws + protocol: TCP + name: https-ws + {{- end }} + + {{- if or $.Values.monitoring.exporter.enabled (and $.Values.metrics.enabled (eq $.Values.metrics.port $.Values.monitoring.exporter.port)) }} + - port: {{ $.Values.monitoring.exporter.port }} + targetPort: http-metrics-ws + protocol: TCP + {{- $metricsTlsEnabled := eq (include "webservice-metrics.tls.enabled" $) "true" }} + name: {{ $metricsTlsEnabled | ternary "https" "http" }}-metrics-ws + {{- end }} + {{- if or $.Values.workhorse.monitoring.exporter.enabled $.Values.workhorse.metrics.enabled }} + - port: {{ $.Values.workhorse.monitoring.exporter.port }} + targetPort: http-metrics-wh + protocol: TCP + {{- $exporterTlsEnabled := eq (include "workhorse.monitoring.exporter.tls.enabled" $) "true" }} + name: {{ $exporterTlsEnabled | ternary "https" "http" }}-metrics-wh + {{- end }} + selector: + app: {{ template "name" $ }} + release: {{ $.Release.Name }} + {{ include "webservice.labels" . | nindent 4 }} +{{- end }} +{{/* END range deployments */}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/serviceaccount.yaml new file mode 100644 index 0000000..16435d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "gitlab.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 -}} + {{- include "gitlab.commonLabels" . | nindent 4 -}} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/servicemonitor-workhorse.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/servicemonitor-workhorse.yaml new file mode 100644 index 0000000..d95583f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/servicemonitor-workhorse.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.enabled .Values.workhorse.metrics.enabled .Values.workhorse.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "fullname" . }}-workhorse + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.workhorse.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" $ }} + release: {{ $.Release.Name }} + endpoints: + - port: http-metrics-wh + path: {{ .Values.workhorse.metrics.path }} + {{- with .Values.workhorse.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/servicemonitor.yaml new file mode 100644 index 0000000..5e86693 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/servicemonitor.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.enabled .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" $ }} + release: {{ $.Release.Name }} + endpoints: + - port: http-metrics-ws + path: {{ .Values.metrics.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/tests/test-runner.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/tests/test-runner.yaml new file mode 100644 index 0000000..e7b6667 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/tests/test-runner.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.enabled .Values.helmTests.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "fullname" . }}-test-runner-{{ randAlphaNum 5 | lower }} + namespace: {{ $.Release.Namespace }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + containers: + - name: test-runner + image: {{ include "webservice.image" . }} + command: ['sh', '/tests/test_login'] + volumeMounts: + - name: tests + mountPath: '/tests' + - name: root-password + readOnly: true + mountPath: /initial_root_password + subPath: initial_root_password + volumes: + - name: tests + configMap: + name: {{ template "fullname" . }}-tests + - name: root-password + secret: + secretName: {{ template "gitlab.migrations.initialRootPassword.secret" . }} + items: + - key: {{ template "gitlab.migrations.initialRootPassword.key" . }} + path: initial_root_password + restartPolicy: Never + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/tests/tests.yaml b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/tests/tests.yaml new file mode 100644 index 0000000..609c571 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/charts/webservice/templates/tests/tests.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.enabled .Values.helmTests.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-tests + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + test_login: | + set -e + echo 'Start Test' + endpoint="{{ template "gitlab.gitlab.url" . }}" + cookie_read="-c /tmp/test_login.cookie" + cookie_readwrite="$cookie_read -b /tmp/test_login.cookie" + + signin_url="$endpoint/users/sign_in" + echo "Login to create a session: $signin_url" + csrf=$(curl -L $signin_url --fail -s $cookie_read | grep -Po ' + variables: + enable_http_compression: 1 + date_time_input_format: basic # needed for CH cloud +{{- end -}} + +{{- define "gitlab.clickhouse.main.secrets" -}} +- secret: + name: {{ include "gitlab.clickhouse.main.password.secret" . }} + items: + - key: {{ include "gitlab.clickhouse.main.password.key" . }} + path: clickhouse/.main_password +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_configure.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_configure.tpl new file mode 100644 index 0000000..1087913 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_configure.tpl @@ -0,0 +1,39 @@ +{{/* + Include using: + {{ include "gitlab.scripts.configure.secrets" ( + dict + "required" "your required secrets dirs" // optional, for defaults, see `$required` below + "optional" "your optional secrets dirs" // optional, for defaults, see `$optional` below + ) }} + + - Either can be disabled with "none" + - Duplicates from required will be removed from optional +*/}} +{{- define "gitlab.scripts.configure.secrets" -}} +{{- $required := default "shell gitaly registry rails-secrets gitlab-workhorse" $.required | splitList " " -}} +{{- $optional := default "redis minio objectstorage postgres ldap duo omniauth smtp kas pages oauth-secrets mailroom gitlab-exporter microsoft_graph_mailer suggested_reviewers zoekt clickhouse" $.optional | splitList " " -}} +{{- range (without $required "none") -}} +{{- $optional = without $optional . -}} +{{- end -}} +# BEGIN gitlab.scripts.configure.secrets +set -e +config_dir="/init-config" +secret_dir="/init-secrets" +{{- if len (without $required "none") }} +# required +for secret in {{ without $required "none" | join " " }} ; do + mkdir -p "${secret_dir}/${secret}" + cp -f -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/" +done +{{- end }} +{{- if len (without $optional "none") }} +# optional +for secret in {{ without $optional "none" | join " " }} ; do + if [ -e "${config_dir}/${secret}" ]; then + mkdir -p "${secret_dir}/${secret}" + cp -f -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/" + fi +done +{{- end }} +# END gitlab.scripts.configure.secrets +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_contentSecurityPolicy.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_contentSecurityPolicy.tpl new file mode 100644 index 0000000..177fada --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_contentSecurityPolicy.tpl @@ -0,0 +1,14 @@ +{{/* +Generates Content Security Policy configuration. + +Usage: +{{ include "gitlab.appConfig.content_security_policy" . }} +*/}} +{{- define "gitlab.appConfig.content_security_policy" -}} +content_security_policy: + {{- with .contentSecurityPolicy }} + enabled: {{ eq .enabled true }} + report_only: {{ .report_only }} + directives: {{ toJson .directives }} + {{- end -}} +{{- end -}}{{/* "gitlab.appConfig.content_security_policy" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_database.yml.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_database.yml.tpl new file mode 100644 index 0000000..999d753 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_database.yml.tpl @@ -0,0 +1,130 @@ +{{/* ######## Rails database related templates */}} +{{/* +Returns the contents of the `database.yml` blob for Rails pods +*/}} +{{- define "gitlab.database.yml" -}} +{{- include "database.datamodel.prepare" . -}} +{{- include "gitlab.database.setDefaultForDatabaseTasks" . -}} +{{- if .Values.global.debugDatabaseDatamodel }} +# global.debugDatabaseDatamodel=true +# helm template . -f test_values.yml | yq -r '.data."database.yml.erb" | select(. != null)' +datamodel: {{ .Values.local | toYaml | nindent 4 }} +{{- end }} +production: +{{- range $database := without (keys .Values.local.psql) "main" | sortAlpha | concat (list "main") }} +{{- $context := get $.Values.local.psql $database }} +{{- if eq (include "gitlab.psql.database.enabled" $context) "true" }} + {{ $database }}: + adapter: postgresql + encoding: unicode + database: {{ template "gitlab.psql.database" $context }} + username: {{ template "gitlab.psql.username" $context }} + password: <%= File.read({{ template "gitlab.psql.password.file" $context }}).strip.to_json %> + host: {{ include "gitlab.psql.host" $context | quote }} + port: {{ template "gitlab.psql.port" $context }} + connect_timeout: {{ template "gitlab.psql.connectTimeout" $context }} + keepalives: {{ template "gitlab.psql.keepalives" $context }} + keepalives_idle: {{ template "gitlab.psql.keepalivesIdle" $context }} + keepalives_interval: {{ template "gitlab.psql.keepalivesInterval" $context }} + keepalives_count: {{ template "gitlab.psql.keepalivesCount" $context }} + tcp_user_timeout: {{ template "gitlab.psql.tcpUserTimeout" $context }} + application_name: {{ template "gitlab.psql.applicationName" $context }} + prepared_statements: {{ template "gitlab.psql.preparedStatements" $context }} + database_tasks: {{ template "gitlab.psql.databaseTasks" $context }} + {{- include "gitlab.database.loadBalancing" $context | nindent 4 }} + {{- include "gitlab.psql.ssl.config" $context | nindent 4 }} +{{- end -}} +{{- end }} +{{- if include "gitlab.geo.secondary" . }} +{{- include "gitlab.geo.database.yml" . | nindent 2 }} +{{- end }} +{{- end -}} + +{{/* +Return if the database is enabled +Returns psql.enabled if it is a boolean, +otherwise it will fallback to "true" default +*/}} +{{- define "gitlab.psql.database.enabled" -}} +{{- $globalSet := and (hasKey .Values.global.psql "enabled") (kindIs "bool" .Values.global.psql.enabled) -}} +{{- if $globalSet }} +{{- .Values.global.psql.enabled }} +{{- else }} +{{- true }} +{{- end -}} +{{- end -}} + +{{/* +Sets 'databaseTasks: false' if the additional database points to the same database +as 'main:', where the db, host and port do match. +*/}} +{{- define "gitlab.database.setDefaultForDatabaseTasks" -}} +{{- $mainDB := include "gitlab.psql.database" $.Values.local.psql.main -}} +{{- $mainHost := include "gitlab.psql.host" $.Values.local.psql.main -}} +{{- $mainPort := include "gitlab.psql.port" $.Values.local.psql.main -}} +{{- range $database := without (keys $.Values.local.psql) "main" -}} +{{- $context := get $.Values.local.psql $database -}} +{{- $currentDB := include "gitlab.psql.database" $context -}} +{{- $currentHost := include "gitlab.psql.host" $context -}} +{{- $currentPort := include "gitlab.psql.port" $context -}} +{{- if and (not (hasKey $context.Values.psql "databaseTasks")) (not (hasKey $context.Values.global.psql "databaseTasks")) -}} +{{- if and (eq $currentDB $mainDB) (eq $currentHost $mainHost) (eq $currentPort $mainPort) -}} +{{- $_ := set $context.Values.global.psql "databaseTasks" false -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the contents of `load_balancing` section of database.yml + +See https://docs.gitlab.com/ee/administration/database_load_balancing.html#enabling-load-balancing + +Note: Many `if` used here, allowing Rails to provide defaults inside the codebase. +*/}} +{{- define "gitlab.database.loadBalancing" -}} +{{- with default .Values.global.psql .Values.psql -}} +{{- if kindIs "map" .load_balancing -}} +load_balancing: + {{- if kindIs "slice" .load_balancing.hosts }} + hosts: + {{- toYaml .load_balancing.hosts | nindent 2 }} + {{- else if kindIs "map" .load_balancing.discover }} + discover: + {{- with .load_balancing.discover -}} + {{- if index . "nameserver" }} + nameserver: {{ .nameserver }} + {{- end }} + record: {{ .record | required "`psql.load_balancing.discover` requires `record` to be provided." | quote }} + {{- if index . "record_type" }} + record_type: {{ .record_type | quote }} + {{- end }} + {{- if index . "port" }} + port: {{ .port | int }} + {{- end }} + {{- if index . "interval" }} + interval: {{ .interval | int }} + {{- end }} + {{- if index . "disconnect_timeout" }} + disconnect_timeout: {{ .disconnect_timeout | int }} + {{- end }} + {{- if index . "use_tcp" }} + use_tcp: {{ empty .use_tcp | not }} + {{- end -}} + {{- if index . "max_replica_pools" }} + max_replica_pools: {{ .max_replica_pools | int }} + {{- end }} + {{- end -}} + {{- end }} + {{- if index .load_balancing "max_replication_difference" }} + max_replication_difference: {{ .load_balancing.max_replication_difference | int }} + {{- end }} + {{- if index .load_balancing "max_replication_lag_time" }} + max_replication_lag_time: {{ .load_balancing.max_replication_lag_time | int }} + {{- end }} + {{- if index .load_balancing "replica_check_interval" }} + replica_check_interval: {{ .load_balancing.replica_check_interval | int }} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_databaseDatamodel.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_databaseDatamodel.tpl new file mode 100644 index 0000000..89d923b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_databaseDatamodel.tpl @@ -0,0 +1,76 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +database.datamodel.blank + +Called with context of `.Values[.global].psql`. + +Returns a deepCopy of context, with some keys removed. + +Removed: + - all .knownDecompositions [main, ci, ...] +*/}} +{{- define "database.datamodel.blank" -}} +{{- $psql := deepCopy . -}} +{{- $_ := unset $psql "knownDecompositions" -}} +{{- range $decomposedDatabase := .knownDecompositions -}} +{{- $_ := unset $psql $decomposedDatabase -}} +{{- end -}} +{{ $psql | toYaml }} +{{- end -}} + +{{/* +database.datamodel.prepare + +Result: + `.Values.local.psql` contains a fully composed datamodel of psql properties + to be passed as the context to other helpers. Which Schema you are in can + be found via `.Schema`. + +How: + - mergeOverwrite `main` into `x.psql` (if present), so that `main` is the base of future blank + - ensure `main` exists in both global and local from future blank, if not present. + - ensure `ci` exists in both global and local from future blank, if not present. + - mergeOverwrite `.global.psql` `.global.psql.x` + - mergeOverwrite `.psql` `.psql.x` + - build $context dict, with .Release .Values.global.psql .Values.psql + +Example object - + local: + psql: + main: + Schema: main + Release: # pointer to $.Release + Values: + global: + psql: # mirrored from .Values.global.psql + psql: # mirrored from .Values.psql + ci: + Schema: ci + Release: # pointer to $.Release + Values: + global: + psql: # mirrored from .Values.global.psql + psql: # mirrored from .Values.psql +*/}} +{{- define "database.datamodel.prepare" -}} +{{- if not (hasKey (get $.Values "local" | default (dict)) "psql") -}} +{{- $_ := set $.Values "local" (dict "psql" (dict)) -}} +{{- $global := mergeOverwrite (deepCopy $.Values.global.psql) (deepCopy (get $.Values.global.psql "main" | default (dict))) -}} +{{- $globalBlank := fromYaml (include "database.datamodel.blank" $global) -}} +{{- $_ := set $global "main" (deepCopy (get $.Values.global.psql "main" | default $globalBlank)) -}} +{{- $_ := set $global "ci" (deepCopy (get $.Values.global.psql "ci" | default $globalBlank)) -}} +{{- $local := mergeOverwrite (deepCopy $.Values.psql) (deepCopy (get $.Values.psql "main") | default (dict)) -}} +{{- $localBlank := fromYaml (include "database.datamodel.blank" $local) -}} +{{- $_ := set $local "main" (deepCopy (get $.Values.psql "main" | default $localBlank)) -}} +{{- $_ := set $local "ci" (deepCopy (get $.Values.psql "ci" | default $localBlank)) -}} +{{- range $decomposedDatabase := $global.knownDecompositions -}} +{{- if or (hasKey $global $decomposedDatabase) (hasKey $local $decomposedDatabase) -}} +{{- $globalSchema := mergeOverwrite (deepCopy $globalBlank) (get $global $decomposedDatabase | default (dict)) -}} +{{- $localSchema := mergeOverwrite (deepCopy $localBlank) (get $local $decomposedDatabase | default (dict)) -}} +{{- $context := dict "Schema" $decomposedDatabase "Release" $.Release "Values" (dict "global" (dict "psql" $globalSchema) "psql" ($localSchema) ) -}} +{{- $_ := set $.Values.local.psql $decomposedDatabase $context -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_defaultProjectsFeatures.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_defaultProjectsFeatures.tpl new file mode 100644 index 0000000..7554e00 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_defaultProjectsFeatures.tpl @@ -0,0 +1,11 @@ +{{- define "gitlab.appConfig.defaultProjectsFeatures.configuration" -}} +{{- with .Values.global.appConfig -}} +default_projects_features: + issues: {{ eq .defaultProjectsFeatures.issues true }} + merge_requests: {{ eq .defaultProjectsFeatures.mergeRequests true }} + wiki: {{ eq .defaultProjectsFeatures.wiki true }} + snippets: {{ eq .defaultProjectsFeatures.snippets true }} + builds: {{ eq .defaultProjectsFeatures.builds true }} + container_registry: {{ or (not (kindIs "bool" .defaultProjectsFeatures.containerRegistry)) .defaultProjectsFeatures.containerRegistry }} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.defaultProjectsFeatures.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_dependencyProxy.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_dependencyProxy.tpl new file mode 100644 index 0000000..37b4c9b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_dependencyProxy.tpl @@ -0,0 +1,17 @@ +{{/* +Generates a templated config for dependencyProxy keys in gitlab.yml. + +Usage: +{{ include "gitlab.appConfig.dependencyProxy.configuration" ( \ + dict \ + "config" .Values.path.to.dependencyProxy.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.dependencyProxy.configuration" -}} +dependency_proxy: + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + {{- if not .context.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "dependency_proxy" "config" .config "context" .context) | nindent 2 }} + {{- end }} +{{- end -}}{{/* "gitlab.appConfig.dependencyProxy.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_duo_auth.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_duo_auth.tpl new file mode 100644 index 0000000..2e5aee3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_duo_auth.tpl @@ -0,0 +1,38 @@ + +{{- define "gitlab.appConfig.duo.secretKey.key" -}} +{{ with $.Values.global.appConfig }} +{{- if .duoAuth.secretKey }} +{{- default "secretKey" $.Values.global.appConfig.duoAuth.secretKey.key -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.duo.secretKey.path" -}} +{{ with $.Values.global.appConfig }} +{{- if .duoAuth.secretKey }} + {{- printf "/etc/gitlab/duo/%s/%s" .duoAuth.secretKey.secret ( include "gitlab.appConfig.duo.secretKey.key" $) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.appConfig.duo.configuration" -}} +{{ with $.Values.global.appConfig }} +duo_auth: + enabled: {{ eq .duoAuth.enabled true }} + hostname: {{ .duoAuth.hostname }} + integration_key: {{ .duoAuth.integrationKey }} + secret_key: {{ .duoAuth.enabled | ternary (printf "<%= File.read('%s').strip.to_json() %>" (include "gitlab.duo.secretKey.path" $)) "" }} +{{- end -}} +{{- end -}} + +{{- define "gitlab.appConfig.duo.mountSecrets" -}} +{{- with $.Values.global.appConfig -}} +{{- if .duoAuth.secretKey }} +- secret: + name: {{ .duoAuth.secretKey.secret }} + items: + - key: {{ include "gitlab.appConfig.duo.secretKey.key" $ }} + path: {{ printf "duo/%s/%s" .duoAuth.secretKey.secret (include "gitlab.appConfig.duo.secretKey.key" $) }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_externaldiffs.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_externaldiffs.tpl new file mode 100644 index 0000000..e255df4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_externaldiffs.tpl @@ -0,0 +1,18 @@ +{{/* +Generates a templated config for external_diffs key in gitlab.yml. + +Usage: +{{ include "gitlab.appConfig.external_diffs.configuration" ( \ + dict \ + "config" .Values.path.to.external_diffs.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.external_diffs.configuration" -}} +external_diffs: + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + when: {{ .config.when }} + {{- if not .context.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "external_diffs" "config" .config "context" .context) | nindent 2 }} + {{- end -}} +{{- end -}}{{/* "gitlab.appConfig.external_diffs.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_geo.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_geo.tpl new file mode 100644 index 0000000..2ac73a2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_geo.tpl @@ -0,0 +1,109 @@ +{{/* ######## Geo related templates */}} +{{/* +Returns "secondary" if geo.enabled & geo.role: secondary +*/}} +{{- define "gitlab.geo.secondary" -}} +{{- with .Values.global.geo -}} +{{- if and (eq true (default false .enabled)) ( eq "secondary" (default "primary" (lower .role))) -}} +secondary +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.geo.config" -}} +{{- if .Values.global.geo.enabled -}} +geo: + node_name: {{ default "" .Values.global.geo.nodeName }} + registry_replication: + enabled: {{ eq true (default false .Values.global.geo.registry.replication.enabled) }} + primary_api_url: {{ .Values.global.geo.registry.replication.primaryApiUrl | quote }} +{{- end -}} +{{- end -}} + +{{/* +Returns the contents of the `database_geo.yml` blob + +As the Rails application checks for the existance of `database_geo.yml`, +this should not be included _at all_ unless `gitlab.geo.secondary`. As +such, we don't check that state here. +*/}} +{{- define "gitlab.geo.database.yml" -}} +geo: + adapter: postgresql + encoding: unicode + database_tasks: true + database: {{ template "gitlab.geo.psql.database" . }} + username: {{ template "gitlab.geo.psql.username" . }} + password: <%= File.read("/etc/gitlab/postgres/geo-psql-password").strip.to_json %> + host: {{ template "gitlab.geo.psql.host" . }} + port: {{ template "gitlab.geo.psql.port" . }} + # load_balancing: + # hosts: + # - host1.example.com + # - host2.example.com + {{- include "gitlab.geo.psql.ssl.config" . | nindent 2 }} +{{- end -}} + +{{/* +Returns parts for a Gitlab configuration to setup a mutual TLS connection +with the Geo PostgreSQL database. + +Consumed as part of "gitlab.geo.database.yml", no check of `global.geo.secondary` +*/}} +{{- define "gitlab.geo.psql.ssl.config" -}} +{{- if .Values.global.geo.psql.ssl }} +sslmode: verify-ca +sslrootcert: '/etc/gitlab/postgres/ssl/geo-server-ca.pem' +sslcert: '/etc/gitlab/postgres/ssl/geo-client-certificate.pem' +sslkey: '/etc/gitlab/postgres/ssl/geo-client-key.pem' +{{- end -}} +{{- end -}} + +{{/* +Returns volume definition of a secret containing information required for +a mutual TLS connection to the Geo Secondary DB. +*/}} +{{- define "gitlab.geo.psql.ssl.volume" -}} +{{- if and ( include "gitlab.geo.secondary" $ ) .Values.global.geo.psql.ssl }} +- name: geo-postgresql-ssl-secrets + projected: + defaultMode: 400 + sources: + - secret: + name: {{ .Values.global.geo.psql.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `global.geo.psql.ssl.secret`" }} + items: + - key: {{ .Values.global.geo.psql.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `global.geo.psql.ssl.serverCA`" }} + path: geo-server-ca.pem + - key: {{ .Values.global.geo.psql.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `global.geo.psql.ssl.clientCertificate`" }} + path: geo-client-certificate.pem + - key: {{ .Values.global.geo.psql.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `global.geo.psql.ssl.clientKey`" }} + path: geo-client-key.pem +{{- end -}} +{{- end -}} + +{{/* +Returns mount definition for the volume mount definition above. +*/}} +{{- define "gitlab.geo.psql.ssl.volumeMount" -}} +{{- if and ( include "gitlab.geo.secondary" $ ) .Values.global.geo.psql.ssl }} +- name: geo-postgresql-ssl-secrets + mountPath: '/etc/postgresql/geo/ssl/' + readOnly: true +{{- end -}} +{{- end -}} + +{{/* +Returns a shell script snippet, which extends the script of a configure +container to copy the mutual TLS files to the proper location. Further +it sets the permissions correctly. +*/}} +{{- define "gitlab.geo.psql.ssl.initScript" -}} +{{- if and ( include "gitlab.geo.secondary" $ ) .Values.global.geo.psql.ssl }} +if [ -d /etc/postgresql/geo/ssl ]; then + mkdir -p /${secret_dir}/postgres/ssl + cp -v -r -L /etc/postgresql/geo/ssl/* /${secret_dir}/postgres/ssl/ + chmod 600 /${secret_dir}/postgres/ssl/* + chmod 700 /${secret_dir}/postgres/ssl +fi +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_gitaly.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_gitaly.tpl new file mode 100644 index 0000000..604f47f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_gitaly.tpl @@ -0,0 +1,87 @@ +{{/* ######### Gitaly related templates */}} + +{{/* +Return gitaly host for internal statefulsets +*/}} +{{- define "gitlab.gitaly.storage.internal" -}} +{{- $releaseName := .Release.Name -}} +{{- range $i, $storage := .Values.global.gitaly.internal.names -}} +{{- $qualServiceName := (include "gitlab.gitaly.qualifiedServiceName" (dict "index" $i "context" $ ) ) -}} +{{- printf "%s:\n" $storage -}} +{{- printf "path: /var/opt/gitlab/repo\n" | indent 2 -}} +{{- if $.Values.global.gitaly.tls.enabled }} +{{- printf "gitaly_address: tls://%s.%s.svc:%d\n" $qualServiceName $.Release.Namespace 8076 -}} +{{- else }} +{{- printf "gitaly_address: tcp://%s.%s.svc:%d\n" $qualServiceName $.Release.Namespace 8075 -}} +{{- end -}} +{{- end -}} +{{- end }} + + +{{/* +Return gitaly storage for external hosts +*/}} +{{- define "gitlab.gitaly.storage.external" -}} +{{- range $i, $storage := .Values.global.gitaly.external -}} +{{- printf "%s:\n" $storage.name -}} +{{- printf "path: /var/opt/gitlab/repo\n" | indent 2 -}} +{{- if include "gitlab.boolean.local" (dict "global" $.Values.global.gitaly.tls.enabled "local" $storage.tlsEnabled "default" false) }} +{{- printf "gitaly_address: tls://%s:%d\n" $storage.hostname (default 8076 $storage.port | int64) -}} +{{- else }} +{{- printf "gitaly_address: tcp://%s:%d\n" $storage.hostname (default 8075 $storage.port | int64) -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{/* +Return the gitaly storages list +*/}} +{{- define "gitlab.gitaly.storages" -}} +{{- /* Create default entry when gitaly host specified */ -}} +{{- if .Values.global.gitaly.host -}} +default: + path: /var/opt/gitlab/repo + {{- if $.Values.global.gitaly.tls.enabled }} + gitaly_address: {{ printf "tls://%s:%d" .Values.global.gitaly.host (default 8076 .Values.global.gitaly.port | int64 ) }} + {{- else }} + gitaly_address: {{ printf "tcp://%s:%d" .Values.global.gitaly.host (default 8075 .Values.global.gitaly.port | int64 ) }} + {{- end -}} +{{- else -}} +{{- /* global.gitaly host is not specified */ -}} +{{- if eq (include "gitlab.gitaly.includeInternalResources" $) "true" -}} +{{- /* Internal default repo */ -}} +{{ template "gitlab.gitaly.storage.internal" . }} +{{- end -}} +{{- if .Values.global.gitaly.external -}} +{{- /* External repos */ -}} +{{ template "gitlab.gitaly.storage.external" . }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the number of replicas set for Gitaly statefulset +*/}} +{{- define "gitlab.gitaly.replicas" -}} +{{- if .Values.global.gitaly.host }}0{{- else }}{{ len .Values.global.gitaly.internal.names }}{{- end }} +{{- end -}} + +{{/* +Return the appropriate block for the Gitaly client secret. +This differs depending on whether or not Praefect is enabled +*/}} +{{- define "gitlab.gitaly.clientSecrets" -}} +- secret: + name: {{ include "gitlab.gitaly.authToken.secret" . }} + items: + - key: {{ include "gitlab.gitaly.authToken.key" . }} + path: gitaly/gitaly_token +{{- if .Values.global.praefect.enabled }} +- secret: + name: {{ include "gitlab.praefect.authToken.secret" . }} + items: + - key: {{ include "gitlab.praefect.authToken.key" . }} + path: gitaly/gitaly_token_praefect +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_gitlab.yaml.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_gitlab.yaml.tpl new file mode 100644 index 0000000..006400f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_gitlab.yaml.tpl @@ -0,0 +1,174 @@ +{{- define "gitlab.appConfig.gitaly" -}} +gitaly: + client_path: /home/git/gitaly/bin + token: <%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.to_json %> +{{- end -}} + +{{- define "gitlab.appConfig.repositories" -}} +repositories: + storages: # You must have at least a `default` storage path. + {{- if .Values.global.praefect.enabled }} + {{- include "gitlab.praefect.storages" . | nindent 4 }} + {{- end }} + {{- include "gitlab.gitaly.storages" . | nindent 4 }} +{{- end -}} + + +{{- define "gitlab.appConfig.microsoft_graph_mailer" -}} +microsoft_graph_mailer: + enabled: {{ eq .microsoft_graph_mailer.enabled true }} + user_id: {{ .microsoft_graph_mailer.user_id | quote }} + tenant: {{ .microsoft_graph_mailer.tenant | quote }} + client_id: {{ .microsoft_graph_mailer.client_id | quote }} + client_secret: <%= File.read('/etc/gitlab/microsoft_graph_mailer/client_secret').strip.to_json %> + azure_ad_endpoint: {{ .microsoft_graph_mailer.azure_ad_endpoint | quote }} + graph_endpoint: {{ .microsoft_graph_mailer.graph_endpoint | quote }} +{{- end -}} + +{{- define "gitlab.appConfig.incoming_email" -}} +incoming_email: + enabled: {{ eq .incomingEmail.enabled true }} + address: {{ .incomingEmail.address | quote }} + {{- if eq .incomingEmail.deliveryMethod "webhook" }} + secret_file: /etc/gitlab/mailroom/incoming_email_webhook_secret + {{- end }} +{{- end -}} + +{{- define "gitlab.appConfig.service_desk_email" -}} +service_desk_email: + enabled: {{ eq .serviceDeskEmail.enabled true }} + address: {{ .serviceDeskEmail.address | quote }} + {{- if eq .serviceDeskEmail.deliveryMethod "webhook" }} + secret_file: /etc/gitlab/mailroom/service_desk_email_webhook_secret + {{- end }} +{{- end -}} + +{{- define "gitlab.appConfig.kas" -}} +{{- if (or .Values.global.kas.enabled .Values.global.appConfig.gitlab_kas.enabled) -}} +gitlab_kas: + enabled: true + secret_file: /etc/gitlab/kas/.gitlab_kas_secret + external_url: {{ include "gitlab.appConfig.kas.externalUrl" . | quote }} + internal_url: {{ include "gitlab.appConfig.kas.internalUrl" . | quote }} +{{- end -}} +{{- end -}} + +{{- define "gitlab.appConfig.suggested_reviewers" -}} +suggested_reviewers: + secret_file: /etc/gitlab/suggested_reviewers/.gitlab_suggested_reviewers_secret +{{- end -}} + +{{- define "gitlab.appConfig.zoekt" -}} +# Zoekt secrets are present, load them. +zoekt: + username_file: /etc/gitlab/zoekt/.gitlab_zoekt_username + password_file: /etc/gitlab/zoekt/.gitlab_zoekt_password +{{- end -}} + +{{- define "gitlab.appConfig.shell" -}} +gitlab_shell: + path: /home/git/gitlab-shell/ + hooks_path: /home/git/gitlab-shell/hooks/ + upload_pack: true + receive_pack: true +{{- end -}} + +{{- define "gitlab.appConfig.shell.ssh_port" -}} +ssh_port: {{ include "gitlab.shell.port" . | int }} +{{- end -}} + +{{- define "gitlab.appConfig.shell.secret_file" -}} +secret_file: /etc/gitlab/shell/.gitlab_shell_secret +{{- end -}} + +{{- define "gitlab.appConfig.extra" -}} +extra: + {{ if .extra.googleAnalyticsId }} + google_analytics_id: {{ .extra.googleAnalyticsId | quote }} + {{- end }} + {{ if .extra.matomoUrl }} + matomo_url: {{ .extra.matomoUrl | quote }} + {{- end }} + {{ if .extra.matomoSiteId }} + matomo_site_id: {{ .extra.matomoSiteId | quote }} + {{- end }} + {{- if .extra.matomoDisableCookies }} + matomo_disable_cookies: {{ eq true .extra.matomoDisableCookies }} + {{- end }} + {{ if .extra.oneTrustId }} + one_trust_id: {{ .extra.oneTrustId | quote }} + {{- end }} + {{ if .extra.googleTagManagerNonceId }} + google_tag_manager_nonce_id: {{ .extra.googleTagManagerNonceId | quote }} + {{- end }} + {{ if .extra.bizible }} + bizible: {{ eq true .extra.bizible }} + {{- end }} +{{- end -}} + +{{- define "gitlab.appConfig.rackAttack" -}} +rack_attack: + git_basic_auth: + {{- if .Values.rack_attack.git_basic_auth.enabled }} + {{- toYaml .Values.rack_attack.git_basic_auth | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "gitlab.appConfig.cronJobs" -}} +{{- if .cron_jobs }} +cron_jobs: + {{- toYaml .cron_jobs | nindent 2 }} +{{- end }} +{{- end }} + +{{- define "gitlab.appConfig.maxRequestDurationSeconds" -}} +{{/* + Unless explicitly provided, we need to set maxRequestDurationSeconds to 95% of the + workerTimeout value specified for webservice (and use its ceiling value). + However, sprig's `mul` function does not work with floats, so a + multiplication with `0.95` is not possible. To workaround this, we do the + following + 1. Scale up the value to the order of 10000 by multiplying it + with (95 * 100). + 2. Divide the scaled up value by 10000, and the result will be an integer. + 3. If a reminder was present during the division (this is checked using + modular division), we increment the result by 1. This does the function + of `ceil` in Ruby. + 4. For example, if webservice's timeout is the default value of 60, the result + we need is 57. The various values in this workaround will be + (i) $workerTimeout = 60 + (ii) $scaledResult = 570000 + (iii) $reminder = 0 + (iv) $result = 57 + 5. Another example, if webservice's timeout is 61, the result we need is + 58 (ceiling of 0.95 * 61 = 57.95). The various values in this workaround + will be + (i) $workerTimeout = 61 + (ii) $scaledResult = 579500 + (iii) $reminder = 9500 + (iv) $result = 57 + (v) $result = 58 (because there was a remainder, result got incremented) +*/}} +{{- $workerTimeout := $.Values.global.webservice.workerTimeout }} +{{- $scaledResult := mul $workerTimeout 100 95 }} +{{- $remainder := mod $scaledResult 10000 }} +{{- $doCeil := gt $remainder 0 }} +{{- $result := div $scaledResult 10000 }} +{{- if $doCeil }} +{{- $result = add1 $result }} +{{- end }} +{{- $result }} +{{- end }} +{{/* END gitlab.appConfig.maxRequestDurationSeconds */}} + +{{/* +Generates gitlab_docs configuration. + +Usage: +{{ include "gitlab.appConfig.gitlab_docs.configuration" $ }} +*/}} +{{- define "gitlab.appConfig.gitlab_docs.configuration" -}} +gitlab_docs: + enabled: {{ eq $.Values.global.appConfig.gitlab_docs.enabled true }} + host: {{ $.Values.global.appConfig.gitlab_docs.host | quote }} +{{- end -}}{{/* "gitlab.appConfig.gitlab_docs.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_helpers.tpl new file mode 100644 index 0000000..e949239 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_helpers.tpl @@ -0,0 +1,57 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "gitlab.extraContainers" -}} +{{ tpl (default "" .Values.extraContainers) . }} +{{- end -}} + +{{- define "gitlab.extraInitContainers" -}} +{{ tpl (default "" .Values.extraInitContainers) . }} +{{- end -}} + +{{- define "gitlab.extraVolumes" -}} +{{ tpl (default "" .Values.extraVolumes) . }} +{{- end -}} + +{{- define "gitlab.extraVolumeMounts" -}} +{{ tpl (default "" .Values.extraVolumeMounts) . }} +{{- end -}} + +{{- define "gitlab.extraEnvFrom" -}} +{{- $global := deepCopy (get .root.Values.global "extraEnvFrom" | default (dict)) -}} +{{- $values := deepCopy (get .root.Values "extraEnvFrom" | default (dict)) -}} +{{- $local := deepCopy (get .local "extraEnvFrom" | default (dict)) -}} +{{- $allExtraEnvFrom := mergeOverwrite $global $values $local -}} +{{- range $key, $value := $allExtraEnvFrom }} +- name: {{ $key }} + valueFrom: +{{ toYaml $value | nindent 4 }} +{{- end -}} +{{- end -}} + +{{/* +Returns the extraEnv keys and values to inject into containers. + +Global values will override any chart-specific values. +*/}} +{{- define "gitlab.extraEnv" -}} +{{- $allExtraEnv := merge (default (dict) .Values.extraEnv) .Values.global.extraEnv -}} +{{- range $key, $value := $allExtraEnv }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} + +{{/* +Detect whether to include internal Gitaly resources. +Returns `true` when: + - Internal Gitaly is on + AND + - Either: + - Praefect is off, or + - Praefect is on, but replaceInternalGitaly is off +*/}} +{{- define "gitlab.gitaly.includeInternalResources" -}} +{{- if and .Values.global.gitaly.enabled (or (not .Values.global.praefect.enabled) (and .Values.global.praefect.enabled (not .Values.global.praefect.replaceInternalGitaly))) -}} +{{- true }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_kas.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_kas.tpl new file mode 100644 index 0000000..3ba8339 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_kas.tpl @@ -0,0 +1,76 @@ +{{/* ######### KAS related templates */}} + +{{- define "gitlab.kas.mountSecrets" -}} +{{- if (or .Values.global.kas.enabled .Values.global.appConfig.gitlab_kas.enabled) -}} +# mount secret for kas +- secret: + name: {{ template "gitlab.kas.secret" . }} + items: + - key: {{ template "gitlab.kas.key" . }} + path: kas/.gitlab_kas_secret +{{- end -}} +{{- end -}}{{/* "gitlab.kas.mountSecrets" */}} + +{{/* +Returns the KAS external hostname (for agentk connections) +If the hostname is set in `global.hosts.kas.name`, that will be returned, +otherwise the hostname will be assembed using `kas` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "gitlab.kas.hostname" -}} +{{- coalesce $.Values.global.hosts.kas.name (include "gitlab.assembleHost" (dict "name" "kas" "context" . )) -}} +{{- end -}} + +{{/* +Returns the KAS external URL (for external agentk connections) +*/}} +{{- define "gitlab.appConfig.kas.externalUrl" -}} +{{- if .Values.global.appConfig.gitlab_kas.externalUrl -}} +{{- .Values.global.appConfig.gitlab_kas.externalUrl -}} +{{- else -}} +{{- $hostname := include "gitlab.kas.hostname" . -}} +{{- if or .Values.global.hosts.https .Values.global.hosts.kas.https -}} +{{- printf "wss://%s" $hostname -}} +{{- else -}} +{{- printf "ws://%s" $hostname -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.kas.internal.scheme" -}} +{{- $tlsEnabled := "" -}} +{{- if eq .Chart.Name "kas" -}} +{{- $tlsEnabled = .Values.privateApi.tls.enabled -}} +{{- printf "%s" (ternary "grpcs" "grpc" (or (eq $tlsEnabled true) (eq $.Values.global.kas.tls.enabled true))) -}} +{{- else -}} +{{- printf "%s" (ternary "grpcs" "grpc" (eq $.Values.global.kas.tls.enabled true)) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the KAS internal URL (for GitLab backend connections) +*/}} +{{- define "gitlab.appConfig.kas.internalUrl" -}} +{{- if .Values.global.appConfig.gitlab_kas.internalUrl -}} +{{- .Values.global.appConfig.gitlab_kas.internalUrl -}} +{{- else -}} +{{- $serviceHost := include "gitlab.kas.serviceHost" . -}} +{{- $scheme := include "gitlab.kas.internal.scheme" . -}} +{{- $port := .Values.global.kas.service.apiExternalPort -}} +{{- printf "%s://%s:%s" $scheme $serviceHost (toString $port) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the KAS service host +*/}} +{{- define "gitlab.kas.serviceHost" -}} +{{- $serviceName := include "gitlab.kas.serviceName" . -}} +{{- printf "%s.%s.svc" $serviceName $.Release.Namespace -}} +{{- end -}} + +{{/* +Return the KAS service name +*/}} +{{- define "gitlab.kas.serviceName" -}} +{{- include "gitlab.other.fullname" (dict "context" . "chartName" "kas") -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_kerberos.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_kerberos.tpl new file mode 100644 index 0000000..86ab763 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_kerberos.tpl @@ -0,0 +1,31 @@ +{{- define "gitlab.appConfig.kerberos.configuration" -}} +kerberos: + enabled: {{ .Values.global.appConfig.kerberos.enabled }} + keytab: /etc/krb5.keytab +{{- if .Values.global.appConfig.kerberos.servicePrincipalName }} + service_principal_name: {{ .Values.global.appConfig.kerberos.servicePrincipalName | quote }} +{{- end }} + use_dedicated_port: {{ .Values.global.appConfig.kerberos.dedicatedPort.enabled }} + port: {{ .Values.global.appConfig.kerberos.dedicatedPort.port }} + https: {{ .Values.global.appConfig.kerberos.dedicatedPort.https }} + simple_ldap_linking_allowed_realms: {{ toJson .Values.global.appConfig.kerberos.simpleLdapLinkingAllowedRealms }} +{{- end -}}{{/* "gitlab.appConfig.kerberos.configuration" */}} + +{{- define "gitlab.appConfig.kerberos.volume" -}} +{{- if .Values.global.appConfig.kerberos.keytab.secret }} +# volume for kerberos +- name: kerberos-keytab + secret: + secretName: {{ .Values.global.appConfig.kerberos.keytab.secret }} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.kerberos.volume" */}} + +{{- define "gitlab.appConfig.kerberos.volumeMount" -}} +{{- if .Values.global.appConfig.kerberos.keytab.secret }} +# volume mount for kerberos +- mountPath: "/etc/krb5.keytab" + subPath: {{ .Values.global.appConfig.kerberos.keytab.key }} + name: kerberos-keytab + readOnly: true +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.kerberos.volumeMount" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_ldap.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_ldap.tpl new file mode 100644 index 0000000..be56c87 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_ldap.tpl @@ -0,0 +1,46 @@ +{{- define "gitlab.appConfig.ldap.configuration" -}} +{{- if not .Values.global.appConfig.ldap.servers -}} +ldap: + enabled: false +{{- else -}} +ldap: + enabled: true + prevent_ldap_sign_in: {{ eq true ( default false .Values.global.appConfig.ldap.preventSignin ) }} + servers: + {{- range $serverName, $serverConfig := .Values.global.appConfig.ldap.servers -}} + {{- include "gitlab.appConfig.ldap.servers.configuration" (dict "name" $serverName "config" $serverConfig) | nindent 4 -}} + {{- end -}} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.ldap.configuration" */}} + +{{/* +Usage example: + +{{ include "gitlab.appConfig.ldap.servers.configuration" (\ + dict \ + "name" + "config" + ) }} +*/}} +{{- define "gitlab.appConfig.ldap.servers.configuration" -}} +{{- $.name }}: +{{- toYaml (omit $.config "password") | replace "\r\n" "\n" | trimSuffix "\n" | nindent 2 -}} +{{- if and $.config.password (not (kindIs "string" $.config.password ))}} + password: <%= File.read('/etc/gitlab/ldap/{{ $.name }}/password').strip.to_json %> +{{- end -}} +{{- end -}}{{/* gitlab.appConfig.ldap.servers.configuration */}} + +{{- define "gitlab.appConfig.ldap.servers.mountSecrets" -}} +# mount secrets for LDAP +{{- if .Values.global.appConfig.ldap.servers -}} +{{- range $name, $config := .Values.global.appConfig.ldap.servers -}} +{{- if and $config.password (not (kindIs "string" $config.password ))}} +- secret: + name: {{ $config.password.secret }} + items: + - key: {{ default "password" $config.password.key }} + path: ldap/{{ $name }}/password +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.ldap.servers.mountSecrets" "*/}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_lfs.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_lfs.tpl new file mode 100644 index 0000000..50e26f6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_lfs.tpl @@ -0,0 +1,17 @@ +{{/* +Generates a templated config for lfs key in gitlab.yml. + +Usage: +{{ include "gitlab.appConfig.lfs.configuration" ( \ + dict \ + "config" .Values.path.to.lfs.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.lfs.configuration" -}} +lfs: + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + {{- if not .context.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "lfs" "config" .config "context" .context) | nindent 2 }} + {{- end }} +{{- end -}}{{/* "gitlab.appConfig.lfs.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_mailroom.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_mailroom.tpl new file mode 100644 index 0000000..6a14440 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_mailroom.tpl @@ -0,0 +1,43 @@ +{{/* ######### mailroom templates */}} + +{{- define "gitlab.appConfig.incomingEmail.mountSecrets" -}} +# mount secrets for incomingEmail +{{- if and $.Values.global.appConfig.incomingEmail.enabled (eq $.Values.global.appConfig.incomingEmail.deliveryMethod "webhook") }} +- secret: + name: {{ template "gitlab.appConfig.incomingEmail.authToken.secret" . }} + items: + - key: {{ template "gitlab.appConfig.incomingEmail.authToken.key" . }} + path: mailroom/incoming_email_webhook_secret +{{- end }} +{{- end -}}{{/* "gitlab.appConfig.incomingEmail.mountSecrets" "*/}} + +{{- define "gitlab.appConfig.serviceDeskEmail.mountSecrets" -}} +# mount secrets for serviceDeskEmail +{{- if and $.Values.global.appConfig.serviceDeskEmail.enabled (eq $.Values.global.appConfig.serviceDeskEmail.deliveryMethod "webhook") }} +- secret: + name: {{ template "gitlab.appConfig.serviceDeskEmail.authToken.secret" . }} + items: + - key: {{ template "gitlab.appConfig.serviceDeskEmail.authToken.key" . }} + path: mailroom/service_desk_email_webhook_secret +{{- end }} +{{- end -}}{{/* "gitlab.appConfig.serviceDeskEmail.mountSecrets" "*/}} + +{{/* +Return the gitlab-mailroom webhook secrets +*/}} + +{{- define "gitlab.appConfig.incomingEmail.authToken.secret" -}} +{{- default (printf "%s-incoming-email-auth-token" .Release.Name) $.Values.global.appConfig.incomingEmail.authToken.secret | quote -}} +{{- end -}} + +{{- define "gitlab.appConfig.incomingEmail.authToken.key" -}} +{{- default "authToken" $.Values.global.appConfig.incomingEmail.authToken.key | quote -}} +{{- end -}} + +{{- define "gitlab.appConfig.serviceDeskEmail.authToken.secret" -}} +{{- default (printf "%s-service-desk-email-auth-token" .Release.Name) $.Values.global.appConfig.serviceDeskEmail.authToken.secret | quote -}} +{{- end -}} + +{{- define "gitlab.appConfig.serviceDeskEmail.authToken.key" -}} +{{- default "authToken" $.Values.global.appConfig.serviceDeskEmail.authToken.key | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_minio.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_minio.tpl new file mode 100644 index 0000000..e66e35d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_minio.tpl @@ -0,0 +1,26 @@ +{{/* ######### Minio related templates */}} + +{{/* +Return the minio service endpoint +*/}} +{{- define "gitlab.minio.endpoint" -}} +{{- $name := default "minio-svc" .Values.minio.serviceName -}} +{{- $port := default 9000 .Values.minio.port | int -}} +{{- printf "http://%s-%s.%s.svc:%d" .Release.Name $name .Release.Namespace $port -}} +{{- end -}} + +{{/* +Minio has it's own secret mounting procedure, so it receives more special attention compared to normal objectStorage secret mounting. +*/}} +{{- define "gitlab.minio.mountSecrets" -}} +# mount secret for minio +{{- if .Values.global.minio.enabled }} +- secret: + name: {{ template "gitlab.minio.credentials.secret" . }} + items: + - key: accesskey + path: minio/accesskey + - key: secretkey + path: minio/secretkey +{{- end -}} +{{- end -}}{{/* "gitlab.minio.mountSecrets" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_objectStorage.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_objectStorage.tpl new file mode 100644 index 0000000..e5348e8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_objectStorage.tpl @@ -0,0 +1,110 @@ +{{/* +Generates a templated object storage config. + +Usage: +{{ include "gitlab.appConfig.objectStorage.configuration" ( \ + dict \ + "name" "STORAGE_NAME" \ + "config" .Values.path.to.objectstorage.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.objectStorage.configuration" -}} +object_store: + {{- if eq .name "object_store" }} + enabled: {{ ne (default false .config.enabled) false }} + {{- else }} + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + remote_directory: {{ .config.bucket }} + {{- end }} + {{- if ne .name "pages" }} + proxy_download: {{ or (not (kindIs "bool" .config.proxy_download)) .config.proxy_download }} + {{- end }} + {{- if and .config.enabled .config.storage_options }} + storage_options: + server_side_encryption: {{ .config.storage_options.server_side_encryption }} + server_side_encryption_kms_key_id: {{ .config.storage_options.server_side_encryption_kms_key_id }} + {{- end -}} + {{- if and .config.enabled .config.connection }} + connection: <%= YAML.load_file("/etc/gitlab/objectstorage/{{ .name }}").to_json() %> + {{- else if and .config.enabled .context.Values.global.minio.enabled }} + {{- include "gitlab.appConfig.objectStorage.connection.minio" . | nindent 2 }} + {{- end -}} + {{- if and .config.enabled .config.cdn (eq .name "artifacts") }} + cdn: <%= YAML.load_file("/etc/gitlab/objectstorage/cdn/{{ .name }}").to_json %> + {{- end -}} +{{- end -}}{{/* "gitlab.appConfig.objectStorage.configuration" */}} + +{{/* +Generates a templated object storage connection settings for Minio. + +Usage: +{{ include "gitlab.appConfig.objectStorage.connection.minio" ( \ + dict \ + "name" "STORAGE_NAME" \ + "config" .Values.path.to.objectstorage.config \ + ) }} +*/}} +{{- define "gitlab.appConfig.objectStorage.connection.minio" -}} +connection: + provider: AWS + region: us-east-1 + host: {{ template "gitlab.minio.hostname" .context }} + endpoint: {{ template "gitlab.minio.endpoint" .context }} + path_style: true + aws_access_key_id: <%= File.read('/etc/gitlab/minio/accesskey').strip.to_json %> + aws_secret_access_key: <%= File.read('/etc/gitlab/minio/secretkey').strip.to_json %> +{{- end }} + + +{{/* +Generates a templated object storage secrets mounts. + +Usage: +{{ include "gitlab.appConfig.objectStorage.mountSecrets" ( \ + dict \ + "name" "STORAGE_NAME" \ + "config" .Values.path.to.objectstorage.config \ + ) }} +*/}} +{{- define "gitlab.appConfig.objectStorage.mountSecrets" -}} +# mount secret for {{ .name }} +{{- if .config.connection }} +- secret: + name: {{ .config.connection.secret }} + items: + - key: {{ default "connection" .config.connection.key }} + path: objectstorage/{{ .name }} +{{- end -}} +{{- if and .config.cdn (eq .name "artifacts") }} +- secret: + name: {{ .config.cdn.secret }} + items: + - key: {{ default "cdn" .config.cdn.key }} + path: objectstorage/cdn/{{ .name }} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.objectStorage.mountSecrets" */}} + + +{{/* +Generates a templated object storage bucket config + +Usage: +{{ include "gitlab.appConfig.objectStorage.object" ( \ + dict \ + "name" "STORAGE_NAME" \ + "config" .Values.path.to.objectstorage.config \ + ) }} +*/}} +{{- define "gitlab.appConfig.objectStorage.object" -}} +{{- if default false .config.enabled -}} +{{ .name }}: + bucket: {{ .config.bucket }} +{{- if kindIs "bool" .config.proxy_download }} + proxy_download: {{ .config.proxy_download }} +{{- end -}} +{{- if and .config.cdn (eq .name "artifacts") }} + cdn: <%= YAML.load_file("/etc/gitlab/objectstorage/cdn/{{ .name }}").to_json %> +{{- end -}} +{{- end -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_omniauth.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_omniauth.tpl new file mode 100644 index 0000000..9f4c2c5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_omniauth.tpl @@ -0,0 +1,48 @@ +{{- define "gitlab.appConfig.omniauth.configuration" -}} +{{ with $.Values.global.appConfig }} +omniauth: + enabled: {{ .omniauth.enabled }} + {{- if .omniauth.autoSignInWithProvider }} + auto_sign_in_with_provider: {{ .omniauth.autoSignInWithProvider | quote }} + {{- end }} + sync_profile_from_provider: {{ toJson .omniauth.syncProfileFromProvider }} + sync_profile_attributes: {{ toJson .omniauth.syncProfileAttributes }} + allow_single_sign_on: {{ toJson .omniauth.allowSingleSignOn }} + block_auto_created_users: {{ .omniauth.blockAutoCreatedUsers }} + auto_link_ldap_user: {{ .omniauth.autoLinkLdapUser }} + auto_link_saml_user: {{ .omniauth.autoLinkSamlUser }} + {{- if .omniauth.autoLinkUser }} + auto_link_user: {{ toJson .omniauth.autoLinkUser }} + {{- end }} + external_providers: {{ .omniauth.externalProviders }} + {{- if .omniauth.allowBypassTwoFactor }} + allow_bypass_two_factor: {{ toJson .omniauth.allowBypassTwoFactor }} + {{- end -}} + {{- if .omniauth.providers }} + providers: + {{- range $index, $entry := .omniauth.providers }} + {{- if $entry.secret }} + - <%= YAML.load_file({{ printf "/etc/gitlab/omniauth/%s/%s" $entry.secret (default "provider" $entry.key) | quote }}).to_json() %> + {{- else }} + - {{ toJson $entry }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.omniauth.configuration" */}} + +{{- define "gitlab.appConfig.omniauth.mountSecrets" -}} +{{- with $.Values.global.appConfig -}} +{{- if .omniauth.providers }} +{{- range $index, $entry := .omniauth.providers }} +{{- if hasKey $entry "secret" }} +- secret: + name: {{ $entry.secret }} + items: + - key: {{ default "provider" $entry.key }} + path: {{ printf "omniauth/%s/%s" $entry.secret (default "provider" $entry.key) | quote }} +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.omniauth.mountSecrets" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_packages.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_packages.tpl new file mode 100644 index 0000000..5f67568 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_packages.tpl @@ -0,0 +1,17 @@ +{{/* +Generates a templated config for packages key in gitlab.yml. + +Usage: +{{ include "gitlab.appConfig.packages.configuration" ( \ + dict \ + "config" .Values.path.to.packages.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.packages.configuration" -}} +packages: + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + {{- if not .context.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "packages" "config" .config "context" .context) | nindent 2 }} + {{- end }} +{{- end -}}{{/* "gitlab.appConfig.packages.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_pages.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_pages.tpl new file mode 100644 index 0000000..72ee056 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_pages.tpl @@ -0,0 +1,99 @@ +{{/* ######## GitLab Pages related templates */}} + +{{/* +Returns the pages entry for gitlab.yml of Rails-based containers. +*/}} +{{- define "gitlab.pages.config" -}} +pages: + enabled: {{ or (eq $.Values.global.pages.enabled true) (not (empty $.Values.global.pages.host)) }} + access_control: {{ eq $.Values.global.pages.accessControl true }} + artifacts_server: {{ eq $.Values.global.pages.artifactsServer true }} + path: {{ default "/srv/gitlab/shared/pages" $.Values.global.pages.path }} + host: {{ template "gitlab.pages.hostname" $ }} + port: {{ default ( eq "true" (include "gitlab.pages.https" $) | ternary 443 80 ) $.Values.global.pages.port | int }} + https: {{ eq "true" (include "gitlab.pages.https" $) }} + secret_file: /etc/gitlab/pages/secret + external_http: {{ not (empty $.Values.global.pages.externalHttp) }} + external_https: {{ not (empty $.Values.global.pages.externalHttps) }} + {{- if not $.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "pages" "config" $.Values.global.pages.objectStore "context" $ ) | nindent 2 }} + {{- end }} + local_store: + enabled: {{ $.Values.global.pages.localStore.enabled }} + path: {{ $.Values.global.pages.localStore.path }} +{{- end -}} + +{{- define "gitlab.pages.mountSecrets" }} +{{- if or (eq $.Values.global.pages.enabled true) (not (empty $.Values.global.pages.host)) }} +- secret: + name: {{ template "gitlab.pages.apiSecret.secret" . }} + items: + - key: {{ template "gitlab.pages.apiSecret.key" . }} + path: pages/secret +{{- end -}} +{{- end -}} + +{{/* +Returns the Pages hostname. +If the hostname is set in `global.hosts.pages.name`, that will be returned, +otherwise the hostname will be assembed using `pages` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "gitlab.pages.hostname" -}} +{{- coalesce $.Values.global.pages.host $.Values.global.hosts.pages.name (include "gitlab.assembleHost" (dict "name" "pages" "context" . )) -}} +{{- end -}} + +{{/* +Returns consolidated `pages.https` as "true" or "" + +This pulls together, in this order, accounting for `false` boolean values: +- if global.pages.https is set, use that. +- if global.hosts.pages.https is set, use that. +- if global.hosts.https is set use that. +- if somehow all are unset, return `true` + +See gitlab.boolean.local @ /templates/_boolean.tpl +*/}} +{{- define "gitlab.pages.https" -}} +{{- $global := pluck "https" $.Values.global.hosts.pages $.Values.global.hosts | first -}} +{{- include "gitlab.boolean.local" (dict "global" $global "local" $.Values.global.pages.https "default" true) -}} +{{- end -}} + +{{/* +Return the Pages artifacts server URL. +If the chart Pages artifacts server URL is provided, it will use that, +otherwise it will fallback to the API v4 endpoint of GitLab domain. +*/}} +{{- define "gitlab.pages.artifactsServer" -}} +{{- if .Values.artifactsServerUrl -}} +{{ .Values.artifactsServerUrl }} +{{- else -}} +{{ template "gitlab.pages.internalGitlabServer" . }}/api/v4 +{{- end -}} +{{- end -}} + +{{/* +Return the GitLab server URL Pages should contact. +If the chart Pages GitLab server URL is provided, it will use that, +otherwise it will fallback to the public GitLab URL of GitLab. +*/}} +{{- define "gitlab.pages.gitlabServer" -}} +{{- if .Values.gitlabServer -}} +{{ .Values.gitlabServer }} +{{- else -}} +{{- template "gitlab.gitlab.url" . }} +{{- end -}} +{{- end -}} + +{{/* +Return the Internal GitLab server URL Pages should contact. +If the chart Pages GitLab server URL is provided, it will use that, +otherwise it will fallback to the Service of the GitLab Workhorse deployed in the +cluster. +*/}} +{{- define "gitlab.pages.internalGitlabServer" -}} +{{- if .Values.internalGitlabServer -}} +{{ .Values.internalGitlabServer }} +{{- else -}} +{{ template "gitlab.workhorse.url" . }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_postgresql.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_postgresql.tpl new file mode 100644 index 0000000..0f6074e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_postgresql.tpl @@ -0,0 +1,86 @@ +{{/* +Returns parts for a Gitlab configuration to setup a mutual TLS connection +with the PostgreSQL database. +*/}} +{{- define "gitlab.psql.ssl.config" -}} +{{- if .Values.global.psql.ssl }} +sslmode: verify-ca +sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem' +sslcert: '/etc/gitlab/postgres/ssl/client-certificate.pem' +sslkey: '/etc/gitlab/postgres/ssl/client-key.pem' +{{- end -}} +{{- end -}} + +{{/* +Returns volume definition of a secret containing information required for +a mutual TLS connection. +*/}} +{{- define "gitlab.psql.ssl.volume" -}} +{{- if .Values.global.psql.ssl }} +- name: postgresql-ssl-secrets + projected: + defaultMode: 400 + sources: + - secret: + name: {{ .Values.global.psql.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `global.psql.ssl.secret`" }} + items: + - key: {{ .Values.global.psql.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `global.psql.ssl.serverCA`" }} + path: server-ca.pem + - key: {{ .Values.global.psql.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `global.psql.ssl.clientCertificate`" }} + path: client-certificate.pem + - key: {{ .Values.global.psql.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `global.psql.ssl.clientKey`" }} + path: client-key.pem +{{- end -}} +{{- end -}} + +{{/* +Returns mount definition for the volume mount definition above. +*/}} +{{- define "gitlab.psql.ssl.volumeMount" -}} +{{- if .Values.global.psql.ssl }} +- name: postgresql-ssl-secrets + mountPath: '/etc/postgresql/ssl/' + readOnly: true +{{- end -}} +{{- end -}} + +{{/* +Returns a shell script snippet, which extends the script of a configure +container to copy the mutual TLS files to the proper location. Further +it sets the permissions correctly. +*/}} +{{- define "gitlab.psql.ssl.initScript" -}} +{{- if .Values.global.psql.ssl }} +if [ -d /etc/postgresql/ssl ]; then + mkdir -p /${secret_dir}/postgres/ssl + cp -v -r -L /etc/postgresql/ssl/* /${secret_dir}/postgres/ssl/ + chmod 600 /${secret_dir}/postgres/ssl/* + chmod 700 /${secret_dir}/postgres/ssl +fi +{{- end -}} +{{- end -}} +{{/* +Returns the K8s Secret definition for the PostgreSQL password. +*/}} +{{- define "gitlab.psql.secret" -}} +{{- $useSecret := include "gitlab.boolean.local" (dict "local" (pluck "useSecret" (index .Values.psql "password") | first) "global" .Values.global.psql.password.useSecret "default" true) -}} +{{- if $useSecret -}} +- secret: + name: {{ template "gitlab.psql.password.secret" . }} + items: + - key: {{ template "gitlab.psql.password.key" . }} + path: postgres/psql-password-{{ .Schema }} +{{- end -}} +{{- end -}} + +{{/* +Returns the single-quoted path to the file where the PostgreSQL password is stored. +*/}} +{{- define "gitlab.psql.password.file" -}} +{{- $useSecret := include "gitlab.boolean.local" (dict "local" (pluck "useSecret" (index .Values.psql "password") | first) "global" .Values.global.psql.password.useSecret "default" true) -}} +{{- if not $useSecret -}} +{{- pluck "file" (index .Values.psql "password") (.Values.global.psql.password) | first | squote -}} +{{- else -}} +{{- printf "/etc/gitlab/postgres/psql-password-%s" .Schema | squote -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_praefect.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_praefect.tpl new file mode 100644 index 0000000..c0f9345 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_praefect.tpl @@ -0,0 +1,51 @@ +{{/* +Return the default praefect storage line for gitlab.yml +*/}} +{{- define "gitlab.praefect.storages" -}} +{{- $scheme := "tcp" -}} +{{- $port := include "gitlab.praefect.externalPort" $ -}} +{{- if $.Values.global.praefect.tls.enabled -}} +{{- $scheme = "tls" -}} +{{- $port = include "gitlab.praefect.tls.externalPort" $ -}} +{{- end }} +{{- range $.Values.global.praefect.virtualStorages }} +{{ .name }}: + path: /var/opt/gitlab/repo + gitaly_address: {{ printf "%s" $scheme }}://{{ template "gitlab.praefect.serviceName" $ }}.{{$.Release.Namespace}}.svc:{{ $port }} + gitaly_token: <%= File.read('/etc/gitlab/gitaly/gitaly_token_praefect').strip.to_json %> +{{- end }} +{{- end -}} + +{{/* +Return the resolvable name of the praefect service +*/}} +{{- define "gitlab.praefect.serviceName" -}} +{{- coalesce .Values.serviceName .Values.global.praefect.serviceName (printf "%s-praefect" $.Release.Name) -}} +{{- end -}} + +{{/* +Return the service name for Gitaly when Praefect is enabled + +Call: + +``` +include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) +``` +*/}} +{{- define "gitlab.praefect.gitaly.serviceName" -}} +{{ include "gitlab.gitaly.serviceName" .context }}-{{ .name }} +{{- end -}} + +{{/* +Return the qualified service name for a given Gitaly pod. + +Call: + +``` +include "gitlab.praefect.gitaly.qualifiedServiceName" (dict "context" $ "index" $i "name" .name) +``` +*/}} +{{- define "gitlab.praefect.gitaly.qualifiedServiceName" -}} +{{- $name := include "gitlab.praefect.gitaly.serviceName" (dict "context" .context "name" .name) -}} +{{ $name }}-{{ .index }}.{{ $name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_rails.redis.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_rails.redis.tpl new file mode 100644 index 0000000..f0cbc92 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_rails.redis.tpl @@ -0,0 +1,156 @@ +{{/* ######### Redis related templates for Rails consumption */}} + +{{/* +Render a Redis `resque` format configuration for Rails. +Input: dict "context" $ "name" string +*/}} +{{- define "gitlab.rails.redis.yaml" -}} +{{- if $cluster := include "gitlab.redis.cluster" .context -}} +{{ .name }}.yml.erb: | + production: + {{- include "gitlab.redis.cluster.user" .context | nindent 4 }} + {{- include "gitlab.redis.cluster.password" .context | nindent 4 }} + {{- $cluster | nindent 4 }} + id: +{{- else -}} +{{ .name }}.yml.erb: | + production: + url: {{ template "gitlab.redis.url" .context }} + {{- include "gitlab.redis.sentinels" .context | nindent 4 }} + id: + {{- if eq .name "cable" }} + adapter: redis + {{- if index .context.Values.global.redis "actioncable" }} + channel_prefix: {{ .context.Values.global.redis.actioncable.channelPrefix }} + {{- end }} + {{- end }} +{{- end -}} +{{- $_ := set .context "redisConfigName" "" }} +{{- end -}} + +{{- define "gitlab.rails.redis.resque" -}} +{{- $_ := set $ "redisConfigName" "" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "resque") -}} +{{- end -}} + +{{- define "gitlab.rails.redis.cache" -}} +{{- if .Values.global.redis.cache -}} +{{- $_ := set $ "redisConfigName" "cache" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.cache") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.clusterCache" -}} +{{- if .Values.global.redis.clusterCache -}} +{{- $_ := set $ "redisConfigName" "clusterCache" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.cluster_cache") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.sharedState" -}} +{{- if .Values.global.redis.sharedState -}} +{{- $_ := set $ "redisConfigName" "sharedState" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.shared_state") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.traceChunks" -}} +{{- if .Values.global.redis.traceChunks -}} +{{- $_ := set $ "redisConfigName" "traceChunks" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.trace_chunks") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.queues" -}} +{{- if .Values.global.redis.queues -}} +{{- $_ := set $ "redisConfigName" "queues" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.queues") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.rateLimiting" -}} +{{- if .Values.global.redis.rateLimiting -}} +{{- $_ := set $ "redisConfigName" "rateLimiting" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.rate_limiting") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.clusterRateLimiting" -}} +{{- if .Values.global.redis.clusterRateLimiting -}} +{{- $_ := set $ "redisConfigName" "clusterRateLimiting" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.cluster_rate_limiting") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.sessions" -}} +{{- if .Values.global.redis.sessions -}} +{{- $_ := set $ "redisConfigName" "sessions" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.sessions") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.repositoryCache" -}} +{{- if .Values.global.redis.repositoryCache -}} +{{- $_ := set $ "redisConfigName" "repositoryCache" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.repository_cache") -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.workhorse" -}} +{{- if .Values.global.redis.workhorse -}} +{{- $_ := set $ "redisConfigName" "workhorse" }} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "redis.workhorse") -}} +{{- end -}} +{{- end -}} + +{{/* +cable.yml configuration +If no `global.redis.actioncable`, use `global.redis` +*/}} +{{- define "gitlab.rails.redis.cable" -}} +{{- if .Values.global.redis.actioncable -}} +{{- $_ := set $ "redisConfigName" "actioncable" }} +{{- end -}} +{{- include "gitlab.rails.redis.yaml" (dict "context" $ "name" "cable") -}} +{{- end -}} + +{{- define "gitlab.rails.redisYmlOverride" -}} +{{- if .Values.global.redis.redisYmlOverride -}} +{{- $redisYmlOverride := deepCopy .Values.global.redis.redisYmlOverride -}} +{{- range $redis, $settings := $redisYmlOverride -}} +{{- if kindIs "map" $settings -}} +{{- $_ := set $ "redisConfigName" $redis -}} +{{- $_ := set $ "usingOverride" true -}} +{{- $password := include "gitlab.redis.url.password" $ | trimPrefix ":" | trimSuffix "@" -}} +{{- if kindIs "map" (dig $.redisConfigName "password" "" $.Values.global.redis.redisYmlOverride) -}} +{{- if dig "password" "enabled" true $settings -}} +{{- $_ := set $settings "password" $password -}} +{{- else -}} +{{- $_ := unset $settings "password" -}} +{{- end -}} +{{- end -}} +{{- $_ := set $redisYmlOverride $redis $settings -}} +{{- $_ := set $ "redisConfigName" "" -}} +{{- $_ := set $ "usingOverride" false -}} +{{- end -}} +{{- end -}} +redis.yml.erb: | + production: {{ toYaml $redisYmlOverride | nindent 4 }} +{{- end -}} +{{- end -}} + +{{- define "gitlab.rails.redis.all" -}} +{{ include "gitlab.rails.redis.resque" . }} +{{ include "gitlab.rails.redis.cache" . }} +{{ include "gitlab.rails.redis.clusterCache" . }} +{{ include "gitlab.rails.redis.sharedState" . }} +{{ include "gitlab.rails.redis.queues" . }} +{{ include "gitlab.rails.redis.cable" . }} +{{ include "gitlab.rails.redis.traceChunks" . }} +{{ include "gitlab.rails.redis.rateLimiting" . }} +{{ include "gitlab.rails.redis.clusterRateLimiting" . }} +{{ include "gitlab.rails.redis.sessions" . }} +{{ include "gitlab.rails.redis.repositoryCache" . }} +{{ include "gitlab.rails.redis.workhorse" . }} +{{ include "gitlab.rails.redisYmlOverride" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_redis.cluster.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_redis.cluster.tpl new file mode 100644 index 0000000..d615d91 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_redis.cluster.tpl @@ -0,0 +1,48 @@ +{{/* ######### Redis Cluster related templates */}} + +{{/* +Return redis cluster user +*/}} +{{- define "gitlab.redis.cluster.user" -}} +{{- include "gitlab.redis.clusterConfig" . -}} +{{- if .redisClusterConfig.user -}} +username: {{ .redisClusterConfig.user }} +{{- end -}} +{{- end -}} + +{{/* +Return redis cluster password +*/}} +{{- define "gitlab.redis.cluster.password" -}} +{{- include "gitlab.redis.clusterConfig" . -}} +{{- if .redisClusterConfig.password -}} +{{- if .redisClusterConfig.password.enabled -}} +password: <%= File.read("/etc/gitlab/redis/{{ printf "%s-password" (default "redis" .redisConfigName) }}").strip.to_json %> +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Build the structure describing redis cluster +*/}} +{{- define "gitlab.redis.cluster" -}} +{{- include "gitlab.redis.clusterConfig" . -}} +{{- if .redisClusterConfig.cluster -}} +cluster: +{{- range $i, $entry := .redisClusterConfig.cluster }} + - host: {{ $entry.host }} + port: {{ default 6379 $entry.port }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Set redisClusterConfig, we do _not_ support inheriting from global config if the `cluster` key is set. +*/}} +{{- define "gitlab.redis.clusterConfig" -}} +{{- if .redisConfigName }} +{{- $_ := set . "redisClusterConfig" ( index .Values.global.redis .redisConfigName | default (dict) ) -}} +{{- else -}} +{{- $_ := set . "redisClusterConfig" (dict) -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_redis.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_redis.tpl new file mode 100644 index 0000000..4c6a126 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_redis.tpl @@ -0,0 +1,168 @@ +{{/* ######### Redis related templates */}} + +{{/* +Return the redis hostname +If the redis host is provided, it will use that, otherwise it will fallback +to the service name +*/}} +{{- define "gitlab.redis.host" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- if .redisMergedConfig.host -}} +{{- .redisMergedConfig.host -}} +{{- else -}} +{{- $name := default "redis" .Values.redis.serviceName -}} +{{- $redisRelease := .Release.Name -}} +{{- if contains $name $redisRelease -}} +{{- $redisRelease = .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $redisRelease = printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- printf "%s-master.%s.svc" $redisRelease .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Return the redis port +If the redis port is provided, it will use that, otherwise it will fallback +to 6379 default +*/}} +{{- define "gitlab.redis.port" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- default 6379 .redisMergedConfig.port -}} +{{- end -}} + +{{/* +Return the redis scheme, or redis. Allowing people to use rediss clusters +*/}} +{{- define "gitlab.redis.scheme" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- $valid := list "redis" "rediss" "tcp" -}} +{{- $name := default "redis" .redisMergedConfig.scheme -}} +{{- if has $name $valid -}} +{{ $name }} +{{- else -}} +{{ cat "Invalid redis scheme" $name | fail }} +{{- end -}} +{{- end -}} + +{{/* +Return the redis url. +*/}} +{{- define "gitlab.redis.url" -}} +{{ template "gitlab.redis.scheme" . }}://{{ template "gitlab.redis.url.user" . }}{{ template "gitlab.redis.url.password" . }}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }} +{{- end -}} + +{{/* +Return the user section of the Redis URI, if needed. +*/}} +{{- define "gitlab.redis.url.user" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{ .redisMergedConfig.user }} +{{- end -}} + +{{/* +Return the password section of the Redis URI, if needed. +*/}} +{{- define "gitlab.redis.url.password" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- $password := printf "%s-%spassword" (default "redis" .redisConfigName) (ternary "override-" "" (default false .usingOverride)) -}} +{{- if .redisMergedConfig.password.enabled -}}:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/{{ $password }}").strip) %>@{{- end -}} +{{- end -}} + +{{/* +Build the structure describing sentinels +*/}} +{{- define "gitlab.redis.sentinels" -}} +{{- include "gitlab.redis.selectedMergedConfig" . -}} +{{- if .redisMergedConfig.sentinels -}} +sentinels: +{{- range $i, $entry := .redisMergedConfig.sentinels }} + - host: {{ $entry.host }} + port: {{ default 26379 $entry.port }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/*Set redisMergedConfig*/}} +{{- define "gitlab.redis.selectedMergedConfig" -}} +{{- if .redisConfigName }} +{{- $_ := set . "redisMergedConfig" ( index .Values.global.redis .redisConfigName ) -}} +{{- else -}} +{{- $_ := set . "redisMergedConfig" .Values.global.redis -}} +{{- end -}} +{{- if not (kindIs "map" (get $.redisMergedConfig "password")) -}} +{{- $_ := set $.redisMergedConfig "password" $.Values.global.redis.auth -}} +{{- end -}} +{{- range $key := keys $.Values.global.redis.auth -}} +{{- if not (hasKey $.redisMergedConfig.password $key) -}} +{{- $_ := set $.redisMergedConfig.password $key (index $.Values.global.redis.auth $key) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return Sentinel list in format for Workhorse +*/}} +{{- define "gitlab.redis.workhorse.sentinel-list" }} +{{- include "gitlab.redis.selectedMergedConfig" . -}} +{{- $sentinelList := list }} +{{- range $i, $entry := .redisMergedConfig.sentinels }} + {{- $sentinelList = append $sentinelList (quote (print "tcp://" (trim $entry.host) ":" ( default 26379 $entry.port | int ) ) ) }} +{{- end }} +{{- $sentinelList | join "," }} +{{- end -}} + + +{{/* +Takes a dict with `globalContext` and `instances` as keys. The former specifies +the root context `$`, and the latter a list of instances to mount secrets for. +If instances is not specified, we mount secrets for all enabled Redis +instances. +*/}} +{{- define "gitlab.redis.secrets" -}} +{{- $ := .globalContext }} +{{- $mountRedisYmlOverrideSecrets := true }} +{{- if hasKey . "mountRedisYmlOverrideSecrets" }} +{{- $mountRedisYmlOverrideSecrets = .mountRedisYmlOverrideSecrets }} +{{- end }} +{{- $redisInstances := list "cache" "clusterCache" "sharedState" "queues" "actioncable" "traceChunks" "rateLimiting" "clusterRateLimiting" "sessions" "repositoryCache" "workhorse" }} +{{- if .instances }} +{{- $redisInstances = splitList " " .instances }} +{{- end }} +{{- range $redis := $redisInstances -}} +{{- if index $.Values.global.redis $redis -}} +{{- $_ := set $ "redisConfigName" $redis }} +{{ include "gitlab.redis.secret" $ }} +{{- end }} +{{- end -}} + +{{/* Include `global.redis.redisYmlOverride`'s secrets */}} +{{/* reset 'redisConfigName', to get global.redis.redisYmlOverride's Secret item */}} +{{- $_ := set $ "redisConfigName" "" }} +{{- if and $mountRedisYmlOverrideSecrets $.Values.global.redis.redisYmlOverride -}} +{{- $_ := set $ "usingOverride" true }} +{{- range $key, $redis := $.Values.global.redis.redisYmlOverride }} +{{- $_ := set $ "redisConfigName" $key }} +{{ include "gitlab.redis.secret" $ }} +{{- end }} +{{- end -}} +{{- $_ := set $ "usingOverride" false }} +{{/* Include global Redis secrets */}} +{{/* reset 'redisConfigName', to get global.redis.auth's Secret item */}} +{{- $_ := set $ "redisConfigName" "" }} +{{- if eq (include "gitlab.redis.password.enabled" $) "true" }} +{{ include "gitlab.redis.secret" $ }} +{{- end }} +{{- end -}} + +{{- define "gitlab.redis.secret" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- if .redisMergedConfig.password.enabled }} +{{- $passwordPath := printf "%s-%spassword" (default "redis" .redisConfigName) (ternary "override-" "" (default false .usingOverride)) -}} +- secret: + name: {{ template "gitlab.redis.password.secret" . }} + items: + - key: {{ template "gitlab.redis.password.key" . }} + path: redis/{{ $passwordPath }} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_registry.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_registry.tpl new file mode 100644 index 0000000..6680086 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_registry.tpl @@ -0,0 +1,82 @@ +{{/* ######### Registry related templates */}} + +{{/* +Returns the Registry hostname. +If the hostname is set in `global.hosts.registry.name`, that will be returned, +otherwise the hostname will be assembed using `registry` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "gitlab.registry.hostname" -}} +{{- $registryHost := pluck "host" (default (dict) .Values.registry) .Values.global.registry | first -}} +{{- coalesce $registryHost .Values.global.hosts.registry.name (include "gitlab.assembleHost" (dict "name" "registry" "context" . )) -}} +{{- end -}} + +{{/* +Return the registry api hostname +If the registry api host is provided, it will use that, otherwise it will fallback +to the service name +*/}} +{{- define "gitlab.registry.api.host" -}} +{{- $localRegistry := default (dict) .Values.registry -}} +{{- $localRegistryApi := dig "api" (dict) $localRegistry -}} +{{- $globalRegistryApi := dig "registry" "api" (dict) .Values.global -}} +{{- if or $localRegistryApi.host $globalRegistryApi.host -}} +{{- coalesce $localRegistryApi.host $globalRegistryApi.host -}} +{{- else -}} +{{- $name := coalesce $localRegistryApi.serviceName $globalRegistryApi.serviceName .Values.global.hosts.registry.serviceName -}} +{{- $name = printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- printf "%s.%s.svc" $name .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Return the registry api port +If the registry api port is provided, it will use that, otherwise it will fallback +to the service default +*/}} +{{- define "gitlab.registry.api.port" -}} +{{- $localRegistry := default (dict) .Values.registry -}} +{{- $localRegistryApi := dig "api" (dict) $localRegistry -}} +{{- $globalRegistryApi := dig "registry" "api" (dict) .Values.global -}} +{{- coalesce .Values.global.hosts.registry.servicePort $localRegistryApi.port $globalRegistryApi.port "5000" -}} +{{- end -}} + +{{/* +Return the registry api protocol +If the registry api protocol is provided, it will use that, otherwise it will fallback +to the service default +*/}} +{{- define "gitlab.registry.api.protocol" -}} +{{- $localRegistry := default (dict) .Values.registry -}} +{{- $localRegistryApi := dig "api" (dict) $localRegistry -}} +{{- $globalRegistryApi := dig "registry" "api" (dict) .Values.global -}} +{{- coalesce .Values.global.hosts.registry.protocol $localRegistryApi.protocol $globalRegistryApi.protocol "http" -}} +{{- end -}} + + +{{/* +Return the registry api url +*/}} +{{- define "gitlab.registry.api.url" -}} +{{- $scheme := include "gitlab.registry.api.protocol" . -}} +{{- $host := include "gitlab.registry.api.host" . -}} +{{- $port := include "gitlab.registry.api.port" . -}} +{{ printf "%s://%s:%s" $scheme $host $port }} +{{- end -}} + +{{- define "gitlab.appConfig.registry.configuration" -}} +{{- $registryPort := pluck "port" (default (dict) .Values.registry) .Values.global.registry | first -}} +{{- $localRegistry := default (dict) .Values.registry -}} +{{- $localRegistryEnabled := dig "enabled" false $localRegistry -}} +{{- $globalRegistryEnabled := dig "registry" "enabled" false .Values.global -}} +{{- $registryTokenIssuer := pluck "tokenIssuer" (default (dict) .Values.registry) .Values.global.registry | first -}} +registry: + enabled: {{ or (not (kindIs "bool" $localRegistryEnabled )) (not (kindIs "bool" $globalRegistryEnabled )) $localRegistryEnabled $globalRegistryEnabled }} + host: {{ template "gitlab.registry.hostname" . }} + {{- if $registryPort }} + port: {{ $registryPort }} + {{- end }} + api_url: {{ template "gitlab.registry.api.url" . }} + key: /etc/gitlab/registry/gitlab-registry.key + issuer: {{ default "gitlab-issuer" $registryTokenIssuer }} + notification_secret: <%= YAML.load_file("/etc/gitlab/registry/notificationSecret").flatten.first %> +{{- end -}}{{/* "gitlab.appConfig.registry.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_sentry.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_sentry.tpl new file mode 100644 index 0000000..dd919b5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_sentry.tpl @@ -0,0 +1,13 @@ +{{/* +Generates sentry configuration. + +Usage: +{{ include "gitlab.appConfig.sentry.configuration" $ }} +*/}} +{{- define "gitlab.appConfig.sentry.configuration" -}} +sentry: + enabled: {{ eq $.Values.global.appConfig.sentry.enabled true }} + dsn: {{ $.Values.global.appConfig.sentry.dsn }} + clientside_dsn: {{ $.Values.global.appConfig.sentry.clientside_dsn }} + environment: {{ $.Values.global.appConfig.sentry.environment }} +{{- end -}}{{/* "gitlab.appConfig.sentry.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_serviceAccount.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_serviceAccount.tpl new file mode 100644 index 0000000..322f9a5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_serviceAccount.tpl @@ -0,0 +1,10 @@ +{{/* ######### serviceAccount template */}} + +{{/* +Return the sub-chart serviceAccount name +If that is not present it will use the global chart serviceAccount name +Failing that a serviceAccount will be generated automatically +*/}} +{{- define "gitlab.serviceAccount.name" -}} +{{- coalesce .Values.serviceAccount.name .Values.global.serviceAccount.name ( include "fullname" . ) -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_sidekiq.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_sidekiq.tpl new file mode 100644 index 0000000..4301f9d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_sidekiq.tpl @@ -0,0 +1,21 @@ +{{/* +Generates sidekiq (client) configuration. + +Usage: +{{ include "gitlab.appConfig.sidekiq.configuration" $ }} +*/}} +{{- define "gitlab.appConfig.sidekiq.configuration" -}} +{{- with $.Values.global.appConfig.sidekiq }} +sidekiq: +{{- $loggingFormat := default "json" (pluck "format" (default (dict) $.Values.logging) | first) }} + log_format: {{ $loggingFormat }} +{{- if kindIs "slice" .routingRules }} + {{- if gt (len .routingRules) 0 }} + routing_rules: + {{- range $rule := .routingRules }} + - {{ toJson $rule }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end -}}{{/* "gitlab.appConfig.sidekiq.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_smartcard.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_smartcard.tpl new file mode 100644 index 0000000..7b436f0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_smartcard.tpl @@ -0,0 +1,23 @@ +{{/* ######### Smartcard related templates */}} + +{{/* +Returns the Smartcard hostname. +If the hostname is set in `global.hosts.smartcard.name`, that will be returned, +otherwise the hostname will be assembed using `smartcard` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "gitlab.smartcard.hostname" -}} +{{- coalesce .Values.global.appConfig.smartcard.clientCertificateRequiredHost .Values.global.hosts.smartcard.name (include "gitlab.assembleHost" (dict "name" "smartcard" "context" . )) -}} +{{- end -}} + + +{{- define "gitlab.appConfig.smartcard.configuration" -}} +smartcard: +{{- with $.Values.global.appConfig.smartcard }} + enabled: {{ eq true .enabled }} + ca_file: '/etc/gitlab/rails-secrets/smartcard-ca.crt' + client_certificate_required_host: {{ template "gitlab.smartcard.hostname" $ }} + client_certificate_required_port: 443 + san_extensions: {{ eq true .sanExtensions }} + required_for_git_access: {{ eq true .requiredForGitAccess }} +{{- end -}} +{{- end -}}{{/* "gitlab.appConfig.smartcard.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_smtp.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_smtp.tpl new file mode 100644 index 0000000..bf3002e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_smtp.tpl @@ -0,0 +1,110 @@ +{{/* ######### SMTP templates */}} + +{{/* + Generates smtp settings for ActionMailer to be used in webservice and sidekiq +*/}} +{{- define "gitlab.smtp_settings" -}} +{{- if .Values.global.smtp.enabled -}} +smtp_settings = { + address: {{ .Values.global.smtp.address | quote }}, + port: {{ .Values.global.smtp.port | int }}, + ca_file: "/etc/ssl/certs/ca-certificates.crt", + {{- if .Values.global.smtp.domain }} + domain: {{ .Values.global.smtp.domain | quote }}, + {{- end }} + {{ if has .Values.global.smtp.authentication (list "login" "plain" "cram_md5") }} + authentication: :{{.Values.global.smtp.authentication}}, + user_name: {{ .Values.global.smtp.user_name | quote }}, + password: File.read("/etc/gitlab/smtp/smtp-password").strip, + {{- end }} + {{- if .Values.global.smtp.starttls_auto }} + enable_starttls_auto: true, + {{- else }} + enable_starttls_auto: false, + {{- end }} + {{- if has .Values.global.smtp.tls (list true false) }} + tls: {{ .Values.global.smtp.tls }}, + {{- end }} + {{- if .Values.global.smtp.openssl_verify_mode }} + openssl_verify_mode: {{ .Values.global.smtp.openssl_verify_mode | quote }}, + {{- end }} + {{- if .Values.global.smtp.open_timeout }} + open_timeout: {{ .Values.global.smtp.open_timeout | int }}, + {{- end }} + {{- if .Values.global.smtp.read_timeout }} + read_timeout: {{ .Values.global.smtp.read_timeout | int }} + {{- end }} +} + +{{ if eq .Values.global.smtp.pool true -}} +require 'mail/smtp_pool' + +ActionMailer::Base.add_delivery_method :smtp_pool, Mail::SMTPPool + +Gitlab::Application.config.action_mailer.delivery_method = :smtp_pool +ActionMailer::Base.delivery_method = :smtp_pool + +ActionMailer::Base.smtp_pool_settings = { + pool: Mail::SMTPPool.create_pool( + smtp_settings.merge(pool_size: Gitlab::Runtime.max_threads) + ) +} +{{- else -}} +Rails.application.config.action_mailer.delivery_method = :smtp +ActionMailer::Base.delivery_method = :smtp + +ActionMailer::Base.smtp_settings = smtp_settings +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Default from address for emails based on domain */}} +{{- define "gitlab.email.from" -}} +{{ .Values.global.email.from | default (printf "gitlab@%s" .Values.global.hosts.domain ) | quote -}} +{{- end -}} + +{{/* Default replyto address for emails based on domain */}} +{{- define "gitlab.email.reply_to" -}} +{{ .Values.global.email.reply_to | default (printf "noreply@%s" .Values.global.hosts.domain ) | quote -}} +{{- end -}} + +{{/* Outgoing email settings */}} +{{- define "gitlab.outgoing_email_settings" }} +email_from: {{ template "gitlab.email.from" . }} +email_display_name: {{ .Values.global.email.display_name | quote }} +email_reply_to: {{ template "gitlab.email.reply_to" . }} +email_subject_suffix: {{ .Values.global.email.subject_suffix | quote }} +{{- if .Values.global.email.smime.enabled }} +email_smime: + enabled: true + key_file: /home/git/gitlab/.gitlab_smime_key + cert_file: /home/git/gitlab/.gitlab_smime_cert +{{- end }} +{{- end }} + +{{/* microsoftGraphMailer secrets */}} +{{- define "gitlab.appConfig.microsoftGraphMailer.mountSecrets" -}} +# mount secrets for microsoftGraphMailer +{{- if $.Values.global.appConfig.microsoft_graph_mailer.enabled }} +- secret: + name: {{ $.Values.global.appConfig.microsoft_graph_mailer.client_secret.secret | required "Missing required secret containing the OAuth2 Client ID for outgoing email. Make sure to set `global.appConfig.microsoft_graph_mailer.client_secret.secret`" }} + items: + - key: {{ $.Values.global.appConfig.microsoft_graph_mailer.client_secret.key }} + path: microsoft_graph_mailer/client_secret +{{- end }} +{{- end -}}{{/* "gitlab.appConfig.microsoftGraphMailer.mountSecrets" "*/}} + +{{/* SMTP authentication secret */}} +{{- define "gitlab.smtp.mountSecrets" -}} +# mount secrets for SMTP +{{- with $.Values.global.smtp }} +{{- $isNoneAuth := eq "none" (.authentication | default "none") }} +{{- if and .enabled (not $isNoneAuth) }} +- secret: + name: {{ .password.secret | required "Missing required secret containing the SMTP password. Make sure to set `global.smtp.password.secret`" }} + items: + - key: {{ .password.key }} + path: smtp/smtp-password +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_spamcheck.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_spamcheck.tpl new file mode 100644 index 0000000..071eb68 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_spamcheck.tpl @@ -0,0 +1,7 @@ +{{/* ######### Spamcheck related templates */}} +{{/* +Return the Spamcheck service name +*/}} +{{- define "gitlab.spamcheck.serviceName" -}} +{{- include "gitlab.other.fullname" (dict "context" . "chartName" "spamcheck") -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_suggested_reviewers.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_suggested_reviewers.tpl new file mode 100644 index 0000000..b552858 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_suggested_reviewers.tpl @@ -0,0 +1,10 @@ +{{/* ######### Suggested Reviewers related templates */}} + +{{- define "gitlab.suggestedReviewers.mountSecrets" -}} +# mount secret for suggested reviewers +- secret: + name: {{ template "gitlab.suggested-reviewers.secret" . }} + items: + - key: {{ template "gitlab.suggested-reviewers.key" . }} + path: suggested_reviewers/.gitlab_suggested_reviewers_secret +{{- end -}}{{/* "gitlab.suggestedReviewers.mountSecrets" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_terraformState.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_terraformState.tpl new file mode 100644 index 0000000..0250e65 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_terraformState.tpl @@ -0,0 +1,17 @@ +{{/* +Generates a templated config for terraform_state key in gitlab.yml. + +Usage: +{{ include "gitlab.appConfig.terraformState.configuration" ( \ + dict \ + "config" .Values.path.to.terraform_state.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.terraformState.configuration" -}} +terraform_state: + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + {{- if not .context.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "terraform_state" "config" .config "context" .context) | nindent 2 }} + {{- end }} +{{- end -}}{{/* "gitlab.appConfig.terraformState.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_tracing.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_tracing.tpl new file mode 100644 index 0000000..16269cb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_tracing.tpl @@ -0,0 +1,8 @@ +{{/* ######### Tracing templates */}} + +{{- define "gitlab.tracing.env" -}} +{{- if .Values.global.tracing.connection.string }} +- name: GITLAB_TRACING + value: {{ .Values.global.tracing.connection.string | quote }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_uploads.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_uploads.tpl new file mode 100644 index 0000000..ffdb524 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_uploads.tpl @@ -0,0 +1,17 @@ +{{/* +Generates a templated config for uploads key in gitlab.yml. + +Usage: +{{ include "gitlab.appConfig.uploads.configuration" ( \ + dict \ + "config" .Values.path.to.uploads.config \ + "context" $ \ + ) }} +*/}} +{{- define "gitlab.appConfig.uploads.configuration" -}} +uploads: + enabled: {{ if kindIs "bool" .config.enabled }}{{ eq .config.enabled true }}{{ end }} + {{- if not .context.Values.global.appConfig.object_store.enabled }} + {{- include "gitlab.appConfig.objectStorage.configuration" (dict "name" "uploads" "config" .config "context" .context) | nindent 2 }} + {{- end }} +{{- end -}}{{/* "gitlab.appConfig.uploads.configuration" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_workhorse.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_workhorse.tpl new file mode 100644 index 0000000..ba43643 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_workhorse.tpl @@ -0,0 +1,40 @@ +{{/* ######### workhorse templates */}} + +{{/* +Return the workhorse url +*/}} +{{- define "gitlab.workhorse.url" -}} +{{ template "gitlab.workhorse.scheme" . }}://{{ template "gitlab.workhorse.host" . }}:{{ template "gitlab.workhorse.port" . }} +{{- end -}} + +{{- define "gitlab.workhorse.scheme" -}} +{{- $scheme := "http" -}} +{{- if .Values.global.workhorse.tls.enabled -}} +{{- $scheme = "https" -}} +{{- end -}} +{{- coalesce .Values.workhorse.scheme .Values.global.workhorse.scheme $scheme -}} +{{- end -}} + +{{/* +Return the workhorse hostname +If the workhorse host is provided, it will use that, otherwise it will fallback +to the service name +*/}} +{{- define "gitlab.workhorse.host" -}} +{{- $hostname := default .Values.global.workhorse.host .Values.workhorse.host -}} +{{- if empty $hostname -}} +{{- $name := default .Values.global.workhorse.serviceName .Values.workhorse.serviceName -}} +{{- $hostname = printf "%s-%s.%s.svc" .Release.Name $name .Release.Namespace -}} +{{- end -}} +{{- $hostname -}} +{{- end -}} + +{{- define "gitlab.workhorse.port" -}} +{{- coalesce .Values.workhorse.port .Values.global.workhorse.port "8181" -}} +{{- end -}} + +{{- define "gitlab.workhorse.shutdownTimeout" -}} +{{- $timeout := add 1 $.Values.global.webservice.workerTimeout -}} +{{- $shutdownTimeout := printf "%ss" ($timeout | toString) -}} +{{- coalesce $.Values.workhorse.shutdownTimeout $shutdownTimeout -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/templates/_zoekt.tpl b/kubernetes/Charts/gitlab/charts/gitlab/templates/_zoekt.tpl new file mode 100644 index 0000000..e3f8a7e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/templates/_zoekt.tpl @@ -0,0 +1,13 @@ +{{/* ######### Zoekt related templates */}} + +{{- define "gitlab.zoekt.mountSecrets" -}} +# mount secret for zoekt +- secret: + name: {{ template "gitlab.zoekt.gateway.basicAuth.secretName" . }} + optional: true + items: + - key: gitlab_username + path: zoekt/.gitlab_zoekt_username + - key: gitlab_password + path: zoekt/.gitlab_zoekt_password +{{- end -}}{{/* "gitlab.zoekt.mountSecrets" */}} diff --git a/kubernetes/Charts/gitlab/charts/gitlab/values.yaml b/kubernetes/Charts/gitlab/charts/gitlab/values.yaml new file mode 100644 index 0000000..50836c1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/gitlab/values.yaml @@ -0,0 +1,55 @@ +# Default values for gitlab-chart. +# This is a YAML-formatted file. + +global: + edition: ee + hosts: + domain: example.com + https: true + enterpriseImages: + # Default repositories used to pull Gitlab Enterprise Edition images. + # See the image.repository and workhorse.repository template helpers. + migrations: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee + sidekiq: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee + toolbox: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee + webservice: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee + workhorse: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee + geo-logcursor: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-geo-logcursor + communityImages: + # Default repositories used to pull Gitlab Community Edition images. + # See the image.repository and workhorse.repository template helpers. + migrations: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce + sidekiq: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ce + toolbox: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce + webservice: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce + workhorse: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce + # This exists to support template handling + psql: + knownDecompositions: + - main + - ci + - embedding + clickhouse: + enabled: false + # main: + # username: gitlab + # password: + # secret: + # key: + # database: gitlab_clickhouse_main_production + # url: + + +gitlab-runner: + enabled: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/.helmignore b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/Chart.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/Chart.yaml new file mode 100644 index 0000000..fead79e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/Chart.yaml @@ -0,0 +1,21 @@ +annotations: + artifacthub.io/changes: | + - Allow the release namespace to be overridden (#195) + - Add missing RBAC rules for customresourcedefinitions (#196) +apiVersion: v2 +appVersion: 1.10.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: kubernetes-ingress +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.32.0 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/README.md b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/README.md new file mode 100644 index 0000000..19d1e3f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/chart-icon.png b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/chart-icon.png new file mode 100644 index 0000000..1c7acc4 Binary files /dev/null and b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/chart-icon.png differ diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-customconfig-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000..116158a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-customnodeport-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000..c9de04c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-default-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-default-values.yaml new file mode 100644 index 0000000..ddb2562 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-disableddefaultbackend-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000..3a1687a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-disabledsecretconfig-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000..362fbb9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-enableports-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000..9a41dac --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-extraargs-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000..691acbc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-extraenvs-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000..35294fa --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-hostport-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000..45042ea --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-ingressclass-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000..15b3dae --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-ipfamily-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000..cc8a976 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-kubernetesgateway-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000..026f75b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-nodeport-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000..ebc8f10 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-privileged-ports.values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000..1efe9a7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-publishservice-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000..b538cb5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-serviceannotation-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000..b538cb5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-strategy-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000..ed45d7a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-customconfig-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000..12c48d2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-customnodeport-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000..f044362 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-default-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-default-values.yaml new file mode 100644 index 0000000..792d600 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-disableddefaultbackend-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000..ba2a61e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-disabledsecretconfig-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000..7676459 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-enableports-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000..03ff297 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-extraargs-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000..d0e1dbe --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-extraenvs-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000..1f9e30c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-hpa-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000..f3a5701 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-ingressclass-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000..6f4f1fc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-ipfamily-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000..6776d90 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-kubernetesgateway-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000..c78bea2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-nodeport-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000..ffdc47b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-privileged-ports.values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000..b1dc2bb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-publishservice-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000..6d8bf9b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-replicacount-unset.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000..78ee300 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-strategy-values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000..939312a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_backends.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000..43c74e6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,716 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + hash_type: + type: object + properties: + method: + type: string + enum: + - map-based + - consistent + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + modifier: + type: string + enum: + - avalanche + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + allbackups: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + check_timeout: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + queue_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + retries: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + server_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + stick_table: + type: object + properties: + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + keylen: + type: integer + nullable: true + size: + type: integer + nullable: true + expire: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + store: + type: string + pattern: ^[^\s]+$ + http-use-htx: + type: string + enum: + - enabled + - disabled + pattern: ^[^\s]+$ + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000..fa9b2cf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,741 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + mode: + type: string + enum: + - tcp + - http + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + maxconn: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + httplog: + type: boolean + clflog: + type: boolean + tcplog: + type: boolean + log_format: + type: string + log_format_sd: + type: string + log_tag: + type: string + pattern: ^[^\s]+$ + log_separate_errors: + type: string + enum: + - enabled + - disabled + clitcpka: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + check_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + client_timeout: + type: integer + nullable: true + client_fin_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + server_timeout: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + queue_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + unique_id_format: + type: string + unique_id_header: + type: string + logasap: + type: string + enum: + - enabled + - disabled + allbackups: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_globals.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000..6b842a5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Global + description: HAProxy global configuration + type: object + properties: + chroot: + type: string + pattern: '^[^\s]+$' + group: + type: string + pattern: '^[^\s]+$' + hard_stop_after: + type: integer + user: + type: string + pattern: '^[^\s]+$' + daemon: + type: string + enum: [enabled, disabled] + nbproc: + type: integer + nbthread: + type: integer + master-worker: + type: boolean + external_check: + type: boolean + pidfile: + type: string + maxconn: + type: integer + server_state_base: + type: string + pattern: '^[^\s]+$' + tune_ssl_default_dh_param: + type: integer + ssl_default_bind_options: + type: string + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_mode_async: + type: string + enum: [enabled, disabled] + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + process: + type: string + cpu_set: + type: string + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + stats_timeout: + type: integer + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: '^[^\s]+$' + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: [enabled, disabled] + param: + type: string + pattern: '^[^\s]+$' + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/NOTES.txt new file mode 100644 index 0000000..6028ea0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/_helpers.tpl new file mode 100644 index 0000000..556b32e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/clusterrole.yaml new file mode 100644 index 0000000..12de84d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..74c13de --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/clusterrolebinding.yaml @@ -0,0 +1,36 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-configmap.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-configmap.yaml new file mode 100644 index 0000000..d50399b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-daemonset.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-daemonset.yaml new file mode 100644 index 0000000..bf07d60 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-defaultcertsecret.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000..8237989 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-deployment.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-deployment.yaml new file mode 100644 index 0000000..50e0bf1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-hpa.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-hpa.yaml new file mode 100644 index 0000000..22d06f6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-ingressclass.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-ingressclass.yaml new file mode 100644 index 0000000..0567fe8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-keda.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-keda.yaml new file mode 100644 index 0000000..78487ce --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000..4fe27fb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000..317ee78 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-pullsecret.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-pullsecret.yaml new file mode 100644 index 0000000..d9a0ec9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-role.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-role.yaml new file mode 100644 index 0000000..3b29557 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-rolebinding.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-rolebinding.yaml new file mode 100644 index 0000000..db44752 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-service-metrics.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-service-metrics.yaml new file mode 100644 index 0000000..2c0f52a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-service.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-service.yaml new file mode 100644 index 0000000..4e44eb6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000..a15bded --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000..87529fc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/namespace.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/namespace.yaml new file mode 100644 index 0000000..5b7713a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/kubernetes-ingress/values.yaml b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/values.yaml new file mode 100644 index 0000000..abdaefb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/kubernetes-ingress/values.yaml @@ -0,0 +1,526 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/kubernetes/Charts/gitlab/charts/minio/Chart.yaml b/kubernetes/Charts/gitlab/charts/minio/Chart.yaml new file mode 100644 index 0000000..3625799 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: RELEASE.2017-12-28T01-21-00Z +description: Object storage server built for cloud applications and devops. +home: https://minio.io +icon: https://www.minio.io/img/logo_160x160.png +keywords: +- S3 +- gitlab +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: minio +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/charts/minio +- https://github.com/minio/minio +version: 0.4.3 diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/minio/templates/NOTES.txt new file mode 100644 index 0000000..6e60bcb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/NOTES.txt @@ -0,0 +1,48 @@ +{{- if .Values.enabled }} +{{- if eq .Values.serviceType "ClusterIP" }} +Minio can be accessed via port {{ .Values.servicePort }} on the following DNS name from within your cluster: +{{ template "minio.fullname" . }}-svc.{{ .Release.Namespace }}.svc.cluster.local + +To access Minio from localhost, run the below commands: + + 1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "minio.fullname" . }}" -o jsonpath="{.items[0].metadata.name}") + + 2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }} + +Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/ + +You can now access Minio server on http://localhost:9000. Follow the below steps to connect to Minio server with mc client: + + 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide + + 2. mc config host add {{ template "minio.fullname" . }}-local http://localhost:9000 {{ .Values.accessKey }} {{ .Values.secretKey }} S3v4 + + 3. mc ls {{ template "minio.fullname" . }}-local + +Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17 +{{- end }} +{{- if eq .Values.serviceType "LoadBalancer" }} +Minio can be accessed via port {{ .Values.servicePort }} on an external IP address. Get the service external IP address by: +kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }} + +Note that the public IP may take a couple of minutes to be available. + +You can now access Minio server on http://:9000. Follow the below steps to connect to Minio server with mc client: + + 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide + + 2. mc config host add {{ template "minio.fullname" . }}-local http://:{{ .Values.servicePort }} {{ .Values.accessKey }} {{ .Values.secretKey }} S3v4 + + 3. mc ls {{ template "minio.fullname" . }}-local + +Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17 +{{- end }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label +{{ template "minio.fullname" . }}-client=true" +will be able to connect to this minio cluster. +{{- end }} +{{- else }} +Minio not enabled: `enabled: {{ .Values.enabled }}`. Please set to `true` to use Minio +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/_helper_create_buckets.sh b/kubernetes/Charts/gitlab/charts/minio/templates/_helper_create_buckets.sh new file mode 100644 index 0000000..3cabb5f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/_helper_create_buckets.sh @@ -0,0 +1,71 @@ +#!/bin/sh +# minio/mc container has Busybox Ash, be sure to be POSIX compliant and avoid Bash-isms +set -e ; # Have script exit in the event of a failed command. + +# connectToMinio +# Use a check-sleep-check loop to wait for Minio service to be available +connectToMinio() { + set -e ; # fail if we can't read the keys. + ACCESS=$(cat /config/accesskey) ; SECRET=$(cat /config/secretkey) ; + set +e ; # The connections to minio are allowed to fail. + echo "Connecting to Minio server: http://$MINIO_ENDPOINT:$MINIO_PORT" ; + MC_COMMAND="mc config host add myminio http://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; + $MC_COMMAND ; + STATUS=$? ; + until [ $STATUS -eq 0 ] ; + do + sleep 1 ; # 1 second intervals between attempts + $MC_COMMAND ; + STATUS=$? ; + done ; + set -e ; # reset `e` as active + return 0 +} + +# checkBucketExists ($bucket) +# Check if the bucket exists, by using the exit code of `mc ls` +checkBucketExists() { + BUCKET=$1 + CMD=$(/usr/bin/mc ls myminio/$BUCKET > /dev/null 2>&1) + return $? +} + +# createBucket ($bucket, $policy, $purge) +# Ensure bucket exists, purging if asked to +createBucket() { + BUCKET=$1 + POLICY=$2 + PURGE=$3 + + + # Purge the bucket, if set & exists + # Since PURGE is user input, check explicitly for `true` + if [ $PURGE = true ]; then + if checkBucketExists $BUCKET ; then + echo "Purging bucket '$BUCKET'." + set +e ; # don't exit if this fails + /usr/bin/mc rm -r --force myminio/$BUCKET + set -e ; # reset `e` as active + else + echo "Bucket '$BUCKET' does not exist, skipping purge." + fi + fi + + # Create the bucket if it does not exist + if ! checkBucketExists $BUCKET ; then + echo "Creating bucket '$BUCKET'" + /usr/bin/mc mb myminio/$BUCKET + else + echo "Bucket '$BUCKET' already exists." + fi + + # At this point, the bucket should exist, skip checking for existance + # Set policy on the bucket + echo "Setting policy of bucket '$BUCKET' to '$POLICY'." + /usr/bin/mc policy $POLICY myminio/$BUCKET +} + +connectToMinio +{{- range $bucket := .Values.defaultBuckets }} +createBucket {{ .name }} {{ default "none" .policy }} {{ default false .purge }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/minio/templates/_helpers.tpl new file mode 100644 index 0000000..83dc6b1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/_helpers.tpl @@ -0,0 +1,54 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "minio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "minio.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "minio.networkPolicy.apiVersion" -}} +{{- if and (ge .Capabilities.KubeVersion.Minor "4") (le .Capabilities.KubeVersion.Minor "6") -}} +{{- print "extensions/v1beta1" -}} +{{- else if ge .Capabilities.KubeVersion.Minor "7" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified job name for creating default buckets. +Due to the job only being allowed to run once, we add the chart revision so helm +upgrades don't cause errors trying to create the already ran job. +Due to the helm delete not cleaning up these jobs, we add a random value to +reduce collision +*/}} +{{- define "minio.createBucketsJobName" -}} +{{- $name := include "minio.fullname" . | trunc 40 | trimSuffix "-" -}} +{{- printf "%s-create-buckets-%d" $name .Release.Revision -}} +{{- end -}} + +{{/* +Returns the secret name for the Secret containing the TLS certificate and key. +Uses `ingress.tls.secretName` first and falls back to `global.ingress.tls.secretName` +if there is a shared tls secret for all ingresses. +*/}} +{{- define "minio.tlsSecret" -}} +{{- $defaultName := (dict "secretName" "") -}} +{{- if .Values.global.ingress.configureCertmanager -}} +{{- $_ := set $defaultName "secretName" (printf "%s-minio-tls" .Release.Name) -}} +{{- else -}} +{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}} +{{- end -}} +{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/create-buckets-job.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/create-buckets-job.yaml new file mode 100644 index 0000000..d960488 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/create-buckets-job.yaml @@ -0,0 +1,62 @@ +{{- if and .Values.global.minio.enabled .Values.defaultBuckets }} +{{- /* Placeholder to bridge MinIO chart values with "gitlab.image.*" helper templates */ -}} +{{- $minioMcImageCfg := dict "pullPolicy" .Values.imagePullPolicy "pullSecrets" .Values.pullSecrets -}} +{{- $imageCfg := dict "global" .Values.global.image "local" $minioMcImageCfg -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "minio.createBucketsJobName" . }} + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 600 + template: + metadata: + labels: + component: create-buckets + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + {{- if .Values.jobAnnotations }} + annotations: + {{- range $key, $value := .Values.jobAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + + spec: + automountServiceAccountToken: false + restartPolicy: OnFailure + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + volumes: + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }}-config-cm + - secret: + name: {{ template "gitlab.minio.credentials.secret" . }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6}} + containers: + - name: minio-mc + image: {{ .Values.minioMc.image }}:{{ .Values.minioMc.tag }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 8 }} + command: ["/bin/sh", "/config/initialize"] + env: + - name: MINIO_ENDPOINT + value: {{ printf "%s-svc.%s.svc" (include "minio.fullname" .) .Release.Namespace }} + - name: MINIO_PORT + value: {{ .Values.servicePort | quote }} + volumeMounts: + - name: minio-configuration + mountPath: /config + resources: +{{ toYaml .Values.init.resources | indent 10 }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/ingress.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/ingress.yaml new file mode 100644 index 0000000..1bba5cb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/ingress.yaml @@ -0,0 +1,56 @@ +{{- if .Values.global.minio.enabled -}} +{{- if eq (include "gitlab.ingress.enabled" $) "true" -}} +{{- $minioHostname := include "gitlab.minio.hostname" . -}} +{{- $tlsSecret := include "minio.tlsSecret" . -}} +{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} + +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- if eq "nginx" .Values.global.ingress.provider }} + nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | quote }} + nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.ingress.proxyReadTimeout | quote }} + nginx.ingress.kubernetes.io/proxy-request-buffering: {{ .Values.ingress.proxyBuffering | quote }} + nginx.ingress.kubernetes.io/proxy-buffering: {{ .Values.ingress.proxyBuffering | quote }} + {{- end }} + {{- include "gitlab.certmanager_annotations" . | nindent 4 }} + {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: {{ $minioHostname }} + http: + paths: + - path: {{ coalesce $.Values.ingress.path $.Values.global.ingress.path }} + {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} + backend: + service: + name: {{ template "minio.fullname" . }}-svc + port: + number: {{ .Values.servicePort }} + {{- else -}} + backend: + serviceName: {{ template "minio.fullname" . }}-svc + servicePort: {{ .Values.servicePort }} + {{- end -}} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }} + tls: + - hosts: + - {{ $minioHostname }} + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/minio_deployment.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/minio_deployment.yaml new file mode 100644 index 0000000..64f46bb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/minio_deployment.yaml @@ -0,0 +1,109 @@ +{{- if .Values.global.minio.enabled -}} +{{- /* Placeholder to bridge MinIO chart values with "gitlab.image.*" helper templates */ -}} +{{- $minioImageCfg := dict "pullPolicy" .Values.imagePullPolicy "pullSecrets" .Values.pullSecrets -}} +{{- $imageCfg := dict "global" .Values.global.image "local" $minioImageCfg -}} +{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: "{{ .Release.Name }}" + component: app + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + name: {{ template "minio.fullname" . }} + labels: + component: app + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: +{{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} +{{- end }} + spec: + automountServiceAccountToken: false + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + volumes: + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - name: export + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ template "minio.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} + - name: minio-configuration + projected: + sources: + - configMap: + name: {{ template "minio.fullname" . }}-config-cm + - secret: + name: {{ template "gitlab.minio.credentials.secret" . }} + - name: minio-server-config + emptyDir: + medium: "Memory" + initContainers: + - name: configure + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + command: ["sh", "/config/configure"] + volumeMounts: + - name: minio-configuration + mountPath: /config + - name: minio-server-config + mountPath: /minio + resources: +{{ toYaml .Values.init.resources | indent 12 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6}} + containers: + - name: minio + image: {{ .Values.image }}:{{ .Values.imageTag }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + args: ["-C", "{{ default "/tmp/.minio" .Values.configPath }}", "--quiet", "server", "{{ .Values.mountPath }}"] + volumeMounts: + - name: export + mountPath: {{ .Values.mountPath }} + {{- if and .Values.persistence.enabled .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" + {{- end }} + - name: minio-server-config + # this path altered from upstream, for use with `securityContext`/UID 1000 + mountPath: {{ default "/tmp/.minio" .Values.configPath | quote }} + - name: podinfo + mountPath: /podinfo + readOnly: false + ports: + - name: service + containerPort: 9000 + livenessProbe: + tcpSocket: + port: 9000 + timeoutSeconds: 1 + resources: +{{ toYaml .Values.resources | indent 12 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/minio_networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/minio_networkpolicy.yaml new file mode 100644 index 0000000..7d6ed35 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/minio_networkpolicy.yaml @@ -0,0 +1,24 @@ +{{- if .Values.networkPolicy.enabled | and .Values.global.minio.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "minio.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + ingress: + - ports: + - port: {{ .Values.servicePort }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "minio.fullname" . }}-client: "true" + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/minio_pvc.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/minio_pvc.yaml new file mode 100644 index 0000000..bfbc0f4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/minio_pvc.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.global.minio.enabled .Values.persistence.enabled }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "minio.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- if .Values.persistence.volumeName }} + volumeName: {{ .Values.persistence.volumeName }} +{{- end }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end -}} +{{- end }} + selector: +{{- if .Values.persistence.matchLabels }} + matchLabels: +{{ toYaml .Values.persistence.matchLabels | indent 6 }} +{{- end -}} +{{- if .Values.persistence.matchExpressions }} + matchExpressions: +{{ toYaml .Values.persistence.matchExpressions | indent 6 }} +{{- end -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/minio_svc.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/minio_svc.yaml new file mode 100644 index 0000000..4b5e2d4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/minio_svc.yaml @@ -0,0 +1,26 @@ +{{- if .Values.global.minio.enabled -}} +kind: Service +apiVersion: v1 +metadata: + name: {{ template "minio.fullname" . }}-svc + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: +{{ include "gitlab.serviceAnnotations" . | indent 4 }} +spec: + type: {{ .Values.serviceType }} + {{- if eq .Values.serviceType "LoadBalancer" }} + loadBalancerIP: {{ default "" .Values.minioLoadBalancerIP }} + {{- end }} + selector: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + component: app + ports: + - name: http + port: 9000 + targetPort: {{ .Values.servicePort }} + protocol: TCP +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/minioconfig_configmap.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/minioconfig_configmap.yaml new file mode 100644 index 0000000..b8bb02b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/minioconfig_configmap.yaml @@ -0,0 +1,140 @@ +{{- if .Values.global.minio.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "minio.fullname" . }}-config-cm + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} +data: + initialize: |- +{{ include (print $.Template.BasePath "/_helper_create_buckets.sh") . | indent 4 }} + configure: |- + {{ .Values.init.script }} + config.json: |- + { + "version": "20", + "credential": { + "accessKey": "ACCESS_KEY", + "secretKey": "SECRET_KEY" + }, + "region": {{ .Values.minioConfig.region | quote }}, + "browser": {{ .Values.minioConfig.browser | quote }}, + "domain": {{ .Values.minioConfig.domain | quote }}, + "logger": { + "console": { + "enable": {{ .Values.minioConfig.logger.console.enable }} + }, + "file": { + "enable": {{ .Values.minioConfig.logger.file.enable }}, + "fileName": {{ .Values.minioConfig.logger.file.filename | quote }} + } + }, + "notify": { + "amqp": { + "1": { + "enable": {{ .Values.minioConfig.aqmp.enable }}, + "url": {{ .Values.minioConfig.aqmp.url | quote }}, + "exchange": {{ .Values.minioConfig.aqmp.exchange | quote }}, + "routingKey": {{ .Values.minioConfig.aqmp.routingKey | quote }}, + "exchangeType": {{ .Values.minioConfig.aqmp.exchangeType | quote }}, + "deliveryMode": {{ .Values.minioConfig.aqmp.deliveryMode }}, + "mandatory": {{ .Values.minioConfig.aqmp.mandatory }}, + "immediate": {{ .Values.minioConfig.aqmp.immediate }}, + "durable": {{ .Values.minioConfig.aqmp.durable }}, + "internal": {{ .Values.minioConfig.aqmp.internal }}, + "noWait": {{ .Values.minioConfig.aqmp.noWait }}, + "autoDeleted": {{ .Values.minioConfig.aqmp.autoDeleted }} + } + }, + "nats": { + "1": { + "enable": {{ .Values.minioConfig.nats.enable }}, + "address": {{ .Values.minioConfig.nats.address | quote }}, + "subject": {{ .Values.minioConfig.nats.subject | quote }}, + "username": {{ .Values.minioConfig.nats.username | quote }}, + "password": {{ .Values.minioConfig.nats.password | quote }}, + "token": {{ .Values.minioConfig.nats.token | quote }}, + "secure": {{ .Values.minioConfig.nats.secure }}, + "pingInterval": {{ .Values.minioConfig.nats.pingInterval | int64 }}, + "streaming": { + "enable": {{ .Values.minioConfig.nats.enableStreaming }}, + "clusterID": {{ .Values.minioConfig.nats.clusterID | quote }}, + "clientID": {{ .Values.minioConfig.nats.clientID | quote }}, + "async": {{ .Values.minioConfig.nats.async }}, + "maxPubAcksInflight": {{ .Values.minioConfig.nats.maxPubAcksInflight | int }} + } + } + }, + "elasticsearch": { + "1": { + "enable": {{ .Values.minioConfig.elasticsearch.enable }}, + "format": {{ .Values.minioConfig.elasticsearch.format | quote }}, + "url": {{ .Values.minioConfig.elasticsearch.url | quote }}, + "index": {{ .Values.minioConfig.elasticsearch.index | quote }} + } + }, + "redis": { + "1": { + "enable": {{ .Values.minioConfig.redis.enable }}, + "format": {{ .Values.minioConfig.redis.format | quote }}, + "address": {{ .Values.minioConfig.redis.address | quote }}, + "password": {{ .Values.minioConfig.redis.password | quote }}, + "key": {{ .Values.minioConfig.redis.key | quote }} + } + }, + "postgresql": { + "1": { + "enable": {{ .Values.minioConfig.postgresql.enable }}, + "format": {{ .Values.minioConfig.postgresql.format | quote }}, + "connectionString": {{ .Values.minioConfig.postgresql.connectionString | quote }}, + "table": {{ .Values.minioConfig.postgresql.table | quote }}, + "host": {{ .Values.minioConfig.postgresql.host | quote }}, + "port": {{ .Values.minioConfig.postgresql.port | quote }}, + "user": {{ .Values.minioConfig.postgresql.user | quote }}, + "password": {{ .Values.minioConfig.postgresql.password | quote }}, + "database": {{ .Values.minioConfig.postgresql.database | quote }} + } + }, + "kafka": { + "1": { + "enable": {{ .Values.minioConfig.kafka.enable }}, + "brokers": {{ .Values.minioConfig.kafka.brokers }}, + "topic": {{ .Values.minioConfig.kafka.topic | quote }} + } + }, + "webhook": { + "1": { + "enable": {{ .Values.minioConfig.webhook.enable }}, + "endpoint": {{ .Values.minioConfig.webhook.endpoint | quote }} + } + }, + "mysql": { + "1": { + "enable": {{ .Values.minioConfig.mysql.enable }}, + "format": {{ .Values.minioConfig.mysql.format | quote }}, + "dsnString": {{ .Values.minioConfig.mysql.dsnString | quote }}, + "table": {{ .Values.minioConfig.mysql.table | quote }}, + "host": {{ .Values.minioConfig.mysql.host | quote }}, + "port": {{ .Values.minioConfig.mysql.port | quote }}, + "user": {{ .Values.minioConfig.mysql.user | quote }}, + "password": {{ .Values.minioConfig.mysql.password | quote }}, + "database": {{ .Values.minioConfig.mysql.database | quote }} + } + }, + "mqtt": { + "1": { + "enable": {{ .Values.minioConfig.mqtt.enable }}, + "broker": {{ .Values.minioConfig.mqtt.broker | quote }}, + "topic": {{ .Values.minioConfig.mqtt.topic | quote }}, + "qos": {{ .Values.minioConfig.mqtt.qos | int }}, + "clientId": {{ .Values.minioConfig.mqtt.clientId | quote }}, + "username": {{ .Values.minioConfig.mqtt.username | quote }}, + "password": {{ .Values.minioConfig.mqtt.password | quote }} + } + } + } + } +# Blank line to signal end of Block +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/minio/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/minio/templates/pdb.yaml new file mode 100644 index 0000000..5355c01 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/templates/pdb.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.minio.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "minio.fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: +{{- include "gitlab.standardLabels" . | nindent 4 }} +{{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + app: {{ template "minio.name" . }} + release: {{ .Release.Name }} + component: app +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/minio/values.yaml b/kubernetes/Charts/gitlab/charts/minio/values.yaml new file mode 100644 index 0000000..1f3a8b7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/minio/values.yaml @@ -0,0 +1,263 @@ +## Set default image, imageTag, and imagePullPolicy. +## Distributed Minio ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide +## +image: "minio/minio" +imageTag: "RELEASE.2017-12-28T01-21-00Z" +# imagePullPolicy: IfNotPresent +# pullSecrets: [] + +minioMc: + image: minio/mc + tag: "RELEASE.2018-07-13T00-53-22Z" + +ingress: + apiVersion: + enabled: + proxyReadTimeout: 900 + proxyBodySize: "0" + proxyBuffering: "off" + tls: {} + # secretName: + # enabled: true + annotations: {} + configureCertmanager: + path: # / + +## Support for tolerations for pod scheduling +tolerations: [] + +# Priority class assigned to pods +priorityClassName: "" + +global: + ingress: + enabled: + annotations: {} + tls: {} + # secretName: + # enabled: true + hosts: + domain: example.com + hostSuffix: + https: true + tls: {} + # secretName: + minio: {} + #name: minio.example.com + #https: false + minio: + enabled: true + +common: + labels: {} + +## Control the InitContainer behaviors. +init: + image: {} + # repository: + # tag: + # pullPolicy: IfNotPresent + script: |- + sed -e 's@ACCESS_KEY@'"$(cat /config/accesskey)"'@' -e 's@SECRET_KEY@'"$(cat /config/secretkey)"'@' /config/config.json > /minio/config.json + resources: + requests: + cpu: 50m +## Set default Minio config file path, volume mount path and +## number of nodes (only used for Minio distributed mode) +## Distributed Minio ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide +## +configPath: "" +mountPath: "/export" +replicas: 4 + +## loadBalancerIP for the Minio Service (optional, cloud specific) +## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer +## +# minioLoadBalancerIP: + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + enabled: true + + ## minio data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 10Gi + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + ## + subPath: "" + + ## if volumeName is set, use this existing PersistentVolume + # volumeName: + + ## Only bind to a volume with the following exactly matched labels with values. + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + + ## Only bind to a volume with the following exppression matched labels. + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchExpressions: [] + +## Expose the Minio service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. +## ref: http://kubernetes.io/docs/user-guide/services/ +## +serviceType: ClusterIP +servicePort: 9000 + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 128Mi + cpu: 100m + +# Additational pod annotations +podAnnotations: {} + +# Additional pod labels +podLabels: {} + +# Additional job annotations +jobAnnotations: {} + +## Create a buckets after minio install +## An array of items, with name, policy, and purge +defaultBuckets: + - name: registry + - name: git-lfs + - name: runner-cache + - name: gitlab-uploads + - name: gitlab-artifacts + - name: gitlab-backups + - name: gitlab-packages + - name: tmp + - name: gitlab-mr-diffs + - name: gitlab-terraform-state + - name: gitlab-ci-secure-files + - name: gitlab-dependency-proxy + - name: gitlab-pages + # + ## If enabled, must be a string with length > 0 + # - name: example + ## Can be one of none|download|upload|public, defaults to `none` + # policy: none + ## Can be omitted. If present, and `true`, will `rm -rf` the bucket + # purge: false + +## https://docs.minio.io/docs/minio-bucket-notification-guide +## +minioConfig: + region: "us-east-1" + browser: "on" + domain: "" + logger: + console: + enable: true + file: + enable: false + filename: "" + aqmp: + enable: false + url: "" + exchange: "" + routingKey: "" + exchangeType: "" + deliveryMode: 0 + mandatory: false + immediate: false + durable: false + internal: false + noWait: false + autoDeleted: false + nats: + enable: false + address: "" + subject: "" + username: "" + password: "" + token: "" + secure: false + pingInterval: 0 + enableStreaming: false + clusterID: "" + clientID: "" + async: false + maxPubAcksInflight: 0 + elasticsearch: + enable: false + format: "namespace" + url: "" + index: "" + redis: + enable: false + format: "namespace" + address: "" + password: "" + key: "" + postgresql: + enable: false + format: "namespace" + connectionString: "" + table: "" + host: "" + port: "" + user: "" + password: "" + database: "" + kafka: + enable: false + brokers: "null" + topic: "" + webhook: + enable: false + endpoint: "" + mysql: + enable: false + format: "namespace" + dsnString: "" + table: "" + host: "" + port: "" + user: "" + password: "" + database: "" + mqtt: + enable: false + broker: "" + topic: "" + qos: 0 + clientId: "" + username: "" + password: "" +networkPolicy: + enabled: false + allowExternal: true +maxUnavailable: 1 + +## Allow to overwrite under which User and Group we're running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +deployment: + strategy: + type: Recreate + rollingUpdate: null diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/Chart.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000..ab2f487 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/changes: | + - Disable builtin ssl_session_cache + - Print warning only instead of error if no IngressClass permission is available + - Bump internal libraries versions + - Fix documentations + artifacthub.io/prerelease: "false" +apiVersion: v2 +appVersion: 1.0.4 +description: Ingress controller for Kubernetes using NGINX as a reverse proxy and + load balancer +home: https://github.com/kubernetes/ingress-nginx +icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png +keywords: +- ingress +- nginx +kubeVersion: '>=1.19.0-0' +maintainers: +- name: ChiefAlexander +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/nginx-ingress +type: application +version: 4.0.6 diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/README.md b/kubernetes/Charts/gitlab/charts/nginx-ingress/README.md new file mode 100644 index 0000000..7f6157d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/README.md @@ -0,0 +1,227 @@ +# ingress-nginx + +[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer + +To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. + +This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes v1.19+ + +## Get Repo Info + +```console +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update +``` + +## Install Chart + +**Important:** only helm3 is supported + +```console +helm install [RELEASE_NAME] ingress-nginx/ingress-nginx +``` + +The command deploys ingress-nginx on the Kubernetes cluster in the default configuration. + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] [CHART] --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading With Zero Downtime in Production + +By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8). + +### Migrating from stable/nginx-ingress + +There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: + +1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one +1. For critical services in production that require zero-downtime, you will want to: + 1. [Install](#install-chart) a second Ingress controller + 1. Redirect your DNS traffic from the old controller to the new controller + 1. Log traffic from both controllers during this changeover + 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it + 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production) + +Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values ingress-nginx/ingress-nginx +``` + +### PodDisruptionBudget + +Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one, +else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info. + +### Prometheus Metrics + +The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. + +You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. +Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) + +### ingress-nginx nginx\_status page/stats server + +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: + +- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed +- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. + You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230) to re-enable the http server + +### ExternalDNS Service Configuration + +Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: + +```yaml +controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com. +``` + +### AWS L7 ELB with SSL Termination + +Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/main/deploy/aws/l7/service-l7.yaml): + +```yaml +controller: + service: + targetPorts: + http: http + https: http + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' +``` + +### AWS route53-mapper + +To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label: + +```yaml +controller: + service: + labels: + dns: "route53" + annotations: + domainName: "kubernetes-example.com" +``` + +### Additional Internal Load Balancer + +This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. + +By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL. + +You'll need to set both the following values: + +`controller.service.internal.enabled` +`controller.service.internal.annotations` + +If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken. + +`controller.service.internal.annotations` varies with the cloud service you're using. + +Example for AWS: + +```yaml +controller: + service: + internal: + enabled: true + annotations: + # Create internal ELB + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Any other annotation can be declared here. +``` + +Example for GCE: + +```yaml +controller: + service: + internal: + enabled: true + annotations: + # Create internal LB. More informations: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing + # For GKE versions 1.17 and later + networking.gke.io/load-balancer-type: "Internal" + # For earlier versions + # cloud.google.com/load-balancer-type: "Internal" + + # Any other annotation can be declared here. +``` + +Example for Azure: + +```yaml +controller: + service: + annotations: + # Create internal LB + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # Any other annotation can be declared here. +``` + +Example for Oracle Cloud Infrastructure: + +```yaml +controller: + service: + annotations: + # Create internal LB + service.beta.kubernetes.io/oci-load-balancer-internal: "true" + # Any other annotation can be declared here. +``` + +An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. + +Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. + +### Ingress Admission Webhooks + +With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +**This feature is enabled by default since 0.31.0.** + +With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) + +### Helm Error When Upgrading: spec.clusterIP: Invalid value: "" + +If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this: + +```console +Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable +``` + +Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error. + +As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/NOTES.txt new file mode 100644 index 0000000..29aeb11 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/NOTES.txt @@ -0,0 +1,74 @@ +The ingress-nginx controller has been installed. + +{{- if contains "NodePort" .Values.controller.service.type }} +Get the application URL by running these commands: + +{{- if (not (empty .Values.controller.service.nodePorts.http)) }} + export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }} +{{- else }} + export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) +{{- end }} +{{- if (not (empty .Values.controller.service.nodePorts.https)) }} + export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }} +{{- else }} + export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) +{{- end }} + export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}") + + echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP." + echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS." +{{- else if contains "LoadBalancer" .Values.controller.service.type }} +It may take a few minutes for the LoadBalancer IP to be available. +You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}' +{{- else if contains "ClusterIP" .Values.controller.service.type }} +Get the application URL by running these commands: + export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 + echo "Visit http://127.0.0.1:8080 to access your application." +{{- end }} + +An example Ingress that makes use of the controller: + + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + kubernetes.io/ingress.class: {{ .Values.controller.ingressClassResource.name }} + name: example + namespace: foo + spec: + ingressClassName: example-class + rules: + - host: www.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: exampleService + port: 80 + # This section is only required if TLS is to be enabled for the Ingress + tls: + - hosts: + - www.example.com + secretName: example-tls + +If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided: + + apiVersion: v1 + kind: Secret + metadata: + name: example-tls + namespace: foo + data: + tls.crt: + tls.key: + type: kubernetes.io/tls + +{{- if .Values.controller.headers }} +################################################################################# +###### WARNING: `controller.headers` has been deprecated! ##### +###### It has been renamed to `controller.proxySetHeaders`. ##### +################################################################################# +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000..5036321 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* vim: set filetype=mustache: */}} +{{/* GitLab additions included at end of file */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "ingress-nginx.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ingress-nginx.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.controller.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. + +By convention this will simply use the / to match the name of the +service generated. + +Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride` + +*/}} +{{- define "ingress-nginx.controller.publishServicePath" -}} +{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}} +{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "ingress-nginx.labels" -}} +helm.sh/chart: {{ include "ingress-nginx.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +Previous values from the upstream chart: + app.kubernetes.io/name: {{ include "ingress-nginx.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + +Per-component label: + component: "{{ .Values.{controller,defaultBackend}.name }}" +*/}} +{{- define "ingress-nginx.selectorLabels" -}} +app: {{ include "ingress-nginx.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the controller service account to use +*/}} +{{- define "ingress-nginx.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} +{{- if .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +IngressClass parameters. +*/}} +{{- define "ingressClass.parameters" -}} + {{- if .Values.controller.ingressClassResource.parameters -}} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}} + {{ end }} +{{- end -}} + +{{/* GitLab-provided partials starting below */}} + +{{- define "ingress-nginx.tcp-configmap" -}} +{{ default (printf "%s-%s" (include "ingress-nginx.fullname" .) "tcp") .Values.tcpExternalConfig }} +{{- end -}} + +{{/* + Returns the load balancer IP sourced .Values.externalIpTPl. + By default this template renders the value of .Values.global.hosts.externalIP. +*/}} +{{- define "ingress-nginx.controller.service.globalLoadBalancerIP" -}} +{{ tpl .Values.externalIpTpl . }} +{{- end -}} + +{{/* +Returns the load balancer IP for the controller service. + +Uses the value rendered from `externalIpTPl` and falls back +to the .Values.controller.service.loadBalancerIP. +Ensures that the Geo Ingress Controller does not attempt to +use the same IP address as the main ingress. +*/}} +{{- define "ingress-nginx.controller.service.loadBalancerIP" -}} +{{- $globalLbIp := include "ingress-nginx.controller.service.globalLoadBalancerIP" . -}} +{{- $lbIp := coalesce $globalLbIp .Values.controller.service.loadBalancerIP -}} +{{- if $lbIp -}} +loadBalancerIP: {{ $lbIp }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml new file mode 100644 index 0000000..fd762f9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + {{- with .Values.controller.admissionWebhooks.existingPsp }} + - {{ . }} + {{- else }} + - {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml new file mode 100644 index 0000000..4990fb1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ingress-nginx.fullname" . }}-admission +subjects: + - kind: ServiceAccount + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml new file mode 100644 index 0000000..f3050d3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -0,0 +1,69 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-create + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +spec: +{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + # Alpha feature since k8s 1.12 + ttlSecondsAfterFinished: 0 +{{- end }} + template: + metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-create + {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 8 }} + app.kubernetes.io/component: admission-webhook + spec: + {{- if or $.Values.global.priorityClassName .Values.controller.admissionWebhooks.patch.priorityClassName }} + priorityClassName: {{ default $.Values.global.priorityClassName .Values.controller.admissionWebhooks.patch.priorityClassName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + containers: + - name: create + {{- with .Values.controller.admissionWebhooks.patch.image }} + image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} + args: + - create + - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }} + resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} + {{- end }} + restartPolicy: OnFailure + serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} + {{- else if include "gitlab.nodeSelector" . }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.tolerations }} + tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml new file mode 100644 index 0000000..1716b42 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -0,0 +1,71 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-patch + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +spec: +{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + # Alpha feature since k8s 1.12 + ttlSecondsAfterFinished: 0 +{{- end }} + template: + metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission-patch + {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 8 }} + app.kubernetes.io/component: admission-webhook + spec: + {{- if or .Values.global.priorityClassName .Values.controller.admissionWebhooks.patch.priorityClassName }} + priorityClassName: {{ default .Values.global.priorityClassName .Values.controller.admissionWebhooks.patch.priorityClassName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + containers: + - name: patch + {{- with .Values.controller.admissionWebhooks.patch.image }} + image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} + args: + - patch + - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }} + resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} + {{- end }} + restartPolicy: OnFailure + serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} + {{- else if include "gitlab.nodeSelector" . }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.tolerations }} + tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml new file mode 100644 index 0000000..d2c7de6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml new file mode 100644 index 0000000..9b083ee --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml new file mode 100644 index 0000000..edda07f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "ingress-nginx.fullname" . }}-admission +subjects: + - kind: ServiceAccount + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml new file mode 100644 index 0000000..1ff0f7f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "ingress-nginx.fullname" . }}-admission + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml new file mode 100644 index 0000000..712f74f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml @@ -0,0 +1,45 @@ +{{- if .Values.controller.admissionWebhooks.enabled -}} +# before changing this value, check the required kubernetes version +# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + {{- if .Values.controller.admissionWebhooks.annotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook + name: {{ include "ingress-nginx.fullname" . }}-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: {{ .Values.controller.admissionWebhooks.failurePolicy | default "Fail" }} + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + namespace: {{ .Release.Namespace | quote }} + name: {{ include "ingress-nginx.controller.fullname" . }}-admission + path: /networking/v1/ingresses + {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} + timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.namespaceSelector }} + namespaceSelector: {{ toYaml .Values.controller.admissionWebhooks.namespaceSelector | nindent 6 }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.objectSelector }} + objectSelector: {{ toYaml .Values.controller.admissionWebhooks.objectSelector | nindent 6 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/clusterrole.yaml new file mode 100644 index 0000000..fa60134 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/clusterrole.yaml @@ -0,0 +1,83 @@ +{{- if and .Values.rbac.create (not .Values.rbac.scope) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + name: {{ include "ingress-nginx.fullname" . }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }} + - apiGroups: + - "" + resources: + - namespaces + resourceNames: + - "{{ .Values.controller.scope.namespace }}" + verbs: + - get +{{- end }} + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..79253e2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.rbac.create (not .Values.rbac.scope) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + name: {{ include "ingress-nginx.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ingress-nginx.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "ingress-nginx.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-addheaders.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-addheaders.yaml new file mode 100644 index 0000000..c05db45 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-addheaders.yaml @@ -0,0 +1,15 @@ +{{/* GitLab labels included below */}} +{{- if .Values.controller.addHeaders -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers + namespace: {{ .Release.Namespace }} +data: {{ toYaml .Values.controller.addHeaders | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-proxyheaders.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-proxyheaders.yaml new file mode 100644 index 0000000..dbc32a9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-proxyheaders.yaml @@ -0,0 +1,20 @@ +{{/* GitLab labels included below */}} +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers + namespace: {{ .Release.Namespace }} +data: +{{- if .Values.controller.proxySetHeaders }} +{{ toYaml .Values.controller.proxySetHeaders | indent 2 }} +{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }} +{{ toYaml .Values.controller.headers | indent 2 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-tcp.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-tcp.yaml new file mode 100644 index 0000000..cd299fa --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-tcp.yaml @@ -0,0 +1,18 @@ +{{/* GitLab labels included below */}} +{{- if and .Values.tcp (not .Values.tcpExternalConfig) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.tcp.annotations }} + annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} +{{- end }} + name: {{ template "ingress-nginx.tcp-configmap" . }} + namespace: {{ .Release.Namespace }} +data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-udp.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-udp.yaml new file mode 100644 index 0000000..0ca58ea --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap-udp.yaml @@ -0,0 +1,18 @@ +{{/* GitLab labels included below */}} +{{- if .Values.udp -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.udp.annotations }} + annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.fullname" . }}-udp + namespace: {{ .Release.Namespace }} +data: {{ tpl (toYaml .Values.udp) . | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap.yaml new file mode 100644 index 0000000..8921a0d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-configmap.yaml @@ -0,0 +1,29 @@ +{{/* GitLab labels included below */}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +{{- if .Values.controller.configAnnotations }} + annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }} +{{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" +{{- if .Values.controller.addHeaders }} + add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers +{{- end }} +{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} + proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers +{{- end }} +{{- if .Values.dhParam }} + ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }} +{{- end }} +{{- range $key, $value := .Values.controller.config }} + {{ $key | nindent 2 }}: {{ $value | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-daemonset.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-daemonset.yaml new file mode 100644 index 0000000..5288d45 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-daemonset.yaml @@ -0,0 +1,267 @@ +{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + component: "{{ .Values.controller.name }}" + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.updateStrategy }} + updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + component: "{{ .Values.controller.name }}" + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.dnsConfig }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostname }} + hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if or .Values.global.priorityClassName .Values.controller.priorityClassName }} + priorityClassName: {{ default .Values.global.priorityClassName .Values.controller.priorityClassName }} + {{- end }} + {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} + securityContext: + {{- end }} + {{- if .Values.controller.podSecurityContext }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.controller.sysctls }} + sysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + containers: + - name: {{ .Values.controller.containerName }} + {{- with .Values.controller.image }} + image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{ include "gitlab.image.tagSuffix" $ }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.lifecycle }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + {{- if .Values.defaultBackend.enabled }} + - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} + {{- end }} + {{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} + {{- end }} + - --election-id={{ .Values.controller.electionID }} + - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }} + - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.tcp-configmap" . }} + {{- else if .Values.tcp }} + - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} + {{- end }} + {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }} + - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }} + {{- end }} + {{- if .Values.controller.maxmindMirror }} + - --maxmind-mirror={{ .Values.controller.maxmindMirror }} + {{- end}} + {{- if .Values.controller.maxmindLicenseKey }} + - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} + {{- end }} + {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} + - --health-check-path={{ .Values.controller.healthCheckPath }} + {{- end }} + {{- if .Values.controller.healthCheckHost }} + - --healthz-host={{ .Values.controller.healthCheckHost }} + {{- end }} + {{- if .Values.controller.ingressClassByName }} + - --ingress-class-by-name=true + {{- end }} + {{- if .Values.controller.watchIngressWithoutClass }} + - --watch-ingress-without-class=true + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.enableMimalloc }} + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + {{- end }} + {{- if .Values.controller.extraEnvs }} + {{- toYaml .Values.controller.extraEnvs | nindent 12 }} + {{- end }} + {{- if .Values.controller.startupProbe }} + startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} + {{- end }} + livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} + readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} + - name: gitlab-shell + containerPort: {{ include "gitlab.shell.port" . | int }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + containerPort: {{ $key }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + containerPort: {{ $key }} + protocol: UDP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: + {{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraInitContainers }} + initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostNetwork }} + hostNetwork: {{ .Values.controller.hostNetwork }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- else if include "gitlab.nodeSelector" . -}} + {{- include "gitlab.nodeSelector" . | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: + {{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-deployment.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-deployment.yaml new file mode 100644 index 0000000..18af1cd --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-deployment.yaml @@ -0,0 +1,273 @@ +{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + annotations: + {{- if include "gitlab.deploymentAnnotations" . }} + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} + {{- end }} + {{- if .Values.controller.annotations }} + {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + component: "{{ .Values.controller.name }}" + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.controller.updateStrategy }} + strategy: + {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + template: + metadata: + {{- if .Values.controller.podAnnotations }} + annotations: + {{- range $key, $value := .Values.controller.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + component: "{{ .Values.controller.name }}" + {{- include "gitlab.podLabels" . | nindent 8 }} + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.dnsConfig }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostname }} + hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if or $.Values.global.priorityClassName .Values.controller.priorityClassName }} + priorityClassName: {{ default $.Values.global.priorityClassName .Values.controller.priorityClassName }} + {{- end }} + {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} + securityContext: + {{- end }} + {{- if .Values.controller.podSecurityContext }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.controller.sysctls }} + sysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + containers: + - name: {{ .Values.controller.containerName }} + {{- with .Values.controller.image }} + image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{ include "gitlab.image.tagSuffix" $ }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.lifecycle }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- end }} + args: + - /nginx-ingress-controller + {{- if .Values.defaultBackend.enabled }} + - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} + {{- end }} + {{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }} + {{- end }} + - --election-id={{ .Values.controller.electionID }} + - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }} + - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} + - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.tcp-configmap" . }} + {{- else if .Values.tcp }} + - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp + {{- end }} + {{- if .Values.udp }} + - --udp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp + {{- end }} + {{- if .Values.controller.scope.enabled }} + - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} + {{- end }} + {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} + - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }} + - --validating-webhook-certificate={{ .Values.controller.admissionWebhooks.certificate }} + - --validating-webhook-key={{ .Values.controller.admissionWebhooks.key }} + {{- end }} + {{- if .Values.controller.maxmindLicenseKey }} + - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} + {{- end }} + {{- if .Values.controller.healthCheckHost }} + - --healthz-host={{ .Values.controller.healthCheckHost }} + {{- end }} + {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} + - --health-check-path={{ .Values.controller.healthCheckPath }} + {{- end }} + {{- if .Values.controller.ingressClassByName }} + - --ingress-class-by-name=true + {{- end }} + {{- if .Values.controller.watchIngressWithoutClass }} + - --watch-ingress-without-class=true + {{- end }} + {{- range $key, $value := .Values.controller.extraArgs }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: {{ .Values.controller.image.runAsUser }} + allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.controller.enableMimalloc }} + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + {{- end }} + {{- if .Values.controller.extraEnvs }} + {{- toYaml .Values.controller.extraEnvs | nindent 12 }} + {{- end }} + {{- if .Values.controller.startupProbe }} + startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} + {{- end }} + livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} + readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.controller.metrics.port }} + protocol: TCP + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook + containerPort: {{ .Values.controller.admissionWebhooks.port }} + protocol: TCP + {{- end }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} + - name: gitlab-shell + containerPort: {{ include "gitlab.shell.port" $ | int }} + protocol: TCP + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + containerPort: {{ $key }} + protocol: TCP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + containerPort: {{ $key }} + protocol: UDP + {{- if $.Values.controller.hostPort.enabled }} + hostPort: {{ $key }} + {{- end }} + {{- end }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }} + volumeMounts: + {{- if .Values.controller.customTemplate.configMapName }} + - mountPath: /etc/nginx/template + name: nginx-template-volume + readOnly: true + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + {{- end }} + {{- if .Values.controller.extraVolumeMounts }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.extraInitContainers }} + initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- end }} + {{- if .Values.controller.hostNetwork }} + hostNetwork: {{ .Values.controller.hostNetwork }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- else if include "gitlab.nodeSelector" . }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }} + volumes: + {{- if .Values.controller.customTemplate.configMapName }} + - name: nginx-template-volume + configMap: + name: {{ .Values.controller.customTemplate.configMapName }} + items: + - key: {{ .Values.controller.customTemplate.configMapKey }} + path: nginx.tmpl + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - name: webhook-cert + secret: + secretName: {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} + {{- if .Values.controller.extraVolumes }} + {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-hpa.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-hpa.yaml new file mode 100644 index 0000000..0875565 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-hpa.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} +{{- if not .Values.controller.keda.enabled }} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.controller.autoscaling "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + annotations: + {{- with .Values.controller.autoscaling.annotations }} + {{- toYaml . | trimSuffix "\n" | nindent 4 }} + {{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "ingress-nginx.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + {{- if (include "gitlab.hpa.supportsV2MetricsSpec" $hpaCfg) }} + target: + type: Utilization + averageUtilization: {{ . }} + {{- else }} + targetAverageUtilization: {{ . }} + {{- end }} + {{- end }} + {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + {{- if (include "gitlab.hpa.supportsV2MetricsSpec" $hpaCfg) }} + target: + type: Utilization + averageUtilization: {{ . }} + {{- else }} + targetAverageUtilization: {{ . }} + {{- end }} + {{- end }} + {{- with .Values.controller.autoscalingTemplate }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-ingressclass.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-ingressclass.yaml new file mode 100644 index 0000000..fce3eed --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-ingressclass.yaml @@ -0,0 +1,24 @@ +{{- if .Values.controller.ingressClassResource.enabled -}} +# We don't support namespaced ingressClass yet +# So a ClusterRole and a ClusterRoleBinding is required +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ tpl .Values.controller.ingressClassResource.name . }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: {{ .Values.controller.ingressClassResource.controllerValue }} + {{ template "ingressClass.parameters" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-keda.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-keda.yaml new file mode 100644 index 0000000..f1beb5c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-keda.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} +# https://keda.sh/docs/ + +apiVersion: {{ .Values.controller.keda.apiVersion }} +kind: ScaledObject +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: +{{- if eq .Values.controller.keda.apiVersion "keda.k8s.io/v1alpha1" }} + deploymentName: {{ include "ingress-nginx.controller.fullname" . }} +{{- else if eq .Values.controller.keda.apiVersion "keda.sh/v1alpha1" }} + name: {{ include "ingress-nginx.controller.fullname" . }} +{{- end }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} + +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000..fc4cdce --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,24 @@ +{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (and (not .Values.controller.autoscaling.enabled) (gt (.Values.controller.replicaCount | int) 1)) }} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + component: "{{ .Values.controller.name }}" + {{- if .Values.controller.maxUnavailable }} + maxUnavailable: {{ .Values.controller.maxUnavailable }} + {{- else }} + minAvailable: {{ .Values.controller.minAvailable }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-prometheusrules.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-prometheusrules.yaml new file mode 100644 index 0000000..4d31a4e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-prometheusrules.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "ingress-nginx.controller.fullname" . }} +{{- if .Values.controller.metrics.prometheusRule.namespace }} + namespace: {{ .Values.controller.metrics.prometheusRule.namespace | quote }} +{{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.metrics.prometheusRule.additionalLabels }} + {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }} + {{- end }} +spec: +{{- if .Values.controller.metrics.prometheusRule.rules }} + groups: + - name: {{ template "ingress-nginx.name" . }} + rules: {{- toYaml .Values.controller.metrics.prometheusRule.rules | nindent 4 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-psp.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-psp.yaml new file mode 100644 index 0000000..2bf0c07 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-psp.yaml @@ -0,0 +1,89 @@ +{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "ingress-nginx.fullname" . }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +spec: + allowedCapabilities: + - NET_BIND_SERVICE +{{- if .Values.controller.sysctls }} + allowedUnsafeSysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - {{ $sysctl }} + {{- end }} +{{- end }} + privileged: false + allowPrivilegeEscalation: true + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + #- 'projected' + - 'secret' + #- 'downwardAPI' +{{- if .Values.controller.hostNetwork }} + hostNetwork: {{ .Values.controller.hostNetwork }} +{{- end }} +{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} + hostPorts: +{{- if .Values.controller.hostNetwork }} +{{- range $key, $value := .Values.controller.containerPort }} + # {{ $key }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- else if .Values.controller.hostPort.enabled }} +{{- range $key, $value := .Values.controller.hostPort.ports }} + # {{ $key }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- end }} +{{- if .Values.controller.metrics.enabled }} + # metrics + - min: {{ .Values.controller.metrics.port }} + max: {{ .Values.controller.metrics.port }} +{{- end }} +{{- if .Values.controller.admissionWebhooks.enabled }} + # admission webhooks + - min: {{ .Values.controller.admissionWebhooks.port }} + max: {{ .Values.controller.admissionWebhooks.port }} +{{- end }} +{{- range $key, $value := .Values.tcp }} + # {{ $key }}-tcp + - min: {{ $key }} + max: {{ $key }} +{{- end }} +{{- range $key, $value := .Values.udp }} + # {{ $key }}-udp + - min: {{ $key }} + max: {{ $key }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + seLinux: + rule: 'RunAsAny' +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-role.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-role.yaml new file mode 100644 index 0000000..9924d61 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-role.yaml @@ -0,0 +1,108 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }} + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - {{ .Values.controller.electionID }} + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.electionID }} + verbs: + - get + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] + {{- with .Values.controller.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} + resourceNames: [{{ include "ingress-nginx.fullname" . }}] + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-rolebinding.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-rolebinding.yaml new file mode 100644 index 0000000..ef6708f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "ingress-nginx.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "ingress-nginx.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-internal.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-internal.yaml new file mode 100644 index 0000000..5feacaf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-internal.yaml @@ -0,0 +1,86 @@ +{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- range $key, $value := .Values.controller.service.internal.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.service.labels }} + {{- toYaml .Values.controller.service.labels | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }}-internal + namespace: {{ .Release.Namespace }} +spec: + type: "{{ .Values.controller.service.type }}" +{{- if .Values.controller.service.internal.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.service.internal.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.internal.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }} +{{- end }} + ports: + {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} + {{- if .Values.controller.service.enableHttp }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enableHttps }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if (and .Values.controller.service.internal.enableShell (include "gitlab.shell.port" $)) }} + - name: gitlab-shell + port: {{ include "gitlab.shell.port" $ | int }} + protocol: TCP + targetPort: gitlab-shell + {{- $nodePort := coalesce (index .Values.controller.service.nodePorts "gitlab-shell") .Values.global.shell.port }} + {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty $nodePort))) }} + nodePort: {{ $nodePort }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + port: {{ $key }} + protocol: TCP + targetPort: {{ $key }}-tcp + {{- if $.Values.controller.service.nodePorts.tcp }} + {{- if index $.Values.controller.service.nodePorts.tcp $key }} + nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} + {{- end }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + port: {{ $key }} + protocol: UDP + targetPort: {{ $key }}-udp + {{- if $.Values.controller.service.nodePorts.udp }} + {{- if index $.Values.controller.service.nodePorts.udp $key }} + nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} + {{- end }} + {{- end }} + {{- end }} + selector: + {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-metrics.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-metrics.yaml new file mode 100644 index 0000000..d785c63 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-metrics.yaml @@ -0,0 +1,48 @@ +{{- if .Values.controller.metrics.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.controller.metrics.service.annotations }} + annotations: {{ toYaml .Values.controller.metrics.service.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.metrics.service.labels }} + {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }}-metrics + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.controller.metrics.service.type }} +{{- if .Values.controller.metrics.service.clusterIP }} + clusterIP: {{ .Values.controller.metrics.service.clusterIP }} +{{- end }} +{{- if .Values.controller.metrics.service.externalIPs }} + externalIPs: {{ toYaml .Values.controller.metrics.service.externalIPs | nindent 4 }} +{{- end }} +{{- if .Values.controller.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.metrics.service.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- if .Values.controller.metrics.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }} +{{- end }} + ports: + - name: metrics + port: {{ .Values.controller.metrics.service.servicePort }} + protocol: TCP + targetPort: metrics + {{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }} + {{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }} + nodePort: {{ .Values.controller.metrics.service.nodePort }} + {{- end }} + selector: + {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-webhook.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-webhook.yaml new file mode 100644 index 0000000..75340ab --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service-webhook.yaml @@ -0,0 +1,37 @@ +{{- if .Values.controller.admissionWebhooks.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.controller.admissionWebhooks.service.annotations }} + annotations: {{ toYaml .Values.controller.admissionWebhooks.service.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ include "ingress-nginx.controller.fullname" . }}-admission + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.controller.admissionWebhooks.service.type }} +{{- if .Values.controller.admissionWebhooks.service.clusterIP }} + clusterIP: {{ .Values.controller.admissionWebhooks.service.clusterIP }} +{{- end }} +{{- if .Values.controller.admissionWebhooks.service.externalIPs }} + externalIPs: {{ toYaml .Values.controller.admissionWebhooks.service.externalIPs | nindent 4 }} +{{- end }} +{{- if .Values.controller.admissionWebhooks.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.admissionWebhooks.service.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ toYaml .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} + ports: + - name: https-webhook + port: 443 + targetPort: webhook + selector: + {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service.yaml new file mode 100644 index 0000000..3ef20d1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-service.yaml @@ -0,0 +1,106 @@ +{{- if .Values.controller.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.service.labels }} + {{- toYaml .Values.controller.service.labels | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.controller.service.type }} +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if .Values.controller.service.externalIPs }} + externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }} +{{- end }} +{{- include "ingress-nginx.controller.service.loadBalancerIP" . | nindent 2 }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} +{{- end }} +{{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} +{{- end }} +{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} +{{- end }} +{{- end }} +{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version -}} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- end }} + ports: + {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} + {{- if .Values.controller.service.enableHttp }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enableHttps }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} + - name: gitlab-shell + port: {{ include "gitlab.shell.port" $ | int }} + protocol: TCP + targetPort: gitlab-shell + {{- $nodePort := coalesce (index .Values.controller.service.nodePorts "gitlab-shell") .Values.global.shell.port }} + {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty $nodePort))) }} + nodePort: {{ $nodePort }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + - name: {{ $key }}-tcp + port: {{ $key }} + protocol: TCP + targetPort: {{ $key }}-tcp + {{- if $.Values.controller.service.nodePorts.tcp }} + {{- if index $.Values.controller.service.nodePorts.tcp $key }} + nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} + {{- end }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - name: {{ $key }}-udp + port: {{ $key }} + protocol: UDP + targetPort: {{ $key }}-udp + {{- if $.Values.controller.service.nodePorts.udp }} + {{- if index $.Values.controller.service.nodePorts.udp $key }} + nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} + {{- end }} + {{- end }} + {{- end }} + selector: + {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000..b811d01 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + name: {{ template "ingress-nginx.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000..9705189 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/controller-servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "ingress-nginx.controller.fullname" . }} +{{- if .Values.controller.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }} +{{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: metrics + interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }} + {{- end }} +{{- if .Values.controller.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} +{{- end }} +{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} + namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} +{{ else }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} +{{- if .Values.controller.metrics.serviceMonitor.targetLabels }} + targetLabels: + {{- range .Values.controller.metrics.serviceMonitor.targetLabels }} + - {{ . }} + {{- end }} +{{- end }} + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + component: "{{ .Values.controller.name }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-deployment.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-deployment.yaml new file mode 100644 index 0000000..45fff9f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-deployment.yaml @@ -0,0 +1,122 @@ +{{- if .Values.defaultBackend.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + {{- if include "gitlab.deploymentAnnotations" . }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + component: "{{ .Values.defaultBackend.name }}" +{{- if not .Values.defaultBackend.autoscaling.enabled }} + replicas: {{ .Values.defaultBackend.replicaCount }} +{{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: + {{- if .Values.defaultBackend.podAnnotations }} + annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "gitlab.podLabels" . | nindent 8 }} + {{- if .Values.defaultBackend.podLabels }} + {{- toYaml .Values.defaultBackend.podLabels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- end }} + {{- if or .Values.global.priorityClassName .Values.defaultBackend.priorityClassName }} + priorityClassName: {{ default .Values.global.priorityClassName .Values.defaultBackend.priorityClassName }} + {{- end }} + {{- if .Values.defaultBackend.podSecurityContext }} + securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ template "ingress-nginx.name" . }}-default-backend + {{- with .Values.defaultBackend.image }} + image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{ include "gitlab.image.tagSuffix" $ }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- end }} + imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} + {{- if .Values.defaultBackend.extraArgs }} + args: + {{- range $key, $value := .Values.defaultBackend.extraArgs }} + {{- /* Accept keys without values or with false as value */}} + {{- if eq ($value | quote | len) 2 }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + runAsUser: {{ .Values.defaultBackend.image.runAsUser }} + runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} + allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}} + {{- if .Values.defaultBackend.extraEnvs }} + env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.defaultBackend.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.defaultBackend.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.defaultBackend.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.defaultBackend.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.defaultBackend.port }} + scheme: HTTP + initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.defaultBackend.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.defaultBackend.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.defaultBackend.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.defaultBackend.readinessProbe.failureThreshold }} + ports: + - name: http + containerPort: {{ .Values.defaultBackend.port }} + protocol: TCP + {{- if .Values.defaultBackend.extraVolumeMounts }} + volumeMounts: {{- toYaml .Values.defaultBackend.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.defaultBackend.resources }} + resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }} + {{- end }} + {{- if .Values.defaultBackend.nodeSelector }} + nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} + {{- else if include "gitlab.nodeSelector" . }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + {{- if .Values.defaultBackend.tolerations }} + tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.defaultBackend.affinity }} + affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 60 + {{- if .Values.defaultBackend.extraVolumes }} + volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-hpa.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-hpa.yaml new file mode 100644 index 0000000..4df8851 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-hpa.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.backendConfig.autoscaling "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} + maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} + metrics: + {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + {{- if (include "gitlab.hpa.supportsV2MetricsSpec" $hpaCfg) }} + target: + type: Utilization + averageUtilization: {{ . }} + {{- else }} + targetAverageUtilization: {{ . }} + {{- end }} + {{- end }} + {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + {{- if (include "gitlab.hpa.supportsV2MetricsSpec" $hpaCfg) }} + target: + type: Utilization + averageUtilization: {{ . }} + {{- else }} + targetAverageUtilization: {{ . }} + {{- end }} + {{- end }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml new file mode 100644 index 0000000..ba21656 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml @@ -0,0 +1,24 @@ +{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + component: "{{ .Values.defaultBackend.name }}" + {{- if .Values.defaultBackend.maxUnavailable }} + maxUnavailable: {{ .Values.defaultBackend.maxUnavailable }} + {{- else }} + minAvailable: {{ .Values.defaultBackend.minAvailable }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-psp.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-psp.yaml new file mode 100644 index 0000000..5151068 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-psp.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "ingress-nginx.fullname" . }}-backend + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-role.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-role.yaml new file mode 100644 index 0000000..2c1b954 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-role.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ include "ingress-nginx.fullname" . }}-backend + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] + {{- with .Values.defaultBackend.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} + resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-rolebinding.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-rolebinding.yaml new file mode 100644 index 0000000..6a7b4ba --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ include "ingress-nginx.fullname" . }}-backend + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "ingress-nginx.fullname" . }}-backend +subjects: + - kind: ServiceAccount + name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-service.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-service.yaml new file mode 100644 index 0000000..ced88be --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-service.yaml @@ -0,0 +1,38 @@ +{{- if .Values.defaultBackend.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.defaultBackend.service.annotations }} + annotations: {{ toYaml .Values.defaultBackend.service.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.defaultBackend.service.type }} +{{- if .Values.defaultBackend.service.clusterIP }} + clusterIP: {{ .Values.defaultBackend.service.clusterIP }} +{{- end }} +{{- if .Values.defaultBackend.service.externalIPs }} + externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }} +{{- end }} +{{- if .Values.defaultBackend.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.defaultBackend.service.loadBalancerIP }} +{{- end }} +{{- if .Values.defaultBackend.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} + ports: + - name: http + port: {{ .Values.defaultBackend.service.servicePort }} + protocol: TCP + targetPort: http + selector: + {{- include "ingress-nginx.selectorLabels" . | nindent 4 }} + component: "{{ .Values.defaultBackend.name }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml new file mode 100644 index 0000000..c01f2c5 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/dh-param-secret.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/dh-param-secret.yaml new file mode 100644 index 0000000..bed6f5e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/templates/dh-param-secret.yaml @@ -0,0 +1,13 @@ +{{- with .Values.dhParam -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "ingress-nginx.controller.fullname" $ }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + component: "{{ .Values.controller.name }}" + {{- include "ingress-nginx.labels" $ | nindent 4 }} +data: + dhparam.pem: {{ . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/nginx-ingress/values.yaml b/kubernetes/Charts/gitlab/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000..c0e60d1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/nginx-ingress/values.yaml @@ -0,0 +1,887 @@ +## nginx configuration +## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md +## + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: + +controller: + name: controller + image: + registry: registry.gitlab.com + image: gitlab-org/cloud-native/mirror/images/ingress-nginx/controller + tag: "v1.3.1" + digest: sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974 + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + + # Use an existing PSP instead of creating one + existingPsp: "" + + # Configures the controller container name + containerName: controller + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} + + # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers + proxySetHeaders: {} + + # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # Optionally customize the pod dnsConfig. + dnsConfig: {} + + # Optionally customize the pod hostname. + hostname: {} + + # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + + # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + # Process Ingress objects without ingressClass annotation/ingressClassName field + # Overrides value for --watch-ingress-without-class flag of the controller binary + # Defaults to false + watchIngressWithoutClass: false + + # Process IngressClass per name (additionally as per spec.controller) + ingressClassByName: false + + # This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: + http: 80 + https: 443 + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + # This section refers to the creation of the IngressClass resource + # IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + ingressClassResource: + name: nginx + enabled: true + default: false + controllerValue: "k8s.io/ingress-nginx" + + # Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Security Context policies for controller pods + ## + podSecurityContext: {} + + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. + publishService: + enabled: true + ## Allows overriding of the publish service to bind to + ## Must be / + ## + pathOverride: "" + + ## Limit the scope of the controller + ## + scope: + enabled: false + namespace: "" # defaults to $(POD_NAMESPACE) + + ## Allows customization of the configmap / nginx-configmap namespace + ## + configMapNamespace: "" # defaults to $(POD_NAMESPACE) + + ## Allows customization of the tcp-services-configmap + ## + tcp: + configMapNamespace: "" # defaults to $(POD_NAMESPACE) + ## Annotations to be added to the tcp config configmap + annotations: {} + + ## Allows customization of the udp-services-configmap + ## + udp: + configMapNamespace: "" # defaults to $(POD_NAMESPACE) + ## Annotations to be added to the udp config configmap + annotations: {} + + # Maxmind license key to download GeoLite2 Databases + # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + + ## Additional command line arguments to pass to nginx-ingress-controller + ## E.g. to specify the default SSL certificate you can use + ## extraArgs: + ## default-ssl-certificate: "/" + extraArgs: {} + + ## Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + ## DaemonSet or Deployment + ## + kind: Deployment + + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + + # The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # minReadySeconds to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Affinity and anti-affinity + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" + + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 + + ## Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + ## GitLab change: disable default nodeSelector + # nodeSelector: + # kubernetes.io/os: linux + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + # startupProbe: + # httpGet: + # # should match container.healthCheckPath + # path: "/healthz" + # port: 10254 + # scheme: HTTP + # initialDelaySeconds: 5 + # periodSeconds: 5 + # timeoutSeconds: 2 + # successThreshold: 1 + # failureThreshold: 5 + livenessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + + + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + + # Address to bind the health check endpoint. + # It is better to set this option to the internal node address + # if the ingress nginx controller is running in the hostNetwork: true mode. + healthCheckHost: "" + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + # maxUnavailable: + + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. + # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + # limits: + # cpu: 100m + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + + # Mutually exclusive with keda autoscaling + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + # Custom annotations for ScaledObject resource + # annotations: + # key: value + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + annotations: {} + labels: {} + # clusterIP: "" + + ## List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + enableShell: true + + ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + ## the service controller allocates a port from your cluster’s NodePort range. + ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + ## Represents the dual-stack-ness requested or required by this Service. Possible values are + ## SingleStack, PreferDualStack or RequireDualStack. + ## The ipFamilies and clusterIPs fields depend on the value of this field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilyPolicy: "SingleStack" + + ## List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically + ## based on cluster configuration and the ipFamilyPolicy field. + ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipFamilies: + - IPv4 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + type: LoadBalancer + + # type: NodePort + # nodePorts: + # http: 32080 + # https: 32443 + # tcp: + # 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + + annotations: {} + + enableShell: false + + # loadBalancerIP: "" + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + extraVolumeMounts: [] + ## Additional volumeMounts to the controller main container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the controller pod. + # - name: copy-portal-skins + # emptyDir: {} + + extraInitContainers: [] + ## Containers, which are run before the app containers are started. + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + admissionWebhooks: + annotations: {} + enabled: true + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + + # Use an existing PSP instead of creating one + existingPsp: "" + + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + createSecretJob: + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + patchWebhookJob: + resources: {} + + patch: + enabled: true + image: + registry: registry.k8s.io + image: ingress-nginx/kube-webhook-certgen + # for backwards compatibility consider setting the full image url via the repository value below + # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # repository: + tag: v1.1.1 + digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 + pullPolicy: IfNotPresent + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + ## GitLab change: disable default nodeSelector + # nodeSelector: + # kubernetes.io/os: linux + tolerations: [] + runAsUser: 2000 + + metrics: + port: 10254 + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + ## List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 10254 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + + serviceMonitor: + enabled: false + additionalLabels: {} + # The label to use to retrieve the job name from. + # jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + # Default: scrape .Release.Namespace only + # To scrape all, use the following: + # namespaceSelector: + # any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + metricRelabelings: [] + + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + + priorityClassName: "" + +## Rollback limit +## +revisionHistoryLimit: 10 + +## Default 404 backend +## +defaultBackend: + ## + enabled: false + + name: defaultbackend + image: + repository: registry.gitlab.com/gitlab-org/cloud-native/mirror/images/defaultbackend-amd64 + tag: "1.5" + digest: sha256:4dc5e07c8ca4e23bddb3153737d7b8c556e5fb2f29c4558b7cd6e6df99c512c7 + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # Use an existing PSP instead of creating one + existingPsp: "" + + extraArgs: {} + + serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + ## Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + ## GitLab change: disable default nodeSelector + # nodeSelector: + # kubernetes.io/os: linux + + ## Annotations to be added to default backend pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + # maxUnavailable: + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + extraVolumeMounts: [] + ## Additional volumeMounts to the default backend container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the default backend pod. + # - name: copy-portal-skins + # emptyDir: {} + + autoscaling: + annotations: {} + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + behavior: {} + + service: + annotations: {} + + # clusterIP: "" + + ## List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + +## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266 +rbac: + create: true + scope: false + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + +## Optional array of imagePullSecrets containing private registry credentials +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: secretName + +# TCP service key:value pairs +# Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md +## +tcp: {} +# 8080: "default/example-tcp-svc:9000" + +# UDP service key:value pairs +# Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md +## +udp: {} +# 53: "kube-system/kube-dns:53" + +# A base64ed Diffie-Hellman parameter +# This can be generated with: openssl dhparam 4096 2> /dev/null | base64 +# Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param +dhParam: + +## GitLab-provided values starting below + +# Use an external configmap instead of generating the configmap from this chart. +# Contents must match spec format for ingress-nginx and tcp ports must still be specified +# using `tcp` setting above (although service name is meaningless with an external config) +# e.g +# --set tcp.22=ssh --set tcpExternalConfig=mynamespace/customconfigmap +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp +## +tcpExternalConfig: "" + +common: + labels: {} + +externalIpTpl: '{{ .Values.global.hosts.externalIP }}' diff --git a/kubernetes/Charts/gitlab/charts/postgresql/.helmignore b/kubernetes/Charts/gitlab/charts/postgresql/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/Charts/gitlab/charts/postgresql/Chart.lock b/kubernetes/Charts/gitlab/charts/postgresql/Chart.lock new file mode 100644 index 0000000..424a235 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.2.5 +digest: sha256:318f438acfeaced11d9060877d615caf1985417d2865810defaa886d3496f8d3 +generated: "2023-05-08T19:26:58.084687094Z" diff --git a/kubernetes/Charts/gitlab/charts/postgresql/Chart.yaml b/kubernetes/Charts/gitlab/charts/postgresql/Chart.yaml new file mode 100644 index 0000000..38b285b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/Chart.yaml @@ -0,0 +1,30 @@ +annotations: + category: Database + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 15.3.0 +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: PostgreSQL (Postgres) is an open source object-relational database known + for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, + views, triggers and stored procedures. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- name: VMware, Inc. + url: https://github.com/bitnami/charts +name: postgresql +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/postgresql +version: 12.5.2 diff --git a/kubernetes/Charts/gitlab/charts/postgresql/README.md b/kubernetes/Charts/gitlab/charts/postgresql/README.md new file mode 100644 index 0000000..9894741 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/README.md @@ -0,0 +1,683 @@ + + +# PostgreSQL packaged by Bitnami + +PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures. + +[Overview of PostgreSQL](http://www.postgresql.org) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha) + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```console +kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | +| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | + +### Common parameters + +| Name | Description | Value | +| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override common.names.fullname template | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` | + +### PostgreSQL common parameters + +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `image.registry` | PostgreSQL image registry | `docker.io` | +| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r0` | +| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` | +| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` | +| `auth.database` | Name for a custom database to create | `""` | +| `auth.replicationUsername` | Name of the replication user | `repl_user` | +| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` | +| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` | +| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` | +| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` | +| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` | +| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` | +| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `containerPorts.postgresql` | PostgreSQL container port | `5432` | +| `audit.logHostname` | Log client hostnames | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` | +| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` | +| `audit.clientMinMessages` | Message log level to share with the user | `error` | +| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` | +| `audit.logTimezone` | Timezone for the log timestamps | `""` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.server` | IP address or name of the LDAP server. | `""` | +| `ldap.port` | Port number on the LDAP server to connect to | `""` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` | +| `ldap.basedn` | Root DN to begin the search for the user in | `""` | +| `ldap.binddn` | DN of user to bind to LDAP | `""` | +| `ldap.bindpw` | Password for the user to bind to LDAP | `""` | +| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` | +| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` | +| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` | +| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` | +| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `""` | + +### PostgreSQL Primary parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | +| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | +| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | +| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | +| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | +| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | +| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | +| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | +| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | +| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | +| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | +| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | +| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | +| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | +| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` | +| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` | +| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.command` | Override default container command (useful when using custom images) | `[]` | +| `primary.args` | Override default container args (useful when using custom images) | `[]` | +| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | +| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` | +| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | +| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | +| `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `primary.containerSecurityContext.enabled` | Enable container security context | `true` | +| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | +| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | +| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | +| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | +| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | +| `primary.service.type` | Kubernetes Service type | `ClusterIP` | +| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | +| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` | +| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | +| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` | +| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `primary.persistence.annotations` | Annotations for the PVC | `{}` | +| `primary.persistence.labels` | Labels for the PVC | `{}` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `primary.persistence.dataSource` | Custom PVC data source | `{}` | + +### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) + +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | +| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` | +| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` | +| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` | +| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` | +| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` | +| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` | +| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` | +| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | +| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` | +| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | +| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` | +| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | +| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` | +| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | +| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | +| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` | +| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | +| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` | +| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` | +| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` | +| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` | +| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` | +| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | +| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | +| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` | +| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` | +| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` | +| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` | +| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` | +| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` | +| `readReplicas.persistence.labels` | Labels for the PVC | `{}` | +| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | + +### NetworkPolicy parameters + +| Name | Description | Value | +| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable network policies | `false` | +| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` | +| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | +| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` | +| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` | + +### Volume Permissions parameters + +| Name | Description | Value | +| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r115` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | + +### Other Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | + +### Metrics Parameters + +| Name | Description | Value | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.12.0-debian-11-r86` | +| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | +| `metrics.customMetrics` | Define additional custom metrics | `{}` | +| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | +| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` | +| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` | +| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set auth.postgresPassword=secretpassword + oci://registry-1.docker.io/bitnamicharts/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. +> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. + +You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. + +In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +- First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +- Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +```text + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +```text +postgresql.auth.username=testuser +subchart1.postgresql.auth.username=testuser +subchart2.postgresql.auth.username=testuser +postgresql.auth.password=testpass +subchart1.postgresql.auth.password=testpass +subchart2.postgresql.auth.password=testpass +postgresql.auth.database=testdb +subchart1.postgresql.auth.database=testdb +subchart2.postgresql.auth.database=testdb +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +```text +global.postgresql.auth.username=testuser +global.postgresql.auth.password=testpass +global.postgresql.auth.database=testdb +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false +- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. + podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 12.0.0 + +This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x. + +### To any previous version + +Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/). + +## License + +Copyright © 2023 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/.helmignore b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/Chart.yaml b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 0000000..8f0fff6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + category: Infrastructure + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 2.2.5 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/main/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 2.2.5 diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/README.md b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/README.md new file mode 100644 index 0000000..6381c3b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/README.md @@ -0,0 +1,233 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2023 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_affinities.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 0000000..81902a6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,106 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_capabilities.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 0000000..9d9b760 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,154 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_errors.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 0000000..a79cc2e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_images.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 0000000..2e7b151 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,80 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_ingress.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 0000000..831da9c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_labels.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 0000000..252066c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_names.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 0000000..617a234 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,66 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_secrets.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 0000000..a1708b2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,165 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | quote }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. + +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else -}} + {{- $value = $defaultValue | toString | b64enc -}} +{{- end -}} +{{- printf "%s" $value -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_storage.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 0000000..60e2a84 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_tplvalues.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 0000000..2db1668 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_utils.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 0000000..5b5c96e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_warnings.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 0000000..ae10fa4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 0000000..ded1ae3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 0000000..b6906ff --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 0000000..f820ec1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 0000000..74472a0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 0000000..164ec0d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_redis.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 0000000..dcccfc1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_validations.tpl b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 0000000..9a814cf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/charts/common/values.yaml b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/values.yaml new file mode 100644 index 0000000..f2df68e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/postgresql/templates/NOTES.txt new file mode 100644 index 0000000..21b3d29 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,91 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh + +{{- else }} + +PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster: + + {{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection + +{{- if eq .Values.architecture "replication" }} + + {{ include "postgresql.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection + +{{- end }} + +{{- $customUser := include "postgresql.username" . }} +{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.adminPasswordKey" .}}}" | base64 -d) + +To get the password for "{{ $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.userPasswordKey" .}}}" | base64 -d) + +{{- else }} + +To get the password for "{{ default "postgres" $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d) + +{{- end }} + +To connect to your database run the following command: + + kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \ + --command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} + + > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist" + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.primary.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }}) + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.primary.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.primary.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} & + PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} + +{{- end }} +{{- end }} + +WARNING: The configured password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. + +{{- include "postgresql.validateValues" . -}} +{{- include "common.warnings.rollingTag" .Values.image -}} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 0000000..8189380 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,399 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified app name for PostgreSQL Primary objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- if eq .Values.architecture "replication" }} + {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "common.names.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name for PostgreSQL read-only replicas objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.readReplica.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL primary headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.primary.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL read-only replicas headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.readReplica.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Return the name for a custom user to create +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.auth.username }} + {{- .Values.global.postgresql.auth.username -}} +{{- else -}} + {{- .Values.auth.username -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name for a custom database to create +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.auth.database }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}} +{{- else if .Values.auth.database -}} + {{- printf "%s" (tpl .Values.auth.database $) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.auth.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}} +{{- else if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the replication-password key. +*/}} +{{- define "postgresql.replicationPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }} + {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.replicationPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}} + {{- else -}} + {{- "replication-password" -}} + {{- end -}} +{{- else -}} + {{- "replication-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Get the admin-password key. +*/}} +{{- define "postgresql.adminPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }} + {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.adminPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}} + {{- end -}} +{{- else -}} + {{- "postgres-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Get the user-password key. +*/}} +{{- define "postgresql.userPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }} + {{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") }} + {{- printf "%s" (include "postgresql.adminPasswordKey" .) -}} + {{- else -}} + {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.userPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- ternary "password" "postgres-password" (and (not (empty (include "postgresql.username" .))) (ne (include "postgresql.username" .) "postgres")) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql }} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.primary.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.readReplica.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql }} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.readReplicas.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary configuration ConfigMap name. +*/}} +{{- define "postgresql.primary.configmapName" -}} +{{- if .Values.primary.existingConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the configuration +*/}} +{{- define "postgresql.primary.createConfigmap" -}} +{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary extended configuration ConfigMap name. +*/}} +{{- define "postgresql.primary.extendedConfigmapName" -}} +{{- if .Values.primary.existingExtendedConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}} +{{- else -}} + {{- printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL read replica extended configuration ConfigMap name. +*/}} +{{- define "postgresql.readReplicas.extendedConfigmapName" -}} + {{- printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the extended configuration +*/}} +{{- define "postgresql.primary.createExtendedConfigmap" -}} +{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration +*/}} +{{- define "postgresql.readReplicas.createExtendedConfigmap" -}} +{{- if .Values.readReplicas.extendedConfiguration }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "postgresql.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdb.scriptsCM" -}} +{{- if .Values.primary.initdb.scriptsConfigMap -}} + {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}} +{{- else -}} + {{- printf "%s-init-scripts" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{/* +Return true if TLS is enabled for LDAP connection +*/}} +{{- define "postgresql.ldap.tls.enabled" -}} +{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) }} + {{- true -}} +{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +{{- $customUser := include "postgresql.username" . }} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- else }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} +{{- else -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} +{{- else -}} + {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "postgresql.createTlsSecret" -}} +{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsSecretName" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- else -}} + {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/extra-list.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 0000000..9ac65f9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/networkpolicy-egress.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/networkpolicy-egress.yaml new file mode 100644 index 0000000..e862147 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/networkpolicy-egress.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-egress" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + - namespaceSelector: {} + {{- end }} + {{- if .Values.networkPolicy.egressRules.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/configmap.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/configmap.yaml new file mode 100644 index 0000000..d654a22 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/configmap.yaml @@ -0,0 +1,24 @@ +{{- if (include "postgresql.primary.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if .Values.primary.configuration }} + postgresql.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.pgHbaConfiguration }} + pg_hba.conf: | + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/extended-configmap.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/extended-configmap.yaml new file mode 100644 index 0000000..d129bd3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/extended-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "postgresql.primary.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/initialization-configmap.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/initialization-configmap.yaml new file mode 100644 index 0000000..d3d26cb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/initialization-configmap.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/metrics-configmap.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/metrics-configmap.yaml new file mode 100644 index 0000000..8ad2f35 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/metrics-configmap.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/metrics-svc.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/metrics-svc.yaml new file mode 100644 index 0000000..a38b52a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/metrics-svc.yaml @@ -0,0 +1,33 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/networkpolicy.yaml new file mode 100644 index 0000000..ce0052d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/networkpolicy.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + ingress: + {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} + - from: + {{- if .Values.networkPolicy.metrics.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.metrics.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} + - from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + app.kubernetes.io/component: read + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/servicemonitor.yaml new file mode 100644 index 0000000..c4a19fe --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/statefulset.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/statefulset.yaml new file mode 100644 index 0000000..0e312ea --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/statefulset.yaml @@ -0,0 +1,640 @@ +{{- $customUser := include "postgresql.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.primary.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + replicas: 1 + serviceName: {{ include "postgresql.primary.svc.headless" . }} + {{- if .Values.primary.updateStrategy }} + updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + template: + metadata: + name: {{ include "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.primary.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if or (include "postgresql.primary.createConfigmap" .) (include "postgresql.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }} + annotations: + {{- if (include "postgresql.primary.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if (include "postgresql.primary.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.primary.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.primary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.serviceAccountName" . }} + {{- include "postgresql.imagePullSecrets" . | nindent 6 }} + {{- if .Values.primary.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + {{- if .Values.primary.schedulerName }} + schedulerName: {{ .Values.primary.schedulerName | quote }} + {{- end }} + {{- if .Values.primary.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.primary.podSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.primary.hostNetwork }} + hostIPC: {{ .Values.primary.hostIPC }} + {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.tlsCertKey" . }} + volumeMounts: + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.primary.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }} + {{- else }} + chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.primary.persistence.enabled }} + - name: data + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.primary.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.primary.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.primary.persistence.mountPath | quote }} + {{- if .Values.primary.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if and (not (empty $customUser)) (ne $customUser "postgres") }} + - name: POSTGRES_USER + value: {{ $customUser | quote }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.adminPasswordKey" . }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + # Replication + {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }} + - name: POSTGRES_REPLICATION_MODE + value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }} + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.replicationPasswordKey" . }} + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off") }} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + # Initdb + {{- if .Values.primary.initdb.args }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.primary.initdb.args | quote }} + {{- end }} + {{- if .Values.primary.initdb.postgresqlWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.primary.initdb.postgresqlWalDir | quote }} + {{- end }} + {{- if .Values.primary.initdb.user }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.primary.initdb.user }} + {{- end }} + {{- if .Values.primary.initdb.password }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.primary.initdb.password | quote }} + {{- end }} + # Standby + {{- if .Values.primary.standby.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primary.standby.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primary.standby.primaryPort | quote }} + {{- end }} + # LDAP + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + {{- if or .Values.ldap.url .Values.ldap.uri }} + - name: POSTGRESQL_LDAP_URL + value: {{ coalesce .Values.ldap.url .Values.ldap.uri }} + {{- else }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if (include "postgresql.ldap.tls.enabled" .) }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}} + {{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: ldap-password + {{- end }} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }} + {{- end }} + {{- end }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.primary.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} + envFrom: + {{- if .Values.primary.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.primary.extraEnvVarsCM }} + {{- end }} + {{- if .Values.primary.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.primary.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.primary.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.primary.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.primary.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + {{- end }} + {{- end }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + {{- if .Values.primary.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.primary.persistence.enabled }} + - name: data + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.customMetrics }} + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + - name: DATA_SOURCE_USER + value: {{ default "postgres" $customUser | quote }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- end }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.primary.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + configMap: + name: {{ include "postgresql.primary.configmapName" . }} + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.primary.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.secretName" . }} + {{- end }} + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + configMap: + name: {{ include "postgresql.initdb.scriptsCM" . }} + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.primary.persistence.existingClaim $ }} + {{- else if not .Values.primary.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + {{- if .Values.primary.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.primary.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.primary.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.primary.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.primary.persistence.size | quote }} + {{- if .Values.primary.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/svc-headless.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/svc-headless.yaml new file mode 100644 index 0000000..684177a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/svc-headless.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.primary.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: primary + {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.primary.service.headless.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.service.headless.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.service.port" . }} + targetPort: tcp-postgresql + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/svc.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/svc.yaml new file mode 100644 index 0000000..6ddd55b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/primary/svc.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: primary + {{- if or .Values.commonAnnotations .Values.primary.service.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.primary.service.type }} + {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} + {{- end }} + {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }} + clusterIP: {{ .Values.primary.service.clusterIP }} + {{- end }} + {{- if .Values.primary.service.sessionAffinity }} + sessionAffinity: {{ .Values.primary.service.sessionAffinity }} + {{- end }} + {{- if .Values.primary.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.primary.service.nodePorts.postgresql }} + {{- else if eq .Values.primary.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.primary.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/prometheusrule.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 0000000..24be710 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.prometheusRule.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/psp.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/psp.yaml new file mode 100644 index 0000000..48d1175 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/psp.yaml @@ -0,0 +1,41 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.psp.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/extended-configmap.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/extended-configmap.yaml new file mode 100644 index 0000000..e329d13 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/extended-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/metrics-configmap.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/metrics-configmap.yaml new file mode 100644 index 0000000..b00a6ec --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/metrics-configmap.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/metrics-svc.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/metrics-svc.yaml new file mode 100644 index 0000000..6f54ed2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/metrics-svc.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics-read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/networkpolicy.yaml new file mode 100644 index 0000000..c969cd7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: read + ingress: + {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/servicemonitor.yaml new file mode 100644 index 0000000..d511d6b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics-read + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics-read + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/statefulset.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/statefulset.yaml new file mode 100644 index 0000000..6d35e47 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/statefulset.yaml @@ -0,0 +1,537 @@ +{{- if eq .Values.architecture "replication" }} +{{- $customUser := include "postgresql.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.readReplicas.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + replicas: {{ .Values.readReplicas.replicaCount }} + serviceName: {{ include "postgresql.readReplica.svc.headless" . }} + {{- if .Values.readReplicas.updateStrategy }} + updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: read + template: + metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if or (include "postgresql.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }} + annotations: + {{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ include (print $.Template.BasePath "/read/extended-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.readReplicas.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.readReplicas.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.serviceAccountName" . }} + {{- include "postgresql.imagePullSecrets" . | nindent 6 }} + {{- if .Values.readReplicas.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + {{- if .Values.readReplicas.schedulerName }} + schedulerName: {{ .Values.readReplicas.schedulerName | quote }} + {{- end }} + {{- if .Values.readReplicas.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.readReplicas.podSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.readReplicas.hostNetwork }} + hostIPC: {{ .Values.readReplicas.hostIPC }} + {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.tlsCertKey" . }} + volumeMounts: + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.readReplicas.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }} + {{- else }} + chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.readReplicas.persistence.enabled }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.readReplicas.persistence.mountPath | quote }} + {{- if .Values.readReplicas.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.adminPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + # Replication + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.replicationPasswordKey" . }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ include "postgresql.primary.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.service.port" . | quote }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.readReplicas.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }} + envFrom: + {{- if .Values.readReplicas.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.readReplicas.extraEnvVarsCM }} + {{- end }} + {{- if .Values.readReplicas.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.readReplicas.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.readReplicas.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.readReplicas.extendedConfiguration }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.readReplicas.persistence.enabled }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.customMetrics }} + args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ] + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + - name: DATA_SOURCE_USER + value: {{ default "postgres" $customUser | quote }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- end }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.readReplicas.extendedConfiguration }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.readReplicas.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.secretName" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }} + {{- else if not .Values.readReplicas.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + {{- if .Values.readReplicas.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.readReplicas.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.readReplicas.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.readReplicas.persistence.size | quote }} + {{- if .Values.readReplicas.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/svc-headless.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/svc-headless.yaml new file mode 100644 index 0000000..ee8f756 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/svc-headless.yaml @@ -0,0 +1,39 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.readReplica.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: read + {{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.readReplicas.service.headless.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.service.headless.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ include "postgresql.readReplica.service.port" . }} + targetPort: tcp-postgresql + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/read/svc.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/svc.yaml new file mode 100644 index 0000000..c308c3f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/read/svc.yaml @@ -0,0 +1,55 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: read + {{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.readReplicas.service.type }} + {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }} + {{- end }} + {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }} + clusterIP: {{ .Values.readReplicas.service.clusterIP }} + {{- end }} + {{- if .Values.readReplicas.service.sessionAffinity }} + sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }} + {{- end }} + {{- if .Values.readReplicas.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ include "postgresql.readReplica.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }} + {{- else if eq .Values.readReplicas.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.readReplicas.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/role.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/role.yaml new file mode 100644 index 0000000..00f9222 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/role.yaml @@ -0,0 +1,31 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +# yamllint disable rule:indentation +rules: + {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} + {{- if and $pspAvailable .Values.psp.create }} + - apiGroups: + - 'policy' + resources: + - 'podsecuritypolicies' + verbs: + - 'use' + resourceNames: + - {{ include "common.names.fullname" . }} + {{- end }} + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} +# yamllint enable rule:indentation +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 0000000..0311c0e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + kind: Role + name: {{ include "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "postgresql.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/secrets.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/secrets.yaml new file mode 100644 index 0000000..e3d6e7a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,103 @@ +{{- $host := include "postgresql.primary.fullname" . }} +{{- $port := include "postgresql.service.port" . }} +{{- $postgresPassword := "" }} +{{- if .Values.auth.enablePostgresUser }} +{{- $postgresPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.adminPasswordKey "providedValues" (list "global.postgresql.auth.postgresPassword" "auth.postgresPassword") "context" $) | trimAll "\"" | b64dec }} +{{- end }} +{{- $replicationPassword := "" }} +{{- if eq .Values.architecture "replication" }} +{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.replicationPasswordKey "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }} +{{- end }} +{{- $ldapPassword := "" }} +{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} +{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }} +{{- end }} +{{- $customUser := include "postgresql.username" . }} +{{- $password := "" }} +{{- if not (empty (include "postgresql.username" .)) }} +{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.userPasswordKey "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }} +{{- end }} +{{- $database := include "postgresql.database" . }} +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if .Values.auth.enablePostgresUser }} + postgres-password: {{ $postgresPassword | b64enc | quote }} + {{- end }} + {{- if not (empty (include "postgresql.username" .)) }} + password: {{ $password | b64enc | quote }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + replication-password: {{ $replicationPassword | b64enc | quote }} + {{- end }} + # We don't auto-generate LDAP password when it's not provided as we do for other passwords + {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} + ldap-password: {{ $ldapPassword | b64enc | quote }} + {{- end }} +{{- end }} +{{- if .Values.serviceBindings.enabled }} +{{- if .Values.auth.enablePostgresUser }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-postgres + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/postgresql +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "postgresql" | b64enc | quote }} + host: {{ $host | b64enc | quote }} + port: {{ $port | b64enc | quote }} + username: {{ print "postgres" | b64enc | quote }} + database: {{ print "postgres" | b64enc | quote }} + password: {{ $postgresPassword | b64enc | quote }} + uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }} +{{- end }} +{{- if and (not (empty $customUser)) (ne $customUser "postgres") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-custom-user + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/postgresql +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "postgresql" | b64enc | quote }} + host: {{ $host | b64enc | quote }} + port: {{ $port | b64enc | quote }} + username: {{ $customUser | b64enc | quote }} + password: {{ $password | b64enc | quote }} + {{- if $database }} + database: {{ $database | b64enc | quote }} + {{- end }} + uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 0000000..179f8f2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "postgresql.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/templates/tls-secrets.yaml b/kubernetes/Charts/gitlab/charts/postgresql/templates/tls-secrets.yaml new file mode 100644 index 0000000..482e298 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/templates/tls-secrets.yaml @@ -0,0 +1,28 @@ +{{- if (include "postgresql.createTlsSecret" . ) }} +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} +{{- $ca := genCA "postgresql-ca" 365 }} +{{- $fullname := include "common.names.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }} +{{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} +{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/values.schema.json b/kubernetes/Charts/gitlab/charts/postgresql/values.schema.json new file mode 100644 index 0000000..fc41483 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/values.schema.json @@ -0,0 +1,156 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "PostgreSQL architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enablePostgresUser": { + "type": "boolean", + "title": "Enable \"postgres\" admin user", + "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user", + "form": true + }, + "postgresPassword": { + "type": "string", + "title": "Password for the \"postgres\" admin user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "database": { + "type": "string", + "title": "PostgreSQL custom database", + "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL", + "form": true + }, + "username": { + "type": "string", + "title": "PostgreSQL custom user", + "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for the custom user to create", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "replicationUsername": { + "type": "string", + "title": "PostgreSQL replication user", + "description": "Name of user used to manage replication.", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "replicationPassword": { + "type": "string", + "title": "Password for PostgreSQL replication user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/kubernetes/Charts/gitlab/charts/postgresql/values.yaml b/kubernetes/Charts/gitlab/charts/postgresql/values.yaml new file mode 100644 index 0000000..ec802fe --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/postgresql/values.yaml @@ -0,0 +1,1425 @@ +## @section Global parameters +## Please, note that this will override the parameters, including dependencies, configured to use the global value +## +global: + ## @param global.imageRegistry Global Docker image registry + ## + imageRegistry: "" + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## e.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## + storageClass: "" + postgresql: + ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) + ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) + ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) + ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) + ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). + ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## + auth: + postgresPassword: "" + username: "" + password: "" + database: "" + existingSecret: "" + secretKeys: + adminPasswordKey: "" + userPasswordKey: "" + replicationPasswordKey: "" + ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) + ## + service: + ports: + postgresql: "" + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the statefulset + ## + args: + - infinity + +## @section PostgreSQL common parameters +## + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## @param image.registry PostgreSQL image registry +## @param image.repository PostgreSQL image repository +## @param image.tag PostgreSQL image tag (immutable tags are recommended) +## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy PostgreSQL image pull policy +## @param image.pullSecrets Specify image pull secrets +## @param image.debug Specify if debug values should be set +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 15.3.0-debian-11-r0 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Authentication parameters +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run +## +auth: + ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user + ## + enablePostgresUser: true + ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided + ## + postgresPassword: "" + ## @param auth.username Name for a custom user to create + ## + username: "" + ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided + ## + password: "" + ## @param auth.database Name for a custom database to create + ## + database: "" + ## @param auth.replicationUsername Name of the replication user + ## + replicationUsername: repl_user + ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided + ## + replicationPassword: "" + ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. + ## + existingSecret: "" + ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## + secretKeys: + adminPasswordKey: postgres-password + userPasswordKey: password + replicationPasswordKey: replication-password + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false +## @param architecture PostgreSQL architecture (`standalone` or `replication`) +## +architecture: standalone +## Replication configuration +## Ignored if `architecture` is `standalone` +## +replication: + ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` + ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. + ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT + ## + synchronousCommit: "off" + numSynchronousReplicas: 0 + ## @param replication.applicationName Cluster application name. Useful for advanced replication settings + ## + applicationName: my_application +## @param containerPorts.postgresql PostgreSQL container port +## +containerPorts: + postgresql: 5432 +## Audit settings +## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing +## @param audit.logHostname Log client hostnames +## @param audit.logConnections Add client log-in operations to the log file +## @param audit.logDisconnections Add client log-outs operations to the log file +## @param audit.pgAuditLog Add operations to log using the pgAudit extension +## @param audit.pgAuditLogCatalog Log catalog using pgAudit +## @param audit.clientMinMessages Message log level to share with the user +## @param audit.logLinePrefix Template for log line prefix (default if not set) +## @param audit.logTimezone Timezone for the log timestamps +## +audit: + logHostname: false + logConnections: false + logDisconnections: false + pgAuditLog: "" + pgAuditLogCatalog: "off" + clientMinMessages: error + logLinePrefix: "" + logTimezone: "" +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead +## @param ldap.server IP address or name of the LDAP server. +## @param ldap.port Port number on the LDAP server to connect to +## @param ldap.prefix String to prepend to the user name when forming the DN to bind +## @param ldap.suffix String to append to the user name when forming the DN to bind +## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead +## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead +## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead +## @param ldap.basedn Root DN to begin the search for the user in +## @param ldap.binddn DN of user to bind to LDAP +## @param ldap.bindpw Password for the user to bind to LDAP +## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead +## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead +## @param ldap.searchAttribute Attribute to match against the user name in the search +## @param ldap.searchFilter The search filter to use when doing search+bind authentication +## @param ldap.scheme Set to `ldaps` to use LDAPS +## DEPRECATED ldap.tls as string is deprecated,please use 'ldap.tls.enabled' instead +## @param ldap.tls.enabled Se to true to enable TLS encryption +## +ldap: + enabled: false + server: "" + port: "" + prefix: "" + suffix: "" + basedn: "" + binddn: "" + bindpw: "" + searchAttribute: "" + searchFilter: "" + scheme: "" + tls: + enabled: false + ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. + ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html + ## + uri: "" +## @param postgresqlDataDir PostgreSQL data dir folder +## +postgresqlDataDir: /bitnami/postgresql/data +## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) +## +postgresqlSharedPreloadLibraries: "pgaudit" +## Start PostgreSQL pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` +## ref: https://github.com/docker-library/postgres/issues/416 +## ref: https://github.com/containerd/containerd/issues/3654 +## +shmVolume: + ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) + ## + enabled: true + ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs + ## Note: the size of the tmpfs counts against container's memory limit + ## e.g: + ## sizeLimit: 1Gi + ## + sizeLimit: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic support + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's + ## + preferServerCiphers: true + ## @param tls.certificatesSecret Name of an existing secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html + ## + certCAFilename: "" + ## @param tls.crlFilename File containing a Certificate Revocation List + ## + crlFilename: "" + +## @section PostgreSQL Primary parameters +## +primary: + ## @param primary.name Name of the primary database (eg primary, master, leader, ...) + ## + name: primary + ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap + ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html + ## + configuration: "" + ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration + ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html + ## e.g:# + ## pgHbaConfiguration: |- + ## local all all trust + ## host all all localhost trust + ## host mydatabase mysuser 192.168.0.0/24 md5 + ## + pgHbaConfiguration: "" + ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration + ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored + ## + existingConfigmap: "" + ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration + ## NOTE: `primary.extendedConfiguration` will be ignored + ## + existingExtendedConfigmap: "" + ## Initdb configuration + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments + ## + initdb: + ## @param primary.initdb.args PostgreSQL initdb extra arguments + ## + args: "" + ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log + ## + postgresqlWalDir: "" + ## @param primary.initdb.scripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## e.g: + ## scripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## + scripts: {} + ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot + ## NOTE: This will override `primary.initdb.scripts` + ## + scriptsConfigMap: "" + ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) + ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` + ## + scriptsSecret: "" + ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts + ## + user: "" + ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts + ## + password: "" + ## Configure current cluster's primary server to be the standby server in other cluster. + ## This will allow cross cluster replication and provide cross cluster high availability. + ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. + ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not + ## @param primary.standby.primaryHost The Host of replication primary in the other cluster + ## @param primary.standby.primaryPort The Port of replication primary in the other cluster + ## + standby: + enabled: false + primaryHost: "" + primaryPort: "" + ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsSecret: "" + ## @param primary.command Override default container command (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers + ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers + ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.containerSecurityContext.enabled Enable container security context + ## @param primary.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param primary.hostAliases PostgreSQL primary pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) + ## + hostNetwork: false + ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type + ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) + ## + extraPodSpec: {} + ## PostgreSQL Primary service configuration + ## + service: + ## @param primary.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param primary.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param primary.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param primary.service.annotations Annotations for PostgreSQL primary service + ## + annotations: {} + ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service + ## + extraPorts: [] + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service + ## + annotations: {} + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param primary.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param primary.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param primary.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param primary.persistence.labels Labels for the PVC + ## + labels: {} + ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) +## +readReplicas: + ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) + ## + name: read + ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas + ## + replicaCount: 1 + ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsCM: "" + ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsSecret: "" + ## @param readReplicas.command Override default container command (useful when using custom images) + ## + command: [] + ## @param readReplicas.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers + ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers + ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers + ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe + ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL read only resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.containerSecurityContext.enabled Enable container security context + ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) + ## + hostNetwork: false + ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) + ## + labels: {} + ## @param readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) + ## + podAnnotations: {} + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) + ## + priorityClassName: "" + ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type + ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) + ## + extraPodSpec: {} + ## PostgreSQL read only service configuration + ## + service: + ## @param readReplicas.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param readReplicas.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service + ## + annotations: {} + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.labels Labels for the PVC + ## + labels: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section NetworkPolicy parameters +## + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## Ingress Rules + ## + ingressRules: + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node. + ## + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + ## + customRules: [] + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes. + ## + readReplicasAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + ## + customRules: [] + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + ## + customRules: [] + +## @section Volume Permissions parameters +## + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r115 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## + containerSecurityContext: + runAsUser: 0 + +## @section Other Parameters +## + +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false + +## Service account for PostgreSQL to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod + ## + create: false + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Creates role for ServiceAccount +## @param rbac.create Create Role and RoleBinding (required for PSP to work) +## +rbac: + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later +## +psp: + create: false + +## @section Metrics Parameters +## + +metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry + ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository + ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.12.0-debian-11-r86 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## PostgreSQL Prometheus exporter containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port + ## + containerPorts: + metrics: 9187 + ## PostgreSQL Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container + ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container + ## + resources: + limits: {} + requests: {} + ## Service configuration + ## + service: + ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port + ## + ports: + metrics: 9187 + ## @param metrics.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + clusterIP: "" + ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/user-guide/services/ + ## + sessionAffinity: None + ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.rules PrometheusRule definitions + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] diff --git a/kubernetes/Charts/gitlab/charts/prometheus/.helmignore b/kubernetes/Charts/gitlab/charts/prometheus/.helmignore new file mode 100644 index 0000000..825c007 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +OWNERS diff --git a/kubernetes/Charts/gitlab/charts/prometheus/Chart.lock b/kubernetes/Charts/gitlab/charts/prometheus/Chart.lock new file mode 100644 index 0000000..e155027 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 4.22.1 +digest: sha256:04f11ab7b2ecb900626848ab03c1282138bf25129ead625dfc9ee2b691c64613 +generated: "2022-11-04T08:29:08.939956248Z" diff --git a/kubernetes/Charts/gitlab/charts/prometheus/Chart.yaml b/kubernetes/Charts/gitlab/charts/prometheus/Chart.yaml new file mode 100644 index 0000000..7905f2b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/Chart.yaml @@ -0,0 +1,28 @@ +apiVersion: v2 +appVersion: 2.39.1 +dependencies: +- condition: kubeStateMetrics.enabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 4.22.* +description: Prometheus is a monitoring system and time series database. +home: https://prometheus.io/ +icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png +maintainers: +- email: gianrubio@gmail.com + name: gianrubio +- email: zanhsieh@gmail.com + name: zanhsieh +- email: miroslav.hadzhiev@gmail.com + name: Xtigyro +- email: naseem@transit.app + name: naseemkullah +name: prometheus +sources: +- https://github.com/prometheus/alertmanager +- https://github.com/prometheus/prometheus +- https://github.com/prometheus/pushgateway +- https://github.com/prometheus/node_exporter +- https://github.com/kubernetes/kube-state-metrics +type: application +version: 15.18.0 diff --git a/kubernetes/Charts/gitlab/charts/prometheus/README.md b/kubernetes/Charts/gitlab/charts/prometheus/README.md new file mode 100644 index 0000000..d8a1e9a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/README.md @@ -0,0 +1,226 @@ +# Prometheus + +[Prometheus](https://prometheus.io/), a [Cloud Native Computing Foundation](https://cncf.io/) project, is a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. + +This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.16+ +- Helm 3+ + +## Get Repo Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +helm install [RELEASE_NAME] prometheus-community/prometheus +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Dependencies + +By default this chart installs additional, dependent charts: + +- [kube-state-metrics](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) + +To disable the dependency during installation, set `kubeStateMetrics.enabled` to `false`. + +_See [helm dependency](https://helm.sh/docs/helm/helm_dependency/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] [CHART] --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### To 15.0 + +Version 15.0.0 changes the relabeling config, aligning it with the [Prometheus community conventions](https://github.com/prometheus/prometheus/pull/9832). If you've made manual changes to the relabeling config, you have to adapt your changes. + +Before you update please execute the following command, to be able to update kube-state-metrics: + +```bash +kubectl delete deployments.apps -l app.kubernetes.io/instance=prometheus,app.kubernetes.io/name=kube-state-metrics --cascade=orphan +``` + +### To 9.0 + +Version 9.0 adds a new option to enable or disable the Prometheus Server. This supports the use case of running a Prometheus server in one k8s cluster and scraping exporters in another cluster while using the same chart for each deployment. To install the server `server.enabled` must be set to `true`. + +### To 5.0 + +As of version 5.0, this chart uses Prometheus 2.x. This version of prometheus introduces a new data format and is not compatible with prometheus 1.x. It is recommended to install this as a new release, as updating existing releases will not work. See the [prometheus docs](https://prometheus.io/docs/prometheus/latest/migration/#storage) for instructions on retaining your old data. + +Prometheus version 2.x has made changes to alertmanager, storage and recording rules. Check out the migration guide [here](https://prometheus.io/docs/prometheus/2.0/migration/). + +Users of this chart will need to update their alerting rules to the new format before they can upgrade. + +### Example Migration + +Assuming you have an existing release of the prometheus chart, named `prometheus-old`. In order to update to prometheus 2.x while keeping your old data do the following: + +1. Update the `prometheus-old` release. Disable scraping on every component besides the prometheus server, similar to the configuration below: + + ```yaml + alertmanager: + enabled: false + alertmanagerFiles: + alertmanager.yml: "" + kubeStateMetrics: + enabled: false + nodeExporter: + enabled: false + pushgateway: + enabled: false + server: + extraArgs: + storage.local.retention: 720h + serverFiles: + alerts: "" + prometheus.yml: "" + rules: "" + ``` + +1. Deploy a new release of the chart with version 5.0+ using prometheus 2.x. In the values.yaml set the scrape config as usual, and also add the `prometheus-old` instance as a remote-read target. + + ```yaml + prometheus.yml: + ... + remote_read: + - url: http://prometheus-old/api/v1/read + ... + ``` + + Old data will be available when you query the new prometheus instance. + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values prometheus-community/prometheus +``` + +You may similarly use the above configuration commands on each chart [dependency](#dependencies) to see it's configurations. + +### Scraping Pod Metrics via Annotations + +This chart uses a default configuration that causes prometheus to scrape a variety of kubernetes resource types, provided they have the correct annotations. In this section we describe how to configure pods to be scraped; for information on how other resource types can be scraped you can do a `helm template` to get the kubernetes resource definitions, and then reference the prometheus configuration in the ConfigMap against the prometheus documentation for [relabel_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) and [kubernetes_sd_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config). + +In order to get prometheus to scrape pods, you must add annotations to the the pods as below: + +```yaml +metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: /metrics + prometheus.io/port: "8080" +``` + +You should adjust `prometheus.io/path` based on the URL that your pod serves metrics from. `prometheus.io/port` should be set to the port that your pod serves metrics from. Note that the values for `prometheus.io/scrape` and `prometheus.io/port` must be enclosed in double quotes. + +### Sharing Alerts Between Services + +Note that when [installing](#install-chart) or [upgrading](#upgrading-chart) you may use multiple values override files. This is particularly useful when you have alerts belonging to multiple services in the cluster. For example, + +```yaml +# values.yaml +# ... + +# service1-alert.yaml +serverFiles: + alerts: + service1: + - alert: anAlert + # ... + +# service2-alert.yaml +serverFiles: + alerts: + service2: + - alert: anAlert + # ... +``` + +```console +helm install [RELEASE_NAME] prometheus-community/prometheus -f values.yaml -f service1-alert.yaml -f service2-alert.yaml +``` + +### RBAC Configuration + +Roles and RoleBindings resources will be created automatically for `server` service. + +To manually setup RBAC you need to set the parameter `rbac.create=false` and specify the service account to be used for each service by setting the parameters: `serviceAccounts.{{ component }}.create` to `false` and `serviceAccounts.{{ component }}.name` to the name of a pre-existing service account. + +> **Tip**: You can refer to the default `*-clusterrole.yaml` and `*-clusterrolebinding.yaml` files in [templates](templates/) to customize your own. + +### ConfigMap Files + +AlertManager is configured through [alertmanager.yml](https://prometheus.io/docs/alerting/configuration/). This file (and any others listed in `alertmanagerFiles`) will be mounted into the `alertmanager` pod. + +Prometheus is configured through [prometheus.yml](https://prometheus.io/docs/operating/configuration/). This file (and any others listed in `serverFiles`) will be mounted into the `server` pod. + +### Ingress TLS + +If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism. + +To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: + +```console +kubectl create secret tls prometheus-server-tls --cert=path/to/tls.cert --key=path/to/tls.key +``` + +Include the secret's name, along with the desired hostnames, in the alertmanager/server Ingress TLS section of your custom `values.yaml` file: + +```yaml +server: + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: true + + ## Prometheus server Ingress hostnames + ## Must be provided if Ingress is enabled + ## + hosts: + - prometheus.domain.com + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: + - secretName: prometheus-server-tls + hosts: + - prometheus.domain.com +``` + +### NetworkPolicy + +Enabling Network Policy for Prometheus will secure connections to Alert Manager and Kube State Metrics by only accepting connections from Prometheus Server. All inbound connections to Prometheus Server are still allowed. + +To enable network policy for Prometheus, install a networking plugin that implements the Kubernetes NetworkPolicy spec, and set `networkPolicy.enabled` to true. + +If NetworkPolicy is enabled for Prometheus' scrape targets, you may also need to manually create a networkpolicy which allows it. diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/.helmignore b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/Chart.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/Chart.yaml new file mode 100644 index 0000000..93c1197 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 2.6.0 +description: Install kube-state-metrics to generate and expose cluster-level metrics +home: https://github.com/kubernetes/kube-state-metrics/ +keywords: +- metric +- monitoring +- prometheus +- kubernetes +maintainers: +- email: tariq.ibrahim@mulesoft.com + name: tariq1890 +- email: manuel@rueg.eu + name: mrueg +- email: davidcalvertfr@gmail.com + name: dotdc +name: kube-state-metrics +sources: +- https://github.com/kubernetes/kube-state-metrics/ +type: application +version: 4.22.1 diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/README.md b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/README.md new file mode 100644 index 0000000..7c2e169 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/README.md @@ -0,0 +1,68 @@ +# kube-state-metrics Helm Chart + +Installs the [kube-state-metrics agent](https://github.com/kubernetes/kube-state-metrics). + +## Get Repo Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +helm install [RELEASE_NAME] prometheus-community/kube-state-metrics [flags] +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] prometheus-community/kube-state-metrics [flags] +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Migrating from stable/kube-state-metrics and kubernetes/kube-state-metrics + +You can upgrade in-place: + +1. [get repo info](#get-repo-info) +1. [upgrade](#upgrading-chart) your existing release name using the new chart repo + + +## Upgrading to v3.0.0 + +v3.0.0 includes kube-state-metrics v2.0, see the [changelog](https://github.com/kubernetes/kube-state-metrics/blob/release-2.0/CHANGELOG.md) for major changes on the application-side. + +The upgraded chart now the following changes: +* Dropped support for helm v2 (helm v3 or later is required) +* collectors key was renamed to resources +* namespace key was renamed to namespaces + + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: + +```console +helm show values prometheus-community/kube-state-metrics +``` + +You may also run `helm show values` on this chart's [dependencies](#dependencies) for additional options. diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt new file mode 100644 index 0000000..fde0539 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt @@ -0,0 +1,9 @@ +kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. +The exposed metrics can be found here: +https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics + +The metrics are exported on the HTTP endpoint /metrics on the listening port. +In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-state-metrics.namespace" . }}.svc.cluster.local:{{ .Values.service.port }}/metrics + +They are served either as plaintext or protobuf depending on the Accept header. +They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl new file mode 100644 index 0000000..0d193fb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl @@ -0,0 +1,101 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kube-state-metrics.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kube-state-metrics.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kube-state-metrics.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kube-state-metrics.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kube-state-metrics.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kube-state-metrics.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate basic labels +*/}} +{{- define "kube-state-metrics.labels" }} +helm.sh/chart: {{ template "kube-state-metrics.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: metrics +app.kubernetes.io/part-of: {{ template "kube-state-metrics.name" . }} +{{- include "kube-state-metrics.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- if .Values.releaseLabel }} +release: {{ .Release.Name }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kube-state-metrics.selectorLabels" }} +app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* Sets default scrape limits for servicemonitor */}} +{{- define "servicemonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..cf9f628 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.rbac.create .Values.rbac.useClusterRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if .Values.rbac.useExistingRole }} + name: {{ .Values.rbac.useExistingRole }} +{{- else }} + name: {{ template "kube-state-metrics.fullname" . }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml new file mode 100644 index 0000000..e529d3f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml @@ -0,0 +1,179 @@ +apiVersion: apps/v1 +{{- if .Values.autosharding.enabled }} +kind: StatefulSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + replicas: {{ .Values.replicas }} + {{- if .Values.autosharding.enabled }} + serviceName: {{ template "kube-state-metrics.fullname" . }} + volumeClaimTemplates: [] + {{- end }} + template: + metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 8 }} + {{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + hostNetwork: {{ .Values.hostNetwork }} + serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: {{ template "kube-state-metrics.name" . }} + {{- if .Values.autosharding.enabled }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + args: + {{- if .Values.extraArgs }} + {{- .Values.extraArgs | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.service.port }} + - --port={{ .Values.service.port | default 8080}} + {{- end }} + {{- if .Values.collectors }} + - --resources={{ .Values.collectors | join "," }} + {{- end }} + {{- if .Values.metricLabelsAllowlist }} + - --metric-labels-allowlist={{ .Values.metricLabelsAllowlist | join "," }} + {{- end }} + {{- if .Values.metricAnnotationsAllowList }} + - --metric-annotations-allowlist={{ .Values.metricAnnotationsAllowList | join "," }} + {{- end }} + {{- if .Values.metricAllowlist }} + - --metric-allowlist={{ .Values.metricAllowlist | join "," }} + {{- end }} + {{- if .Values.metricDenylist }} + - --metric-denylist={{ .Values.metricDenylist | join "," }} + {{- end }} + {{- $namespaces := list }} + {{- if .Values.namespaces }} + {{- range $ns := join "," .Values.namespaces | split "," }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end }} + {{- end }} + {{- if .Values.releaseNamespace }} + {{- $namespaces = append $namespaces ( include "kube-state-metrics.namespace" . ) }} + {{- end }} + {{- if $namespaces }} + - --namespaces={{ $namespaces | mustUniq | join "," }} + {{- end }} + {{- if .Values.namespacesDenylist }} + - --namespaces-denylist={{ tpl (.Values.namespacesDenylist | join ",") $ }} + {{- end }} + {{- if .Values.autosharding.enabled }} + - --pod=$(POD_NAME) + - --pod-namespace=$(POD_NAMESPACE) + {{- end }} + {{- if .Values.kubeconfig.enabled }} + - --kubeconfig=/opt/k8s/.kube/config + {{- end }} + {{- if .Values.selfMonitor.telemetryHost }} + - --telemetry-host={{ .Values.selfMonitor.telemetryHost }} + {{- end }} + {{- if .Values.selfMonitor.telemetryPort }} + - --telemetry-port={{ .Values.selfMonitor.telemetryPort | default 8081 }} + {{- end }} + {{- if or (.Values.kubeconfig.enabled) (.Values.volumeMounts) }} + volumeMounts: + {{- if .Values.kubeconfig.enabled }} + - name: kubeconfig + mountPath: /opt/k8s/.kube/ + readOnly: true + {{- end }} + {{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 8 }} + {{- end }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.image.sha }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}@sha256:{{ .Values.image.sha }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- end }} + ports: + - containerPort: {{ .Values.service.port | default 8080}} + name: "http" + {{- if .Values.selfMonitor.enabled }} + - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + name: "metrics" + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.port | default 8080}} + initialDelaySeconds: 5 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: / + port: {{ .Values.service.port | default 8080}} + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.resources }} + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- end }} +{{- if .Values.containerSecurityContext }} + securityContext: +{{ toYaml .Values.containerSecurityContext | indent 10 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.topologySpreadConstraints | indent 8 }} + {{- end }} + {{- if or (.Values.kubeconfig.enabled) (.Values.volumes) }} + volumes: + {{- if .Values.kubeconfig.enabled}} + - name: kubeconfig + secret: + secretName: {{ template "kube-state-metrics.fullname" . }}-kubeconfig + {{- end }} + {{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 8 }} + {{- end }} + {{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml new file mode 100644 index 0000000..6af0084 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.kubeconfig.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-kubeconfig + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +type: Opaque +data: + config: '{{ .Values.kubeconfig.secret }}' +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml new file mode 100644 index 0000000..3771b51 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget -}} +{{ if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +apiVersion: policy/v1 +{{- else -}} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml new file mode 100644 index 0000000..8905e11 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + volumes: + - 'secret' +{{- if .Values.podSecurityPolicy.additionalVolumes }} +{{ toYaml .Values.podSecurityPolicy.additionalVolumes | indent 4 }} +{{- end }} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml new file mode 100644 index 0000000..654e4a3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: psp-{{ template "kube-state-metrics.fullname" . }} +rules: +{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }} +{{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "kube-state-metrics.fullname" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml new file mode 100644 index 0000000..5b62a18 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: psp-{{ template "kube-state-metrics.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp-{{ template "kube-state-metrics.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/role.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/role.yaml new file mode 100644 index 0000000..6474914 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/role.yaml @@ -0,0 +1,196 @@ +{{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}} +{{- range (ternary (join "," .Values.namespaces | split "," ) (list "") (eq $.Values.rbac.useClusterRole false)) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +{{- if eq $.Values.rbac.useClusterRole false }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: + labels: + {{- include "kube-state-metrics.labels" $ | indent 4 }} + name: {{ template "kube-state-metrics.fullname" $ }} +{{- if eq $.Values.rbac.useClusterRole false }} + namespace: {{ . }} +{{- end }} +rules: +{{ if has "certificatesigningrequests" $.Values.collectors }} +- apiGroups: ["certificates.k8s.io"] + resources: + - certificatesigningrequests + verbs: ["list", "watch"] +{{ end -}} +{{ if has "configmaps" $.Values.collectors }} +- apiGroups: [""] + resources: + - configmaps + verbs: ["list", "watch"] +{{ end -}} +{{ if has "cronjobs" $.Values.collectors }} +- apiGroups: ["batch"] + resources: + - cronjobs + verbs: ["list", "watch"] +{{ end -}} +{{ if has "daemonsets" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "deployments" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - deployments + verbs: ["list", "watch"] +{{ end -}} +{{ if has "endpoints" $.Values.collectors }} +- apiGroups: [""] + resources: + - endpoints + verbs: ["list", "watch"] +{{ end -}} +{{ if has "horizontalpodautoscalers" $.Values.collectors }} +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] +{{ end -}} +{{ if has "ingresses" $.Values.collectors }} +- apiGroups: ["extensions", "networking.k8s.io"] + resources: + - ingresses + verbs: ["list", "watch"] +{{ end -}} +{{ if has "jobs" $.Values.collectors }} +- apiGroups: ["batch"] + resources: + - jobs + verbs: ["list", "watch"] +{{ end -}} +{{ if has "leases" $.Values.collectors }} +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["list", "watch"] +{{ end -}} +{{ if has "limitranges" $.Values.collectors }} +- apiGroups: [""] + resources: + - limitranges + verbs: ["list", "watch"] +{{ end -}} +{{ if has "mutatingwebhookconfigurations" $.Values.collectors }} +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: ["list", "watch"] +{{ end -}} +{{ if has "namespaces" $.Values.collectors }} +- apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch"] +{{ end -}} +{{ if has "networkpolicies" $.Values.collectors }} +- apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: ["list", "watch"] +{{ end -}} +{{ if has "nodes" $.Values.collectors }} +- apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch"] +{{ end -}} +{{ if has "persistentvolumeclaims" $.Values.collectors }} +- apiGroups: [""] + resources: + - persistentvolumeclaims + verbs: ["list", "watch"] +{{ end -}} +{{ if has "persistentvolumes" $.Values.collectors }} +- apiGroups: [""] + resources: + - persistentvolumes + verbs: ["list", "watch"] +{{ end -}} +{{ if has "poddisruptionbudgets" $.Values.collectors }} +- apiGroups: ["policy"] + resources: + - poddisruptionbudgets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "pods" $.Values.collectors }} +- apiGroups: [""] + resources: + - pods + verbs: ["list", "watch"] +{{ end -}} +{{ if has "replicasets" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - replicasets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "replicationcontrollers" $.Values.collectors }} +- apiGroups: [""] + resources: + - replicationcontrollers + verbs: ["list", "watch"] +{{ end -}} +{{ if has "resourcequotas" $.Values.collectors }} +- apiGroups: [""] + resources: + - resourcequotas + verbs: ["list", "watch"] +{{ end -}} +{{ if has "secrets" $.Values.collectors }} +- apiGroups: [""] + resources: + - secrets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "services" $.Values.collectors }} +- apiGroups: [""] + resources: + - services + verbs: ["list", "watch"] +{{ end -}} +{{ if has "statefulsets" $.Values.collectors }} +- apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "storageclasses" $.Values.collectors }} +- apiGroups: ["storage.k8s.io"] + resources: + - storageclasses + verbs: ["list", "watch"] +{{ end -}} +{{ if has "validatingwebhookconfigurations" $.Values.collectors }} +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - validatingwebhookconfigurations + verbs: ["list", "watch"] +{{ end -}} +{{ if has "volumeattachments" $.Values.collectors }} +- apiGroups: ["storage.k8s.io"] + resources: + - volumeattachments + verbs: ["list", "watch"] +{{ end -}} +{{ if has "verticalpodautoscalers" $.Values.collectors }} +- apiGroups: ["autoscaling.k8s.io"] + resources: + - verticalpodautoscalers + verbs: ["list", "watch"] +{{ end -}} +{{ if $.Values.rbac.extraRules }} +{{ toYaml $.Values.rbac.extraRules }} +{{ end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml new file mode 100644 index 0000000..330651b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}} +{{- range (join "," $.Values.namespaces) | split "," }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" $ | indent 4 }} + name: {{ template "kube-state-metrics.fullname" $ }} + namespace: {{ . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not $.Values.rbac.useExistingRole) }} + name: {{ template "kube-state-metrics.fullname" $ }} +{{- else }} + name: {{ $.Values.rbac.useExistingRole }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" $ }} + namespace: {{ template "kube-state-metrics.namespace" $ }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/service.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/service.yaml new file mode 100644 index 0000000..92c6d4f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/service.yaml @@ -0,0 +1,41 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + annotations: + {{- if .Values.prometheusScrape }} + prometheus.io/scrape: '{{ .Values.prometheusScrape }}' + {{- end }} + {{- if .Values.service.annotations }} + {{- toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +spec: + type: "{{ .Values.service.type }}" + ports: + - name: "http" + protocol: TCP + port: {{ .Values.service.port | default 8080}} + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + targetPort: {{ .Values.service.port | default 8080}} + {{ if .Values.selfMonitor.enabled }} + - name: "metrics" + protocol: TCP + port: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + targetPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + {{- if .Values.selfMonitor.telemetryNodePort }} + nodePort: {{ .Values.selfMonitor.telemetryNodePort }} + {{- end }} + {{ end }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.service.clusterIP }} + clusterIP: "{{ .Values.service.clusterIP }}" +{{- end }} + selector: + {{- include "kube-state-metrics.selectorLabels" . | indent 4 }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml new file mode 100644 index 0000000..e1229eb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} +{{- end }} +imagePullSecrets: +{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml new file mode 100644 index 0000000..e93df4c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml @@ -0,0 +1,81 @@ +{{- if .Values.prometheus.monitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- with .Values.prometheus.monitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }} + selector: + matchLabels: + {{- with .Values.prometheus.monitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + {{- end }} + endpoints: + - port: http + {{- if .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.interval }} + {{- end }} + {{- if .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- if .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} + {{- end }} + {{- if .Values.prometheus.monitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.monitor.scheme }} + scheme: {{ .Values.prometheus.monitor.scheme }} + {{- end }} + {{- if .Values.prometheus.monitor.tlsConfig }} + tlsConfig: + {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} + {{- end }} + {{- if .Values.selfMonitor.enabled }} + - port: metrics + {{- if .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.interval }} + {{- end }} + {{- if .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- if .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} + {{- end }} + {{- if .Values.prometheus.monitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.monitor.scheme }} + scheme: {{ .Values.prometheus.monitor.scheme }} + {{- end }} + {{- if .Values.prometheus.monitor.tlsConfig }} + tlsConfig: + {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml new file mode 100644 index 0000000..489de14 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.autosharding.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resourceNames: + - {{ template "kube-state-metrics.fullname" . }} + resources: + - statefulsets + verbs: + - get + - list + - watch +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml new file mode 100644 index 0000000..73b37a4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.autosharding.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml new file mode 100644 index 0000000..e825e5c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml @@ -0,0 +1,34 @@ +{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.verticalPodAutoscaler.enabled) }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +spec: + resourcePolicy: + containerPolicies: + - containerName: {{ template "kube-state-metrics.name" . }} + {{- if .Values.verticalPodAutoscaler.controlledResources }} + controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources }} + {{- end }} + {{- if .Values.verticalPodAutoscaler.maxAllowed }} + maxAllowed: + {{ toYaml .Values.verticalPodAutoscaler.maxAllowed | nindent 8 }} + {{- end }} + {{- if .Values.verticalPodAutoscaler.minAllowed }} + minAllowed: + {{ toYaml .Values.verticalPodAutoscaler.minAllowed | nindent 8 }} + {{- end }} + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "kube-state-metrics.fullname" . }} + {{- if .Values.verticalPodAutoscaler.updatePolicy }} + updatePolicy: + {{- if .Values.verticalPodAutoscaler.updatePolicy.updateMode }} + updateMode: {{ .Values.verticalPodAutoscaler.updatePolicy.updateMode }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/values.yaml b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/values.yaml new file mode 100644 index 0000000..67e8bca --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/charts/kube-state-metrics/values.yaml @@ -0,0 +1,305 @@ +# Default values for kube-state-metrics. +prometheusScrape: true +image: + repository: registry.k8s.io/kube-state-metrics/kube-state-metrics + tag: v2.6.0 + sha: "" + pullPolicy: IfNotPresent + +imagePullSecrets: [] +# - name: "image-pull-secret" + +# If set to true, this will deploy kube-state-metrics as a StatefulSet and the data +# will be automatically sharded across <.Values.replicas> pods using the built-in +# autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding +# This is an experimental feature and there are no stability guarantees. +autosharding: + enabled: false + +replicas: 1 + +# List of additional cli arguments to configure kube-state-metrics +# for example: --enable-gzip-encoding, --log-file, etc. +# all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md +extraArgs: [] + +service: + port: 8080 + # Default to clusterIP for backward compatibility + type: ClusterIP + nodePort: 0 + loadBalancerIP: "" + clusterIP: "" + annotations: {} + +## Additional labels to add to all resources +customLabels: {} + # app: kube-state-metrics + +## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box +releaseLabel: false + +hostNetwork: false + +rbac: + # If true, create & use RBAC resources + create: true + + # Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to it, rolename set here. + # useExistingRole: your-existing-role + + # If set to false - Run without Cluteradmin privs needed - ONLY works if namespace is also set (if useExistingRole is set this name is used as ClusterRole or Role to bind to) + useClusterRole: true + + # Add permissions for CustomResources' apiGroups in Role/ClusterRole. Should be used in conjunction with Custom Resource State Metrics configuration + # Example: + # - apiGroups: ["monitoring.coreos.com"] + # resources: ["prometheuses"] + # verbs: ["list", "watch"] + extraRules: [] + +serviceAccount: + # Specifies whether a ServiceAccount should be created, require rbac true + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + # Reference to one or more secrets to be used when pulling images + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imagePullSecrets: [] + # ServiceAccount annotations. + # Use case: AWS EKS IAM roles for service accounts + # ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html + annotations: {} + +prometheus: + monitor: + enabled: false + additionalLabels: {} + namespace: "" + jobLabel: "" + interval: "" + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + scrapeTimeout: "" + proxyUrl: "" + selectorOverride: {} + honorLabels: false + metricRelabelings: [] + relabelings: [] + scheme: "" + tlsConfig: {} + +## Specify if a Pod Security Policy for kube-state-metrics must be created +## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + enabled: false + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + additionalVolumes: [] + +securityContext: + enabled: true + runAsGroup: 65534 + runAsUser: 65534 + fsGroup: 65534 + +## Specify security settings for a Container +## Allows overrides and additional options compared to (Pod) securityContext +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +containerSecurityContext: {} + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +## Affinity settings for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +affinity: {} + +## Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +## Topology spread constraints for pod assignment +## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] + +# Annotations to be added to the deployment/statefulset +annotations: {} + +# Annotations to be added to the pod +podAnnotations: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: "" + +# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} + +# Comma-separated list of metrics to be exposed. +# This list comprises of exact metric names and/or regex patterns. +# The allowlist and denylist are mutually exclusive. +metricAllowlist: [] + +# Comma-separated list of metrics not to be enabled. +# This list comprises of exact metric names and/or regex patterns. +# The allowlist and denylist are mutually exclusive. +metricDenylist: [] + +# Comma-separated list of additional Kubernetes label keys that will be used in the resource's +# labels metric. By default the metric contains only name and namespace labels. +# To include additional labels, provide a list of resource names in their plural form and Kubernetes +# label keys you would like to allow for them (Example: '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. +# A single '*' can be provided per resource instead to allow any labels, but that has +# severe performance implications (Example: '=pods=[*]'). +metricLabelsAllowlist: [] + # - namespaces=[k8s-label-1,k8s-label-n] + +# Comma-separated list of Kubernetes annotations keys that will be used in the resource' +# labels metric. By default the metric contains only name and namespace labels. +# To include additional annotations provide a list of resource names in their plural form and Kubernetes +# annotation keys you would like to allow for them (Example: '=namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...)'. +# A single '*' can be provided per resource instead to allow any annotations, but that has +# severe performance implications (Example: '=pods=[*]'). +metricAnnotationsAllowList: [] + # - pods=[k8s-annotation-1,k8s-annotation-n] + +# Available collectors for kube-state-metrics. +# By default, all available resources are enabled, comment out to disable. +collectors: + - certificatesigningrequests + - configmaps + - cronjobs + - daemonsets + - deployments + - endpoints + - horizontalpodautoscalers + - ingresses + - jobs + - leases + - limitranges + - mutatingwebhookconfigurations + - namespaces + - networkpolicies + - nodes + - persistentvolumeclaims + - persistentvolumes + - poddisruptionbudgets + - pods + - replicasets + - replicationcontrollers + - resourcequotas + - secrets + - services + - statefulsets + - storageclasses + - validatingwebhookconfigurations + - volumeattachments + # - verticalpodautoscalers # not a default resource, see also: https://github.com/kubernetes/kube-state-metrics#enabling-verticalpodautoscalers + +# Enabling kubeconfig will pass the --kubeconfig argument to the container +kubeconfig: + enabled: false + # base64 encoded kube-config file + secret: + +# Enable only the release namespace for collecting resources. By default all namespaces are collected. +# If releaseNamespace and namespaces are both set a merged list will be collected. +releaseNamespace: false + +# Comma-separated list(string) or yaml list of namespaces to be enabled for collecting resources. By default all namespaces are collected. +namespaces: "" + +# Comma-separated list of namespaces not to be enabled. If namespaces and namespaces-denylist are both set, +# only namespaces that are excluded in namespaces-denylist will be used. +namespacesDenylist: "" + +## Override the deployment namespace +## +namespaceOverride: "" + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + +## Provide a k8s version to define apiGroups for podSecurityPolicy Cluster Role. +## For example: kubeTargetVersionOverride: 1.14.9 +## +kubeTargetVersionOverride: "" + +# Enable self metrics configuration for service and Service Monitor +# Default values for telemetry configuration can be overridden +# If you set telemetryNodePort, you must also set service.type to NodePort +selfMonitor: + enabled: false + # telemetryHost: 0.0.0.0 + # telemetryPort: 8081 + # telemetryNodePort: 0 + +# Enable vertical pod autoscaler support for kube-state-metrics +verticalPodAutoscaler: + enabled: false + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + # updatePolicy: + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + # updateMode: Auto + +# volumeMounts are used to add custom volume mounts to deployment. +# See example below +volumeMounts: [] +# - mountPath: /etc/config +# name: config-volume + +# volumes are used to add custom volumes to deployment +# See example below +volumes: [] +# - configMap: +# name: cm-for-volume +# name: config-volume diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/prometheus/templates/NOTES.txt new file mode 100644 index 0000000..0e8868f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/NOTES.txt @@ -0,0 +1,112 @@ +{{- if .Values.server.enabled -}} +The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.server.ingress.enabled -}} +From outside the cluster, the server URL(s) are: +{{- range .Values.server.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the Prometheus server URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.server.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.server.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }} +{{- else if contains "ClusterIP" .Values.server.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090 +{{- end }} +{{- end }} + +{{- if .Values.server.persistentVolume.enabled }} +{{- else }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Server pod is terminated. ##### +################################################################################# +{{- end }} +{{- end }} + +{{ if .Values.alertmanager.enabled }} +The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.alertmanager.ingress.enabled -}} +From outside the cluster, the alertmanager URL(s) are: +{{- range .Values.alertmanager.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the Alertmanager URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.alertmanager.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }} +{{- else if contains "ClusterIP" .Values.alertmanager.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.alertmanager.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093 +{{- end }} +{{- end }} + +{{- if .Values.alertmanager.persistentVolume.enabled }} +{{- else }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the AlertManager pod is terminated. ##### +################################################################################# +{{- end }} +{{- end }} + +{{- if .Values.nodeExporter.podSecurityPolicy.enabled }} +{{- else }} +################################################################################# +###### WARNING: Pod Security Policy has been moved to a global property. ##### +###### use .Values.podSecurityPolicy.enabled with pod-based ##### +###### annotations ##### +###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) ##### +################################################################################# +{{- end }} + +{{ if .Values.pushgateway.enabled }} +The Prometheus PushGateway can be accessed via port {{ .Values.pushgateway.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.pushgateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.pushgateway.ingress.enabled -}} +From outside the cluster, the pushgateway URL(s) are: +{{- range .Values.pushgateway.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the PushGateway URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.pushgateway.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.pushgateway.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.pushgateway.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.pushgateway.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.pushgateway.service.servicePort }} +{{- else if contains "ClusterIP" .Values.pushgateway.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.pushgateway.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091 +{{- end }} +{{- end }} +{{- end }} + +For more information on running Prometheus, visit: +https://prometheus.io/ diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/prometheus/templates/_helpers.tpl new file mode 100644 index 0000000..00645db --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/_helpers.tpl @@ -0,0 +1,287 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create unified labels for prometheus components +*/}} +{{- define "prometheus.common.matchLabels" -}} +app: {{ template "prometheus.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "prometheus.common.metaLabels" -}} +chart: {{ template "prometheus.chart" . }} +heritage: {{ .Release.Service }} +{{- end -}} + +{{- define "prometheus.alertmanager.labels" -}} +{{ include "prometheus.alertmanager.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.alertmanager.matchLabels" -}} +component: {{ .Values.alertmanager.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.nodeExporter.labels" -}} +{{ include "prometheus.nodeExporter.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.nodeExporter.matchLabels" -}} +component: {{ .Values.nodeExporter.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.pushgateway.labels" -}} +{{ include "prometheus.pushgateway.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.pushgateway.matchLabels" -}} +component: {{ .Values.pushgateway.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.server.matchLabels" -}} +component: {{ .Values.server.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified alertmanager name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} + +{{- define "prometheus.alertmanager.fullname" -}} +{{- if .Values.alertmanager.fullnameOverride -}} +{{- .Values.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified node-exporter name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.nodeExporter.fullname" -}} +{{- if .Values.nodeExporter.fullnameOverride -}} +{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified Prometheus server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.server.fullname" -}} +{{- if .Values.server.fullnameOverride -}} +{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified pushgateway name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.pushgateway.fullname" -}} +{{- if .Values.pushgateway.fullnameOverride -}} +{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "prometheus.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "prometheus.deployment.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "prometheus.daemonset.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "prometheus.networkPolicy.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "prometheus.podDisruptionBudget.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "rbac.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "prometheus.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the alertmanager component +*/}} +{{- define "prometheus.serviceAccountName.alertmanager" -}} +{{- if .Values.serviceAccounts.alertmanager.create -}} + {{ default (include "prometheus.alertmanager.fullname" .) .Values.serviceAccounts.alertmanager.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.alertmanager.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the nodeExporter component +*/}} +{{- define "prometheus.serviceAccountName.nodeExporter" -}} +{{- if .Values.serviceAccounts.nodeExporter.create -}} + {{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.nodeExporter.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the pushgateway component +*/}} +{{- define "prometheus.serviceAccountName.pushgateway" -}} +{{- if .Values.serviceAccounts.pushgateway.create -}} + {{ default (include "prometheus.pushgateway.fullname" .) .Values.serviceAccounts.pushgateway.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.pushgateway.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the server component +*/}} +{{- define "prometheus.serviceAccountName.server" -}} +{{- if .Values.serviceAccounts.server.create -}} + {{ default (include "prometheus.server.fullname" .) .Values.serviceAccounts.server.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.server.name }} +{{- end -}} +{{- end -}} + +{{/* +Define the prometheus.namespace template if set with forceNamespace or .Release.Namespace is set +*/}} +{{- define "prometheus.namespace" -}} +{{- if .Values.forceNamespace -}} +{{ printf "namespace: %s" .Values.forceNamespace }} +{{- else -}} +{{ printf "namespace: %s" .Release.Namespace }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/clusterrole.yaml new file mode 100644 index 0000000..c732ff4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + [] +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml new file mode 100644 index 0000000..6f13e98 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if (not .Values.alertmanager.useExistingRole) }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + name: {{ .Values.alertmanager.useExistingRole }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/cm.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/cm.yaml new file mode 100644 index 0000000..2da8b1d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/cm.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: + allow-snippet-annotations: "false" +{{- $root := . -}} +{{- range $key, $value := .Values.alertmanagerFiles }} + {{- if $key | regexMatch ".*\\.ya?ml$" }} + {{ $key }}: | +{{ toYaml $value | default "{}" | indent 4 }} + {{- else }} + {{ $key }}: {{ toYaml $value | indent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/deploy.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/deploy.yaml new file mode 100644 index 0000000..c3b6e8f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/deploy.yaml @@ -0,0 +1,213 @@ +{{- if and .Values.alertmanager.enabled (not .Values.alertmanager.statefulSet.enabled) -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.alertmanager.deploymentAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + {{- if .Values.alertmanager.strategy }} + strategy: +{{ toYaml .Values.alertmanager.strategy | trim | indent 4 }} + {{ if eq .Values.alertmanager.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} + {{- if .Values.alertmanager.extraInitContainers }} + initContainers: +{{ toYaml .Values.alertmanager.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + {{- with .Values.alertmanager.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/{{ .Values.alertmanager.configFileName }} + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.service.enableMeshPeer }} + - --cluster.listen-address=0.0.0.0:6783 + - --cluster.advertise-address=[$(POD_IP)]:6783 + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + {{- range .Values.alertmanager.clusterPeers }} + - --cluster.peer={{ . }} + {{- end }} + + ports: + - containerPort: 9093 + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/-/ready + port: 9093 + {{- with .Values.alertmanager.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.alertmanager.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + + {{- if .Values.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + {{- with .Values.configmapReload.alertmanager.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.alertmanager.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.alertmanager.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.alertmanager.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.alertmanager.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.alertmanager.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + - name: storage-volume + {{- if .Values.alertmanager.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.alertmanager.persistentVolume.existingClaim }}{{ .Values.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/headless-svc.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/headless-svc.yaml new file mode 100644 index 0000000..8c402c4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/headless-svc.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.alertmanager.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.alertmanager.statefulSet.headless.labels }} +{{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9093 +{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/ingress.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/ingress.yaml new file mode 100644 index 0000000..6e85636 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/ingress.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.alertmanager.fullname" . }} +{{- $servicePort := .Values.alertmanager.service.servicePort -}} +{{- $ingressPath := .Values.alertmanager.ingress.path -}} +{{- $ingressPathType := .Values.alertmanager.ingress.pathType -}} +{{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.alertmanager.ingress.annotations }} + annotations: +{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- range $key, $value := .Values.alertmanager.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.alertmanager.ingress.ingressClassName }} + ingressClassName: {{ .Values.alertmanager.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.alertmanager.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.alertmanager.ingress.tls }} + tls: +{{ toYaml .Values.alertmanager.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/netpol.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/netpol.yaml new file mode 100644 index 0000000..e44ade6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9093 +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/pdb.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/pdb.yaml new file mode 100644 index 0000000..75031da --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alertmanager.podDisruptionBudget.enabled }} +apiVersion: {{ template "prometheus.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.alertmanager.labels" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/psp.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/psp.yaml new file mode 100644 index 0000000..9e19958 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/psp.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + {{- with .Values.alertmanager.podSecurityPolicy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/pvc.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/pvc.yaml new file mode 100644 index 0000000..c2eec84 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/pvc.yaml @@ -0,0 +1,40 @@ +{{- if not .Values.alertmanager.statefulSet.enabled -}} +{{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}} +{{- if not .Values.alertmanager.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }} +{{- if .Values.alertmanager.persistentVolume.storageClass }} +{{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.alertmanager.persistentVolume.size }}" +{{- if .Values.alertmanager.persistentVolume.selector }} + selector: + {{- toYaml .Values.alertmanager.persistentVolume.selector | nindent 4 }} +{{- end -}} +{{- if .Values.alertmanager.persistentVolume.volumeName }} + volumeName: "{{ .Values.alertmanager.persistentVolume.volumeName }}" +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/role.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/role.yaml new file mode 100644 index 0000000..ce60eaf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/role.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}} +{{- range $.Values.alertmanager.namespaces }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: Role +metadata: + labels: + {{- include "prometheus.alertmanager.labels" $ | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" $ }} + namespace: {{ . }} +rules: +{{- if $.Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.alertmanager.fullname" $ }} +{{- else }} + [] +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/rolebinding.yaml new file mode 100644 index 0000000..906d652 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}} +{{ range $.Values.alertmanager.namespaces }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: RoleBinding +metadata: + labels: + {{- include "prometheus.alertmanager.labels" $ | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" $ }} + namespace: {{ . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.alertmanager" $ }} +{{ include "prometheus.namespace" $ | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not $.Values.alertmanager.useExistingRole) }} + name: {{ template "prometheus.alertmanager.fullname" $ }} +{{- else }} + name: {{ $.Values.alertmanager.useExistingRole }} +{{- end }} +{{- end }} +{{ end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/service.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/service.yaml new file mode 100644 index 0000000..9edc9ac --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/service.yaml @@ -0,0 +1,53 @@ +{{- if .Values.alertmanager.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.alertmanager.service.annotations }} + annotations: +{{ toYaml .Values.alertmanager.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.alertmanager.service.labels }} +{{ toYaml .Values.alertmanager.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.alertmanager.service.clusterIP }} + clusterIP: {{ .Values.alertmanager.service.clusterIP }} +{{- end }} +{{- if .Values.alertmanager.service.externalIPs }} + externalIPs: +{{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.alertmanager.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }} +{{- end }} +{{- if .Values.alertmanager.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.alertmanager.service.servicePort }} + protocol: TCP + targetPort: 9093 + {{- if .Values.alertmanager.service.nodePort }} + nodePort: {{ .Values.alertmanager.service.nodePort }} + {{- end }} +{{- if .Values.alertmanager.service.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} +{{- if .Values.alertmanager.service.sessionAffinity }} + sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }} +{{- end }} + type: "{{ .Values.alertmanager.service.type }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/serviceaccount.yaml new file mode 100644 index 0000000..a5d996a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.alertmanager.annotations | indent 4 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/sts.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/sts.yaml new file mode 100644 index 0000000..fe6bebf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/alertmanager/sts.yaml @@ -0,0 +1,200 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.alertmanager.statefulSet.annotations }} + annotations: + {{ toYaml .Values.alertmanager.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + {{- if .Values.alertmanager.statefulSet.labels}} + {{ toYaml .Values.alertmanager.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + podManagementPolicy: {{ .Values.alertmanager.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} +{{- end }} +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + {{- with .Values.alertmanager.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/alertmanager.yml + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - --cluster.advertise-address=[$(POD_IP)]:6783 + - --cluster.listen-address=0.0.0.0:6783 + {{- range $n := until (.Values.alertmanager.replicaCount | int) }} + - --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783 + {{- end }} + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - containerPort: 6783 + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/#/status + port: 9093 + {{- with .Values.alertmanager.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + {{- with .Values.configmapReload.alertmanager.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --volume-dir=/etc/config + - --webhook-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.port }} + ports: + - containerPort: {{ .Values.configmapReload.alertmanager.port }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.alertmanager.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.alertmanager.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.alertmanager.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/extra-manifests.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/extra-manifests.yaml new file mode 100644 index 0000000..567f7bf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraManifests }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/daemonset.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/daemonset.yaml new file mode 100644 index 0000000..38a7c25 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/daemonset.yaml @@ -0,0 +1,150 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: {{ template "prometheus.daemonset.apiVersion" . }} +kind: DaemonSet +metadata: +{{- if .Values.nodeExporter.deploymentAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.deploymentAnnotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }} + {{- if .Values.nodeExporter.updateStrategy }} + updateStrategy: +{{ toYaml .Values.nodeExporter.updateStrategy | indent 4 }} + {{- end }} + template: + metadata: + {{- if .Values.nodeExporter.podAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 8 }} +{{- if .Values.nodeExporter.pod.labels }} +{{ toYaml .Values.nodeExporter.pod.labels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }} + {{- if .Values.nodeExporter.extraInitContainers }} + initContainers: +{{ toYaml .Values.nodeExporter.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.nodeExporter.priorityClassName }} + priorityClassName: "{{ .Values.nodeExporter.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.nodeExporter.name }} + image: "{{ .Values.nodeExporter.image.repository }}:{{ .Values.nodeExporter.image.tag }}" + imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}" + args: + - --path.procfs=/host/proc + - --path.sysfs=/host/sys + {{- if .Values.nodeExporter.hostRootfs }} + - --path.rootfs=/host/root + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + - --web.listen-address=:{{ .Values.nodeExporter.service.hostPort }} + {{- end }} + {{- range $key, $value := .Values.nodeExporter.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + containerPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + containerPort: 9100 + {{- end }} + hostPort: {{ .Values.nodeExporter.service.hostPort }} + resources: +{{ toYaml .Values.nodeExporter.resources | indent 12 }} + {{- if .Values.nodeExporter.container.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.container.securityContext | indent 12 }} + {{- end }} + volumeMounts: + - name: proc + mountPath: /host/proc + readOnly: true + - name: sys + mountPath: /host/sys + readOnly: true + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + mountPath: /host/root + mountPropagation: HostToContainer + readOnly: true + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- if .mountPropagation }} + mountPropagation: {{ .mountPropagation }} + {{- end }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + hostNetwork: true + {{- end }} + {{- if .Values.nodeExporter.hostPID }} + hostPID: true + {{- end }} + {{- if .Values.nodeExporter.tolerations }} + tolerations: +{{ toYaml .Values.nodeExporter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeExporter.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.nodeExporter.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.securityContext | indent 8 }} + {{- end }} + volumes: + - name: proc + hostPath: + path: /proc + - name: sys + hostPath: + path: /sys + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + hostPath: + path: / + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/psp.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/psp.yaml new file mode 100644 index 0000000..7759bce --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/psp.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + {{- with .Values.nodeExporter.podSecurityPolicy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'hostPath' + - 'secret' + allowedHostPaths: + - pathPrefix: /proc + readOnly: true + - pathPrefix: /sys + readOnly: true + - pathPrefix: / + readOnly: true + {{- range .Values.nodeExporter.extraHostPathMounts }} + - pathPrefix: {{ .hostPath }} + readOnly: {{ .readOnly }} + {{- end }} + hostNetwork: {{ .Values.nodeExporter.hostNetwork }} + hostPID: {{ .Values.nodeExporter.hostPID }} + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + hostPorts: + - min: 1 + max: 65535 +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/role.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/role.yaml new file mode 100644 index 0000000..d8ef3ed --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/role.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} +{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{ include "prometheus.namespace" . | indent 2 }} +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "prometheus.nodeExporter.fullname" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/rolebinding.yaml new file mode 100644 index 0000000..06914b7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} +{{- if .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{ include "prometheus.namespace" . | indent 2 }} +roleRef: + kind: Role + name: {{ template "prometheus.nodeExporter.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} +{{ include "prometheus.namespace" . | indent 2 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/serviceaccount.yaml new file mode 100644 index 0000000..0cf91af --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.nodeExporter.annotations | indent 4 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/svc.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/svc.yaml new file mode 100644 index 0000000..26d1eaa --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/node-exporter/svc.yaml @@ -0,0 +1,47 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.nodeExporter.service.annotations }} + annotations: +{{ toYaml .Values.nodeExporter.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{- if .Values.nodeExporter.service.labels }} +{{ toYaml .Values.nodeExporter.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.nodeExporter.service.clusterIP }} + clusterIP: {{ .Values.nodeExporter.service.clusterIP }} +{{- end }} +{{- if .Values.nodeExporter.service.externalIPs }} + externalIPs: +{{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.nodeExporter.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }} +{{- end }} +{{- if .Values.nodeExporter.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + port: {{ .Values.nodeExporter.service.hostPort }} + protocol: TCP + targetPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + port: {{ .Values.nodeExporter.service.servicePort }} + protocol: TCP + targetPort: 9100 + {{- end }} + selector: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }} + type: "{{ .Values.nodeExporter.service.type }}" +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/clusterrole.yaml new file mode 100644 index 0000000..76ecf05 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.pushgateway.fullname" . }} +{{- else }} + [] +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml new file mode 100644 index 0000000..15770ee --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.pushgateway" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "prometheus.pushgateway.fullname" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/deploy.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/deploy.yaml new file mode 100644 index 0000000..92bed89 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/deploy.yaml @@ -0,0 +1,129 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.pushgateway.deploymentAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + replicas: {{ .Values.pushgateway.replicaCount }} + {{- if .Values.pushgateway.strategy }} + strategy: +{{ toYaml .Values.pushgateway.strategy | trim | indent 4 }} + {{ if eq .Values.pushgateway.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.pushgateway.podAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 8 }} + {{- if .Values.pushgateway.podLabels }} + {{ toYaml .Values.pushgateway.podLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }} + {{- if .Values.pushgateway.extraInitContainers }} + initContainers: +{{ toYaml .Values.pushgateway.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.pushgateway.priorityClassName }} + priorityClassName: "{{ .Values.pushgateway.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.pushgateway.name }} + image: "{{ .Values.pushgateway.image.repository }}:{{ .Values.pushgateway.image.tag }}" + imagePullPolicy: "{{ .Values.pushgateway.image.pullPolicy }}" + securityContext: + {{- toYaml .Values.pushgateway.containerSecurityContext | nindent 12 }} + args: + {{- range $key, $value := .Values.pushgateway.extraArgs }} + {{- $stringvalue := toString $value }} + {{- if eq $stringvalue "true" }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + ports: + - containerPort: 9091 + livenessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy + {{- else }} + path: /-/healthy + {{- end }} + port: 9091 + {{- with .Values.pushgateway.probeHeaders }} + httpHeaders: + {{- toYaml . | nindent 16 }} + {{- end }} + initialDelaySeconds: 10 + timeoutSeconds: 10 + readinessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready + {{- else }} + path: /-/ready + {{- end }} + port: 9091 + {{- with .Values.pushgateway.probeHeaders }} + httpHeaders: + {{- toYaml . | nindent 16 }} + {{- end }} + initialDelaySeconds: 10 + timeoutSeconds: 10 + resources: +{{ toYaml .Values.pushgateway.resources | indent 12 }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumeMounts: + - name: storage-volume + mountPath: "{{ .Values.pushgateway.persistentVolume.mountPath }}" + subPath: "{{ .Values.pushgateway.persistentVolume.subPath }}" + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pushgateway.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.pushgateway.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.securityContext }} + securityContext: +{{ toYaml .Values.pushgateway.securityContext | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.tolerations }} + tolerations: +{{ toYaml .Values.pushgateway.tolerations | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.affinity }} + affinity: +{{ toYaml .Values.pushgateway.affinity | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumes: + - name: storage-volume + persistentVolumeClaim: + claimName: {{ if .Values.pushgateway.persistentVolume.existingClaim }}{{ .Values.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }} + {{- end -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/ingress.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/ingress.yaml new file mode 100644 index 0000000..5f176ae --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/ingress.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.pushgateway.fullname" . }} +{{- $servicePort := .Values.pushgateway.service.servicePort -}} +{{- $ingressPath := .Values.pushgateway.ingress.path -}} +{{- $ingressPathType := .Values.pushgateway.ingress.pathType -}} +{{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.pushgateway.ingress.annotations }} + annotations: +{{ toYaml .Values.pushgateway.ingress.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.pushgateway.ingress.ingressClassName }} + ingressClassName: {{ .Values.pushgateway.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.pushgateway.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.pushgateway.ingress.tls }} + tls: +{{ toYaml .Values.pushgateway.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/netpol.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/netpol.yaml new file mode 100644 index 0000000..c8d1fb3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9091 +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/pdb.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/pdb.yaml new file mode 100644 index 0000000..36543ba --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.pushgateway.podDisruptionBudget.enabled }} +apiVersion: {{ template "prometheus.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.pushgateway.labels" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/psp.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/psp.yaml new file mode 100644 index 0000000..0b5a534 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/psp.yaml @@ -0,0 +1,44 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + {{- with .Values.pushgateway.podSecurityPolicy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'persistentVolumeClaim' + - 'secret' + allowedHostPaths: + - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/pvc.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/pvc.yaml new file mode 100644 index 0000000..fcb6efb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/pvc.yaml @@ -0,0 +1,34 @@ +{{- if .Values.pushgateway.persistentVolume.enabled -}} +{{- if not .Values.pushgateway.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.pushgateway.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }} +{{- if .Values.pushgateway.persistentVolume.storageClass }} +{{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.pushgateway.persistentVolume.size }}" +{{- if .Values.pushgateway.persistentVolume.volumeName }} + volumeName: "{{ .Values.pushgateway.persistentVolume.volumeName }}" +{{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/service.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/service.yaml new file mode 100644 index 0000000..a49f47b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/service.yaml @@ -0,0 +1,44 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.pushgateway.service.annotations }} + annotations: +{{ toYaml .Values.pushgateway.service.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +{{- if .Values.pushgateway.service.labels }} +{{ toYaml .Values.pushgateway.service.labels | indent 4}} +{{- end }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.pushgateway.service.clusterIP }} + clusterIP: {{ .Values.pushgateway.service.clusterIP }} +{{- end }} +{{- if .Values.pushgateway.service.externalIPs }} + externalIPs: +{{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.pushgateway.service.servicePort }} + protocol: TCP + targetPort: 9091 + {{- if .Values.pushgateway.service.nodePort }} + nodePort: {{ .Values.pushgateway.service.nodePort }} + {{- end }} + selector: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }} + type: "{{ .Values.pushgateway.service.type }}" +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/serviceaccount.yaml new file mode 100644 index 0000000..8c0b876 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.pushgateway" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.pushgateway.annotations | indent 4 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/vpa.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/vpa.yaml new file mode 100644 index 0000000..0ac54f9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/pushgateway/vpa.yaml @@ -0,0 +1,20 @@ +{{- if .Values.pushgateway.enabled -}} +{{- if .Values.pushgateway.verticalAutoscaler.enabled -}} +apiVersion: autoscaling.k8s.io/v1beta2 +kind: VerticalPodAutoscaler +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }}-vpa +{{ include "prometheus.namespace" . | indent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: {{ template "prometheus.pushgateway.fullname" . }} + updatePolicy: + updateMode: {{ .Values.pushgateway.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.pushgateway.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end -}} {{/* if .Values.pushgateway.verticalAutoscaler.enabled */}} +{{- end -}} {{/* .Values.pushgateway.enabled */}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/clusterrole.yaml new file mode 100644 index 0000000..2520235 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/clusterrole.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.server.fullname" . }} +{{- end }} + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/clusterrolebinding.yaml new file mode 100644 index 0000000..5a79611 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.namespaces) (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "prometheus.server.fullname" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/cm.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/cm.yaml new file mode 100644 index 0000000..92693ed --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/cm.yaml @@ -0,0 +1,89 @@ +{{- if .Values.server.enabled -}} +{{- if (empty .Values.server.configMapOverrideName) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.server.extraConfigmapLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: + allow-snippet-annotations: "false" +{{- $root := . -}} +{{- range $key, $value := .Values.ruleFiles }} + {{ $key }}: {{- toYaml $value | indent 2 }} +{{- end }} +{{- range $key, $value := .Values.serverFiles }} + {{ $key }}: | +{{- if eq $key "prometheus.yml" }} + global: +{{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} +{{- if $root.Values.server.remoteWrite }} + remote_write: +{{ $root.Values.server.remoteWrite | toYaml | indent 4 }} +{{- end }} +{{- if $root.Values.server.remoteRead }} + remote_read: +{{ $root.Values.server.remoteRead | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if eq $key "alerts" }} +{{- if and (not (empty $value)) (empty $value.groups) }} + groups: +{{- range $ruleKey, $ruleValue := $value }} + - name: {{ $ruleKey -}}.rules + rules: +{{ $ruleValue | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} +{{- else }} +{{ toYaml $value | indent 4 }} +{{- end }} +{{- else }} +{{ toYaml $value | default "{}" | indent 4 }} +{{- end }} +{{- if eq $key "prometheus.yml" -}} +{{- if $root.Values.extraScrapeConfigs }} +{{ tpl $root.Values.extraScrapeConfigs $root | indent 4 }} +{{- end -}} +{{- if or ($root.Values.alertmanager.enabled) ($root.Values.server.alertmanagers) }} + alerting: +{{- if $root.Values.alertRelabelConfigs }} +{{ $root.Values.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} + alertmanagers: +{{- if $root.Values.server.alertmanagers }} +{{ toYaml $root.Values.server.alertmanagers | indent 8 }} +{{- else }} + - kubernetes_sd_configs: + - role: pod + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- if $root.Values.alertmanager.prefixURL }} + path_prefix: {{ $root.Values.alertmanager.prefixURL }} + {{- end }} + relabel_configs: + - source_labels: [__meta_kubernetes_namespace] + regex: {{ $root.Release.Namespace }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_app] + regex: {{ template "prometheus.name" $root }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_component] + regex: alertmanager + action: keep + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_probe] + regex: {{ index $root.Values.alertmanager.podAnnotations "prometheus.io/probe" | default ".*" }} + action: keep + - source_labels: [__meta_kubernetes_pod_container_port_number] + regex: "9093" + action: keep +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/deploy.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/deploy.yaml new file mode 100644 index 0000000..45de5d1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/deploy.yaml @@ -0,0 +1,324 @@ +{{- if .Values.server.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.server.deploymentAnnotations }} + annotations: + {{ toYaml .Values.server.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + {{- if .Values.server.strategy }} + strategy: +{{ toYaml .Values.server.strategy | trim | indent 4 }} + {{ if eq .Values.server.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + {{- with .Values.configmapReload.prometheus.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + {{- if .Values.server.startupProbe.enabled }} + startupProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + failureThreshold: {{ .Values.server.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} + {{- end }} + resources: +{{ toYaml .Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- with .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.hostNetwork }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + {{- else }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- with .Values.server.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity }} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} + - name: storage-volume + {{- if .Values.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/extra-manifests.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/extra-manifests.yaml new file mode 100644 index 0000000..7560f5a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/extra-manifests.yaml @@ -0,0 +1,9 @@ +{{ range .Values.server.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} + +{{- range .Values.server.extraTemplates }} +--- +{{ tpl . $ -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/headless-svc.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/headless-svc.yaml new file mode 100644 index 0000000..d519f4e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/headless-svc.yaml @@ -0,0 +1,37 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.statefulSet.headless.labels }} +{{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.server.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.statefulSet.headless.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.statefulSet.headless.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.statefulSet.headless.gRPC.nodePort }} + nodePort: {{ .Values.server.statefulSet.headless.gRPC.nodePort }} + {{- end }} + {{- end }} + + selector: + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/ingress.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/ingress.yaml new file mode 100644 index 0000000..000f39c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/ingress.yaml @@ -0,0 +1,59 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.server.fullname" . }} +{{- $servicePort := .Values.server.service.servicePort -}} +{{- $ingressPath := .Values.server.ingress.path -}} +{{- $ingressPathType := .Values.server.ingress.pathType -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: +{{ toYaml .Values.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- range $key, $value := .Values.server.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.server.ingress.tls }} + tls: +{{ toYaml .Values.server.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/netpol.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/netpol.yaml new file mode 100644 index 0000000..c8870e9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/netpol.yaml @@ -0,0 +1,18 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.networkPolicy.enabled }} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + ingress: + - ports: + - port: 9090 +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/pdb.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/pdb.yaml new file mode 100644 index 0000000..5a6ab42 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.server.podDisruptionBudget.enabled }} +apiVersion: {{ template "prometheus.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.server.labels" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/psp.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/psp.yaml new file mode 100644 index 0000000..e2e926e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/psp.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.server.podSecurityPolicy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: + - 'CHOWN' + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + - 'hostPath' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.server.persistentVolume.mountPath }} + {{- range .Values.server.extraHostPathMounts }} + - pathPrefix: {{ .hostPath }} + readOnly: {{ .readOnly }} + {{- end }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/pvc.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/pvc.yaml new file mode 100644 index 0000000..d86fdda --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/pvc.yaml @@ -0,0 +1,42 @@ +{{- if .Values.server.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +{{- if .Values.server.persistentVolume.enabled -}} +{{- if not .Values.server.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} +{{- if .Values.server.persistentVolume.storageClass }} +{{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.server.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.server.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" +{{- if .Values.server.persistentVolume.selector }} + selector: + {{- toYaml .Values.server.persistentVolume.selector | nindent 4 }} +{{- end -}} +{{- if .Values.server.persistentVolume.volumeName }} + volumeName: "{{ .Values.server.persistentVolume.volumeName }}" +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/rolebinding.yaml new file mode 100644 index 0000000..93ce3ee --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.server.enabled .Values.rbac.create .Values.server.useExistingClusterRoleName .Values.server.namespaces -}} +{{ range $.Values.server.namespaces -}} +--- +apiVersion: {{ template "rbac.apiVersion" $ }} +kind: RoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" $ | nindent 4 }} + name: {{ template "prometheus.server.fullname" $ }} + namespace: {{ . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" $ }} +{{ include "prometheus.namespace" $ | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $.Values.server.useExistingClusterRoleName }} +{{ end -}} +{{ end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/service.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/service.yaml new file mode 100644 index 0000000..01c5a4a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/service.yaml @@ -0,0 +1,60 @@ +{{- if and .Values.server.enabled .Values.server.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.service.annotations }} + annotations: +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.service.labels }} +{{ toYaml .Values.server.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} +{{- end }} +{{- if .Values.server.service.externalIPs }} + externalIPs: +{{ toYaml .Values.server.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} +{{- end }} +{{- if .Values.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.server.service.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.service.nodePort }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + {{- if .Values.server.service.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.service.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.service.gRPC.nodePort }} + nodePort: {{ .Values.server.service.gRPC.nodePort }} + {{- end }} + {{- end }} + selector: + {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} + statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }} + {{- else -}} + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- if .Values.server.service.sessionAffinity }} + sessionAffinity: {{ .Values.server.service.sessionAffinity }} +{{- end }} + {{- end }} + type: "{{ .Values.server.service.type }}" +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/serviceaccount.yaml new file mode 100644 index 0000000..9c0502a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.serviceAccounts.server.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/sts.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/sts.yaml new file mode 100644 index 0000000..f137d21 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/sts.yaml @@ -0,0 +1,344 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.server.statefulSet.annotations }} + annotations: + {{ toYaml .Values.server.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- if .Values.server.statefulSet.labels}} + {{ toYaml .Values.server.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.server.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + podManagementPolicy: {{ .Values.server.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + {{- with .Values.configmapReload.prometheus.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + {{- if .Values.server.startupProbe.enabled }} + startupProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + failureThreshold: {{ .Values.server.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} + {{- end }} + resources: +{{ toYaml .Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- with .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- with .Values.server.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity }} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} +{{- if .Values.server.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }} + {{- end }} + {{- if .Values.server.persistentVolume.labels }} + labels: +{{ toYaml .Values.server.persistentVolume.labels | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/templates/server/vpa.yaml b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/vpa.yaml new file mode 100644 index 0000000..981a9b4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/templates/server/vpa.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.verticalAutoscaler.enabled -}} +apiVersion: autoscaling.k8s.io/v1beta2 +kind: VerticalPodAutoscaler +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }}-vpa +{{ include "prometheus.namespace" . | indent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" +{{- if .Values.server.statefulSet.enabled }} + kind: StatefulSet +{{- else }} + kind: Deployment +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + updatePolicy: + updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}} +{{- end -}} {{/* .Values.server.enabled */}} diff --git a/kubernetes/Charts/gitlab/charts/prometheus/values.yaml b/kubernetes/Charts/gitlab/charts/prometheus/values.yaml new file mode 100644 index 0000000..3b37382 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/prometheus/values.yaml @@ -0,0 +1,1915 @@ +rbac: + create: true + +podSecurityPolicy: + enabled: false + +imagePullSecrets: +# - name: "image-pull-secret" + +## Define serviceAccount names for components. Defaults to component's fully qualified name. +## +serviceAccounts: + alertmanager: + create: true + name: + annotations: {} + nodeExporter: + create: true + name: + annotations: {} + pushgateway: + create: true + name: + annotations: {} + server: + create: true + name: + annotations: {} + +alertmanager: + ## If false, alertmanager will not be installed + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY + ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. + useClusterRole: true + + ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. + useExistingRole: false + + ## alertmanager container name + ## + name: alertmanager + + ## alertmanager container image + ## + image: + repository: quay.io/prometheus/alertmanager + tag: v0.24.0 + pullPolicy: IfNotPresent + + ## alertmanager priorityClassName + ## + priorityClassName: "" + + ## Custom HTTP headers for Readiness Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + + ## Additional alertmanager container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access alertmanager + baseURL: "http://localhost:9093" + + ## Additional alertmanager container environment variable + ## For instance to add a http_proxy + ## + extraEnv: {} + + ## Additional alertmanager Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: alertmanager-secret-files + # readOnly: true + + ## Additional alertmanager Configmap mounts + extraConfigmapMounts: [] + # - name: template-files + # mountPath: /etc/config/templates.d + # configMap: alertmanager-template-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config + ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configFromSecret: "" + + ## The configuration file name to be loaded to alertmanager + ## Must match the key within configuration loaded from ConfigMap/Secret + ## + configFileName: alertmanager.yml + + ingress: + ## If true, alertmanager Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## alertmanager Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## alertmanager Ingress additional labels + ## + extraLabels: {} + + ## alertmanager Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - alertmanager.domain.com + # - domain.com/alertmanager + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## alertmanager Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - alertmanager.domain.com + + ## Alertmanager Deployment Strategy type + # strategy: + # type: Recreate + + ## Node tolerations for alertmanager scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for alertmanager pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, alertmanager will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## alertmanager data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## alertmanager data Persistent Volume Claim annotations + ## + annotations: {} + + ## alertmanager data Persistent Volume existing claim name + ## Requires alertmanager.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## alertmanager data Persistent Volume mount root path + ## + mountPath: /data + + ## alertmanager data Persistent Volume size + ## + size: 2Gi + + ## alertmanager data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## alertmanager data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of alertmanager data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + ## Persistent Volume Name + ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one + ## + # volumeName: "" + + emptyDir: + ## alertmanager emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to alertmanager pods + ## + podAnnotations: {} + ## Tell prometheus to use a specific set of alertmanager pods + ## instead of all alertmanager pods found in the same namespace + ## Useful if you deploy multiple releases within the same namespace + ## + ## prometheus.io/probe: alertmanager-teamA + + ## Labels to be added to Prometheus AlertManager pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + enableMeshPeer: false + + servicePort: 80 + + ## alertmanager resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + # Custom DNS configuration to be added to alertmanager pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to alertmanager pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + ## Security context to be added to alertmanager container + ## + containerSecurityContext: {} + + service: + annotations: {} + labels: {} + clusterIP: "" + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + # enableMeshPeer : true + + ## List of IP addresses at which the alertmanager service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + # nodePort: 30000 + sessionAffinity: None + type: ClusterIP + + ## List of initial peers + ## Ref: https://github.com/prometheus/alertmanager/blob/main/README.md#high-availability + clusterPeers: [] + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/jimmidyson/configmap-reload +## +configmapReload: + prometheus: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + ## Security context to be added to configmap-reload container + containerSecurityContext: {} + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + alertmanager: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + ## Security context to be added to configmap-reload container + containerSecurityContext: {} + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + +kubeStateMetrics: + ## If false, kube-state-metrics sub-chart will not be installed + ## + enabled: true + +## kube-state-metrics sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics +## +# kube-state-metrics: + +nodeExporter: + ## If false, node-exporter will not be installed + ## + enabled: true + + ## If true, node-exporter pods share the host network namespace + ## + hostNetwork: true + + ## If true, node-exporter pods share the host PID namespace + ## + hostPID: true + + ## If true, node-exporter pods mounts host / at /host/root + ## + hostRootfs: true + + ## node-exporter container name + ## + name: node-exporter + + ## node-exporter container image + ## + image: + repository: quay.io/prometheus/node-exporter + tag: v1.3.1 + pullPolicy: IfNotPresent + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## node-exporter priorityClassName + ## + priorityClassName: "" + + ## Custom Update Strategy + ## + updateStrategy: + type: RollingUpdate + + ## Additional node-exporter container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional node-exporter hostPath mounts + ## + extraHostPathMounts: [] + # - name: textfile-dir + # mountPath: /srv/txt_collector + # hostPath: /var/lib/node-exporter + # readOnly: true + # mountPropagation: HostToContainer + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # configMap: certs-configmap + # readOnly: true + + ## Node tolerations for node-exporter scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for node-exporter pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to node-exporter pods + ## + podAnnotations: {} + + ## Labels to be added to node-exporter pods + ## + pod: + labels: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## node-exporter resource limits & requests + ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 200m + # memory: 50Mi + # requests: + # cpu: 100m + # memory: 30Mi + container: + securityContext: + allowPrivilegeEscalation: false + # Custom DNS configuration to be added to node-exporter pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to node-exporter pods + ## + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + + service: + annotations: + prometheus.io/scrape: "true" + labels: {} + + # Exposed as a headless service: + # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services + clusterIP: "" + + ## List of IP addresses at which the node-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + hostPort: 9100 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9100 + type: ClusterIP + +server: + ## Prometheus server container name + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a RoleBinding in the defined namespaces ONLY + ## + ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled. + ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide. + ## + ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus. + ## + # useExistingClusterRoleName: nameofclusterrole + + ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. + # namespaces: + # - yournamespace + + name: server + + # sidecarContainers - add more containers to prometheus server + # Key/Value where Key is the sidecar `- name: ` + # Example: + # sidecarContainers: + # webserver: + # image: nginx + sidecarContainers: {} + + # sidecarTemplateValues - context to be used in template for sidecarContainers + # Example: + # sidecarTemplateValues: *your-custom-globals + # sidecarContainers: + # webserver: |- + # {{ include "webserver-container-template" . }} + # Template for `webserver-container-template` might looks like this: + # image: "{{ .Values.server.sidecarTemplateValues.repository }}:{{ .Values.server.sidecarTemplateValues.tag }}" + # ... + # + sidecarTemplateValues: {} + + ## Prometheus server container image + ## + image: + repository: quay.io/prometheus/prometheus + tag: v2.39.1 + pullPolicy: IfNotPresent + + ## prometheus server priorityClassName + ## + priorityClassName: "" + + ## EnableServiceLinks indicates whether information about services should be injected + ## into pod's environment variables, matching the syntax of Docker links. + ## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0. + ## + enableServiceLinks: true + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access prometheus + ## Maybe same with Ingress host name + baseURL: "" + + ## Additional server container environment variables + ## + ## You specify this manually like you would a raw deployment manifest. + ## This means you can bind in environment variables from secrets. + ## + ## e.g. static environment variable: + ## - name: DEMO_GREETING + ## value: "Hello from the environment" + ## + ## e.g. secret environment variable: + ## - name: USERNAME + ## valueFrom: + ## secretKeyRef: + ## name: mysecret + ## key: username + env: [] + + # List of flags to override default parameters, e.g: + # - --enable-feature=agent + # - --storage.agent.retention.max-time=30m + defaultFlagsOverride: [] + + extraFlags: + - web.enable-lifecycle + ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as + ## deleting time series. This is disabled by default. + # - web.enable-admin-api + ## + ## storage.tsdb.no-lockfile flag controls BD locking + # - storage.tsdb.no-lockfile + ## + ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) + # - storage.tsdb.wal-compression + + ## Path to a configuration file on prometheus server container FS + configPath: /etc/config/prometheus.yml + + ### The data directory used by prometheus to set --storage.tsdb.path + ### When empty server.persistentVolume.mountPath is used instead + storagePath: "" + + global: + ## How frequently to scrape targets by default + ## + scrape_interval: 1m + ## How long until a scrape request times out + ## + scrape_timeout: 10s + ## How frequently to evaluate rules + ## + evaluation_interval: 1m + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write + ## + remoteWrite: [] + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read + ## + remoteRead: [] + + ## Custom HTTP headers for Liveness/Readiness/Startup Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + # - name: "Authorization" + # value: "Bearer ABCDEabcde12345" + + ## Additional Prometheus server container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional Prometheus server Volume mounts + ## + extraVolumeMounts: [] + + ## Additional Prometheus server Volumes + ## + extraVolumes: [] + + ## Additional Prometheus server hostPath mounts + ## + extraHostPathMounts: [] + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true + + ## Additional Prometheus server Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/server-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## Extra labels for Prometheus server ConfigMap (ConfigMap that holds serverFiles) + extraConfigmapLabels: {} + + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## Prometheus server Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Prometheus server Ingress additional labels + ## + extraLabels: {} + + ## Prometheus server Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - prometheus.domain.com + # - domain.com/prometheus + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-server-tls + # hosts: + # - prometheus.domain.com + + ## Server Deployment Strategy type + # strategy: + # type: Recreate + + ## hostAliases allows adding entries to /etc/hosts inside the containers + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "example.com" + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for Prometheus server pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, Prometheus server will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## Prometheus server data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## Prometheus server data Persistent Volume labels + ## + labels: {} + + ## Prometheus server data Persistent Volume annotations + ## + annotations: {} + + ## Prometheus server data Persistent Volume existing claim name + ## Requires server.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## Prometheus server data Persistent Volume mount root path + ## + mountPath: /data + + ## Prometheus server data Persistent Volume size + ## + size: 8Gi + + ## Prometheus server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Prometheus server data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of Prometheus server data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + ## Persistent Volume Name + ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one + ## + # volumeName: "" + + emptyDir: + ## Prometheus server emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to Prometheus server pods + ## + podAnnotations: {} + # iam.amazonaws.com/role: prometheus + + ## Labels to be added to Prometheus server pods + ## + podLabels: {} + + ## Prometheus AlertManager configuration + ## + alertmanagers: [] + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + servicePort: 80 + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## Prometheus server readiness and liveness probe initial delay and timeout + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + tcpSocketProbeEnabled: false + probeScheme: HTTP + readinessProbeInitialDelay: 30 + readinessProbePeriodSeconds: 5 + readinessProbeTimeout: 4 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 30 + livenessProbePeriodSeconds: 15 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + startupProbe: + enabled: false + periodSeconds: 5 + failureThreshold: 30 + timeoutSeconds: 10 + + ## Prometheus server resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + # When hostNetwork is enabled, this will set to ClusterFirstWithHostNet automatically + dnsPolicy: ClusterFirst + + # Use hostPort + # hostPort: 9090 + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-server' + + # Custom DNS configuration to be added to prometheus server pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to server pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + ## Security context to be added to server container + ## + containerSecurityContext: {} + + service: + ## If false, no Service will be created for the Prometheus server + ## + enabled: true + + annotations: {} + labels: {} + clusterIP: "" + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + sessionAffinity: None + type: ClusterIP + + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## If using a statefulSet (statefulSet.enabled=true), configure the + ## service to connect to a specific replica to have a consistent view + ## of the data. + statefulsetReplica: + enabled: false + replica: 0 + + ## Prometheus server pod termination grace period + ## + terminationGracePeriodSeconds: 300 + + ## Prometheus data retention period (default if not specified is 15 days) + ## + retention: "15d" + + ## Array of extra Kubernetes manifests, in form of YAML object, + ## if you want to deploy + extraObjects: [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: '{{ template "prometheus.name" . }}-extra-config' + + ## Array of extra Kubernetes manifest, in form of template string, + ## if you want to deploy + extraTemplates: [] + # - | + # apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: extra-config + # labels: + # {{- include "prometheus.server.labels" . | nindent 4 }} + +pushgateway: + ## If false, pushgateway will not be installed + ## + enabled: true + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## pushgateway container name + ## + name: pushgateway + + ## pushgateway container image + ## + image: + repository: prom/pushgateway + tag: v1.4.3 + pullPolicy: IfNotPresent + + ## pushgateway priorityClassName + ## + priorityClassName: "" + + ## Additional pushgateway container arguments + ## + ## for example: persistence.file: /data/pushgateway.data + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ingress: + ## If true, pushgateway Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## pushgateway Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## pushgateway Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - pushgateway.domain.com + # - domain.com/pushgateway + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## pushgateway Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - pushgateway.domain.com + + ## Node tolerations for pushgateway scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for pushgateway pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to pushgateway pods + ## + podAnnotations: {} + + ## Labels to be added to pushgateway pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## pushgateway resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-pushgateway' + + # Custom DNS configuration to be added to push-gateway pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to push-gateway pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + + ## Security context to be added to push-gateway container + containerSecurityContext: {} + + service: + annotations: + prometheus.io/probe: pushgateway + labels: {} + clusterIP: "" + + ## List of IP addresses at which the pushgateway service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9091 + type: ClusterIP + + ## pushgateway Deployment Strategy type + # strategy: + # type: Recreate + + ## Custom HTTP headers for Liveness/Readiness/Startup Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + # - name: "Authorization" + # value: "Bearer ABCDEabcde12345" + + persistentVolume: + ## If true, pushgateway will create/use a Persistent Volume Claim + ## + enabled: false + + ## pushgateway data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## pushgateway data Persistent Volume Claim annotations + ## + annotations: {} + + ## pushgateway data Persistent Volume existing claim name + ## Requires pushgateway.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## pushgateway data Persistent Volume mount root path + ## + mountPath: /data + + ## pushgateway data Persistent Volume size + ## + size: 2Gi + + ## pushgateway data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## pushgateway data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of pushgateway data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Name + ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one + ## + # volumeName: "" + +## alertmanager ConfigMap entries +## +alertmanagerFiles: + alertmanager.yml: + global: {} + # slack_api_url: '' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + +## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation) +ruleFiles: {} + +## Prometheus server ConfigMap entries +## +serverFiles: + + ## Alerts configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + alerting_rules.yml: {} + # groups: + # - name: Instances + # rules: + # - alert: InstanceDown + # expr: up == 0 + # for: 5m + # labels: + # severity: page + # annotations: + # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' + # summary: 'Instance {{ $labels.instance }} down' + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml + alerts: {} + + ## Records configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ + recording_rules.yml: {} + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml + rules: {} + + prometheus.yml: + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + ## Below two files are DEPRECATED will be removed from this default values file + - /etc/config/rules + - /etc/config/alerts + + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + # Scrape config for API servers. + # + # Kubernetes exposes API servers as endpoints to the default/kubernetes + # service so this uses `endpoints` role and uses relabelling to only keep + # the endpoints associated with the default/kubernetes service using the + # default named port `https`. This works for single API server deployments as + # well as HA API server deployments. + - job_name: 'kubernetes-apiservers' + + kubernetes_sd_configs: + - role: endpoints + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + # Keep only the default/kubernetes service endpoints for the https port. This + # will add targets for each API server which Kubernetes adds an endpoint to + # the default/kubernetes service. + relabel_configs: + - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: default;kubernetes;https + + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + + + - job_name: 'kubernetes-nodes-cadvisor' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of + # `true`, except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints' + honor_labels: true + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + # Scrape config for slow service endpoints; same as above, but with a larger + # timeout and a larger interval + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints-slow' + honor_labels: true + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + - job_name: 'prometheus-pushgateway' + honor_labels: true + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: pushgateway + + # Example scrape config for probing services via the Blackbox Exporter. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/probe`: Only probe services that have a value of `true` + - job_name: 'kubernetes-services' + honor_labels: true + + metrics_path: /probe + params: + module: [http_2xx] + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: service + + # Example scrape config for pods + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`, + # except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods' + honor_labels: true + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed|Completed + action: drop + + # Example Scrape config for pods which should be scraped slower. An useful example + # would be stackriver-exporter which queries an API on every scrape of the pod + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods-slow' + honor_labels: true + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed|Completed + action: drop + +# adds additional scrape configs to prometheus.yml +# must be a string so you have to add a | after extraScrapeConfigs: +# example adds prometheus-blackbox-exporter scrape config +extraScrapeConfigs: + # - job_name: 'prometheus-blackbox-exporter' + # metrics_path: /probe + # params: + # module: [http_2xx] + # static_configs: + # - targets: + # - https://example.com + # relabel_configs: + # - source_labels: [__address__] + # target_label: __param_target + # - source_labels: [__param_target] + # target_label: instance + # - target_label: __address__ + # replacement: prometheus-blackbox-exporter:9115 + +# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager +# useful in H/A prometheus with different external labels but the same alerts +alertRelabelConfigs: + # alert_relabel_configs: + # - source_labels: [dc] + # regex: (.+)\d+ + # target_label: dc + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + +# Force namespace of namespaced resources +forceNamespace: null + +# Extra manifests to deploy as an array +extraManifests: [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # labels: + # name: prometheus-extra + # data: + # extra-data: "value" diff --git a/kubernetes/Charts/gitlab/charts/redis/.helmignore b/kubernetes/Charts/gitlab/charts/redis/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/Charts/gitlab/charts/redis/Chart.lock b/kubernetes/Charts/gitlab/charts/redis/Chart.lock new file mode 100644 index 0000000..ced3e29 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.16.0 +digest: sha256:f41cb9ff725b7c9fa2725634196a6813566d630342f86a74903ed114b282c8c0 +generated: "2022-06-06T12:59:41.280407782Z" diff --git a/kubernetes/Charts/gitlab/charts/redis/Chart.yaml b/kubernetes/Charts/gitlab/charts/redis/Chart.yaml new file mode 100644 index 0000000..e89b016 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/Chart.yaml @@ -0,0 +1,28 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 6.2.7 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +description: Redis(R) is an open source, advanced key-value store. It is often referred + to as a data structure server since keys can contain strings, hashes, lists, sets + and sorted sets. +home: https://github.com/bitnami/charts/tree/master/bitnami/redis +icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png +keywords: +- redis +- keyvalue +- database +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +- email: cedric@desaintmartin.fr + name: desaintmartin +name: redis +sources: +- https://github.com/bitnami/bitnami-docker-redis +version: 16.13.2 diff --git a/kubernetes/Charts/gitlab/charts/redis/README.md b/kubernetes/Charts/gitlab/charts/redis/README.md new file mode 100644 index 0000000..66f267b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/README.md @@ -0,0 +1,898 @@ + + +# Bitnami package for Redis(R) + +Redis(R) is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. + +[Overview of Redis®](http://redis.io) + +Disclaimer: Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Bitnami is for referential purposes only and does not indicate any sponsorship, endorsement, or affiliation between Redis Ltd. + +## TL;DR + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/redis +``` + +## Introduction + +This chart bootstraps a [Redis®](https://github.com/bitnami/bitnami-docker-redis) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +### Choose between Redis® Helm Chart and Redis® Cluster Helm Chart + +You can choose any of the two Redis® Helm charts for deploying a Redis® cluster. + +1. [Redis® Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis) will deploy a master-replica cluster, with the [option](https://github.com/bitnami/charts/tree/master/bitnami/redis#redis-sentinel-configuration-parameters) of enabling using Redis® Sentinel. +2. [Redis® Cluster Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) will deploy a Redis® Cluster topology with sharding. + +The main features of each chart are the following: + +| Redis® | Redis® Cluster | +|--------------------------------------------------------|------------------------------------------------------------------------| +| Supports multiple databases | Supports only one database. Better if you have a big dataset | +| Single write point (single master) | Multiple write points (multiple masters) | +| ![Redis® Topology](img/redis-topology.png) | ![Redis® Cluster Topology](img/redis-cluster-topology.png) | + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/redis +``` + +The command deploys Redis® on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ------------------------- | ------------------------------------------------------ | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname | `""` | +| `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `secretAnnotations` | Annotations to add to secret | `{}` | +| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + + +### Redis® Image parameters + +| Name | Description | Value | +| ------------------- | ----------------------------------------------------- | --------------------- | +| `image.registry` | Redis® image registry | `docker.io` | +| `image.repository` | Redis® image repository | `bitnami/redis` | +| `image.tag` | Redis® image tag (immutable tags are recommended) | `6.2.7-debian-11-r11` | +| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Redis® image pull secrets | `[]` | +| `image.debug` | Enable image debug mode | `false` | + + +### Redis® common configuration parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- | +| `architecture` | Redis® architecture. Allowed values: `standalone` or `replication` | `replication` | +| `auth.enabled` | Enable password authentication | `true` | +| `auth.sentinel` | Enable password authentication on sentinels too | `true` | +| `auth.password` | Redis® password | `""` | +| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | +| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | +| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | +| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | + + +### Redis® master configuration parameters + +| Name | Description | Value | +| ------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------ | +| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` | +| `master.configuration` | Configuration for Redis® master nodes | `""` | +| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | +| `master.command` | Override default container command (useful when using custom images) | `[]` | +| `master.args` | Override default container args (useful when using custom images) | `[]` | +| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` | +| `master.extraFlags` | Array with additional command line flags for Redis® master | `[]` | +| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` | +| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` | +| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` | +| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` | +| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` | +| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` | +| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | +| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` | +| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` | +| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `master.resources.limits` | The resources limits for the Redis® master containers | `{}` | +| `master.resources.requests` | The requested resources for the Redis® master containers | `{}` | +| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` | +| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | +| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | +| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | +| `master.kind` | Use either Deployment or StatefulSet (default) | `StatefulSet` | +| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` | +| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` | +| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | +| `master.hostAliases` | Redis® master pods host aliases | `[]` | +| `master.podLabels` | Extra labels for Redis® master pods | `{}` | +| `master.podAnnotations` | Annotations for Redis® master pods | `{}` | +| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` | +| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` | +| `master.nodeAffinityPreset.values` | Node label values to match. Ignored if `master.affinity` is set | `[]` | +| `master.affinity` | Affinity for Redis® master pods assignment | `{}` | +| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` | +| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` | +| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` | +| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` | +| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` | +| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` | +| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` | +| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` | +| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` | +| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` | +| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` | +| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | +| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` | +| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` | +| `master.persistence.storageClass` | Persistent Volume storage class | `""` | +| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `master.persistence.size` | Persistent Volume size | `8Gi` | +| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `master.persistence.dataSource` | Custom PVC data source | `{}` | +| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `master.service.type` | Redis® master service type | `ClusterIP` | +| `master.service.ports.redis` | Redis® master service port | `6379` | +| `master.service.nodePorts.redis` | Node port for Redis® master | `""` | +| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` | +| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `master.service.internalTrafficPolicy` | Redis® master service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | +| `master.service.clusterIP` | Redis® master service Cluster IP | `""` | +| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` | +| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` | +| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` | +| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | + + +### Redis® replicas configuration parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------ | +| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` | +| `replica.configuration` | Configuration for Redis® replicas nodes | `""` | +| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` | +| `replica.command` | Override default container command (useful when using custom images) | `[]` | +| `replica.args` | Override default container args (useful when using custom images) | `[]` | +| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` | +| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` | +| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` | +| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` | +| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` | +| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `replica.externalMaster.host` | External master host to bootstrap from | `""` | +| `replica.externalMaster.port` | Port for Redis service external master host | `6379` | +| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` | +| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` | +| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `replica.resources.limits` | The resources limits for the Redis® replicas containers | `{}` | +| `replica.resources.requests` | The requested resources for the Redis® replicas containers | `{}` | +| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` | +| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | +| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | +| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | +| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` | +| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` | +| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | +| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | +| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | +| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | +| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | +| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` | +| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` | +| `replica.nodeAffinityPreset.values` | Node label values to match. Ignored if `replica.affinity` is set | `[]` | +| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` | +| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` | +| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` | +| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` | +| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` | +| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` | +| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` | +| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` | +| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` | +| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` | +| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` | +| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` | +| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | +| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` | +| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | +| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `replica.persistence.size` | Persistent Volume size | `8Gi` | +| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `replica.persistence.dataSource` | Custom PVC data source | `{}` | +| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `replica.service.type` | Redis® replicas service type | `ClusterIP` | +| `replica.service.ports.redis` | Redis® replicas service port | `6379` | +| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` | +| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` | +| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | +| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` | +| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` | +| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` | +| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` | +| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` | +| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` | +| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` | +| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | +| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | +| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | + + +### Redis® Sentinel configuration parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` | +| `sentinel.image.registry` | Redis® Sentinel image registry | `docker.io` | +| `sentinel.image.repository` | Redis® Sentinel image repository | `bitnami/redis-sentinel` | +| `sentinel.image.tag` | Redis® Sentinel image tag (immutable tags are recommended) | `6.2.7-debian-11-r12` | +| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` | +| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` | +| `sentinel.image.debug` | Enable image debug mode | `false` | +| `sentinel.masterSet` | Master set name | `mymaster` | +| `sentinel.quorum` | Sentinel Quorum | `2` | +| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `220` | +| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `18000` | +| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` | +| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` | +| `sentinel.command` | Override default container command (useful when using custom images) | `[]` | +| `sentinel.args` | Override default container args (useful when using custom images) | `[]` | +| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` | +| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` | +| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` | +| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` | +| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` | +| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` | +| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| `sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` | +| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` | +| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `sentinel.persistence.size` | Persistent Volume size | `100Mi` | +| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` | +| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` | +| `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` | +| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | +| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` | +| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` | +| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` | +| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` | +| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` | +| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` | +| `sentinel.service.nodePorts.redis` | Node port for Redis® | `""` | +| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | +| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | +| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | +| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | +| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | +| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | + + +### Other Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` | +| `tls.enabled` | Enable TLS traffic | `false` | +| `tls.authClients` | Require clients to authenticate | `true` | +| `tls.autoGenerated` | Enable autogenerated certificates | `false` | +| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` | +| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate Key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` | + + +### Metrics Parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------ | ------------------------ | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | +| `metrics.image.registry` | Redis® Exporter image registry | `docker.io` | +| `metrics.image.repository` | Redis® Exporter image repository | `bitnami/redis-exporter` | +| `metrics.image.tag` | Redis® Redis® Exporter image tag (immutable tags are recommended) | `1.43.0-debian-11-r4` | +| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | +| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` | +| `metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` | +| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | +| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | +| `metrics.service.port` | Redis® exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | +| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | + + +### Init Container Parameters + +| Name | Description | Value | +| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Bitnami Shell image registry | `docker.io` | +| `volumePermissions.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r11` | +| `volumePermissions.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | Bitnami Shell image registry | `docker.io` | +| `sysctl.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | +| `sysctl.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r11` | +| `sysctl.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resources.limits` | The resources limits for the init container | `{}` | +| `sysctl.resources.requests` | The requested resources for the init container | `{}` | + + +### useExternalDNS Parameters + +| Name | Description | Value | +| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` | +| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` | +| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. | `external-dns.alpha.kubernetes.io/` | +| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. | `""` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set auth.password=secretpassword \ + bitnami/redis +``` + +The above command sets the Redis® server password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/redis +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use a different Redis® version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/redis/configuration/change-image-version/). + +### Bootstrapping with an External Cluster + +This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: + +```yaml +replica: + externalMaster: + enabled: true + host: external-redis-0.internal +sentinel: + externalMaster: + enabled: true + host: external-redis-0.internal +``` + +:warning: This is currently limited to clusters in which Sentinel and Redis run on the same node! :warning: + +Please also note that the external sentinel must be listening on port `26379`, and this is currently not configurable. + +Once the Kubernetes Redis Deployment is online and confirmed to be working with the existing cluster, the configuration can then be removed and the cluster will remain connected. + +### External DNS + +This chart is equipped to allow leveraging the ExternalDNS project. Doing so will enable ExternalDNS to publish the FQDN for each instance, in the format of `..`. +Example, when using the following configuration: + +```yaml +useExternalDNS: + enabled: true + suffix: prod.example.org + additionalAnnotations: + ttl: 10 +``` + +On a cluster where the name of the Helm release is `a`, the hostname of a Pod is generated as: `a-redis-node-0.a-redis.prod.example.org`. The IP of that FQDN will match that of the associated Pod. This modifies the following parameters of the Redis/Sentinel configuration using this new FQDN: + +* `replica-announce-ip` +* `known-sentinel` +* `known-replica` +* `announce-ip` + +:warning: This requires a working installation of `external-dns` to be fully functional. :warning: + +See the [official ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns) for additional configuration options. + +### Cluster topologies + +#### Default: Master-Replicas + +When installing the chart with `architecture=replication`, it will deploy a Redis® master StatefulSet and a Redis® replicas StatefulSet. The replicas will be read-replicas of the master. Two services will be exposed: + +- Redis® Master service: Points to the master, where read-write operations can be performed +- Redis® Replicas service: Points to the replicas, where only read operations are allowed by default. + +In case the master crashes, the replicas will wait until the master node is respawned again by the Kubernetes Controller Manager. + +#### Standalone + +When installing the chart with `architecture=standalone`, it will deploy a standalone Redis® StatefulSet. A single service will be exposed: + +- Redis® Master service: Points to the master, where read-write operations can be performed + +#### Master-Replicas with Sentinel + +When installing the chart with `architecture=replication` and `sentinel.enabled=true`, it will deploy a Redis® master StatefulSet (only one master allowed) and a Redis® replicas StatefulSet. In this case, the pods will contain an extra container with Redis® Sentinel. This container will form a cluster of Redis® Sentinel nodes, which will promote a new master in case the actual one fails. In addition to this, only one service is exposed: + +- Redis® service: Exposes port 6379 for Redis® read-only operations and port 26379 for accessing Redis® Sentinel. + +For read-only operations, access the service using port 6379. For write operations, it's necessary to access the Redis® Sentinel cluster and query the current master using the command below (using redis-cli or similar): + +``` +SENTINEL get-master-addr-by-name +``` + +This command will return the address of the current master, which can be accessed from inside the cluster. + +In case the current master crashes, the Sentinel containers will elect a new master node. + +`master.count` greater than `1` is not designed for use when `sentinel.enabled=true`. + +### Multiple masters (experimental) + +When `master.count` is greater than `1`, special care must be taken to create a consistent setup. + +An example of use case is the creation of a redundant set of standalone masters or master-replicas per Kubernetes node where you must ensure: +- No more than `1` master can be deployed per Kubernetes node +- Replicas and writers can only see the single master of their own Kubernetes node + +One way of achieving this is by setting `master.service.internalTrafficPolicy=Local` in combination with a `master.affinity.podAntiAffinity` spec to never schedule more than one master per Kubernetes node. + +It's recommended to only change `master.count` if you know what you are doing. +`master.count` greater than `1` is not designed for use when `sentinel.enabled=true`. + +### Using a password file + +To use a password file for Redis® you need to create a secret containing the password and then deploy the chart using that secret. + +Refer to the chart documentation for more information on [using a password file for Redis®](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/use-password-file/). + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.existingSecret`: Name of the secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. +- `tls.certCAFilename`: CA Certificate filename. No defaults. + +Refer to the chart documentation for more information on [creating the secret and a TLS deployment example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/). + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9121) is exposed in the service. Metrics can be scraped from within the cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). If metrics are to be scraped from outside the cluster, the Kubernetes API proxy can be utilized to access the endpoint. + +If you have enabled TLS by specifying `tls.enabled=true` you also need to specify TLS option to the metrics exporter. You can do that via `metrics.extraArgs`. You can find the metrics exporter CLI flags for TLS [here](https://github.com/oliver006/redis_exporter#command-line-flags). For example: + +You can either specify `metrics.extraArgs.skip-tls-verification=true` to skip TLS verification or providing the following values under `metrics.extraArgs` for TLS client authentication: + +```console +tls-client-key-file +tls-client-cert-file +tls-ca-cert-file +``` + +### Host Kernel Settings + +Redis® may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. + +Refer to the chart documentation for more information on [configuring host kernel settings with an example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/configure-kernel-settings/). + +## Persistence + +By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. + +### Existing PersistentVolumeClaim + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```bash +$ helm install my-release --set master.persistence.existingClaim=PVC_NAME bitnami/redis +``` + +## Backup and restore + +Refer to the chart documentation for more information on [backing up and restoring Redis® deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/backup-restore/). + +## NetworkPolicy + +To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +Refer to the chart documenation for more information on [enabling the network policy in Redis® deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-network-policy/). + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. + +### To 16.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +Affected values: +- `master.service.port` renamed as `master.service.ports.redis`. +- `master.service.nodePort` renamed as `master.service.nodePorts.redis`. +- `replica.service.port` renamed as `replica.service.ports.redis`. +- `replica.service.nodePort` renamed as `replica.service.nodePorts.redis`. +- `sentinel.service.port` renamed as `sentinel.service.ports.redis`. +- `sentinel.service.sentinelPort` renamed as `sentinel.service.ports.sentinel`. +- `master.containerPort` renamed as `master.containerPorts.redis`. +- `replica.containerPort` renamed as `replica.containerPorts.redis`. +- `sentinel.containerPort` renamed as `sentinel.containerPorts.sentinel`. +- `master.spreadConstraints` renamed as `master.topologySpreadConstraints` +- `replica.spreadConstraints` renamed as `replica.topologySpreadConstraints` + +### To 15.0.0 + +The parameter to enable the usage of StaticIDs was removed. The behavior is to [always use StaticIDs](https://github.com/bitnami/charts/pull/7278). + +### To 14.8.0 + +The Redis® sentinel exporter was removed in this version because the upstream project was deprecated. The regular Redis® exporter is included in the sentinel scenario as usual. + +### To 14.0.0 + +- Several parameters were renamed or disappeared in favor of new ones on this major version: + - The term *slave* has been replaced by the term *replica*. Therefore, parameters prefixed with `slave` are now prefixed with `replicas`. + - Credentials parameter are reorganized under the `auth` parameter. + - `cluster.enabled` parameter is deprecated in favor of `architecture` parameter that accepts two values: `standalone` and `replication`. + - `securityContext.*` is deprecated in favor of `XXX.podSecurityContext` and `XXX.containerSecurityContext`. + - `sentinel.metrics.*` parameters are deprecated in favor of `metrics.sentinel.*` ones. +- New parameters to add custom command, environment variables, sidecars, init containers, etc. were added. +- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). +- values.yaml metadata was adapted to follow the format supported by [Readme Generator for Helm](https://github.com/bitnami-labs/readme-generator-for-helm). + +Consequences: + +Backwards compatibility is not guaranteed. To upgrade to `14.0.0`, install a new release of the Redis® chart, and migrate the data from your previous release. You have 2 alternatives to do so: + +- Create a backup of the database, and restore it on the new release as explained in the [Backup and restore](#backup-and-restore) section. +- Reuse the PVC used to hold the master data on your previous release. To do so, use the `master.persistence.existingClaim` parameter. The following example assumes that the release name is `redis`: + +```bash +$ helm install redis bitnami/redis --set auth.password=[PASSWORD] --set master.persistence.existingClaim=[EXISTING_PVC] +``` + +| Note: you need to substitute the placeholder _[EXISTING_PVC]_ with the name of the PVC used on your previous release, and _[PASSWORD]_ with the password used in your previous release. + +### To 13.0.0 + +This major version updates the Redis® docker image version used from `6.0` to `6.2`, the new stable version. There are no major changes in the chart and there shouldn't be any breaking changes in it as `6.2` is basically a stricter superset of `6.0`. For more information, please refer to [Redis® 6.2 release notes](https://raw.githubusercontent.com/redis/redis/6.2/00-RELEASENOTES). + +### To 12.3.0 + +This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. + +### To 12.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +### To 11.0.0 + +When deployed with sentinel enabled, only a group of nodes is deployed and the master/slave role is handled in the group. To avoid breaking the compatibility, the settings for this nodes are given through the `slave.xxxx` parameters in `values.yaml` + +### To 9.0.0 + +The metrics exporter has been changed from a separate deployment to a sidecar container, due to the latest changes in the Redis® exporter code. Check the [official page](https://github.com/oliver006/redis_exporter/) for more information. The metrics container image was changed from oliver006/redis_exporter to bitnami/redis-exporter (Bitnami's maintained package of oliver006/redis_exporter). + +### To 7.0.0 + +In order to improve the performance in case of slave failure, we added persistence to the read-only slaves. That means that we moved from Deployment to StatefulSets. This should not affect upgrades from previous versions of the chart, as the deployments did not contain any persistence at all. + +This version also allows enabling Redis® Sentinel containers inside of the Redis® Pods (feature disabled by default). In case the master crashes, a new Redis® node will be elected as master. In order to query the current master (no redis master service is exposed), you need to query first the Sentinel cluster. Find more information [in this section](#master-slave-with-sentinel). + +### To 11.0.0 + +When using sentinel, a new statefulset called `-node` was introduced. This will break upgrading from a previous version where the statefulsets are called master and slave. Hence the PVC will not match the new naming and won't be reused. If you want to keep your data, you will need to perform a backup and then a restore the data in this new version. + +### To 10.0.0 + +For releases with `usePassword: true`, the value `sentinel.usePassword` controls whether the password authentication also applies to the sentinel port. This defaults to `true` for a secure configuration, however it is possible to disable to account for the following cases: + +- Using a version of redis-sentinel prior to `5.0.1` where the authentication feature was introduced. +- Where redis clients need to be updated to support sentinel authentication. + +If using a master/slave topology, or with `usePassword: false`, no action is required. + +### To 8.0.18 + +For releases with `metrics.enabled: true` the default tag for the exporter image is now `v1.x.x`. This introduces many changes including metrics names. You'll want to use [this dashboard](https://github.com/oliver006/redis_exporter/blob/master/contrib/grafana_prometheus_redis_dashboard.json) now. Please see the [redis_exporter github page](https://github.com/oliver006/redis_exporter#upgrading-from-0x-to-1x) for more details. + +### To 7.0.0 + +This version causes a change in the Redis® Master StatefulSet definition, so the command helm upgrade would not work out of the box. As an alternative, one of the following could be done: + +- Recommended: Create a clone of the Redis® Master PVC (for example, using projects like [this one](https://github.com/edseymour/pvc-transfer)). Then launch a fresh release reusing this cloned PVC. + + ``` + helm install my-release bitnami/redis --set persistence.existingClaim= + ``` + +- Alternative (not recommended, do at your own risk): `helm delete --purge` does not remove the PVC assigned to the Redis® Master StatefulSet. As a consequence, the following commands can be done to upgrade the release + + ``` + helm delete --purge + helm install bitnami/redis + ``` + +Previous versions of the chart were not using persistence in the slaves, so this upgrade would add it to them. Another important change is that no values are inherited from master to slaves. For example, in 6.0.0 `slaves.readinessProbe.periodSeconds`, if empty, would be set to `master.readinessProbe.periodSeconds`. This approach lacked transparency and was difficult to maintain. From now on, all the slave parameters must be configured just as it is done with the masters. + +Some values have changed as well: + +- `master.port` and `slave.port` have been changed to `redisPort` (same value for both master and slaves) +- `master.securityContext` and `slave.securityContext` have been changed to `securityContext`(same values for both master and slaves) + +By default, the upgrade will not change the cluster topology. In case you want to use Redis® Sentinel, you must explicitly set `sentinel.enabled` to `true`. + +### To 6.0.0 + +Previous versions of the chart were using an init-container to change the permissions of the volumes. This was done in case the `securityContext` directive in the template was not enough for that (for example, with cephFS). In this new version of the chart, this container is disabled by default (which should not affect most of the deployments). If your installation still requires that init container, execute `helm upgrade` with the `--set volumePermissions.enabled=true`. + +### To 5.0.0 + +The default image in this release may be switched out for any image containing the `redis-server` +and `redis-cli` binaries. If `redis-server` is not the default image ENTRYPOINT, `master.command` +must be specified. + +#### Breaking changes + +- `master.args` and `slave.args` are removed. Use `master.command` or `slave.command` instead in order to override the image entrypoint, or `master.extraFlags` to pass additional flags to `redis-server`. +- `disableCommands` is now interpreted as an array of strings instead of a string of comma separated values. +- `master.persistence.path` now defaults to `/data`. + +### To 4.0.0 + +This version removes the `chart` label from the `spec.selector.matchLabels` +which is immutable since `StatefulSet apps/v1beta2`. It has been inadvertently +added, causing any subsequent upgrade to fail. See https://github.com/helm/charts/issues/7726. + +It also fixes https://github.com/helm/charts/issues/7726 where a deployment `extensions/v1beta1` can not be upgraded if `spec.selector` is not explicitly set. + +Finally, it fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable. + +In order to upgrade, delete the Redis® StatefulSet before upgrading: + +```bash +kubectl delete statefulsets.apps --cascade=false my-release-redis-master +``` + +And edit the Redis® slave (and metrics if enabled) deployment: + +```bash +kubectl patch deployments my-release-redis-slave --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +``` + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/.helmignore b/kubernetes/Charts/gitlab/charts/redis/charts/common/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/Chart.yaml b/kubernetes/Charts/gitlab/charts/redis/charts/common/Chart.yaml new file mode 100644 index 0000000..bd152e3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.16.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 1.16.0 diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/README.md b/kubernetes/Charts/gitlab/charts/redis/charts/common/README.md new file mode 100644 index 0000000..3b5e09c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/README.md @@ -0,0 +1,350 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|-----------------------------------|-----------------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_affinities.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_affinities.tpl new file mode 100644 index 0000000..e85b879 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_capabilities.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_capabilities.tpl new file mode 100644 index 0000000..9d9b760 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_capabilities.tpl @@ -0,0 +1,154 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_errors.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_errors.tpl new file mode 100644 index 0000000..a79cc2e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_images.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_images.tpl new file mode 100644 index 0000000..42ffbc7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_images.tpl @@ -0,0 +1,75 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_ingress.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_ingress.tpl new file mode 100644 index 0000000..8caf73a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_labels.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_labels.tpl new file mode 100644 index 0000000..252066c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_names.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_names.tpl new file mode 100644 index 0000000..1bdac8b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_names.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_secrets.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_secrets.tpl new file mode 100644 index 0000000..a53fb44 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_storage.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_storage.tpl new file mode 100644 index 0000000..60e2a84 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_tplvalues.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_tplvalues.tpl new file mode 100644 index 0000000..2db1668 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_utils.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_utils.tpl new file mode 100644 index 0000000..3625a07 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_warnings.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_warnings.tpl new file mode 100644 index 0000000..ae10fa4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_cassandra.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 0000000..ded1ae3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mariadb.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 0000000..b6906ff --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mongodb.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 0000000..f820ec1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mysql.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 0000000..74472a0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_postgresql.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 0000000..164ec0d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_redis.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_redis.tpl new file mode 100644 index 0000000..dcccfc1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_validations.tpl b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_validations.tpl new file mode 100644 index 0000000..9a814cf --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/charts/common/values.yaml b/kubernetes/Charts/gitlab/charts/redis/charts/common/values.yaml new file mode 100644 index 0000000..f2df68e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/kubernetes/Charts/gitlab/charts/redis/img/redis-cluster-topology.png b/kubernetes/Charts/gitlab/charts/redis/img/redis-cluster-topology.png new file mode 100644 index 0000000..f0a02a9 Binary files /dev/null and b/kubernetes/Charts/gitlab/charts/redis/img/redis-cluster-topology.png differ diff --git a/kubernetes/Charts/gitlab/charts/redis/img/redis-topology.png b/kubernetes/Charts/gitlab/charts/redis/img/redis-topology.png new file mode 100644 index 0000000..3f5280f Binary files /dev/null and b/kubernetes/Charts/gitlab/charts/redis/img/redis-topology.png differ diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/NOTES.txt b/kubernetes/Charts/gitlab/charts/redis/templates/NOTES.txt new file mode 100644 index 0000000..2623ade --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/NOTES.txt @@ -0,0 +1,191 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + +For Redis: + + /opt/bitnami/scripts/redis/entrypoint.sh /opt/bitnami/scripts/redis/run.sh + +{{- if .Values.sentinel.enabled }} + +For Redis Sentinel: + + /opt/bitnami/scripts/redis-sentinel/entrypoint.sh /opt/bitnami/scripts/redis-sentinel/run.sh + +{{- end }} +{{- else }} + +{{- if contains .Values.master.service.type "LoadBalancer" }} +{{- if not .Values.auth.enabled }} +{{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }} + +------------------------------------------------------------------------------- + WARNING + + By specifying "master.service.type=LoadBalancer" and "auth.enabled=false" you have + most likely exposed the Redis® service externally without any authentication + mechanism. + + For security reasons, we strongly suggest that you switch to "ClusterIP" or + "NodePort". As alternative, you can also switch to "auth.enabled=true" + providing a valid password on "password" parameter. + +------------------------------------------------------------------------------- +{{- end }} +{{- end }} +{{- end }} + +{{- if eq .Values.architecture "replication" }} +{{- if .Values.sentinel.enabled }} + +Redis® can be accessed via port {{ .Values.sentinel.service.ports.redis }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations + +For read/write operations, first access the Redis® Sentinel cluster, which is available in port {{ .Values.sentinel.service.ports.sentinel }} using the same domain name above. + +{{- else }} + +Redis® can be accessed on the following DNS names from within your cluster: + + {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }}) + {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }}) + +{{- end }} +{{- else }} + +Redis® can be accessed via port {{ .Values.master.service.ports.redis }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{ if .Values.auth.enabled }} + +To get your password run: + + export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d) + +{{- end }} + +To connect to your Redis® server: + +1. Run a Redis® pod that you can use as a client: + + kubectl run --namespace {{ .Release.Namespace }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity + +{{- if .Values.tls.enabled }} + + Copy your TLS certificates to the pod: + + kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert redis-client:/tmp/client.cert + kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key redis-client:/tmp/client.key + kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert redis-client:/tmp/CA.cert + +{{- end }} + + Use the following command to attach to the pod: + + kubectl exec --tty -i redis-client \ + {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "common.names.fullname" . }}-client=true" \{{- end }} + --namespace {{ .Release.Namespace }} -- bash + +2. Connect using the Redis® CLI: + +{{- if eq .Values.architecture "replication" }} + {{- if .Values.sentinel.enabled }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }} -p {{ .Values.sentinel.service.ports.redis }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Read only operations + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }} -p {{ .Values.sentinel.service.ports.sentinel }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Sentinel access + {{- else }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ printf "%s-master" (include "common.names.fullname" .) }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ printf "%s-replicas" (include "common.names.fullname" .) }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + {{- end }} +{{- else }} + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }}-master{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} +{{- end }} + +{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + +Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to redis. + +{{- else }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} +{{- if contains "NodePort" .Values.sentinel.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "LoadBalancer" .Values.sentinel.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "ClusterIP" .Values.sentinel.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} & + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- end }} +{{- else }} +{{- if contains "NodePort" .Values.master.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }}) + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "LoadBalancer" .Values.master.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- else if contains "ClusterIP" .Values.master.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} & + {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} + +{{- end }} +{{- end }} + +{{- end }} +{{- end }} +{{- include "redis.checkRollingTags" . }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.rollingTag" .Values.sysctl.image }} +{{- include "redis.validateValues" . }} + +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (not .Release.IsUpgrade ) }} +{{- if $.Values.sentinel.service.nodePorts.sentinel }} +No need to upgrade, ports and nodeports have been set from values +{{- else }} +#!#!#!#!#!#!#!# IMPORTANT #!#!#!#!#!#!#!# +YOU NEED TO PERFORM AN UPGRADE FOR THE SERVICES AND WORKLOAD TO BE CREATED +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/redis/templates/_helpers.tpl new file mode 100644 index 0000000..f6f47d9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/_helpers.tpl @@ -0,0 +1,291 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Redis image name +*/}} +{{- define "redis.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Redis Sentinel image name +*/}} +{{- define "redis.sentinel.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.sentinel.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "redis.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "redis.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return sysctl image +*/}} +{{- define "redis.sysctl.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.sysctl.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "redis.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.sentinel.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctl.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "redis.createTlsSecret" -}} +{{- if and .Values.tls.enabled .Values.tls.autoGenerated (and (not .Values.tls.existingSecret) (not .Values.tls.certificatesSecret)) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing Redis TLS certificates +*/}} +{{- define "redis.tlsSecretName" -}} +{{- $secretName := coalesce .Values.tls.existingSecret .Values.tls.certificatesSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "redis.tlsCert" -}} +{{- if (include "redis.createTlsSecret" . ) -}} + {{- printf "/opt/bitnami/redis/certs/%s" "tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "redis.tlsCertKey" -}} +{{- if (include "redis.createTlsSecret" . ) -}} + {{- printf "/opt/bitnami/redis/certs/%s" "tls.key" -}} +{{- else -}} + {{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "redis.tlsCACert" -}} +{{- if (include "redis.createTlsSecret" . ) -}} + {{- printf "/opt/bitnami/redis/certs/%s" "ca.crt" -}} +{{- else -}} + {{- required "Certificate CA filename is required when TLS in enabled" .Values.tls.certCAFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the DH params file. +*/}} +{{- define "redis.tlsDHParams" -}} +{{- if .Values.tls.dhParamsFilename -}} +{{- printf "/opt/bitnami/redis/certs/%s" .Values.tls.dhParamsFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redis.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the configuration configmap name +*/}} +{{- define "redis.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "redis.createConfigmap" -}} +{{- if empty .Values.existingConfigmap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "redis.secretName" -}} +{{- if .Values.auth.existingSecret -}} +{{- printf "%s" .Values.auth.existingSecret -}} +{{- else -}} +{{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password key to be retrieved from Redis® secret. +*/}} +{{- define "redis.secretPasswordKey" -}} +{{- if and .Values.auth.existingSecret .Values.auth.existingSecretPasswordKey -}} +{{- printf "%s" .Values.auth.existingSecretPasswordKey -}} +{{- else -}} +{{- printf "redis-password" -}} +{{- end -}} +{{- end -}} + + +{{/* +Returns the available value for certain key in an existing secret (if it exists), +otherwise it generates a random value. +*/}} +{{- define "getValueFromSecret" }} + {{- $len := (default 16 .Length) | int -}} + {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} + {{- if $obj }} + {{- index $obj .Key | b64dec -}} + {{- else -}} + {{- randAlphaNum $len -}} + {{- end -}} +{{- end }} + +{{/* +Return Redis® password +*/}} +{{- define "redis.password" -}} +{{- if not (empty .Values.global.redis.password) }} + {{- .Values.global.redis.password -}} +{{- else if not (empty .Values.auth.password) -}} + {{- .Values.auth.password -}} +{{- else -}} + {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "redis-password") -}} +{{- end -}} +{{- end -}} + +{{/* Check if there are rolling tags in the images */}} +{{- define "redis.checkRollingTags" -}} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.sentinel.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "redis.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "redis.validateValues.topologySpreadConstraints" .) -}} +{{- $messages := append $messages (include "redis.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "redis.validateValues.podSecurityPolicy.create" .) -}} +{{- $messages := append $messages (include "redis.validateValues.tls" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis® - spreadConstrainsts K8s version */}} +{{- define "redis.validateValues.topologySpreadConstraints" -}} +{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.replica.topologySpreadConstraints -}} +redis: topologySpreadConstraints + Pod Topology Spread Constraints are only available on K8s >= 1.16 + Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis® - must provide a valid architecture */}} +{{- define "redis.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replication") -}} +redis: architecture + Invalid architecture selected. Valid values are "standalone" and + "replication". Please set a valid architecture (--set architecture="xxxx") +{{- end -}} +{{- if and .Values.sentinel.enabled (not (eq .Values.architecture "replication")) }} +redis: architecture + Using redis sentinel on standalone mode is not supported. + To deploy redis sentinel, please select the "replication" mode + (--set "architecture=replication,sentinel.enabled=true") +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis® - PodSecurityPolicy create */}} +{{- define "redis.validateValues.podSecurityPolicy.create" -}} +{{- if and .Values.podSecurityPolicy.create (not .Values.podSecurityPolicy.enabled) }} +redis: podSecurityPolicy.create + In order to create PodSecurityPolicy, you also need to enable + podSecurityPolicy.enabled field +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis® - TLS enabled */}} +{{- define "redis.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) (not .Values.tls.certificatesSecret) }} +redis: tls.enabled + In order to enable TLS, you also need to provide + an existing secret containing the TLS certificates or + enable auto-generated certificates. +{{- end -}} +{{- end -}} + +{{/* Define the suffix utilized for external-dns */}} +{{- define "redis.externalDNS.suffix" -}} +{{ printf "%s.%s" (include "common.names.fullname" .) .Values.useExternalDNS.suffix }} +{{- end -}} + +{{/* Compile all annotations utilized for external-dns */}} +{{- define "redis.externalDNS.annotations" -}} +{{- if .Values.useExternalDNS.enabled }} +{{ .Values.useExternalDNS.annotationKey }}hostname: {{ include "redis.externalDNS.suffix" . }} +{{- range $key, $val := .Values.useExternalDNS.additionalAnnotations }} +{{ $.Values.useExternalDNS.annotationKey }}{{ $key }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/configmap.yaml new file mode 100644 index 0000000..9e70a38 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/configmap.yaml @@ -0,0 +1,59 @@ +{{- if (include "redis.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + redis.conf: |- + # User-supplied common configuration: + {{- if .Values.commonConfiguration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonConfiguration "context" $ ) | nindent 4 }} + {{- end }} + # End of common configuration + master.conf: |- + dir {{ .Values.master.persistence.path }} + # User-supplied master configuration: + {{- if .Values.master.configuration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.master.disableCommands }} + {{- range .Values.master.disableCommands }} + rename-command {{ . }} "" + {{- end }} + {{- end }} + # End of master configuration + replica.conf: |- + dir {{ .Values.replica.persistence.path }} + # User-supplied replica configuration: + {{- if .Values.replica.configuration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.replica.disableCommands }} + {{- range .Values.replica.disableCommands }} + rename-command {{ . }} "" + {{- end }} + {{- end }} + # End of replica configuration + {{- if .Values.sentinel.enabled }} + sentinel.conf: |- + dir "/tmp" + port {{ .Values.sentinel.containerPorts.sentinel }} + sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }} + sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} + sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} + sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} + # User-supplied sentinel configuration: + {{- if .Values.sentinel.configuration }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.configuration "context" $ ) | nindent 4 }} + {{- end }} + # End of sentinel configuration + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/extra-list.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/extra-list.yaml new file mode 100644 index 0000000..9ac65f9 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/headless-svc.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/headless-svc.yaml new file mode 100644 index 0000000..d798a0b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/headless-svc.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-headless" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- include "redis.externalDNS.annotations" . | nindent 4 }} +spec: + type: ClusterIP + clusterIP: None + {{- if .Values.sentinel.enabled }} + publishNotReadyAddresses: true + {{- end }} + ports: + - name: tcp-redis + port: {{ if .Values.sentinel.enabled }}{{ .Values.sentinel.service.ports.redis }}{{ else }}{{ .Values.master.service.ports.redis }}{{ end }} + targetPort: redis + {{- if .Values.sentinel.enabled }} + - name: tcp-sentinel + port: {{ .Values.sentinel.service.ports.sentinel }} + targetPort: redis-sentinel + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/health-configmap.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/health-configmap.yaml new file mode 100644 index 0000000..41f3145 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/health-configmap.yaml @@ -0,0 +1,192 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + ping_readiness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_TLS_PORT \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_PORT \ +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_TLS_PORT \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_PORT \ +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') + if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ] && [ "$responseFirstWord" != "MASTERDOWN" ]; then + echo "$response" + exit 1 + fi +{{- if .Values.sentinel.enabled }} + ping_sentinel.sh: |- + #!/bin/bash + +{{- if .Values.auth.sentinel }} + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" +{{- end }} + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_SENTINEL_TLS_PORT_NUMBER \ + --tls \ + --cacert "$REDIS_SENTINEL_TLS_CA_FILE" \ + {{- if .Values.tls.authClients }} + --cert "$REDIS_SENTINEL_TLS_CERT_FILE" \ + --key "$REDIS_SENTINEL_TLS_KEY_FILE" \ + {{- end }} +{{- else }} + -p $REDIS_SENTINEL_PORT \ +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + parse_sentinels.awk: |- + /ip/ {FOUND_IP=1} + /port/ {FOUND_PORT=1} + /runid/ {FOUND_RUNID=1} + !/ip|port|runid/ { + if (FOUND_IP==1) { + IP=$1; FOUND_IP=0; + } + else if (FOUND_PORT==1) { + PORT=$1; + FOUND_PORT=0; + } else if (FOUND_RUNID==1) { + printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0; + } + } +{{- end }} + ping_readiness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ +{{- if .Values.tls.enabled }} + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ +{{- if .Values.tls.enabled }} + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- end }} + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') + if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ]; then + echo "$response" + exit 1 + fi + ping_readiness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? + "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? + exit $exit_status + ping_liveness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? + "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? + exit $exit_status diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/master/application.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/master/application.yaml new file mode 100644 index 0000000..85d5847 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/master/application.yaml @@ -0,0 +1,473 @@ +{{- if or (not (eq .Values.architecture "replication")) (not .Values.sentinel.enabled) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: {{ .Values.master.kind }} +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.master.count }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: master + {{- if (eq .Values.master.kind "StatefulSet") }} + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} + {{- end }} + {{- if .Values.master.updateStrategy }} + {{- if (eq .Values.master.kind "Deployment") }} + strategy: {{- toYaml .Values.master.updateStrategy | nindent 4 }} + {{- else }} + updateStrategy: {{- toYaml .Values.master.updateStrategy | nindent 4 }} + {{- end }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: master + {{- if .Values.master.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.master.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.master.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.podSecurityContext.enabled }} + securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.master.priorityClassName }} + priorityClassName: {{ .Values.master.priorityClassName | quote }} + {{- end }} + {{- if .Values.master.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.master.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAffinityPreset "component" "master" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAntiAffinityPreset "component" "master" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.master.nodeAffinityPreset.type "key" .Values.master.nodeAffinityPreset.key "values" .Values.master.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.master.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.master.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.master.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.master.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.master.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.master.shareProcessNamespace }} + {{- end }} + {{- if .Values.master.schedulerName }} + schedulerName: {{ .Values.master.schedulerName | quote }} + {{- end }} + {{- if .Values.master.dnsPolicy }} + dnsPolicy: {{ .Values.master.dnsPolicy }} + {{- end }} + {{- if .Values.master.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.master.dnsConfig "context" $) | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.master.terminationGracePeriodSeconds }} + containers: + - name: redis + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.master.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.master.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.master.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.master.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.master.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.master.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.master.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-master.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: REDIS_REPLICATION_MODE + value: master + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.master.containerPorts.redis | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.master.containerPorts.redis | quote }} + {{- end }} + {{- if .Values.master.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.master.extraEnvVarsCM .Values.master.extraEnvVarsSecret }} + envFrom: + {{- if .Values.master.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.master.extraEnvVarsCM }} + {{- end }} + {{- if .Values.master.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.master.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.master.containerPorts.redis }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.master.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.master.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis + {{- else if .Values.master.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.master.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.master.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }} + # One second longer than command timeout should prevent generation of zombie processes. + timeoutSeconds: {{ add1 .Values.master.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} + {{- else if .Values.master.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.master.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.master.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.master.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh {{ .Values.master.readinessProbe.timeoutSeconds }} + {{- else if .Values.master.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.master.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.master.resources }} + resources: {{- toYaml .Values.master.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc/ + - name: tmp + mountPath: /tmp + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.master.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "common.names.fullname" . }} + {{- if .Values.auth.enabled }} + - name: REDIS_USER + value: default + {{- if (not .Values.auth.usePasswordFiles) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.master.containerPorts.redis }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9121 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.master.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.master.persistence.enabled .Values.master.podSecurityContext.enabled .Values.master.containerSecurityContext.enabled }} + {{- if or .Values.master.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.master.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.master.persistence.path }} + {{- else }} + chown -R {{ .Values.master.containerSecurityContext.runAsUser }}:{{ .Values.master.podSecurityContext.fsGroup }} {{ .Values.master.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + {{- end }} + {{- if .Values.sysctl.enabled }} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . }} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + {{- if .Values.master.persistence.medium }} + emptyDir: + medium: {{ .Values.master.persistence.medium | quote }} + {{- if .Values.master.persistence.sizeLimit }} + sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + {{- if .Values.master.persistence.medium }} + emptyDir: + medium: {{ .Values.master.persistence.medium | quote }} + {{- if .Values.master.persistence.sizeLimit }} + sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + {{- if .Values.master.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if not .Values.master.persistence.enabled }} + - name: redis-data + {{- if .Values.master.persistence.medium }} + emptyDir: { + medium: {{ .Values.master.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.master.persistence.existingClaim }} + - name: redis-data + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.master.persistence.existingClaim .) }} + {{- else if (eq .Values.master.kind "Deployment") }} + - name: redis-data + persistentVolumeClaim: + claimName: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: master + {{- if .Values.master.persistence.annotations }} + annotations: {{- toYaml .Values.master.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.master.persistence.size | quote }} + {{- if .Values.master.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.master.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.master.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/master/psp.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/master/psp.yaml new file mode 100644 index 0000000..2ba93b6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/master/psp.yaml @@ -0,0 +1,46 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.podSecurityPolicy.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.master.podSecurityContext.fsGroup }} + max: {{ .Values.master.podSecurityContext.fsGroup }} + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: false + requiredDropCapabilities: + - ALL + runAsUser: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.master.containerSecurityContext.runAsUser }} + max: {{ .Values.master.containerSecurityContext.runAsUser }} + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.master.containerSecurityContext.runAsUser }} + max: {{ .Values.master.containerSecurityContext.runAsUser }} + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'persistentVolumeClaim' +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/master/pvc.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/master/pvc.yaml new file mode 100644 index 0000000..e5fddb0 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/master/pvc.yaml @@ -0,0 +1,27 @@ +{{- if and (eq .Values.architecture "standalone") (eq .Values.master.kind "Deployment") (.Values.master.persistence.enabled) (not .Values.master.persistence.existingClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.master.persistence.annotations }} + annotations: {{- toYaml .Values.master.persistence.annotations | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.master.persistence.size | quote }} + {{- if .Values.master.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.selector "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.master.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.dataSource "context" $) | nindent 4 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.master.persistence "global" .Values.global) | nindent 2 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/master/service.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/master/service.yaml new file mode 100644 index 0000000..92b513a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/master/service.yaml @@ -0,0 +1,58 @@ +{{- if not .Values.sentinel.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.master.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.master.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.master.service.type }} + {{- if or (eq .Values.master.service.type "LoadBalancer") (eq .Values.master.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.master.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if (semverCompare ">=1.22-0" (include "common.capabilities.kubeVersion" .)) }} + internalTrafficPolicy: {{ .Values.master.service.internalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.master.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and .Values.master.service.clusterIP (eq .Values.master.service.type "ClusterIP") }} + clusterIP: {{ .Values.master.service.clusterIP }} + {{- end }} + {{- if .Values.master.service.sessionAffinity }} + sessionAffinity: {{ .Values.master.service.sessionAffinity }} + {{- end }} + {{- if .Values.master.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.master.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.master.service.ports.redis }} + targetPort: redis + {{- if and (or (eq .Values.master.service.type "NodePort") (eq .Values.master.service.type "LoadBalancer")) .Values.master.service.nodePorts.redis}} + nodePort: {{ .Values.master.service.nodePorts.redis}} + {{- else if eq .Values.master.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.master.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.master.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: master +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/metrics-svc.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/metrics-svc.yaml new file mode 100644 index 0000000..13c552f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/metrics-svc.yaml @@ -0,0 +1,41 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if eq .Values.metrics.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.port }} + protocol: TCP + targetPort: metrics + {{- if .Values.metrics.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/networkpolicy.yaml new file mode 100644 index 0000000..64c0505 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/networkpolicy.yaml @@ -0,0 +1,78 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }} + - Egress + egress: + {{- if eq .Values.architecture "replication" }} + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.master.containerPorts.redis }} + {{- if .Values.sentinel.enabled }} + - port: {{ .Values.sentinel.containerPorts.sentinel }} + {{- end }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.master.containerPorts.redis }} + {{- if .Values.sentinel.enabled }} + - port: {{ .Values.sentinel.containerPorts.sentinel }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes for metrics + - ports: + - port: 9121 + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/pdb.yaml new file mode 100644 index 0000000..f82d278 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/prometheusrule.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/prometheusrule.yaml new file mode 100644 index 0000000..41cf6b8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/prometheusrule.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "common.names.name" $ }} + rules: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/replicas/hpa.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/replicas/hpa.yaml new file mode 100644 index 0000000..67d1cc1 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/replicas/hpa.yaml @@ -0,0 +1,47 @@ +{{- if and .Values.replica.autoscaling.enabled (not .Values.sentinel.enabled) }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: StatefulSet + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + minReplicas: {{ .Values.replica.autoscaling.minReplicas }} + maxReplicas: {{ .Values.replica.autoscaling.maxReplicas }} + metrics: + {{- if .Values.replica.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.replica.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.replica.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.replica.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.replica.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.replica.autoscaling.targetMemory }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/replicas/service.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/replicas/service.yaml new file mode 100644 index 0000000..f261926 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/replicas/service.yaml @@ -0,0 +1,58 @@ +{{- if and (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.replica.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.replica.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.replica.service.type }} + {{- if or (eq .Values.replica.service.type "LoadBalancer") (eq .Values.replica.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.replica.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if (semverCompare ">=1.22-0" (include "common.capabilities.kubeVersion" .)) }} + internalTrafficPolicy: {{ .Values.replica.service.internalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.replica.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.replica.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and .Values.replica.service.clusterIP (eq .Values.replica.service.type "ClusterIP") }} + clusterIP: {{ .Values.replica.service.clusterIP }} + {{- end }} + {{- if .Values.replica.service.sessionAffinity }} + sessionAffinity: {{ .Values.replica.service.sessionAffinity }} + {{- end }} + {{- if .Values.replica.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.replica.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.replica.service.ports.redis }} + targetPort: redis + {{- if and (or (eq .Values.replica.service.type "NodePort") (eq .Values.replica.service.type "LoadBalancer")) .Values.replica.service.nodePorts.redis}} + nodePort: {{ .Values.replica.service.nodePorts.redis}} + {{- else if eq .Values.replica.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.replica.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: replica +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/replicas/statefulset.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/replicas/statefulset.yaml new file mode 100644 index 0000000..8ddc86c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/replicas/statefulset.yaml @@ -0,0 +1,471 @@ +{{- if and (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.replica.autoscaling.enabled }} + replicas: {{ .Values.replica.replicaCount }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: replica + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} + {{- if .Values.replica.updateStrategy }} + updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} + {{- end }} + {{- if .Values.replica.podManagementPolicy }} + podManagementPolicy: {{ .Values.replica.podManagementPolicy | quote }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: replica + {{- if .Values.replica.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.replica.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.replica.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.podSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.replica.priorityClassName }} + priorityClassName: {{ .Values.replica.priorityClassName | quote }} + {{- end }} + {{- if .Values.replica.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "replica" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "replica" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.replica.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} + {{- end }} + {{- if .Values.replica.schedulerName }} + schedulerName: {{ .Values.replica.schedulerName | quote }} + {{- end }} + {{- if .Values.replica.dnsPolicy }} + dnsPolicy: {{ .Values.replica.dnsPolicy }} + {{- end }} + {{- if .Values.replica.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.replica.dnsConfig "context" $) | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.replica.terminationGracePeriodSeconds }} + containers: + - name: redis + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.replica.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.replica.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.replica.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.replica.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.replica.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-replica.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: REDIS_REPLICATION_MODE + value: slave + - name: REDIS_MASTER_HOST + {{- if and (eq (int64 .Values.master.count) 1) (ne .Values.master.kind "Deployment") }} + value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + {{- else }} + value: {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + {{- end }} + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.master.containerPorts.redis | quote }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + {{- end }} + {{- if .Values.replica.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.replica.extraEnvVarsCM .Values.replica.extraEnvVarsSecret }} + envFrom: + {{- if .Values.replica.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.replica.extraEnvVarsCM }} + {{- end }} + {{- if .Values.replica.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.replica.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.replica.containerPorts.redis }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.replica.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis + {{- else if .Values.replica.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.replica.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.livenessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.replica.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local_and_master.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} + {{- else if .Values.replica.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.replica.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.replica.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local_and_master.sh {{ .Values.replica.readinessProbe.timeoutSeconds }} + {{- else if .Values.replica.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.resources }} + resources: {{- toYaml .Values.replica.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: /data + subPath: {{ .Values.replica.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.replica.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "common.names.fullname" . }} + {{- if .Values.auth.enabled }} + - name: REDIS_USER + value: default + {{- if (not .Values.auth.usePasswordFiles) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.replica.containerPorts.redis }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + ports: + - name: metrics + containerPort: 9121 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} + {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.replica.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} + {{- else }} + chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + {{- end }} + {{- if .Values.sysctl.enabled }} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . }} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + {{- if .Values.replica.persistence.medium }} + emptyDir: + medium: {{ .Values.replica.persistence.medium | quote }} + {{- if .Values.replica.persistence.sizeLimit }} + sizeLimit: {{ .Values.replica.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + {{- if .Values.replica.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if not .Values.replica.persistence.enabled }} + - name: redis-data + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.replica.persistence.existingClaim }} + - name: redis-data + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.replica.persistence.existingClaim .) }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: replica + {{- if .Values.replica.persistence.annotations }} + annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.replica.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.replica.persistence.size | quote }} + {{- if .Values.replica.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.replica.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.replica.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/role.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/role.yaml new file mode 100644 index 0000000..596466f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/role.yaml @@ -0,0 +1,28 @@ +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} + {{- if and $pspAvailable .Values.podSecurityPolicy.enabled }} + - apiGroups: + - '{{ template "podSecurityPolicy.apiGroup" . }}' + resources: + - 'podsecuritypolicies' + verbs: + - 'use' + resourceNames: [{{ printf "%s-master" (include "common.names.fullname" .) }}] + {{- end }} + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/rolebinding.yaml new file mode 100644 index 0000000..74968b8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "redis.serviceAccountName" . }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/scripts-configmap.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/scripts-configmap.yaml new file mode 100644 index 0000000..7447646 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/scripts-configmap.yaml @@ -0,0 +1,627 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} + start-node.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo {{ .Values.sentinel.containerPorts.sentinel }} + ;; + "REDIS") + echo {{ .Values.master.containerPorts.redis }} + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + if [ -n "$REDIS_EXTERNAL_MASTER_HOST" ]; then + REDIS_SERVICE="$REDIS_EXTERNAL_MASTER_HOST" + else + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + fi + + SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "TCP_SENTINEL") + validate_quorum() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + quorum_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel master {{ .Values.sentinel.masterSet }}" + else + quorum_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel master {{ .Values.sentinel.masterSet }}" + fi + info "about to run the command: $quorum_info_command" + eval $quorum_info_command | grep -Fq "s_down" + } + + trigger_manual_failover() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + failover_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel failover {{ .Values.sentinel.masterSet }}" + else + failover_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel failover {{ .Values.sentinel.masterSet }}" + fi + + info "about to run the command: $failover_command" + eval $failover_command + } + + get_sentinel_master_info() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout {{ .Values.sentinel.getMasterTimeout }} redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout {{ .Values.sentinel.getMasterTimeout }} redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + + info "about to run the command: $sentinel_info_command" + eval $sentinel_info_command + } + + {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.replica.persistence.path }} + {{- end }} + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + + # check if there is a master + master_in_persisted_conf="$(get_full_hostname "$HOSTNAME")" + master_port_in_persisted_conf="$REDIS_MASTER_PORT_NUMBER" + master_in_sentinel="$(get_sentinel_master_info)" + redisRetVal=$? + + {{- if .Values.sentinel.persistence.enabled }} + if [[ -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then + master_in_persisted_conf="$(awk '/monitor/ {print $4}' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + master_port_in_persisted_conf="$(awk '/monitor/ {print $5}' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + info "Found previous master ${master_in_persisted_conf}:${master_port_in_persisted_conf} in /opt/bitnami/redis-sentinel/etc/sentinel.conf" + debug "$(cat /opt/bitnami/redis-sentinel/etc/sentinel.conf | grep monitor)" + touch /opt/bitnami/redis-sentinel/etc/.node_read + fi + {{- end }} + + if [[ $redisRetVal -ne 0 ]]; then + if [[ "$master_in_persisted_conf" == "$(get_full_hostname "$HOSTNAME")" ]]; then + # Case 1: No active sentinel and in previous sentinel.conf we were the master --> MASTER + info "Configuring the node as master" + export REDIS_REPLICATION_MODE="master" + else + # Case 2: No active sentinel and in previous sentinel.conf we were not master --> REPLICA + info "Configuring the node as replica" + export REDIS_REPLICATION_MODE="slave" + REDIS_MASTER_HOST=${master_in_persisted_conf} + REDIS_MASTER_PORT_NUMBER=${master_port_in_persisted_conf} + fi + else + # Fetches current master's host and port + REDIS_SENTINEL_INFO=($(get_sentinel_master_info)) + info "Current master: REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" + REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} + REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} + + if [[ "$REDIS_MASTER_HOST" == "$(get_full_hostname "$HOSTNAME")" ]]; then + # Case 3: Active sentinel and master it is this node --> MASTER + info "Configuring the node as master" + export REDIS_REPLICATION_MODE="master" + else + # Case 4: Active sentinel and master is not this node --> REPLICA + info "Configuring the node as replica" + export REDIS_REPLICATION_MODE="slave" + + {{- if and .Values.sentinel.automateClusterRecovery (le (int .Values.sentinel.downAfterMilliseconds) 2000) }} + retry_count=1 + while validate_quorum + do + info "sleeping, waiting for Redis master to come up" + sleep 1s + if ! ((retry_count % 11)); then + info "Trying to manually failover" + failover_result=$(trigger_manual_failover) + + debug "Failover result: $failover_result" + fi + + ((retry_count+=1)) + done + info "Redis master is up now" + {{- end }} + fi + fi + + if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then + REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST" + REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}" + fi + + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + + echo "" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + ARGS+=("--tls-replication" "yes") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + + if [[ "$REDIS_REPLICATION_MODE" = "slave" ]]; then + ARGS+=("--replicaof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + fi + + {{- if .Values.auth.enabled }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + {{- if .Values.replica.extraFlags }} + {{- range .Values.replica.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + + {{- if .Values.replica.preExecCmds }} + {{- .Values.replica.preExecCmds | nindent 4 }} + {{- end }} + + {{- if .Values.replica.command }} + exec {{ .Values.replica.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + + start-sentinel.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libfile.sh + + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo {{ .Values.sentinel.containerPorts.sentinel }} + ;; + "REDIS") + echo {{ .Values.master.containerPorts.redis }} + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + + SERVPORT=$(get_port "$HOSTNAME" "SENTINEL") + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "TCP_SENTINEL") + + sentinel_conf_set() { + local -r key="${1:?missing key}" + local value="${2:-}" + + # Sanitize inputs + value="${value//\\/\\\\}" + value="${value//&/\\&}" + value="${value//\?/\\?}" + [[ "$value" = "" ]] && value="\"$value\"" + + replace_in_file "/opt/bitnami/redis-sentinel/etc/sentinel.conf" "^#*\s*${key} .*" "${key} ${value}" false + } + sentinel_conf_add() { + echo $'\n'"$@" >> "/opt/bitnami/redis-sentinel/etc/sentinel.conf" + } + host_id() { + echo "$1" | openssl sha1 | awk '{print $2}' + } + get_sentinel_master_info() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + info "about to run the command: $sentinel_info_command" + eval $sentinel_info_command + } + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + + master_in_persisted_conf="$(get_full_hostname "$HOSTNAME")" + + {{- if .Values.sentinel.persistence.enabled }} + if [[ -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then + check_lock_file() { + [[ -f /opt/bitnami/redis-sentinel/etc/.node_read ]] + } + retry_while "check_lock_file" + rm -f /opt/bitnami/redis-sentinel/etc/.node_read + master_in_persisted_conf="$(awk '/monitor/ {print $4}' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + info "Found previous master $master_in_persisted_conf in /opt/bitnami/redis-sentinel/etc/sentinel.conf" + debug "$(cat /opt/bitnami/redis-sentinel/etc/sentinel.conf | grep monitor)" + fi + {{- end }} + if ! get_sentinel_master_info && [[ "$master_in_persisted_conf" == "$(get_full_hostname "$HOSTNAME")" ]]; then + # No master found, lets create a master node + export REDIS_REPLICATION_MODE="master" + + REDIS_MASTER_HOST=$(get_full_hostname "$HOSTNAME") + REDIS_MASTER_PORT_NUMBER="$REDISPORT" + else + export REDIS_REPLICATION_MODE="slave" + + # Fetches current master's host and port + REDIS_SENTINEL_INFO=($(get_sentinel_master_info)) + info "printing REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" + REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} + REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} + fi + + if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then + REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST" + REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}" + fi + + cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.auth.enabled }} + printf "\nsentinel auth-pass %s %s" "{{ .Values.sentinel.masterSet }}" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if and .Values.auth.enabled .Values.auth.sentinel }} + printf "\nrequirepass %s" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + {{- end }} + printf "\nsentinel myid %s" "$(host_id "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + + sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}" + + add_known_sentinel() { + hostname="$1" + ip="$2" + + if [[ -n "$hostname" && -n "$ip" && "$hostname" != "$HOSTNAME" ]]; then + sentinel_conf_add "sentinel known-sentinel {{ .Values.sentinel.masterSet }} $(get_full_hostname "$hostname") $(get_port "$hostname" "SENTINEL") $(host_id "$hostname")" + fi + } + add_known_replica() { + hostname="$1" + ip="$2" + + if [[ -n "$ip" && "$(get_full_hostname "$hostname")" != "$REDIS_MASTER_HOST" ]]; then + sentinel_conf_add "sentinel known-replica {{ .Values.sentinel.masterSet }} $(get_full_hostname "$hostname") $(get_port "$hostname" "REDIS")" + fi + } + + # Add available hosts on the network as known replicas & sentinels + for node in $(seq 0 $(({{ .Values.replica.replicaCount }}-1))); do + hostname="{{ template "common.names.fullname" . }}-node-$node" + ip="$(getent hosts "$hostname.$HEADLESS_SERVICE" | awk '{ print $1 }')" + add_known_sentinel "$hostname" "$ip" + add_known_replica "$hostname" "$ip" + done + + echo "" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel announce-hostnames yes" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel resolve-hostnames yes" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel announce-port $SERVPORT" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + echo "sentinel announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_SENTINEL_TLS_PORT_NUMBER}") + ARGS+=("--tls-cert-file" "${REDIS_SENTINEL_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_SENTINEL_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_SENTINEL_TLS_CA_FILE}") + ARGS+=("--tls-replication" "yes") + ARGS+=("--tls-auth-clients" "${REDIS_SENTINEL_TLS_AUTH_CLIENTS}") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_SENTINEL_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- end }} + {{- if .Values.sentinel.preExecCmds }} + {{ .Values.sentinel.preExecCmds | nindent 4 }} + {{- end }} + exec redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel {{- if .Values.tls.enabled }} "${ARGS[@]}" {{- end }} + prestop-sentinel.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libos.sh + + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + SENTINEL_SERVICE_ENV_NAME={{ printf "%s%s" (upper (include "common.names.fullname" .)| replace "-" "_") "_SERVICE_PORT_TCP_SENTINEL" }} + SENTINEL_SERVICE_PORT=${!SENTINEL_SERVICE_ENV_NAME} + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + run_sentinel_command() { + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + redis-cli -h "$REDIS_SERVICE" -p "$SENTINEL_SERVICE_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + else + redis-cli -h "$REDIS_SERVICE" -p "$SENTINEL_SERVICE_PORT" sentinel "$@" + fi + } + failover_finished() { + REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) + REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" + [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] + } + + REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + {{ if .Values.auth.sentinel -}} + # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" + {{- end }} + + if ! failover_finished; then + echo "I am the master pod and you are stopping me. Starting sentinel failover" + # if I am the master, issue a command to failover once and then wait for the failover to finish + run_sentinel_command failover "{{ .Values.sentinel.masterSet }}" + if retry_while "failover_finished" "{{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}" 1; then + echo "Master has been successfuly failed over to a different pod." + exit 0 + else + echo "Master failover failed" + exit 1 + fi + else + exit 0 + fi + prestop-redis.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libos.sh + + run_redis_command() { + if is_boolean_yes "$REDIS_TLS_ENABLED"; then + redis-cli -h 127.0.0.1 -p "$REDIS_TLS_PORT" --tls --cert "$REDIS_TLS_CERT_FILE" --key "$REDIS_TLS_KEY_FILE" --cacert "$REDIS_TLS_CA_FILE" "$@" + else + redis-cli -h 127.0.0.1 -p ${REDIS_PORT} "$@" + fi + } + failover_finished() { + REDIS_ROLE=$(run_redis_command role | head -1) + [[ "$REDIS_ROLE" != "master" ]] + } + + # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" + + if ! failover_finished; then + echo "Waiting for sentinel to run failover for up to {{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}s" + retry_while "failover_finished" "{{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}" 1 + else + exit 0 + fi + +{{- else }} + start-master.sh: | + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + {{- if and .Values.master.containerSecurityContext.runAsUser (eq (.Values.master.containerSecurityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.master.persistence.path }} + {{- end }} + if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + {{- if .Values.auth.enabled }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + {{- if .Values.master.extraFlags }} + {{- range .Values.master.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.master.preExecCmds }} + {{ .Values.master.preExecCmds | nindent 4 }} + {{- end }} + {{- if .Values.master.command }} + exec {{ .Values.master.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + {{- if eq .Values.architecture "replication" }} + start-replica.sh: | + #!/bin/bash + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo {{ .Values.sentinel.containerPorts.sentinel }} + ;; + "REDIS") + echo {{ .Values.master.containerPorts.redis }} + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + + {{- if .Values.useExternalDNS.enabled }} + echo "${hostname}.{{- include "redis.externalDNS.suffix" . }}" + {{- else if eq .Values.sentinel.service.type "NodePort" }} + echo "${hostname}.{{- .Release.Namespace }}" + {{- else }} + echo "${hostname}.${HEADLESS_SERVICE}" + {{- end }} + } + + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.replica.persistence.path }} + {{- end }} + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + + echo "" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + ARGS+=("--tls-replication" "yes") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + ARGS+=("--replicaof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + {{- if .Values.auth.enabled }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + {{- if .Values.replica.extraFlags }} + {{- range .Values.replica.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.replica.preExecCmds }} + {{ .Values.replica.preExecCmds | nindent 4 }} + {{- end }} + {{- if .Values.replica.command }} + exec {{ .Values.replica.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/secret.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/secret.yaml new file mode 100644 index 0000000..2edc0d8 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/secret.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.secretAnnotations .Values.commonAnnotations }} + annotations: + {{- if .Values.secretAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +type: Opaque +data: + redis-password: {{ include "redis.password" . | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/hpa.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/hpa.yaml new file mode 100644 index 0000000..69b36aa --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/hpa.yaml @@ -0,0 +1,47 @@ +{{- if and .Values.replica.autoscaling.enabled .Values.sentinel.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ printf "%s-node" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: StatefulSet + name: {{ printf "%s-node" (include "common.names.fullname" .) }} + minReplicas: {{ .Values.replica.autoscaling.minReplicas }} + maxReplicas: {{ .Values.replica.autoscaling.maxReplicas }} + metrics: + {{- if .Values.replica.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.replica.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.replica.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.replica.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.replica.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.replica.autoscaling.targetMemory }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/node-services.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/node-services.yaml new file mode 100644 index 0000000..d3e635e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/node-services.yaml @@ -0,0 +1,70 @@ +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (or .Release.IsUpgrade .Values.sentinel.service.nodePorts.redis ) }} + +{{- range $i := until (int .Values.replica.replicaCount) }} + +{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} + +{{ $sentinelport := 0}} +{{ $redisport := 0}} +{{- if $portsmap }} +{{ $sentinelport = index $portsmap (printf "%s-node-%s-%s" (include "common.names.fullname" $) (toString $i) "sentinel") }} +{{ $redisport = index $portsmap (printf "%s-node-%s-%s" (include "common.names.fullname" $) (toString $i) "redis") }} +{{- else }} +{{- end }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" $ }}-node-{{ $i }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + app.kubernetes.io/component: node + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or $.Values.sentinel.service.annotations $.Values.commonAnnotations }} + annotations: + {{- if $.Values.sentinel.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.sentinel.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: NodePort + ports: + - name: sentinel + {{- if $.Values.sentinel.service.nodePorts.sentinel }} + nodePort: {{ (add $.Values.sentinel.service.nodePorts.sentinel $i 1) }} + port: {{ (add $.Values.sentinel.service.nodePorts.sentinel $i 1) }} + {{- else }} + nodePort: {{ $sentinelport }} + port: {{ $sentinelport }} + {{- end }} + protocol: TCP + targetPort: {{ $.Values.sentinel.containerPorts.sentinel }} + - name: redis + {{- if $.Values.sentinel.service.nodePorts.redis }} + nodePort: {{ (add $.Values.sentinel.service.nodePorts.redis $i 1) }} + port: {{ (add $.Values.sentinel.service.nodePorts.redis $i 1) }} + {{- else }} + nodePort: {{ $redisport }} + port: {{ $redisport }} + {{- end }} + protocol: TCP + targetPort: {{ $.Values.replica.containerPorts.redis }} + - name: sentinel-internal + nodePort: null + port: {{ $.Values.sentinel.containerPorts.sentinel }} + protocol: TCP + targetPort: {{ $.Values.sentinel.containerPorts.sentinel }} + - name: redis-internal + nodePort: null + port: {{ $.Values.replica.containerPorts.redis }} + protocol: TCP + targetPort: {{ $.Values.replica.containerPorts.redis }} + selector: + statefulset.kubernetes.io/pod-name: {{ template "common.names.fullname" $ }}-node-{{ $i }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/ports-configmap.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/ports-configmap.yaml new file mode 100644 index 0000000..f5e7b2a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/ports-configmap.yaml @@ -0,0 +1,100 @@ +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (not .Values.sentinel.service.nodePorts.redis ) }} +{{- /* create a list to keep track of ports we choose to use */}} +{{ $chosenports := (list ) }} + +{{- /* Get list of all used nodeports */}} +{{ $usedports := (list ) }} +{{- range $index, $service := (lookup "v1" "Service" "" "").items }} + {{- range.spec.ports }} + {{- if .nodePort }} + {{- $usedports = (append $usedports .nodePort) }} + {{- end }} + {{- end }} +{{- end }} + +{{- /* +comments that start with # are rendered in the output when you debug, so you can less and search for them +Vars in the comment will be rendered out, so you can check their value this way. +https://helm.sh/docs/chart_best_practices/templates/#comments-yaml-comments-vs-template-comments + +remove the template comments and leave the yaml comments to help debug +*/}} + +{{- /* Sort the list */}} +{{ $usedports = $usedports | sortAlpha }} +#usedports {{ $usedports }} + +{{- /* How many nodeports per service do we want to create, except for the main service which is always two */}} +{{ $numberofPortsPerNodeService := 2 }} + +{{- /* for every nodeport we want, loop though the used ports to get an unused port */}} +{{- range $j := until (int (add (mul (int .Values.replica.replicaCount) $numberofPortsPerNodeService) 2)) }} + {{- /* #j={{ $j }} */}} + {{- $nodeport := (add $j 30000) }} + {{- $nodeportfound := false }} + {{- range $i := $usedports }} + {{- /* #i={{ $i }} + #nodeport={{ $nodeport }} + #usedports={{ $usedports }} */}} + {{- if and (has (toString $nodeport) $usedports) (eq $nodeportfound false) }} + {{- /* nodeport conflicts with in use */}} + {{- $nodeport = (add $nodeport 1) }} + {{- else if and ( has $nodeport $chosenports) (eq $nodeportfound false) }} + {{- /* nodeport already chosen, try another */}} + {{- $nodeport = (add $nodeport 1) }} + {{- else if (eq $nodeportfound false) }} + {{- /* nodeport free to use: not already claimed and not in use */}} + {{- /* select nodeport, and place into usedports */}} + {{- $chosenports = (append $chosenports $nodeport) }} + {{- $nodeportfound = true }} + {{- else }} + {{- /* nodeport has already been chosen and locked in, just work through the rest of the list to get to the next nodeport selection */}} + {{- end }} + {{- end }} + {{- if (eq $nodeportfound false) }} + {{- $chosenports = (append $chosenports $nodeport) }} + {{- end }} + +{{- end }} + +{{- /* print the usedports and chosenports for debugging */}} +#usedports {{ $usedports }} +#chosenports {{ $chosenports }}}} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-ports-configmap + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} +{{- if $portsmap }} +{{- /* configmap already exists, do not install again */ -}} + {{- range $name, $value := $portsmap }} + "{{ $name }}": "{{ $value }}" + {{- end }} +{{- else }} +{{- /* configmap being set for first time */ -}} + {{- range $index, $port := $chosenports }} + {{- $nodenumber := (floor (div $index 2)) }} + {{- if (eq $index 0) }} + "{{ template "common.names.fullname" $ }}-sentinel": "{{ $port }}" + {{- else if (eq $index 1) }} + "{{ template "common.names.fullname" $ }}-redis": "{{ $port }}" + {{- else if (eq (mod $index 2) 0) }} + "{{ template "common.names.fullname" $ }}-node-{{ (sub $nodenumber 1) }}-sentinel": "{{ $port }}" + {{- else if (eq (mod $index 2) 1) }} + "{{ template "common.names.fullname" $ }}-node-{{ (sub $nodenumber 1) }}-redis": "{{ $port }}" + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/service.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/service.yaml new file mode 100644 index 0000000..362d681 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/service.yaml @@ -0,0 +1,103 @@ +{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} +{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} + +{{ $sentinelport := 0}} +{{ $redisport := 0}} +{{- if $portsmap }} +{{ $sentinelport = index $portsmap (printf "%s-%s" (include "common.names.fullname" $) "sentinel") }} +{{ $redisport = index $portsmap (printf "%s-%s" (include "common.names.fullname" $) "redis") }} +{{- else }} +{{- end }} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: node + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.sentinel.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.sentinel.service.type }} + {{- if or (eq .Values.sentinel.service.type "LoadBalancer") (eq .Values.sentinel.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.sentinel.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and .Values.sentinel.service.clusterIP (eq .Values.sentinel.service.type "ClusterIP") }} + clusterIP: {{ .Values.sentinel.service.clusterIP }} + {{- end }} + {{- if .Values.sentinel.service.sessionAffinity }} + sessionAffinity: {{ .Values.sentinel.service.sessionAffinity }} + {{- end }} + {{- if .Values.sentinel.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-redis + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + port: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "NodePort" }} + port: {{ $redisport }} + {{- else}} + port: {{ .Values.sentinel.service.ports.redis }} + {{- end }} + targetPort: {{ .Values.replica.containerPorts.redis }} + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} + nodePort: {{ .Values.sentinel.service.nodePorts.redis }} + {{- else if eq .Values.sentinel.service.type "ClusterIP" }} + nodePort: null + {{- else if eq .Values.sentinel.service.type "NodePort" }} + nodePort: {{ $redisport }} + {{- end }} + - name: tcp-sentinel + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.sentinel }} + port: {{ .Values.sentinel.service.nodePorts.sentinel }} + {{- else if eq .Values.sentinel.service.type "NodePort" }} + port: {{ $sentinelport }} + {{- else }} + port: {{ .Values.sentinel.service.ports.sentinel }} + {{- end }} + targetPort: {{ .Values.sentinel.containerPorts.sentinel }} + {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.sentinel }} + nodePort: {{ .Values.sentinel.service.nodePorts.sentinel }} + {{- else if eq .Values.sentinel.service.type "ClusterIP" }} + nodePort: null + {{- else if eq .Values.sentinel.service.type "NodePort" }} + nodePort: {{ $sentinelport }} + {{- end }} + {{- if eq .Values.sentinel.service.type "NodePort" }} + - name: sentinel-internal + nodePort: null + port: {{ .Values.sentinel.containerPorts.sentinel }} + protocol: TCP + targetPort: {{ .Values.sentinel.containerPorts.sentinel }} + - name: redis-internal + nodePort: null + port: {{ .Values.replica.containerPorts.redis }} + protocol: TCP + targetPort: {{ .Values.replica.containerPorts.redis }} + {{- end }} + {{- if .Values.sentinel.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: node +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/statefulset.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/statefulset.yaml new file mode 100644 index 0000000..666e9ed --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/sentinel/statefulset.yaml @@ -0,0 +1,688 @@ +{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-node" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: node + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replica.replicaCount }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: node + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} + {{- if .Values.replica.updateStrategy }} + updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} + {{- end }} + {{- if .Values.replica.podManagementPolicy }} + podManagementPolicy: {{ .Values.replica.podManagementPolicy | quote }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: node + {{- if .Values.replica.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.replica.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.replica.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.podSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.replica.priorityClassName }} + priorityClassName: {{ .Values.replica.priorityClassName | quote }} + {{- end }} + {{- if .Values.replica.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "node" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "node" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.replica.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} + {{- end }} + {{- if .Values.replica.schedulerName }} + schedulerName: {{ .Values.replica.schedulerName | quote }} + {{- end }} + {{- if .Values.replica.dnsPolicy }} + dnsPolicy: {{ .Values.replica.dnsPolicy }} + {{- end }} + {{- if .Values.replica.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.replica.dnsConfig "context" $) | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.sentinel.terminationGracePeriodSeconds }} + containers: + - name: redis + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.replica.lifecycleHooks "context" $) | nindent 12 }} + {{- else }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/prestop-redis.sh + {{- end }} + {{- end }} + {{- if .Values.replica.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.replica.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.replica.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.replica.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.replica.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-node.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.replica.containerPorts.redis | quote }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.replica.containerPorts.redis | quote }} + {{- end }} + - name: REDIS_DATA_DIR + value: {{ .Values.replica.persistence.path }} + {{- if .Values.replica.externalMaster.enabled }} + - name: REDIS_EXTERNAL_MASTER_HOST + value: {{ .Values.replica.externalMaster.host | quote }} + - name: REDIS_EXTERNAL_MASTER_PORT + value: {{ .Values.replica.externalMaster.port | quote }} + {{- end }} + {{- if .Values.replica.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraEnvVars "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.replica.extraEnvVarsCM .Values.replica.extraEnvVarsSecret }} + envFrom: + {{- if .Values.replica.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.replica.extraEnvVarsCM }} + {{- end }} + {{- if .Values.replica.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.replica.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.replica.containerPorts.redis }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.replica.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.replica.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis + {{- else if .Values.replica.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.replica.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.replica.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} + {{- else if .Values.replica.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.replica.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.replica.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.replica.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.replica.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.replica.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.replica.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh {{ .Values.replica.readinessProbe.timeoutSeconds }} + {{- else if .Values.replica.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.replica.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.resources }} + resources: {{- toYaml .Values.replica.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.sentinel.persistence.enabled }} + - name: sentinel-data + mountPath: /opt/bitnami/redis-sentinel/etc + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + - name: tmp + mountPath: /tmp + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.replica.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + - name: sentinel + image: {{ template "redis.sentinel.image" . }} + imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.lifecycleHooks "context" $) | nindent 12 }} + {{- else }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/prestop-sentinel.sh + {{- end }} + {{- end }} + {{- if .Values.sentinel.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.sentinel.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.sentinel.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.sentinel.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-sentinel.sh + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.sentinel.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_SENTINEL_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_SENTINEL_TLS_PORT_NUMBER + value: {{ .Values.sentinel.containerPorts.sentinel | quote }} + - name: REDIS_SENTINEL_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_SENTINEL_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_SENTINEL_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_SENTINEL_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE + value: {{ template "redis.tls.dhParamsFilename" . }} + {{- end }} + {{- else }} + - name: REDIS_SENTINEL_PORT + value: {{ .Values.sentinel.containerPorts.sentinel | quote }} + {{- end }} + {{- if .Values.sentinel.externalMaster.enabled }} + - name: REDIS_EXTERNAL_MASTER_HOST + value: {{ .Values.sentinel.externalMaster.host | quote }} + - name: REDIS_EXTERNAL_MASTER_PORT + value: {{ .Values.sentinel.externalMaster.port | quote }} + {{- end }} + {{- if .Values.sentinel.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraEnvVars "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.sentinel.extraEnvVarsCM .Values.sentinel.extraEnvVarsSecret }} + envFrom: + {{- if .Values.sentinel.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.sentinel.extraEnvVarsCM }} + {{- end }} + {{- if .Values.sentinel.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.sentinel.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis-sentinel + containerPort: {{ .Values.sentinel.containerPorts.sentinel }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.sentinel.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: redis-sentinel + {{- else if .Values.sentinel.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sentinel.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- else if .Values.sentinel.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- else if .Values.sentinel.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sentinel.resources }} + resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + - name: sentinel-data + mountPath: /opt/bitnami/redis-sentinel/etc + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis-sentinel/mounted-etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.sentinel.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "common.names.fullname" . }} + {{- if .Values.auth.enabled }} + - name: REDIS_USER + value: default + {{- if (not .Values.auth.usePasswordFiles) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.replica.containerPorts.redis }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9121 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} + {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.replica.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} + {{- else }} + chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + subPath: {{ .Values.replica.persistence.subPath }} + {{- end }} + {{- if .Values.sysctl.enabled }} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . }} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + {{- if not .Values.sentinel.persistence.enabled }} + - name: sentinel-data + {{- if .Values.sentinel.persistence.medium }} + emptyDir: { + medium: {{ .Values.sentinel.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + - name: redis-tmp-conf + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.replica.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.sentinel.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + {{- if not .Values.replica.persistence.enabled }} + - name: redis-data + {{- if .Values.replica.persistence.medium }} + emptyDir: { + medium: {{ .Values.replica.persistence.medium | quote }} + } + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: node + {{- if .Values.replica.persistence.annotations }} + annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.replica.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.replica.persistence.size | quote }} + {{- if .Values.replica.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.sentinel.persistence.enabled }} + - metadata: + name: sentinel-data + labels: {{- include "common.labels.matchLabels" . | nindent 10 }} + app.kubernetes.io/component: node + {{- if .Values.sentinel.persistence.annotations }} + annotations: {{- toYaml .Values.sentinel.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.sentinel.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.sentinel.persistence.size | quote }} + {{- if .Values.sentinel.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.sentinel.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.sentinel.persistence "global" .Values.global) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/serviceaccount.yaml new file mode 100644 index 0000000..1ce68a7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "redis.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + annotations: + {{- if or .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/servicemonitor.yaml new file mode 100644 index 0000000..40754c2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/servicemonitor.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabellings }} + relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: metrics +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/templates/tls-secret.yaml b/kubernetes/Charts/gitlab/charts/redis/templates/tls-secret.yaml new file mode 100644 index 0000000..4ab7acb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/templates/tls-secret.yaml @@ -0,0 +1,29 @@ +{{- if (include "redis.createTlsSecret" .) }} +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} +{{- $existingCerts := (lookup "v1" "Secret" .Release.Namespace $secretName).data | default dict }} +{{- $ca := genCA "redis-ca" 365 }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $fullname := include "common.names.fullname" . }} +{{- $serviceName := include "common.names.fullname" . }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) "127.0.0.1" "localhost" $fullname }} +{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ (get $existingCerts "ca.crt") | default ($ca.Cert | b64enc | quote ) }} + tls.crt: {{ (get $existingCerts "tls.crt") | default ($crt.Cert | b64enc | quote) }} + tls.key: {{ (get $existingCerts "tls.key") | default ($crt.Key | b64enc | quote) }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/redis/values.schema.json b/kubernetes/Charts/gitlab/charts/redis/values.schema.json new file mode 100644 index 0000000..d6e226b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/values.schema.json @@ -0,0 +1,156 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "Redis architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`", + "enum": ["standalone", "replication"] + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Use password authentication" + }, + "password": { + "type": "string", + "title": "Redis password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + } + } + }, + "master": { + "type": "object", + "title": "Master replicas settings", + "form": true, + "properties": { + "kind": { + "type": "string", + "title": "Workload Kind", + "form": true, + "description": "Allowed values: `Deployment` or `StatefulSet`", + "enum": ["Deployment", "StatefulSet"] + }, + "persistence": { + "type": "object", + "title": "Persistence for master replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "master/persistence/enabled" + } + } + } + } + } + }, + "replica": { + "type": "object", + "title": "Redis replicas settings", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + }, + "properties": { + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of Redis replicas" + }, + "persistence": { + "type": "object", + "title": "Persistence for Redis replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "replica/persistence/enabled" + } + } + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/kubernetes/Charts/gitlab/charts/redis/values.yaml b/kubernetes/Charts/gitlab/charts/redis/values.yaml new file mode 100644 index 0000000..c25a3b2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/redis/values.yaml @@ -0,0 +1,1621 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.redis.password Global Redis® password (overrides `auth.password`) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + redis: + password: "" + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param secretAnnotations Annotations to add to secret +## +secretAnnotations: {} +## @param clusterDomain Kubernetes cluster domain name +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section Redis® Image parameters +## + +## Bitnami Redis® image +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## @param image.registry Redis® image registry +## @param image.repository Redis® image repository +## @param image.tag Redis® image tag (immutable tags are recommended) +## @param image.pullPolicy Redis® image pull policy +## @param image.pullSecrets Redis® image pull secrets +## @param image.debug Enable image debug mode +## +image: + registry: docker.io + repository: bitnami/redis + tag: 6.2.7-debian-11-r11 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + +## @section Redis® common configuration parameters +## https://github.com/bitnami/bitnami-docker-redis#configuration +## + +## @param architecture Redis® architecture. Allowed values: `standalone` or `replication` +## +architecture: replication +## Redis® Authentication parameters +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +auth: + ## @param auth.enabled Enable password authentication + ## + enabled: true + ## @param auth.sentinel Enable password authentication on sentinels too + ## + sentinel: true + ## @param auth.password Redis® password + ## Defaults to a random 10-character alphanumeric string if not set + ## + password: "" + ## @param auth.existingSecret The name of an existing secret with Redis® credentials + ## NOTE: When it's set, the previous `auth.password` parameter is ignored + ## + existingSecret: "" + ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret + ## NOTE: ignored unless `auth.existingSecret` parameter is set + ## + existingSecretPasswordKey: "" + ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable + ## + usePasswordFiles: false + +## @param commonConfiguration [string] Common configuration to be added into the ConfigMap +## ref: https://redis.io/topics/config +## +commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" +## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis® nodes +## +existingConfigmap: "" + +## @section Redis® master configuration parameters +## + +master: + ## @param master.count Number of Redis® master instances to deploy (experimental, requires additional configuration) + ## + count: 1 + ## @param master.configuration Configuration for Redis® master nodes + ## ref: https://redis.io/topics/config + ## + configuration: "" + ## @param master.disableCommands Array with Redis® commands to disable on master nodes + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param master.command Override default container command (useful when using custom images) + ## + command: [] + ## @param master.args Override default container args (useful when using custom images) + ## + args: [] + ## @param master.preExecCmds Additional commands to run prior to starting Redis® master + ## + preExecCmds: [] + ## @param master.extraFlags Array with additional command line flags for Redis® master + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param master.extraEnvVars Array with extra environment variables to add to Redis® master nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis® master nodes + ## + extraEnvVarsCM: "" + ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis® master nodes + ## + extraEnvVarsSecret: "" + ## @param master.containerPorts.redis Container port to open on Redis® master nodes + ## + containerPorts: + redis: 6379 + ## Configure extra options for Redis® containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param master.startupProbe.enabled Enable startupProbe on Redis® master nodes + ## @param master.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param master.startupProbe.periodSeconds Period seconds for startupProbe + ## @param master.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param master.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param master.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param master.livenessProbe.enabled Enable livenessProbe on Redis® master nodes + ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param master.readinessProbe.enabled Enable readinessProbe on Redis® master nodes + ## @param master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param master.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Redis® master resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param master.resources.limits The resources limits for the Redis® master containers + ## @param master.resources.requests The requested resources for the Redis® master containers + ## + resources: + limits: {} + requests: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param master.podSecurityContext.enabled Enabled Redis® master pods' Security Context + ## @param master.podSecurityContext.fsGroup Set Redis® master pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param master.containerSecurityContext.enabled Enabled Redis® master containers' Security Context + ## @param master.containerSecurityContext.runAsUser Set Redis® master containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param master.kind Use either Deployment or StatefulSet (default) + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ + ## + kind: StatefulSet + ## @param master.schedulerName Alternate scheduler for Redis® master pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param master.updateStrategy.type Redis® master statefulset strategy type + ## @skip master.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + rollingUpdate: {} + ## @param master.priorityClassName Redis® master pods' priorityClassName + ## + priorityClassName: "" + ## @param master.hostAliases Redis® master pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param master.podLabels Extra labels for Redis® master pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param master.podAnnotations Annotations for Redis® master pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis® master pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node master.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set + ## + key: "" + ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param master.affinity Affinity for Redis® master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param master.nodeSelector Node labels for Redis® master pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param master.tolerations Tolerations for Redis® master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param master.topologySpreadConstraints Spread Constraints for Redis® master pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: [] + ## @param master.dnsPolicy DNS Policy for Redis® master pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsPolicy: ClusterFirst + dnsPolicy: "" + ## @param master.dnsConfig DNS Configuration for Redis® master pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsConfig: + ## options: + ## - name: ndots + ## value: "4" + ## - name: single-request-reopen + dnsConfig: {} + ## @param master.lifecycleHooks for the Redis® master container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis® master pod(s) + ## + extraVolumes: [] + ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® master container(s) + ## + extraVolumeMounts: [] + ## @param master.sidecars Add additional sidecar containers to the Redis® master pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param master.initContainers Add additional init containers to the Redis® master pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param master.persistence.enabled Enable persistence on Redis® master nodes using Persistent Volume Claims + ## + enabled: true + ## @param master.persistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## @param master.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes. + ## + sizeLimit: "" + ## @param master.persistence.path The path the volume will be mounted at on Redis® master containers + ## NOTE: Useful when using different Redis® images + ## + path: /data + ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis® master containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param master.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param master.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param master.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param master.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param master.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param master.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound + ## NOTE: requires master.persistence.enabled: true + ## + existingClaim: "" + ## Redis® master service parameters + ## + service: + ## @param master.service.type Redis® master service type + ## + type: ClusterIP + ## @param master.service.ports.redis Redis® master service port + ## + ports: + redis: 6379 + ## @param master.service.nodePorts.redis Node port for Redis® master + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param master.service.externalTrafficPolicy Redis® master service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param master.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param master.service.internalTrafficPolicy Redis® master service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + ## + internalTrafficPolicy: Cluster + ## @param master.service.clusterIP Redis® master service Cluster IP + ## + clusterIP: "" + ## @param master.service.loadBalancerIP Redis® master service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param master.service.loadBalancerSourceRanges Redis® master service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param master.service.annotations Additional custom annotations for Redis® master service + ## + annotations: {} + ## @param master.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param master.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods + ## + terminationGracePeriodSeconds: 30 + +## @section Redis® replicas configuration parameters +## + +replica: + ## @param replica.replicaCount Number of Redis® replicas to deploy + ## + replicaCount: 3 + ## @param replica.configuration Configuration for Redis® replicas nodes + ## ref: https://redis.io/topics/config + ## + configuration: "" + ## @param replica.disableCommands Array with Redis® commands to disable on replicas nodes + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param replica.command Override default container command (useful when using custom images) + ## + command: [] + ## @param replica.args Override default container args (useful when using custom images) + ## + args: [] + ## @param replica.preExecCmds Additional commands to run prior to starting Redis® replicas + ## + preExecCmds: [] + ## @param replica.extraFlags Array with additional command line flags for Redis® replicas + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param replica.extraEnvVars Array with extra environment variables to add to Redis® replicas nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis® replicas nodes + ## + extraEnvVarsCM: "" + ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis® replicas nodes + ## + extraEnvVarsSecret: "" + ## @param replica.externalMaster.enabled Use external master for bootstrapping + ## @param replica.externalMaster.host External master host to bootstrap from + ## @param replica.externalMaster.port Port for Redis service external master host + ## + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param replica.containerPorts.redis Container port to open on Redis® replicas nodes + ## + containerPorts: + redis: 6379 + ## Configure extra options for Redis® containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param replica.startupProbe.enabled Enable startupProbe on Redis® replicas nodes + ## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param replica.startupProbe.periodSeconds Period seconds for startupProbe + ## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param replica.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 22 + ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis® replicas nodes + ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis® replicas nodes + ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param replica.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param replica.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Redis® replicas resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param replica.resources.limits The resources limits for the Redis® replicas containers + ## @param replica.resources.requests The requested resources for the Redis® replicas containers + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: {} + # cpu: 250m + # memory: 256Mi + requests: {} + # cpu: 250m + # memory: 256Mi + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param replica.podSecurityContext.enabled Enabled Redis® replicas pods' Security Context + ## @param replica.podSecurityContext.fsGroup Set Redis® replicas pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param replica.containerSecurityContext.enabled Enabled Redis® replicas containers' Security Context + ## @param replica.containerSecurityContext.runAsUser Set Redis® replicas containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param replica.schedulerName Alternate scheduler for Redis® replicas pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param replica.updateStrategy.type Redis® replicas statefulset strategy type + ## @skip replica.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + rollingUpdate: {} + ## @param replica.priorityClassName Redis® replicas pods' priorityClassName + ## + priorityClassName: "" + ## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## @param replica.hostAliases Redis® replicas pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param replica.podLabels Extra labels for Redis® replicas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param replica.podAnnotations Annotations for Redis® replicas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis® replicas pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set + ## + key: "" + ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param replica.affinity Affinity for Redis® replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param replica.nodeSelector Node labels for Redis® replicas pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param replica.tolerations Tolerations for Redis® replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param replica.topologySpreadConstraints Spread Constraints for Redis® replicas pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: [] + ## @param replica.dnsPolicy DNS Policy for Redis® replica pods + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsPolicy: ClusterFirst + dnsPolicy: "" + ## @param replica.dnsConfig DNS Configuration for Redis® replica pods + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsConfig: + ## options: + ## - name: ndots + ## value: "4" + ## - name: single-request-reopen + dnsConfig: {} + ## @param replica.lifecycleHooks for the Redis® replica container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis® replicas pod(s) + ## + extraVolumes: [] + ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) + ## + extraVolumeMounts: [] + ## @param replica.sidecars Add additional sidecar containers to the Redis® replicas pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param replica.initContainers Add additional init containers to the Redis® replicas pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence Parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param replica.persistence.enabled Enable persistence on Redis® replicas nodes using Persistent Volume Claims + ## + enabled: true + ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## @param replica.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes. + ## + sizeLimit: "" + ## @param replica.persistence.path The path the volume will be mounted at on Redis® replicas containers + ## NOTE: Useful when using different Redis® images + ## + path: /data + ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis® replicas containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param replica.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param replica.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param replica.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param replica.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param replica.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param replica.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param replica.persistence.existingClaim Use a existing PVC which must be created manually before bound + ## NOTE: requires replica.persistence.enabled: true + ## + existingClaim: "" + ## Redis® replicas service parameters + ## + service: + ## @param replica.service.type Redis® replicas service type + ## + type: ClusterIP + ## @param replica.service.ports.redis Redis® replicas service port + ## + ports: + redis: 6379 + ## @param replica.service.nodePorts.redis Node port for Redis® replicas + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param replica.service.externalTrafficPolicy Redis® replicas service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param replica.service.internalTrafficPolicy Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + ## + internalTrafficPolicy: Cluster + ## @param replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param replica.service.clusterIP Redis® replicas service Cluster IP + ## + clusterIP: "" + ## @param replica.service.loadBalancerIP Redis® replicas service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param replica.service.loadBalancerSourceRanges Redis® replicas service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param replica.service.annotations Additional custom annotations for Redis® replicas service + ## + annotations: {} + ## @param replica.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param replica.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods + ## + terminationGracePeriodSeconds: 30 + ## Autoscaling configuration + ## + autoscaling: + ## @param replica.autoscaling.enabled Enable replica autoscaling settings + ## + enabled: false + ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling + ## + minReplicas: 1 + ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling + ## + maxReplicas: 11 + ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling + ## + targetCPU: "" + ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling + ## + targetMemory: "" + +## @section Redis® Sentinel configuration parameters +## + +sentinel: + ## @param sentinel.enabled Use Redis® Sentinel on Redis® pods. + ## IMPORTANT: this will disable the master and replicas services and + ## create a single Redis® service exposing both the Redis and Sentinel ports + ## + enabled: false + ## Bitnami Redis® Sentinel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## @param sentinel.image.registry Redis® Sentinel image registry + ## @param sentinel.image.repository Redis® Sentinel image repository + ## @param sentinel.image.tag Redis® Sentinel image tag (immutable tags are recommended) + ## @param sentinel.image.pullPolicy Redis® Sentinel image pull policy + ## @param sentinel.image.pullSecrets Redis® Sentinel image pull secrets + ## @param sentinel.image.debug Enable image debug mode + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + tag: 6.2.7-debian-11-r12 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param sentinel.masterSet Master set name + ## + masterSet: mymaster + ## @param sentinel.quorum Sentinel Quorum + ## + quorum: 2 + ## @param sentinel.getMasterTimeout Amount of time to allow before get_sentinel_master_info() times out. + ## NOTE: This is directly related to the startupProbes which are configured to run every 10 seconds for a total of 22 failures. If adjusting this value, also adjust the startupProbes. + getMasterTimeout: 220 + ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. + ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. + ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. + ## + automateClusterRecovery: false + ## Sentinel timing restrictions + ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis® node is down + ## @param sentinel.failoverTimeout Timeout for performing a election failover + ## + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover + ## + parallelSyncs: 1 + ## @param sentinel.configuration Configuration for Redis® Sentinel nodes + ## ref: https://redis.io/topics/sentinel + ## + configuration: "" + ## @param sentinel.command Override default container command (useful when using custom images) + ## + command: [] + ## @param sentinel.args Override default container args (useful when using custom images) + ## + args: [] + ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis® Sentinel + ## + preExecCmds: [] + ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis® Sentinel nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes + ## + extraEnvVarsCM: "" + ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis® Sentinel nodes + ## + extraEnvVarsSecret: "" + ## @param sentinel.externalMaster.enabled Use external master for bootstrapping + ## @param sentinel.externalMaster.host External master host to bootstrap from + ## @param sentinel.externalMaster.port Port for Redis service external master host + ## + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param sentinel.containerPorts.sentinel Container port to open on Redis® Sentinel nodes + ## + containerPorts: + sentinel: 26379 + ## Configure extra options for Redis® containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param sentinel.startupProbe.enabled Enable startupProbe on Redis® Sentinel nodes + ## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe + ## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 22 + ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis® Sentinel nodes + ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis® Sentinel nodes + ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Persistence parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param sentinel.persistence.enabled Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) + ## + enabled: false + ## @param sentinel.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param sentinel.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param sentinel.persistence.size Persistent Volume size + ## + size: 100Mi + ## @param sentinel.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param sentinel.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param sentinel.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param sentinel.persistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## Redis® Sentinel resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sentinel.resources.limits The resources limits for the Redis® Sentinel containers + ## @param sentinel.resources.requests The requested resources for the Redis® Sentinel containers + ## + resources: + limits: {} + requests: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context + ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param sentinel.lifecycleHooks for the Redis® sentinel container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis® Sentinel + ## + extraVolumes: [] + ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) + ## + extraVolumeMounts: [] + ## Redis® Sentinel service parameters + ## + service: + ## @param sentinel.service.type Redis® Sentinel service type + ## + type: ClusterIP + ## @param sentinel.service.ports.redis Redis® service port for Redis® + ## @param sentinel.service.ports.sentinel Redis® service port for Redis® Sentinel + ## + ports: + redis: 6379 + sentinel: 26379 + ## @param sentinel.service.nodePorts.redis Node port for Redis® + ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## NOTE: By leaving these values blank, they will be generated by ports-configmap + ## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port + ## + nodePorts: + redis: "" + sentinel: "" + ## @param sentinel.service.externalTrafficPolicy Redis® Sentinel service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param sentinel.service.clusterIP Redis® Sentinel service Cluster IP + ## + clusterIP: "" + ## @param sentinel.service.loadBalancerIP Redis® Sentinel service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param sentinel.service.loadBalancerSourceRanges Redis® Sentinel service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param sentinel.service.annotations Additional custom annotations for Redis® Sentinel service + ## + annotations: {} + ## @param sentinel.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param sentinel.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods + ## + terminationGracePeriodSeconds: 30 + +## @section Other Parameters +## + +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## When set to false, only pods with the correct client label will have network access to the ports + ## Redis® is listening on. When true, Redis® will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress Add extra egress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules + ## + enabled: false +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## ServiceAccount configuration +## +serviceAccount: + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Redis® Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Specifies whether a PodDisruptionBudget should be created + ## + create: false + ## @param pdb.minAvailable Min number of pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction + ## + maxUnavailable: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic + ## + enabled: false + ## @param tls.authClients Require clients to authenticate + ## + authClients: true + ## @param tls.autoGenerated Enable autogenerated certificates + ## + autoGenerated: false + ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates + ## + existingSecret: "" + ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead. + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate Key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## + certCAFilename: "" + ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) + ## + dhParamsFilename: "" + +## @section Metrics Parameters +## + +metrics: + ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis® metrics + ## + enabled: false + ## Bitnami Redis® Exporter image + ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/ + ## @param metrics.image.registry Redis® Exporter image registry + ## @param metrics.image.repository Redis® Exporter image repository + ## @param metrics.image.tag Redis® Redis® Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy Redis® Exporter image pull policy + ## @param metrics.image.pullSecrets Redis® Exporter image pull secrets + ## + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.43.0-debian-11-r4 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.command Override default metrics container init command (useful when using custom images) + ## + command: [] + ## @param metrics.redisTargetHost A way to specify an alternative Redis® hostname + ## Useful for certificate CN/SAN matching + ## + redisTargetHost: "localhost" + ## @param metrics.extraArgs Extra arguments for Redis® exporter, for example: + ## e.g.: + ## extraArgs: + ## check-keys: myKey,myOtherKey + ## + extraArgs: {} + ## @param metrics.extraEnvVars Array with extra environment variables to add to Redis® exporter + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param metrics.containerSecurityContext.enabled Enabled Redis® exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set Redis® exporter containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis® metrics sidecar + ## + extraVolumes: [] + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar + ## + extraVolumeMounts: [] + ## Redis® exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the Redis® exporter container + ## @param metrics.resources.requests The requested resources for the Redis® exporter container + ## + resources: + limits: {} + requests: {} + ## @param metrics.podLabels Extra labels for Redis® exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param metrics.podAnnotations [object] Annotations for Redis® exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + ## Redis® exporter service parameters + ## + service: + ## @param metrics.service.type Redis® exporter service type + ## + type: ClusterIP + ## @param metrics.service.port Redis® exporter service port + ## + port: 9121 + ## @param metrics.service.externalTrafficPolicy Redis® exporter service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param metrics.service.loadBalancerIP Redis® exporter service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param metrics.service.loadBalancerSourceRanges Redis® exporter service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param metrics.service.annotations Additional custom annotations for Redis® exporter service + ## + annotations: {} + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created + ## + namespace: "" + ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. + ## + relabellings: [] + ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus + ## + additionalLabels: {} + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Custom Prometheus rules + ## e.g: + ## rules: + ## - alert: RedisDown + ## expr: redis_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis® instance {{ "{{ $labels.instance }}" }} down + ## description: Redis® instance {{ "{{ $labels.instance }}" }} is down + ## - alert: RedisMemoryHigh + ## expr: > + ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 + ## / + ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} + ## > 90 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis® instance {{ "{{ $labels.instance }}" }} is using too much memory + ## description: | + ## Redis® instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + ## - alert: RedisKeyEviction + ## expr: | + ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . }}-metrics"}[5m]) > 0 + ## for: 1s + ## labels: + ## severity: error + ## annotations: + ## summary: Redis® instance {{ "{{ $labels.instance }}" }} has evicted keys + ## description: | + ## Redis® instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + ## + rules: [] + +## @section Init Container Parameters +## + +## 'volumePermissions' init container parameters +## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values +## based on the *podSecurityContext/*containerSecurityContext parameters +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param volumePermissions.image.registry Bitnami Shell image registry + ## @param volumePermissions.image.repository Bitnami Shell image repository + ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy + ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r11 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + containerSecurityContext: + runAsUser: 0 + +## init-sysctl container parameters +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +## +sysctl: + ## @param sysctl.enabled Enable init container to modify Kernel settings + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param sysctl.image.registry Bitnami Shell image registry + ## @param sysctl.image.repository Bitnami Shell image repository + ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy + ## @param sysctl.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r11 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) + ## + command: [] + ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` + ## + mountHostSys: false + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sysctl.resources.limits The resources limits for the init container + ## @param sysctl.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + +## @section useExternalDNS Parameters +## +## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. +## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled. +## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. +## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. +## +useExternalDNS: + enabled: false + suffix: "" + annotationKey: external-dns.alpha.kubernetes.io/ + additionalAnnotations: {} diff --git a/gitlab-ci/modules/k8s-node-group/outputs.tf b/kubernetes/Charts/gitlab/charts/registry/CHANGELOG.md similarity index 100% rename from gitlab-ci/modules/k8s-node-group/outputs.tf rename to kubernetes/Charts/gitlab/charts/registry/CHANGELOG.md diff --git a/kubernetes/Charts/gitlab/charts/registry/Chart.yaml b/kubernetes/Charts/gitlab/charts/registry/Chart.yaml new file mode 100644 index 0000000..f5402fc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +appVersion: v3.86.1-gitlab +description: Stateless, highly scalable application that stores and lets you distribute + container images +home: https://docs.gitlab.com/ee/user/packages/container_registry +icon: https://hub.docker.com/public/images/logos/mini-logo.svg +keywords: +- registry +- container +- docker +- gitlab +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: registry +sources: +- https://gitlab.com/gitlab-org/container-registry +- https://gitlab.com/gitlab-org/charts/gitlab/charts/registry +version: 0.7.0 diff --git a/kubernetes/Charts/gitlab/charts/registry/index.md b/kubernetes/Charts/gitlab/charts/registry/index.md new file mode 100644 index 0000000..7261190 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/index.md @@ -0,0 +1,13 @@ +Forked from https://github.com/helm/charts/tree/master/stable/docker-registry + +With a few tweaks to make it play nicely with GitLab, including Minio S3 +storage and GitLab authentication endpoint. + +## Configuration + +In addition to the original configuration that are inherited from the upstream, +this chart also introduces some additional configuration. See [additional options](../../doc/charts/registry/index.md#installation-command-line-options) + +## Development + +For more details, see [development notes](../../doc/development/index.md#verifying-registry) diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/_database.tpl b/kubernetes/Charts/gitlab/charts/registry/templates/_database.tpl new file mode 100644 index 0000000..b4c39aa --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/_database.tpl @@ -0,0 +1,108 @@ +{{/* +Return database configuration, if enabled. +*/}} +{{- define "registry.database.config" -}} +{{- if .Values.database.enabled }} +database: + enabled: true + host: {{ default (include "gitlab.psql.host" .) .Values.database.host | quote }} + port: {{ default (include "gitlab.psql.port" .) .Values.database.port }} + user: {{ .Values.database.user }} + password: "DB_PASSWORD_FILE" + dbname: {{ .Values.database.name }} + sslmode: {{ .Values.database.sslmode }} + {{- if .Values.database.ssl }} + sslcert: /etc/docker/registry/ssl/client-certificate.pem + sslkey: /etc/docker/registry/ssl/client-key.pem + sslrootcert: /etc/docker/registry/ssl/server-ca.pem + {{- end }} + {{- if .Values.database.connecttimeout }} + connecttimeout: {{ .Values.database.connecttimeout }} + {{- end }} + {{- if .Values.database.draintimeout }} + draintimeout: {{ .Values.database.draintimeout }} + {{- end }} + {{- if .Values.database.preparedstatements }} + preparedstatements: true + {{- end }} + {{- if .Values.database.pool }} + pool: + {{- if .Values.database.pool.maxidle }} + maxidle: {{ .Values.database.pool.maxidle }} + {{- end }} + {{- if .Values.database.pool.maxopen }} + maxopen: {{ .Values.database.pool.maxopen }} + {{- end }} + {{- if .Values.database.pool.maxlifetime }} + maxlifetime: {{ .Values.database.pool.maxlifetime }} + {{- end }} + {{- if .Values.database.pool.maxidletime }} + maxidletime: {{ .Values.database.pool.maxidletime }} + {{- end }} + {{- end }} + {{- if .Values.database.discovery.enabled }} + discovery: + enabled: true + nameserver: {{ .Values.database.discovery.nameserver | quote }} + port: {{ default 53 .Values.database.discovery.port }} + primaryrecord: {{ .Values.database.discovery.primaryrecord | quote }} + tcp: {{ default false .Values.database.discovery.tcp }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Return Registry's database secret entry as a projected volume +*/}} +{{- define "gitlab.registry.database.password.projectedVolume" -}} +- secret: + name: {{ default (printf "%s-registry-database-password" .Release.Name) .Values.database.password.secret }} + items: + - key: {{ default "password" .Values.database.password.key }} + path: database_password +{{- end -}} + +{{/* +Return PostgreSQL SSL client certificate secret key +*/}} +{{- define "gitlab.registry.psql.ssl.clientCertificate" -}} +{{ default .Values.global.psql.ssl.serverCA .Values.database.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `registry.database.ssl.clientCertificate`" }} +{{- end -}} + +{{/* +Return PostgreSQL SSL client key secret key +*/}} +{{- define "gitlab.registry.psql.ssl.clientKey" -}} +{{ default .Values.global.psql.ssl.clientKey .Values.database.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `registry.database.ssl.clientKey`" }} +{{- end -}} + +{{/* +Return PostgreSQL SSL server CA secret key +*/}} +{{- define "gitlab.registry.psql.ssl.serverCA" -}} +{{ default .Values.global.psql.ssl.serverCA .Values.database.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `registry.database.ssl.serverCA`" }} +{{- end -}} + +{{/* +Return PostgreSQL SSL secret name +*/}} +{{- define "gitlab.registry.psql.ssl.secret" -}} +{{ default .Values.global.psql.ssl.secret .Values.database.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `registry.database.ssl.secret`" }} +{{- end -}} + +{{/* +Returns the K8s Secret definition for a PostgreSQL mutual TLS connection. +*/}} +{{- define "gitlab.registry.psql.ssl" -}} +{{- if or .Values.database.ssl .Values.global.psql.ssl }} +- secret: + name: {{ include "gitlab.registry.psql.ssl.secret" . }} + items: + - key: {{ include "gitlab.registry.psql.ssl.clientCertificate" . }} + path: ssl/client-certificate.pem + - key: {{ include "gitlab.registry.psql.ssl.clientKey" . }} + path: ssl/client-key.pem + - key: {{ include "gitlab.registry.psql.ssl.serverCA" . }} + path: ssl/server-ca.pem +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/_gc.tpl b/kubernetes/Charts/gitlab/charts/registry/templates/_gc.tpl new file mode 100644 index 0000000..9a17c22 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/_gc.tpl @@ -0,0 +1,40 @@ +{{/* +Return online garbage collection configuration. +*/}} +{{- define "registry.gc.config" -}} +gc: + disabled: {{ .Values.gc.disabled }} + {{- if .Values.gc.maxbackoff }} + maxbackoff: {{ .Values.gc.maxbackoff }} + {{- end }} + {{- if .Values.gc.noidlebackoff }} + noidlebackoff: {{ .Values.gc.noidlebackoff }} + {{- end }} + {{- if .Values.gc.transactiontimeout }} + transactiontimeout: {{ .Values.gc.transactiontimeout }} + {{- end }} + {{- if .Values.gc.reviewafter }} + reviewafter: {{ .Values.gc.reviewafter }} + {{- end }} + {{- if .Values.gc.manifests }} + manifests: + {{- if .Values.gc.manifests.disabled }} + disabled: {{ .Values.gc.manifests.disabled }} + {{- end }} + {{- if .Values.gc.manifests.interval }} + interval: {{ .Values.gc.manifests.interval }} + {{- end }} + {{- end }} + {{- if .Values.gc.blobs }} + blobs: + {{- if .Values.gc.blobs.disabled }} + disabled: {{ .Values.gc.blobs.disabled }} + {{- end }} + {{- if .Values.gc.blobs.interval }} + interval: {{ .Values.gc.blobs.interval }} + {{- end }} + {{- if .Values.gc.blobs.storagetimeout }} + storagetimeout: {{ .Values.gc.blobs.storagetimeout }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/registry/templates/_helpers.tpl new file mode 100644 index 0000000..6ea4703 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/_helpers.tpl @@ -0,0 +1,168 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the registry authEndpoint +Defaults to the globally set gitlabHostname if an authEndpoint hasn't been provided +to the chart +*/}} +{{- define "registry.authEndpoint" -}} +{{- if .Values.authEndpoint -}} +{{- .Values.authEndpoint -}} +{{- else -}} +{{- template "gitlab.gitlab.url" . -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the hostname. +If the hostname is set in `global.hosts.registry.name`, that will be returned, +otherwise the hostname will be assembed using `registry` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "registry.hostname" -}} +{{- coalesce .Values.global.hosts.registry.name (include "gitlab.assembleHost" (dict "name" "registry" "context" . )) -}} +{{- end -}} + +{{/* +Returns the secret name for the Secret containing the TLS certificate and key. +Uses `ingress.tls.secretName` first and falls back to `global.ingress.tls.secretName` +if there is a shared tls secret for all ingresses. +*/}} +{{- define "registry.tlsSecret" -}} +{{- $defaultName := (dict "secretName" "") -}} +{{- if .Values.global.ingress.configureCertmanager -}} +{{- $_ := set $defaultName "secretName" (printf "%s-registry-tls" .Release.Name) -}} +{{- else -}} +{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}} +{{- end -}} +{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}} +{{- end -}} + +{{/* +Returns the minio URL. +If `registry.redirect` is set to `true` it will return the external domain name of minio, +e.g. `https://minio.example.com`, otherwise it will fallback to the internal minio service +URL, e.g. `http://minio-svc:9000`. + +For external domain name, if `global.hosts.https` or `global.hosts.minio.https` is true, +it uses https, otherwise http. Calls into the `gitlab.minio.hostname` function for the +hostname part of the url. +*/}} +{{- define "registry.minio.url" -}} +{{- if .Values.minio.redirect -}} + {{- if or .Values.global.hosts.https .Values.global.hosts.minio.https -}} + {{- printf "https://%s" (include "gitlab.minio.hostname" .) -}} + {{- else -}} + {{- printf "http://%s" (include "gitlab.minio.hostname" .) -}} + {{- end -}} +{{- else -}} + {{- include "gitlab.minio.endpoint" . -}} +{{- end -}} +{{- end -}} + +{{/* +Populate registry notifications +*/}} +{{- define "registry.notifications.config" -}} +{{- $geoNotifier := include "global.geo.registry.syncNotifier" . | fromYaml -}} +{{- $notifications := merge $.Values.global.registry.notifications $geoNotifier -}} +{{- if $notifications }} +notifications: + {{- if $notifications.events }} + events: + {{- toYaml $.Values.global.registry.notifications.events | nindent 4 }} + {{- end -}} + {{- $endpoints := concat (list) $notifications.endpoints $geoNotifier.endpoints | uniq -}} + {{- if $endpoints }} + endpoints: + {{- range $endpoint := $endpoints -}} + {{- if $endpoint.name -}} + {{- $headers := pluck "headers" $endpoint | first -}} + {{- $endpoint = omit $endpoint "headers" }} + {{- toYaml (list $endpoint) | nindent 4 }} + {{- if $headers }} + headers: + {{- range $header, $value := $headers -}} + {{- if kindIs "map" $value -}} + {{- if hasKey $value "secret" }} + {{ $header }}: SECRET_{{ $value.secret }}_{{ default "value" $value.key }} + {{- end -}} + {{- else }} + {{ $header }}: {{ $value }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Individual secret items to be used as volumes +Usage: +{{ include "registry.notifications.secrets.item " ( \ + dict + "value" $value + "fileName" $fileName + ) }} +*/}} +{{- define "registry.notifications.secrets.item" -}} +- secret: + name: {{ .value.secret }} + items: + - key: {{ default "value" .value.key }} + path: notifications/SECRET_{{ .fileName }} +{{- end }} + +{{/* +Sensitive registry notification headers mounted as secrets +*/}} +{{- define "registry.notifications.secrets" -}} +{{- $geoNotifier := include "global.geo.registry.syncNotifier" . | fromYaml -}} +{{- $notifications := merge $.Values.global.registry.notifications $geoNotifier -}} +{{- if $notifications }} + {{- $uniqSecrets := list -}} + {{- $endpoints := concat (list) $notifications.endpoints $geoNotifier.endpoints | uniq -}} + {{- range $endpoint := $endpoints -}} + {{- if and $endpoint.name $endpoint.headers -}} + {{- range $header, $value := $endpoint.headers -}} + {{- if kindIs "map" $value -}} + {{- if hasKey $value "secret" }} + {{- $fileName := printf "%s_%s" $value.secret (default "value" $value.key) -}} + {{- if not (has $fileName $uniqSecrets) }} + {{- $uniqSecrets = append $uniqSecrets $fileName }} +{{ include "registry.notifications.secrets.item" (dict "value" $value "fileName" $fileName) }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "registry.fullname" -}} +{{- include "fullname" $ -}} +{{- end -}} +{{/* +Return the sub-chart serviceAccount name +If that is not present it will use the global chart serviceAccount name +Failing that a serviceAccount will be generated automatically +*/}} +{{- define "registry.serviceAccount.name" -}} +{{- coalesce .Values.serviceAccount.name .Values.global.serviceAccount.name ( include "registry.fullname" . ) -}} +{{- end -}} + +{{/* +Create a default fully qualified job name. +Due to the job only being allowed to run once, we add the chart revision so Helm +upgrades don't cause errors trying to create the already ran job. +*/}} +{{- define "registry.migrations.jobname" -}} +{{- $name := include "registry.fullname" . | trunc 55 | trimSuffix "-" -}} +{{- printf "%s-migrations-%d" $name .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/_profiling.tpl b/kubernetes/Charts/gitlab/charts/registry/templates/_profiling.tpl new file mode 100644 index 0000000..608da58 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/_profiling.tpl @@ -0,0 +1,13 @@ +{{/* +Return the registry's profiling credentials secret key +*/}} +{{- define "gitlab.registry.profiling.stackdriver.credentials.key" -}} +{{- default "credentials" .Values.profiling.stackdriver.credentials.key | quote -}} +{{- end -}} + +{{/* +Construct a default registry profiling service name, if not supplied +*/}} +{{- define "gitlab.registry.profiling.stackdriver.service" -}} +{{- default (include "registry.fullname" .) .Values.profiling.stackdriver.service | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/_redis.tpl b/kubernetes/Charts/gitlab/charts/registry/templates/_redis.tpl new file mode 100644 index 0000000..a174875 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/_redis.tpl @@ -0,0 +1,77 @@ +{{/* +Helper for Sentinels as a string + +Expectation: input contents has .sentinels, which is a List of Dict + in the format of [{host: , port:}, ...] +*/}} +{{- define "registry.redis.host.sentinels" -}} +{{- $sentinels := list -}} +{{- range .sentinels -}} +{{- $sentinels = append $sentinels (printf "%s:%d" .host (default 26379 .port | int)) -}} +{{- end -}} +{{ join "," $sentinels }} +{{- end -}} + + +{{- define "gitlab.registry.redisCacheSecret.mount" -}} +{{- if .Values.redis.cache.password.enabled }} +- secret: + name: {{ default (include "redis.secretName" . ) ( .Values.redis.cache.password.secret | quote) }} + items: + - key: {{ default (include "redis.secretPasswordKey" . ) ( .Values.redis.cache.password.key | quote) }} + path: registry/redis-password +{{- end }} +{{- end -}} + +{{/* +Return migration configuration. +*/}} +{{- define "registry.redis.config" -}} +{{- include "gitlab.redis.selectedMergedConfig" . -}} +redis: + cache: + enabled: {{ .Values.redis.cache.enabled | eq true }} + {{- if .Values.redis.cache.sentinels }} + addr: {{ include "registry.redis.host.sentinels" .Values.redis.cache | quote }} + mainname: {{ .Values.redis.cache.host }} + {{- else if .redisMergedConfig.sentinels }} + addr: {{ include "registry.redis.host.sentinels" .redisMergedConfig | quote }} + mainname: {{ template "gitlab.redis.host" . }} + {{- else if .Values.redis.cache.host }} + addr: {{ printf "%s:%d" .Values.redis.cache.host (int .Values.redis.cache.port | default 6379) | quote }} + {{- else }} + addr: {{ printf "%s:%s" ( include "gitlab.redis.host" . ) ( include "gitlab.redis.port" . ) | quote }} + {{- end }} + {{- if .Values.redis.cache.password.enabled }} + password: "REDIS_CACHE_PASSWORD" + {{- end }} + {{- if hasKey .Values.redis.cache "db" }} + db: {{ .Values.redis.cache.db }} + {{- end }} + {{- if .Values.redis.cache.dialtimeout }} + dialtimeout: {{ .Values.redis.cache.dialtimeout }} + {{- end }} + {{- if .Values.redis.cache.readtimeout }} + readtimeout: {{ .Values.redis.cache.readtimeout }} + {{- end }} + {{- if .Values.redis.cache.writetimeout }} + writetimeout: {{ .Values.redis.cache.writetimeout }} + {{- end }} + {{- if .Values.redis.cache.tls }} + tls: + enabled: {{ .Values.redis.cache.tls.enabled | eq true }} + insecure: {{ .Values.redis.cache.tls.insecure | eq true }} + {{- end }} + {{- if .Values.redis.cache.pool }} + pool: + {{- if .Values.redis.cache.pool.size }} + size: {{ .Values.redis.cache.pool.size }} + {{- end }} + {{- if .Values.redis.cache.pool.maxlifetime }} + maxlifetime: {{ .Values.redis.cache.pool.maxlifetime }} + {{- end }} + {{- if .Values.redis.cache.pool.idletimeout }} + idletimeout: {{ .Values.redis.cache.pool.idletimeout }} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/_storage_default.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/_storage_default.yaml new file mode 100644 index 0000000..3157f33 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/_storage_default.yaml @@ -0,0 +1,6 @@ +filesystem: + rootdirectory: '/tmp/registry' +cache: + blobdescriptor: 'inmemory' +delete: + enabled: true diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/configmap.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/configmap.yaml new file mode 100644 index 0000000..34ed5c2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/configmap.yaml @@ -0,0 +1,163 @@ +{{- if .Values.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + configure: |- + {{- .Values.init.script | nindent 4 }} + config.yml: | + version: 0.1 + log: + {{ toYaml .Values.log | nindent 6 | trim }} + http: + addr: :{{ .Values.service.internalPort }} + # `host` is not configurable + # `prefix` is not configurable + {{- if .Values.tls.enabled }} + tls: + certificate: /etc/docker/registry/tls/tls.crt + key: /etc/docker/registry/tls/tls.key + {{- if and .Values.tls.clientCAs (kindIs "slice" .Values.tls.clientCAs) }} + clientCAs: {{- toYaml .Values.tls.clientCAs | nindent 10 }} + {{- end }} + minimumTLS: {{ default "tls1.2" .Values.tls.minimumTLS | quote }} + {{- end }} + {{- if .Values.debug }} + debug: + addr: :{{ .Values.debug.addr.port | int }} + prometheus: + enabled: {{ (or .Values.metrics.enabled .Values.debug.prometheus.enabled) }} + path: {{ default .Values.metrics.path .Values.debug.prometheus.path }} + {{- if .Values.debug.tls.enabled }} + tls: + enabled: true + {{- if .Values.debug.tls.secretName }} + certificate: /etc/docker/registry/tls/tls-debug.crt + key: /etc/docker/registry/tls/tls-debug.key + {{- if and .Values.debug.tls.clientCAs (kindIs "slice" .Values.debug.tls.clientCAs) }} + clientCAs: {{- toYaml .Values.debug.tls.clientCAs | nindent 12 }} + {{- end }} + minimumTLS: {{ .Values.debug.tls.minimumTLS | quote }} + {{- end }} + {{- end }} + {{- end }} + draintimeout: {{ .Values.draintimeout }} + headers: + X-Content-Type-Options: [nosniff] + secret: "HTTP_SECRET" + relativeurls: {{ .Values.relativeurls }} + health: + {{- if kindIs "map" .Values.health }} + {{ toYaml .Values.health | nindent 6 | trim }} + {{- end }} + auth: + token: + realm: {{ template "registry.authEndpoint" . }}/jwt/auth + service: {{ .Values.tokenService }} + issuer: {{ coalesce .Values.tokenIssuer (dig "registry" "tokenIssuer" "gitlab-issuer" .Values.global ) }} + # This is provided from the initContainer execution, at a known path. + rootcertbundle: /etc/docker/registry/certificate.crt + autoredirect: {{ .Values.authAutoRedirect }} + validation: + disabled: {{ eq true .Values.validation.disabled }} + {{- with .Values.validation.manifests }} + manifests: + referencelimit: {{ .referencelimit }} + payloadsizelimit: {{ .payloadsizelimit }} + urls: + allow: + {{- range .urls.allow }} + - {{ . }} + {{- end }} + deny: + {{- range .urls.deny }} + - {{ . }} + {{- end }} + {{- end }} + {{- include "registry.notifications.config" $ | nindent 4 }} + reporting: + {{- if .Values.reporting.sentry.enabled }} + sentry: + enabled: true + dsn: {{ .Values.reporting.sentry.dsn }} + {{- if .Values.reporting.sentry.environment }} + environment: {{ .Values.reporting.sentry.environment }} + {{- end }} + {{- end }} + profiling: + {{- if .Values.profiling.stackdriver.enabled }} + stackdriver: + enabled: true + service: {{ template "gitlab.registry.profiling.stackdriver.service" . }} + serviceversion: {{ .Values.image.tag }} + {{- if .Values.profiling.stackdriver.projectid }} + projectid: {{ .Values.profiling.stackdriver.projectid }} + {{- end }} + {{- if .Values.profiling.stackdriver.credentials.secret }} + keyfile: /etc/docker/registry/profiling-key.json + {{- end }} + {{- end }} + storage: + maintenance: + readonly: + enabled: {{ .Values.maintenance.readonly.enabled }} + uploadpurging: + enabled: {{ .Values.maintenance.uploadpurging.enabled }} + age: {{ .Values.maintenance.uploadpurging.age }} + interval: {{ .Values.maintenance.uploadpurging.interval }} + dryrun: {{ .Values.maintenance.uploadpurging.dryrun }} + {{- if .Values.storage }} + {{- with .Values.storage.redirect }} + redirect: + disable: {{ default false .disable }} + exceptions: + {{- range .exceptions }} + - {{ . }} + {{- end }} + {{- end }} + {{- else if .Values.global.minio.enabled }} + s3: + accesskey: "ACCESS_KEY" + secretkey: "SECRET_KEY" + region: us-east-1 + regionendpoint: {{ template "registry.minio.url" . }} + bucket: {{ coalesce .Values.minio.bucket .Values.global.registry.bucket }} + secure: true + v4auth: true + rootdirectory: / + cache: + blobdescriptor: 'inmemory' + delete: + enabled: true + {{- if not .Values.minio.redirect }} + redirect: + disable: true + {{- end }} + {{- else }} + {{- include (print $.Template.BasePath "/_storage_default.yaml") . | nindent 6}} + {{- end }} + middleware: + {{- if .Values.middleware.storage }} + storage: + {{ range $index, $v := .Values.middleware.storage }} + - name: {{ $v.name }} + options: {{ omit $v.options "privatekeySecret" "privatekey" | toYaml | nindent 10 }} + privatekey: {{ printf "/etc/docker/registry/middleware.storage/%d/%s" $index $v.options.privatekeySecret.key }} + {{ end }} + {{- end }} + {{- include "registry.database.config" $ | nindent 4 }} + {{- include "registry.gc.config" $ | nindent 4 }} + {{- include "registry.redis.config" $ | nindent 4}} + + # minimal configuration, in order to do database migrations + migrations-config.yml: | + version: 0.1 + log: + {{ toYaml .Values.log | nindent 6 | trim }} + {{- include "registry.database.config" $ | nindent 4 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/deployment.yaml new file mode 100644 index 0000000..54b3abb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/deployment.yaml @@ -0,0 +1,243 @@ +{{- if .Values.enabled -}} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}} +{{- $initImageCfg := include "gitlab.configure.config" $.Values | fromYaml -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.deploymentAnnotations" . | nindent 4 }} +spec: + # Don't provide replicas when HPA are present + # replicas: {{ .Values.hpa.minReplicas }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .Values.deployment.strategy }} + strategy: {{ .Values.deployment.strategy | toYaml | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- if and (or .Values.metrics.enabled .Values.debug.prometheus.enabled) (not .Values.metrics.serviceMonitor.enabled) }} + {{- if .Values.debug.tls.enabled }} + gitlab.com/prometheus_scheme: "https" + prometheus.io/scheme: "https" + {{- end }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: {{ .Values.debug.addr.port | quote }} + gitlab.com/prometheus_path: {{ default .Values.metrics.path .Values.debug.prometheus.path | quote }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.debug.addr.port | quote }} + prometheus.io/path: {{ default .Values.metrics.path .Values.debug.prometheus.path | quote }} + {{- end }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- include "gitlab.podSecurityContext" .Values.securityContext | nindent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ default .Values.global.affinity.podAntiAffinity.topologyKey .Values.affinity.podAntiAffinity.topologyKey | quote }} + labelSelector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "registry.serviceAccount.name" $ }} + {{- end }} + automountServiceAccountToken: false + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + - name: configure + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + command: ["sh", "/config/configure"] + volumeMounts: + - name: registry-secrets + mountPath: /config + - name: registry-server-config + mountPath: /registry + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + {{- if .Values.database.enabled }} + - name: dependencies + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} + command: ["/scripts/wait-for-deps"] + volumeMounts: + - name: registry-server-config + mountPath: /etc/docker/registry/ + readOnly: true + resources: + {{- toYaml .Values.init.resources | nindent 12 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + {{- end }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} + containers: + - name: registry + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ include "gitlab.image.tagSuffix" . }}" + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} + volumeMounts: + - name: registry-server-config + mountPath: /etc/docker/registry/ + readOnly: true + {{- include "gitlab.certificates.volumeMount" . | nindent 10 }} + ports: + - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.tls.enabled | ternary "https" "http" }} + {{- with .Values.debug }} + - containerPort: {{ .addr.port }} + name: debug + {{- end }} + {{- if .Values.deployment.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.deployment.livenessProbe.path }} + port: {{ if .Values.deployment.livenessProbe.port }}{{ .Values.deployment.livenessProbe.port }}{{ else }}debug{{ end }} + scheme: {{ .Values.debug.tls.enabled | ternary "HTTPS" "HTTP" }} + initialDelaySeconds: {{ .Values.deployment.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.deployment.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.deployment.readinessProbe.path }} + port: {{ if .Values.deployment.readinessProbe.port }}{{ .Values.deployment.readinessProbe.port }}{{ else }}debug{{ end }} + scheme: {{ .Values.debug.tls.enabled | ternary "HTTPS" "HTTP" }} + initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.deployment.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.deployment.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + lifecycle: + preStop: + exec: + command: ["/bin/bash", "-c", "sleep 5"] + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + volumes: + - name: registry-server-config + emptyDir: + medium: "Memory" + - name: registry-secrets + projected: + sources: + - configMap: + name: {{ template "registry.fullname" . }} + - secret: + name: {{ template "gitlab.registry.certificate.secret" . }} + items: + - key: registry-auth.crt + path: certificate.crt + - secret: + name: {{ template "gitlab.registry.httpSecret.secret" . }} + items: + - key: {{ template "gitlab.registry.httpSecret.key" . }} + path: httpSecret + {{- if .Values.global.minio.enabled }} + - secret: + name: {{ template "gitlab.minio.credentials.secret" . }} + {{- end }} + {{- if .Values.storage.secret }} + - secret: + name: {{ .Values.storage.secret }} + items: + - key: {{ default "config" .Values.storage.key }} + path: storage/config + {{- if .Values.storage.extraKey }} + - key: {{ .Values.storage.extraKey }} + path: storage/{{ .Values.storage.extraKey }} + {{- end }} + {{- end }} + {{- if .Values.middleware.storage }} + {{- range $index, $v := .Values.middleware.storage }} + - secret: + name: {{ $v.options.privatekeySecret.secret }} + items: + - key: {{ $v.options.privatekeySecret.key }} + path: {{ printf "middleware.storage/%d/%s" $index $v.options.privatekeySecret.key }} + {{- end }} + {{- end }} + {{- if .Values.profiling.stackdriver.credentials.secret }} + - secret: + name: {{ .Values.profiling.stackdriver.credentials.secret }} + items: + - key: {{ template "gitlab.registry.profiling.stackdriver.credentials.key" . }} + path: profiling-key.json + {{- end }} + {{- include "registry.notifications.secrets" $ | nindent 10 }} + {{- if .Values.database.enabled -}} + {{- include "gitlab.registry.database.password.projectedVolume" . | nindent 10 }} + {{- include "gitlab.registry.psql.ssl" . | nindent 10 }} + {{- end }} + {{- if .Values.tls.enabled }} + # TLS secret for HTTPS service + - secret: + name: {{ include "gitlab.registry.tls.secret" $ }} + items: + - key: tls.crt + path: tls/tls.crt + - key: tls.key + path: tls/tls.key + {{- end }} + {{- if and .Values.debug.tls.enabled .Values.debug.tls.secretName }} + # TLS secret for metrics/debug HTTPS service + - secret: + name: {{ .Values.debug.tls.secretName }} + items: + - key: tls.crt + path: tls/tls-debug.crt + - key: tls.key + path: tls/tls-debug.key + {{- end }} + {{- include "gitlab.registry.redisCacheSecret.mount" $ | nindent 10 }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/hpa.yaml new file mode 100644 index 0000000..6b7a861 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/hpa.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.enabled (not (default $.Values.global.keda.enabled .Values.keda.enabled)) -}} +{{- $hpaCfg := (dict "global" $.Values.global.hpa "local" .Values.hpa "context" $) -}} +--- +apiVersion: {{ template "gitlab.hpa.apiVersion" $hpaCfg }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "registry.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- include "gitlab.hpa.metrics" $hpaCfg | nindent 2 }} + {{- include "gitlab.hpa.behavior" $hpaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/ingress.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/ingress.yaml new file mode 100644 index 0000000..c761df6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/ingress.yaml @@ -0,0 +1,66 @@ +{{- if .Values.enabled -}} +{{- if eq (include "gitlab.ingress.enabled" $) "true" -}} +{{- $hostname := include "registry.hostname" . -}} +{{- $tlsSecret := include "registry.tlsSecret" . -}} +{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} + +apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} +kind: Ingress +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{ include "ingress.class.annotation" $ingressCfg }} + kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" + {{- if eq "nginx" .Values.global.ingress.provider }} + nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | quote }} + nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.ingress.proxyReadTimeout | quote }} + nginx.ingress.kubernetes.io/proxy-request-buffering: {{ .Values.ingress.proxyBuffering | quote }} + nginx.ingress.kubernetes.io/proxy-buffering: {{ .Values.ingress.proxyBuffering | quote }} + {{- if .Values.tls.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: https + {{- if .Values.tls.verify }} + nginx.ingress.kubernetes.io/proxy-ssl-verify: "on" + nginx.ingress.kubernetes.io/proxy-ssl-name: {{ template "registry.fullname" . }}.{{ $.Release.Namespace }}.svc + {{- if .Values.tls.caSecretName }} + nginx.ingress.kubernetes.io/proxy-ssl-secret: {{ $.Release.Namespace}}/{{ .Values.tls.caSecretName }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- include "gitlab.certmanager_annotations" . | nindent 4 }} + {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{ include "ingress.class.field" $ingressCfg }} + rules: + - host: {{ $hostname }} + http: + paths: + - path: {{ coalesce $.Values.ingress.path $.Values.global.ingress.path }} + {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} + pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} + backend: + service: + name: {{ template "registry.fullname" . }} + port: + number: {{ .Values.service.externalPort }} + {{- else -}} + backend: + serviceName: {{ template "registry.fullname" . }} + servicePort: {{ .Values.service.externalPort }} + {{- end -}} + {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }} + tls: + - hosts: + - {{ $hostname }} + secretName: {{ $tlsSecret }} + {{- else }} + tls: [] + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/keda.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/keda.yaml new file mode 100644 index 0000000..9f22b07 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/keda.yaml @@ -0,0 +1,19 @@ +{{- $kedaCfg := (dict "global" .Values.global "hpa" .Values.hpa "keda" .Values.keda "resources" .Values.resources) -}} +{{- $kedaEnabled := include "gitlab.keda.scaledobject.enabled" $kedaCfg -}} +{{- if and .Values.enabled $kedaEnabled -}} +--- +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "registry.fullname" . }} + {{- include "gitlab.keda.scaledobject.spec" $kedaCfg | nindent 2 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/migrations-job.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/migrations-job.yaml new file mode 100644 index 0000000..2cd25ac --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/migrations-job.yaml @@ -0,0 +1,92 @@ +{{- if and .Values.enabled .Values.database.enabled .Values.database.migrations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "registry.migrations.jobname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + activeDeadlineSeconds: {{ .Values.database.migrations.activeDeadlineSeconds }} + backoffLimit: {{ .Values.database.migrations.backoffLimit }} + template: + metadata: + {{- if .Values.annotations }} + annotations: + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} + {{- include "gitlab.priorityClassName" . | nindent 6 }} + initContainers: + {{- include "gitlab.extraInitContainers" . | nindent 6 }} + {{- include "gitlab.certificates.initContainer" . | nindent 6 }} + - name: configure + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} + imagePullPolicy: {{ .Values.init.image.pullPolicy }} + command: ['sh', '/config/configure'] + volumeMounts: + - name: registry-secrets + mountPath: /config + - name: registry-server-config + mountPath: /registry + resources: + {{- toYaml .Values.init.resources | nindent 10 }} + env: + {{- include "gitlab.extraEnv" . | nindent 8 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 8 }} + restartPolicy: OnFailure + {{- include "gitlab.image.pullSecrets" (dict "global" .Values.global.image "local" .Values.image) | indent 6 }} + containers: + {{- include "gitlab.extraContainers" . | nindent 6 }} + - name: migrations + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ include "gitlab.image.tagSuffix" . }}" + imagePullPolicy: {{ default "" .Values.image.pullPolicy | quote }} + args: + - /scripts/wait-for-deps + - /scripts/db-migrate + volumeMounts: + - name: registry-server-config + mountPath: /etc/docker/registry/ + readOnly: true + {{- include "gitlab.certificates.volumeMount" . | nindent 10 }} + resources: + {{- toYaml .Values.resources | nindent 10 }} + env: + - name: BYPASS_SCHEMA_VERSION + value: 'true' + {{- include "gitlab.extraEnv" . | nindent 8 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 8 }} + volumes: + - name: registry-server-config + emptyDir: + medium: "Memory" + - name: registry-secrets + projected: + sources: + - configMap: + name: {{ template "registry.fullname" . }} + items: + - key: configure + path: configure + - key: migrations-config.yml + path: config.yml + {{- include "gitlab.registry.database.password.projectedVolume" . | nindent 10 }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/networkpolicy.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/networkpolicy.yaml new file mode 100644 index 0000000..ea23a97 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/networkpolicy.yaml @@ -0,0 +1,34 @@ +{{- if .Values.enabled -}} +{{- if .Values.networkpolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "registry.fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + {{- toYaml .Values.networkpolicy.annotations | nindent 4 }} +spec: + podSelector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + policyTypes: + {{- if .Values.networkpolicy.egress.enabled }} + - Egress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + - Ingress + {{- end }} + {{- if .Values.networkpolicy.ingress.enabled }} + ingress: + {{- toYaml .Values.networkpolicy.ingress.rules | nindent 4 }} + {{- end -}} + {{- if .Values.networkpolicy.egress.enabled }} + egress: + {{- toYaml .Values.networkpolicy.egress.rules | nindent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/pdb.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/pdb.yaml new file mode 100644 index 0000000..917d942 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/pdb.yaml @@ -0,0 +1,17 @@ +{{- if .Values.enabled -}} +{{- $pdbCfg := (dict "global" $.Values.global.pdb "local" .Values.pdb "context" $) -}} +apiVersion: {{ template "gitlab.pdb.apiVersion" $pdbCfg }} +kind: PodDisruptionBudget +metadata: + name: {{ template "registry.fullname" . }}-v1 + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/service.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/service.yaml new file mode 100644 index 0000000..c58f7b6 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/service.yaml @@ -0,0 +1,35 @@ +{{- if .Values.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} + annotations: + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} +{{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }} + clusterIP: {{ .Values.service.clusterIP }} +{{- end }} +{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.tls.enabled | ternary "https" "http" }} + protocol: TCP + name: {{ .Values.tls.enabled | ternary "https" "http" }}-{{ .Values.service.name }} + {{- if (or .Values.metrics.enabled .Values.debug.prometheus.enabled) }} + - port: {{ .Values.debug.addr.port }} + targetPort: debug + protocol: TCP + name: {{ .Values.debug.tls.enabled | ternary "https" "http" }}-metrics + {{- end }} + selector: + app: {{ template "name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/serviceaccount.yaml new file mode 100644 index 0000000..a229ff3 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- $enabled := or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled -}} +{{- $create := or .Values.serviceAccount.create .Values.global.serviceAccount.create -}} +{{- if and $enabled $create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "registry.serviceAccount.name" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with default .Values.serviceAccount.annotations .Values.global.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/templates/servicemonitor.yaml b/kubernetes/Charts/gitlab/charts/registry/templates/servicemonitor.yaml new file mode 100644 index 0000000..2051a5a --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/templates/servicemonitor.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.enabled (or .Values.metrics.enabled .Values.debug.prometheus.enabled) .Values.metrics.serviceMonitor.enabled -}} +{{- if eq (include "gitlab.monitoring.enabled" .) "true" -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "registry.fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + {{- with .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + matchNames: + - {{ $.Release.Namespace }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + endpoints: + - port: http-metrics + path: {{ default .Values.metrics.path .Values.debug.prometheus.path }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/registry/values.yaml b/kubernetes/Charts/gitlab/charts/registry/values.yaml new file mode 100644 index 0000000..e5f64eb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/registry/values.yaml @@ -0,0 +1,415 @@ +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry + tag: 'v3.86.1-gitlab' + # pullPolicy: IfNotPresent + # pullSecrets: [] + +deployment: + terminationGracePeriodSeconds: 30 + readinessProbe: + enabled: true + path: '/debug/health' + # defaults to the debug port + port: + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + livenessProbe: + enabled: true + path: '/debug/health' + # defaults to the debug port + port: + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + + # strategy is utilized to configure the desired upgrade approach and + # configuration for the deployment. See the Kubernetes documentation + # related to this subject. + # https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: {} + +podLabels: {} +common: + labels: {} + +serviceLabels: {} +service: + name: registry + type: ClusterIP + externalPort: 5000 + internalPort: 5000 + clusterIP: + loadBalancerIP: + +## Support for tolerations for pod scheduling +tolerations: [] + +# Priority class assigned to pods +priorityClassName: "" + +## Enable/Disable Chart +enabled: true + +## Registry Maintenance Settings +## See https://docs.docker.com/registry/configuration/#maintenance +maintenance: + readonly: + ## Enable read-only mode for Registry + enabled: false + uploadpurging: + enabled: true + age: 168h + interval: 24h + dryrun: false + +annotations: {} + +networkpolicy: + enabled: false + egress: + enabled: false + rules: [] + ingress: + enabled: false + rules: [] + annotations: {} + +ingress: + apiVersion: + enabled: + proxyReadTimeout: 900 + proxyBodySize: "0" + proxyBuffering: "off" + tls: {} + # secretName: + # enabled: true + annotations: {} + configureCertmanager: + path: # / + +global: + ingress: + enabled: + annotations: {} + tls: {} + # secretName: + # enabled: true + hosts: + domain: example.com + hostSuffix: + https: true + tls: {} + # secretName: + gitlab: {} + #name: gitlab.example.com + #https: false + registry: {} + #name: registry.example.com + #https: false + minio: {} + #name: minio.example.com + #https: false + minio: + enabled: + credentials: {} + registry: + certificate: {} + httpSecret: {} + psql: + ssl: {} + +## Control the InitContainer behaviors. +init: + image: {} + # repository: + # tag: + # pullPolicy: IfNotPresent + resources: + requests: + cpu: 50m + containerSecurityContext: {} + script: |- + if [ -e /config/accesskey ] ; then + sed -e 's@ACCESS_KEY@'"$(cat /config/accesskey)"'@' -e 's@SECRET_KEY@'"$(cat /config/secretkey)"'@' /config/config.yml > /registry/config.yml + else + cp -v -r -L /config/config.yml /registry/config.yml + fi + # Place the `http.secret` value from the kubernetes secret + sed -i -e 's@HTTP_SECRET@'"$(cat /config/httpSecret)"'@' /registry/config.yml + # Populate sensitive registry notification secrets in the config file + if [ -d /config/notifications ]; then + for i in /config/notifications/*; do + filename=$(basename $i); + sed -i -e 's@'"${filename}"'@'"$(cat $i)"'@' /registry/config.yml; + done + fi + # Insert any provided `storage` block from kubernetes secret + if [ -d /config/storage ]; then + # Copy contents of storage secret(s) + mkdir -p /registry/storage + cp -v -r -L /config/storage/* /registry/storage/ + # Ensure there is a new line in the end + echo '' >> /registry/storage/config + # Default `delete.enabled: true` if not present. + ## Note: busybox grep doesn't support multiline, so we chain `egrep`. + if ! $(egrep -A1 '^delete:\s*$' /registry/storage/config | egrep -q '\s{2,4}enabled:') ; then + echo 'delete:' >> /registry/storage/config + echo ' enabled: true' >> /registry/storage/config + fi + # Indent /registry/storage/config 2 spaces before inserting into config.yml + sed -i 's/^/ /' /registry/storage/config + # Insert into /registry/config.yml after `storage:` + sed -i '/^storage:/ r /registry/storage/config' /registry/config.yml + # Remove the now extraneous `config` file + rm /registry/storage/config + fi + # Copy any middleware.storage if present + if [ -d /config/middleware.storage ]; then + cp -v -r -L /config/middleware.storage /registry/middleware.storage + fi + # Set to known path, to used ConfigMap + cat /config/certificate.crt > /registry/certificate.crt + # Copy the optional profiling keyfile to the expected location + if [ -f /config/profiling-key.json ]; then + cp /config/profiling-key.json /registry/profiling-key.json + fi + # Insert Database password, if enabled + if [ -f /config/database_password ] ; then + sed -i -e 's@DB_PASSWORD_FILE@'"$(cat /config/database_password)"'@' /registry/config.yml + fi + # Insert Redis password, if enabled + if [ -f /config/registry/redis-password ] ; then + sed -i -e 's@REDIS_CACHE_PASSWORD@'"$(cat /config/registry/redis-password)"'@' /registry/config.yml + fi + # Copy the database TLS connection files to the expected location and set permissions + if [ -d /config/ssl ]; then + cp -r /config/ssl/ /registry/ssl + chmod 700 /registry/ssl + chmod 600 /registry/ssl/*.pem + fi + # Copy TLS certificates if present + if [ -d /config/tls ]; then + cp -r /config/tls/ /registry/tls + chmod 700 /registry/tls + chmod 600 /registry/tls/* + fi + +# define some sane resource requests and limitations +resources: + # limits: + # cpu: 200m + # memory: 1024Mi + requests: + cpu: 50m + memory: 32Mi + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +nodeSelector: {} + +affinity: + podAntiAffinity: + topologyKey: + +# Protocol/Host only. '/jwt/auth' will be appended. +authEndpoint: +# Do not change this +tokenService: 'container_registry' +# This must match your GitLab Rails configuration +# tokenIssuer: 'gitlab-issuer' + +# Must to be `false` to support Windows clients +# See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3964 +authAutoRedirect: false + +maxUnavailable: 1 + +# if minReplicas is >1, shared storage MUST be used. +hpa: + minReplicas: 2 + maxReplicas: 10 + cpu: + targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1 + targetAverageUtilization: 75 + # memory: + # targetType: Utilization # Utilization or AverageValue + # targetAverageValue: 1G + # targetAverageUtilization: 75 + # Note that the HPA is limited to autoscaling/v2beta1, autoscaling/v2beta2 and autoscaling/v2 + customMetrics: [] # Overrides HPA metrics definition + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + +keda: + enabled: false + ## See https://keda.sh/docs/2.10/concepts/scaling-deployments/#scaledobject-spec + pollingInterval: 30 + cooldownPeriod: 300 + # minReplicaCount: 2 + # maxReplicaCount: 10 + # fallback: {} + # failureThreshold: 3 + # replicas: 6 + # hpaName: keda-hpa-{scaled-object-name} + # restoreToOriginalReplicaCount: false + # behavior: {} + # triggers: [] + +storage: {} +# secret: +# redirect: +# disable: +# exceptions: [] +middleware: + # See https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#middleware + storage: [] + ## EXAMPLE ONLY + # - name: cloudfront + # options: + # baseurl: cdn.registry.example.com + # # `privatekey` is auto-populated with the content from the privatekey Secret. + # privatekeySecret: + # secret: cdn-private-key + # key: private.pem + # keypairid: YOURKEYPAIRIDFORPRIVATEKEY + +minio: + redirect: false + +# Enable the registry to accept windows based docker images +# See https://github.com/docker/distribution/issues/2795 +validation: + disabled: true + manifests: + referencelimit: 0 + payloadsizelimit: 0 + urls: + allow: [] + deny: [] + +# Configure the logging mechanism for the Container Registry as desired +# See https://docs.docker.com/registry/configuration/#log +log: + level: info + fields: + service: registry + +debug: + addr: + port: 5001 + tls: + enabled: false + secretName: # Kubernetes secret, type kubernetes.io/tls + clientCAs: [] + minimumTLS: "tls1.2" + # DEPRECATED in favor of `metrics` + prometheus: + enabled: false + path: + +# The debug.addr.port is used for metrics +metrics: + enabled: false + path: /metrics + serviceMonitor: + enabled: false + additionalLabels: {} + endpointConfig: {} + +# Amount of time to wait for HTTP connections to drain after +# receiving a SIGTERM signal +draintimeout: '0' + +# Enable the registry to return relative URLs in Location headers +relativeurls: false + +# https://docs.docker.com/registry/configuration/#health +health: + storagedriver: + enabled: false + interval: 10s + threshold: 3 + +## Allow to overwrite under which User and Group the Pod will be running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 + # fsGroupChangePolicy: OnRootMismatch + +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + +# Disable reporting by default +# https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#reporting +reporting: + sentry: + enabled: false + # dsn: + # environment: + +# Disable continuous profiling by default +# https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#profiling +# keyfile is provided via secrets, and serviceversion will be image.tag +profiling: + stackdriver: + enabled: false + credentials: {} + +serviceAccount: + create: false + +# Disable metadata database by default +# NOTE: The metadata database is a beta feature from version 16.4 and later. Please +# review the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/423459) +# and associated documentation before enabling this feature. +# https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#database +database: + enabled: false + user: registry + password: {} + # secret: RELEASE_NAME-registry-database-password + # key: password + name: registry + sslmode: disable + ssl: {} + migrations: + enabled: true + activeDeadlineSeconds: 3600 + backoffLimit: 6 + discovery: + enabled: false +# Redis cache to be used in conjunction with the metadata database. +# NOTE: This is an experimental feature and must not be used in production. +# https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#cache-1 +redis: + cache: + enabled: false + password: + enabled: false + +# The online garbage collector is only going to be enabled if the metadata +# database is enabled. In general, we don't want to default to disabled, since +# online garbage collection is designed to run continuously and should only be +# disabled for compelling debugging and troubleshooting reasons. +# https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#gc +gc: + disabled: false + +## Configure TLS on the instance itself +## WARNING: All clients must trust the certificate used for service. +tls: + enabled: false + secretName: # Kubernetes secret, type kubernetes.io/tls + clientCAs: [] + minimumTLS: "tls1.2" + # NGINX Ingress related + verify: true + caSecretName: # Kubernetes secret, type Opaque, with `ca.crt` key diff --git a/kubernetes/Charts/gitlab/charts/traefik/.helmignore b/kubernetes/Charts/gitlab/charts/traefik/.helmignore new file mode 100644 index 0000000..2bfa6a4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/.helmignore @@ -0,0 +1 @@ +tests/ diff --git a/kubernetes/Charts/gitlab/charts/traefik/Chart.yaml b/kubernetes/Charts/gitlab/charts/traefik/Chart.yaml new file mode 100644 index 0000000..a3e1a85 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 2.6.3 +description: A Traefik based Kubernetes ingress controller +home: https://traefik.io/ +icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png +keywords: +- traefik +- ingress +maintainers: +- email: emile@vauge.com + name: emilevauge +- email: daniel.tomcej@gmail.com + name: dtomcej +- email: ldez@traefik.io + name: ldez +name: traefik +sources: +- https://github.com/traefik/traefik +- https://github.com/traefik/traefik-helm-chart +type: application +version: 10.19.4 diff --git a/kubernetes/Charts/gitlab/charts/traefik/Guidelines.md b/kubernetes/Charts/gitlab/charts/traefik/Guidelines.md new file mode 100644 index 0000000..e59a517 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/Guidelines.md @@ -0,0 +1,93 @@ +# Traefik Helm Chart Guidelines + +This document outlines the guidelines for developing, managing and extending the Traefik helm chart. + +Optionallity +All non-critical features (Features not mandatory to starting Traefik) in the helm chart must be optional. All non-critical features should be disabled (commented out) in the values.yaml file. All optional non-critical features should be disabled (commented out) in the values.yaml file, and have a comment # (Optional) in the line above. This allows minimal configuration, and ease of extension. + +## Critical Feature Example + +```yaml +image: + name: traefik +``` + +This feature is critical, and therefore is defined clearly in the values.yaml file. + +## Non-Critical Feature Example + +```yaml +# storage: +# controlNode: +# type: emptyDir +``` + +This feature is non-critical, and therefore is commented out by default in the values.yaml file. + +To allow this, template blocks that use this need to recursively test for existence of values before using them: + +```yaml +{{- if .Values.storage}} + {{- if .Values.storage.controlNode }} + //code + {{ .Values.storage.controlNode.type }} + {{- end }} +{{- end }} +``` + +The non-critical feature defaults should be populated so that they can be enabled by simply uncommenting the section in the values.yaml file. + +## Optional Non-Critical Feature Example + +```yaml +# storage: +# controlNode: +# type: emptyDir +# # (Optional) +# # volume: 1Gi +``` + +The volume option is clearly optional, and non-critical. It is commented out (apart from the storage section comment block), and is also preceeded by a comment of # (Optional) in the preceeding line. This facilitates configuration, when the storage section is uncommented, the optional features are still disabled by default. + +Similar to non-critical feaures, these options need to be tested for existance before use in the template. + +Note +There can be optional values in critical features. These should just be added as an uncommented non-critical feature: + +```yaml +image: + name: traefik + tag: 2.0.0 + # (Optional) + # pullPolicy: IfNotPresent +``` + +Also, the first value under the primary value key does not require an optional comment: + +```yaml +# ports: +# http: 80 +# # (Optional) +# # https: 443 +``` + +This is because if the main subkey is not defined, the entirety of the feature is optional. + +## Whitespace + +Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace: + +```yaml +{{- if .Values }} +{{- end }} +``` + +There should be an empty commented line between each primary key in the values.yaml file to separate features from each other. + +## Values YAML Design + +The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names to not have to correspond to fields in the tempate if it is not condusive. + +## Comments + +The values.yaml file should not contain comments or explainations of what options are, or what values are available. The values table in the README file is for this purpose. diff --git a/kubernetes/Charts/gitlab/charts/traefik/LICENSE b/kubernetes/Charts/gitlab/charts/traefik/LICENSE new file mode 100644 index 0000000..907ff83 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/LICENSE @@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2020 Containous + Copyright 2020 Traefik Labs + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/kubernetes/Charts/gitlab/charts/traefik/README.md b/kubernetes/Charts/gitlab/charts/traefik/README.md new file mode 100644 index 0000000..ade8c5f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/README.md @@ -0,0 +1,93 @@ +# Traefik + +[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy +microservices with ease. + +## Introduction + +This chart bootstraps Traefik version 2 as a Kubernetes ingress controller, +using Custom Resources `IngressRoute`: . + +### Philosophy + +The Traefik HelmChart is focused on Traefik deployment configuration. + +To keep this HelmChart as generic as possible we tend +to avoid integrating any third party solutions nor any specific use cases. + +Accordingly, the encouraged approach to fulfill your needs: +1. override the default Traefik configuration values ([yaml file or cli](https://helm.sh/docs/chart_template_guide/values_files/)) +2. append your own configurations (`kubectl apply -f myconf.yaml`) +3. extend this HelmChart ([as a Subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/)) + +## Installing + +### Prerequisites + +With the command `helm version`, make sure that you have: +- Helm v3 [installed](https://helm.sh/docs/using_helm/#installing-helm) + +Add Traefik's chart repository to Helm: + +```bash +helm repo add traefik https://helm.traefik.io/traefik +``` + +You can update the chart repository by running: + +```bash +helm repo update +``` + +### Kubernetes Version Support + +Due to changes in CRD version support, the following versions of the chart are usable and supported on the following kubernetes versions: + +| | Kubernetes v1.15 and below | Kubernetes v1.16-v1.21 | Kubernetes v1.22 and above | +|-------------------------|-----------------------------|------------------------|----------------------------| +| Chart v9.20.2 and below | [x] | [x] | | +| Chart 10.0.0 and above | | [x] | [x] | + +### Deploying Traefik + +```bash +helm install traefik traefik/traefik +``` + +#### Warning + +Helm v2 support was removed in the chart version 10.0.0. + +### Exposing the Traefik dashboard + +This HelmChart does not expose the Traefik dashboard by default, for security concerns. +Thus, there are multiple ways to expose the dashboard. +For instance, the dashboard access could be achieved through a port-forward : + +``` +kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 +``` + +Another way would be to apply your own configuration, for instance, +by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`): + +```yaml +# dashboard.yaml +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: dashboard +spec: + entryPoints: + - web + routes: + - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) + kind: Rule + services: + - name: api@internal + kind: TraefikService +``` + +## Contributing + +If you want to contribute to this chart, please read the [Contributing Guide](../CONTRIBUTING.md). diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/ingressroute.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/ingressroute.yaml new file mode 100644 index 0000000..0230fea --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/ingressroute.yaml @@ -0,0 +1,196 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutes.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRoute is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteSpec is a specification for a IngressRouteSpec + resource. + properties: + entryPoints: + items: + type: string + type: array + routes: + items: + description: Route contains the set of routes. + properties: + kind: + enum: + - Rule + type: string + match: + type: string + middlewares: + items: + description: MiddlewareRef is a ref to the Middleware resources. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + priority: + type: integer + services: + items: + description: Service defines an upstream to proxy traffic. + properties: + kind: + enum: + - Service + - TraefikService + type: string + name: + description: Name is a reference to a Kubernetes Service + object (for a load-balancer of servers), or to a TraefikService + object (service load-balancer, mirroring, etc). The + differentiation between the two is specified in the + Kind field. + type: string + namespace: + type: string + passHostHeader: + type: boolean + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding holds configuration for + the forward of the response. + properties: + flushInterval: + type: string + type: object + scheme: + type: string + serversTransport: + type: string + sticky: + description: Sticky holds the sticky configuration. + properties: + cookie: + description: Cookie holds the sticky configuration + based on cookie. + properties: + httpOnly: + type: boolean + name: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + strategy: + type: string + weight: + description: Weight should only be specified when Name + references a TraefikService object (and to be precise, + one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + required: + - kind + - match + type: object + type: array + tls: + description: "TLS contains the TLS certificates configuration of the + routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in + YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: + # block format" + properties: + certResolver: + type: string + domains: + items: + description: Domain holds a domain name with SANs. + properties: + main: + type: string + sans: + items: + type: string + type: array + type: object + type: array + options: + description: Options is a reference to a TLSOption, that specifies + the parameters of the TLS connection. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store is a reference to a TLSStore, that specifies + the parameters of the TLS store. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/ingressroutetcp.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/ingressroutetcp.yaml new file mode 100644 index 0000000..48a09eb --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/ingressroutetcp.yaml @@ -0,0 +1,158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressroutetcps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRouteTCP + listKind: IngressRouteTCPList + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteTCP is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec + resource. + properties: + entryPoints: + items: + type: string + type: array + routes: + items: + description: RouteTCP contains the set of routes. + properties: + match: + type: string + middlewares: + description: Middlewares contains references to MiddlewareTCP + resources. + items: + description: ObjectReference is a generic reference to a Traefik + resource. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + services: + items: + description: ServiceTCP defines an upstream to proxy traffic. + properties: + name: + type: string + namespace: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + proxyProtocol: + description: ProxyProtocol holds the ProxyProtocol configuration. + properties: + version: + type: integer + type: object + terminationDelay: + type: integer + weight: + type: integer + required: + - name + - port + type: object + type: array + required: + - match + type: object + type: array + tls: + description: "TLSTCP contains the TLS certificates configuration of + the routes. To enable Let's Encrypt, use an empty TLS struct, e.g. + in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName: + # block format" + properties: + certResolver: + type: string + domains: + items: + description: Domain holds a domain name with SANs. + properties: + main: + type: string + sans: + items: + type: string + type: array + type: object + type: array + options: + description: Options is a reference to a TLSOption, that specifies + the parameters of the TLS connection. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + passthrough: + type: boolean + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: Store is a reference to a TLSStore, that specifies + the parameters of the TLS store. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/ingressrouteudp.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/ingressrouteudp.yaml new file mode 100644 index 0000000..000e220 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/ingressrouteudp.yaml @@ -0,0 +1,82 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: ingressrouteudps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: IngressRouteUDP + listKind: IngressRouteUDPList + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteUDP is an Ingress CRD specification. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec + resource. + properties: + entryPoints: + items: + type: string + type: array + routes: + items: + description: RouteUDP contains the set of routes. + properties: + services: + items: + description: ServiceUDP defines an upstream to proxy traffic. + properties: + name: + type: string + namespace: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + weight: + type: integer + required: + - name + - port + type: object + type: array + type: object + type: array + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/middlewares.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/middlewares.yaml new file mode 100644 index 0000000..94807b2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/middlewares.yaml @@ -0,0 +1,570 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewares.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: Middleware + listKind: MiddlewareList + plural: middlewares + singular: middleware + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Middleware is a specification for a Middleware resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareSpec holds the Middleware configuration. + properties: + addPrefix: + description: AddPrefix holds the AddPrefix configuration. + properties: + prefix: + type: string + type: object + basicAuth: + description: BasicAuth holds the HTTP basic authentication configuration. + properties: + headerField: + type: string + realm: + type: string + removeHeader: + type: boolean + secret: + type: string + type: object + buffering: + description: Buffering holds the request/response buffering configuration. + properties: + maxRequestBodyBytes: + format: int64 + type: integer + maxResponseBodyBytes: + format: int64 + type: integer + memRequestBodyBytes: + format: int64 + type: integer + memResponseBodyBytes: + format: int64 + type: integer + retryExpression: + type: string + type: object + chain: + description: Chain holds a chain of middlewares. + properties: + middlewares: + items: + description: MiddlewareRef is a ref to the Middleware resources. + properties: + name: + type: string + namespace: + type: string + required: + - name + type: object + type: array + type: object + circuitBreaker: + description: CircuitBreaker holds the circuit breaker configuration. + properties: + expression: + type: string + type: object + compress: + description: Compress holds the compress configuration. + properties: + excludedContentTypes: + items: + type: string + type: array + minResponseBodyBytes: + type: integer + type: object + contentType: + description: ContentType middleware - or rather its unique `autoDetect` + option - specifies whether to let the `Content-Type` header, if + it has not been set by the backend, be automatically set to a value + derived from the contents of the response. As a proxy, the default + behavior should be to leave the header alone, regardless of what + the backend did with it. However, the historic default was to always + auto-detect and set the header if it was nil, and it is going to + be kept that way in order to support users currently relying on + it. This middleware exists to enable the correct behavior until + at least the default one can be changed in a future version. + properties: + autoDetect: + type: boolean + type: object + digestAuth: + description: DigestAuth holds the Digest HTTP authentication configuration. + properties: + headerField: + type: string + realm: + type: string + removeHeader: + type: boolean + secret: + type: string + type: object + errors: + description: ErrorPage holds the custom error page configuration. + properties: + query: + type: string + service: + description: Service defines an upstream to proxy traffic. + properties: + kind: + enum: + - Service + - TraefikService + type: string + name: + description: Name is a reference to a Kubernetes Service object + (for a load-balancer of servers), or to a TraefikService + object (service load-balancer, mirroring, etc). The differentiation + between the two is specified in the Kind field. + type: string + namespace: + type: string + passHostHeader: + type: boolean + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding holds configuration for the + forward of the response. + properties: + flushInterval: + type: string + type: object + scheme: + type: string + serversTransport: + type: string + sticky: + description: Sticky holds the sticky configuration. + properties: + cookie: + description: Cookie holds the sticky configuration based + on cookie. + properties: + httpOnly: + type: boolean + name: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + strategy: + type: string + weight: + description: Weight should only be specified when Name references + a TraefikService object (and to be precise, one that embeds + a Weighted Round Robin). + type: integer + required: + - name + type: object + status: + items: + type: string + type: array + type: object + forwardAuth: + description: ForwardAuth holds the http forward authentication configuration. + properties: + address: + type: string + authRequestHeaders: + items: + type: string + type: array + authResponseHeaders: + items: + type: string + type: array + authResponseHeadersRegex: + type: string + tls: + description: ClientTLS holds TLS specific configurations as client. + properties: + caOptional: + type: boolean + caSecret: + type: string + certSecret: + type: string + insecureSkipVerify: + type: boolean + type: object + trustForwardHeader: + type: boolean + type: object + headers: + description: Headers holds the custom header configuration. + properties: + accessControlAllowCredentials: + description: AccessControlAllowCredentials is only valid if true. + false is ignored. + type: boolean + accessControlAllowHeaders: + description: AccessControlAllowHeaders must be used in response + to a preflight request with Access-Control-Request-Headers set. + items: + type: string + type: array + accessControlAllowMethods: + description: AccessControlAllowMethods must be used in response + to a preflight request with Access-Control-Request-Method set. + items: + type: string + type: array + accessControlAllowOriginList: + description: AccessControlAllowOriginList is a list of allowable + origins. Can also be a wildcard origin "*". + items: + type: string + type: array + accessControlAllowOriginListRegex: + description: AccessControlAllowOriginListRegex is a list of allowable + origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). + items: + type: string + type: array + accessControlExposeHeaders: + description: AccessControlExposeHeaders sets valid headers for + the response. + items: + type: string + type: array + accessControlMaxAge: + description: AccessControlMaxAge sets the time that a preflight + request may be cached. + format: int64 + type: integer + addVaryHeader: + description: AddVaryHeader controls if the Vary header is automatically + added/updated when the AccessControlAllowOriginList is set. + type: boolean + allowedHosts: + items: + type: string + type: array + browserXssFilter: + type: boolean + contentSecurityPolicy: + type: string + contentTypeNosniff: + type: boolean + customBrowserXSSValue: + type: string + customFrameOptionsValue: + type: string + customRequestHeaders: + additionalProperties: + type: string + type: object + customResponseHeaders: + additionalProperties: + type: string + type: object + featurePolicy: + description: 'Deprecated: use PermissionsPolicy instead.' + type: string + forceSTSHeader: + type: boolean + frameDeny: + type: boolean + hostsProxyHeaders: + items: + type: string + type: array + isDevelopment: + type: boolean + permissionsPolicy: + type: string + publicKey: + type: string + referrerPolicy: + type: string + sslForceHost: + description: 'Deprecated: use RedirectRegex instead.' + type: boolean + sslHost: + description: 'Deprecated: use RedirectRegex instead.' + type: string + sslProxyHeaders: + additionalProperties: + type: string + type: object + sslRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + sslTemporaryRedirect: + description: 'Deprecated: use EntryPoint redirection or RedirectScheme + instead.' + type: boolean + stsIncludeSubdomains: + type: boolean + stsPreload: + type: boolean + stsSeconds: + format: int64 + type: integer + type: object + inFlightReq: + description: InFlightReq limits the number of requests being processed + and served concurrently. + properties: + amount: + format: int64 + type: integer + sourceCriterion: + description: SourceCriterion defines what criterion is used to + group requests as originating from a common source. If none + are set, the default is to use the request's remote address + field. All fields are mutually exclusive. + properties: + ipStrategy: + description: IPStrategy holds the ip strategy configuration. + properties: + depth: + type: integer + excludedIPs: + items: + type: string + type: array + type: object + requestHeaderName: + type: string + requestHost: + type: boolean + type: object + type: object + ipWhiteList: + description: IPWhiteList holds the ip white list configuration. + properties: + ipStrategy: + description: IPStrategy holds the ip strategy configuration. + properties: + depth: + type: integer + excludedIPs: + items: + type: string + type: array + type: object + sourceRange: + items: + type: string + type: array + type: object + passTLSClientCert: + description: PassTLSClientCert holds the TLS client cert headers configuration. + properties: + info: + description: TLSClientCertificateInfo holds the client TLS certificate + info configuration. + properties: + issuer: + description: TLSClientCertificateIssuerDNInfo holds the client + TLS certificate distinguished name info configuration. cf + https://tools.ietf.org/html/rfc3739 + properties: + commonName: + type: boolean + country: + type: boolean + domainComponent: + type: boolean + locality: + type: boolean + organization: + type: boolean + province: + type: boolean + serialNumber: + type: boolean + type: object + notAfter: + type: boolean + notBefore: + type: boolean + sans: + type: boolean + serialNumber: + type: boolean + subject: + description: TLSClientCertificateSubjectDNInfo holds the client + TLS certificate distinguished name info configuration. cf + https://tools.ietf.org/html/rfc3739 + properties: + commonName: + type: boolean + country: + type: boolean + domainComponent: + type: boolean + locality: + type: boolean + organization: + type: boolean + organizationalUnit: + type: boolean + province: + type: boolean + serialNumber: + type: boolean + type: object + type: object + pem: + type: boolean + type: object + plugin: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + type: object + rateLimit: + description: RateLimit holds the rate limiting configuration for a + given router. + properties: + average: + format: int64 + type: integer + burst: + format: int64 + type: integer + period: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + sourceCriterion: + description: SourceCriterion defines what criterion is used to + group requests as originating from a common source. If none + are set, the default is to use the request's remote address + field. All fields are mutually exclusive. + properties: + ipStrategy: + description: IPStrategy holds the ip strategy configuration. + properties: + depth: + type: integer + excludedIPs: + items: + type: string + type: array + type: object + requestHeaderName: + type: string + requestHost: + type: boolean + type: object + type: object + redirectRegex: + description: RedirectRegex holds the redirection configuration. + properties: + permanent: + type: boolean + regex: + type: string + replacement: + type: string + type: object + redirectScheme: + description: RedirectScheme holds the scheme redirection configuration. + properties: + permanent: + type: boolean + port: + type: string + scheme: + type: string + type: object + replacePath: + description: ReplacePath holds the ReplacePath configuration. + properties: + path: + type: string + type: object + replacePathRegex: + description: ReplacePathRegex holds the ReplacePathRegex configuration. + properties: + regex: + type: string + replacement: + type: string + type: object + retry: + description: Retry holds the retry configuration. + properties: + attempts: + type: integer + initialInterval: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + stripPrefix: + description: StripPrefix holds the StripPrefix configuration. + properties: + forceSlash: + type: boolean + prefixes: + items: + type: string + type: array + type: object + stripPrefixRegex: + description: StripPrefixRegex holds the StripPrefixRegex configuration. + properties: + regex: + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/middlewarestcp.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/middlewarestcp.yaml new file mode 100644 index 0000000..6a8fda7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/middlewarestcp.yaml @@ -0,0 +1,64 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: middlewaretcps.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: MiddlewareTCP + listKind: MiddlewareTCPList + plural: middlewaretcps + singular: middlewaretcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MiddlewareTCP is a specification for a MiddlewareTCP resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MiddlewareTCPSpec holds the MiddlewareTCP configuration. + properties: + inFlightConn: + description: TCPInFlightConn holds the TCP in flight connection configuration. + properties: + amount: + format: int64 + type: integer + type: object + ipWhiteList: + description: TCPIPWhiteList holds the TCP ip white list configuration. + properties: + sourceRange: + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/serverstransports.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/serverstransports.yaml new file mode 100644 index 0000000..c62ccdc --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/serverstransports.yaml @@ -0,0 +1,120 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: serverstransports.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: ServersTransport + listKind: ServersTransportList + plural: serverstransports + singular: serverstransport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ServersTransport is a specification for a ServersTransport resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServersTransportSpec options to configure communication between + Traefik and the servers. + properties: + certificatesSecrets: + description: Certificates for mTLS. + items: + type: string + type: array + disableHTTP2: + description: Disable HTTP/2 for connections with backend servers. + type: boolean + forwardingTimeouts: + description: Timeouts for requests forwarded to the backend servers. + properties: + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a + connection to a backend server can be established. If zero, + no timeout exists. + x-kubernetes-int-or-string: true + idleConnTimeout: + anyOf: + - type: integer + - type: string + description: IdleConnTimeout is the maximum period for which an + idle HTTP keep-alive connection will remain open before closing + itself. + x-kubernetes-int-or-string: true + pingTimeout: + anyOf: + - type: integer + - type: string + description: PingTimeout is the timeout after which the HTTP/2 + connection will be closed if a response to ping is not received. + x-kubernetes-int-or-string: true + readIdleTimeout: + anyOf: + - type: integer + - type: string + description: ReadIdleTimeout is the timeout after which a health + check using ping frame will be carried out if no frame is received + on the HTTP/2 connection. If zero, no health check is performed. + x-kubernetes-int-or-string: true + responseHeaderTimeout: + anyOf: + - type: integer + - type: string + description: ResponseHeaderTimeout is the amount of time to wait + for a server's response headers after fully writing the request + (including its body, if any). If zero, no timeout exists. + x-kubernetes-int-or-string: true + type: object + insecureSkipVerify: + description: Disable SSL certificate verification. + type: boolean + maxIdleConnsPerHost: + description: If non-zero, controls the maximum idle (keep-alive) to + keep per-host. If zero, DefaultMaxIdleConnsPerHost is used. + type: integer + peerCertURI: + description: URI used to match against SAN URI during the peer certificate + verification. + type: string + rootCAsSecrets: + description: Add cert file for self-signed certificate. + items: + type: string + type: array + serverName: + description: ServerName used to contact the server. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/tlsoptions.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/tlsoptions.yaml new file mode 100644 index 0000000..61e9235 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/tlsoptions.yaml @@ -0,0 +1,90 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsoptions.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TLSOption + listKind: TLSOptionList + plural: tlsoptions + singular: tlsoption + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: TLSOption is a specification for a TLSOption resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSOptionSpec configures TLS for an entry point. + properties: + alpnProtocols: + items: + type: string + type: array + cipherSuites: + items: + type: string + type: array + clientAuth: + description: ClientAuth defines the parameters of the client authentication + part of the TLS connection, if any. + properties: + clientAuthType: + description: ClientAuthType defines the client authentication + type to apply. + enum: + - NoClientCert + - RequestClientCert + - RequireAnyClientCert + - VerifyClientCertIfGiven + - RequireAndVerifyClientCert + type: string + secretNames: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + items: + type: string + type: array + type: object + curvePreferences: + items: + type: string + type: array + maxVersion: + type: string + minVersion: + type: string + preferServerCipherSuites: + type: boolean + sniStrict: + type: boolean + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/tlsstores.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/tlsstores.yaml new file mode 100644 index 0000000..b484268 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/tlsstores.yaml @@ -0,0 +1,62 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: tlsstores.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TLSStore + listKind: TLSStoreList + plural: tlsstores + singular: tlsstore + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: TLSStore is a specification for a TLSStore resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TLSStoreSpec configures a TLSStore resource. + properties: + defaultCertificate: + description: DefaultCertificate holds a secret name for the TLSOption + resource. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + required: + - defaultCertificate + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/crds/traefikservices.yaml b/kubernetes/Charts/gitlab/charts/traefik/crds/traefikservices.yaml new file mode 100644 index 0000000..969a01c --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/crds/traefikservices.yaml @@ -0,0 +1,268 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.2 + creationTimestamp: null + name: traefikservices.traefik.containo.us +spec: + group: traefik.containo.us + names: + kind: TraefikService + listKind: TraefikServiceList + plural: traefikservices + singular: traefikservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: TraefikService is the specification for a service (that an IngressRoute + refers to) that is usually not a terminal service (i.e. not a pod of servers), + as opposed to a Kubernetes Service. That is to say, it usually refers to + other (children) services, which themselves can be TraefikServices or Services. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSpec defines whether a TraefikService is a load-balancer + of services or a mirroring service. + properties: + mirroring: + description: Mirroring defines a mirroring service, which is composed + of a main load-balancer, and a list of mirrors. + properties: + kind: + enum: + - Service + - TraefikService + type: string + maxBodySize: + format: int64 + type: integer + mirrors: + items: + description: MirrorService defines one of the mirrors of a Mirroring + service. + properties: + kind: + enum: + - Service + - TraefikService + type: string + name: + description: Name is a reference to a Kubernetes Service + object (for a load-balancer of servers), or to a TraefikService + object (service load-balancer, mirroring, etc). The differentiation + between the two is specified in the Kind field. + type: string + namespace: + type: string + passHostHeader: + type: boolean + percent: + type: integer + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding holds configuration for + the forward of the response. + properties: + flushInterval: + type: string + type: object + scheme: + type: string + serversTransport: + type: string + sticky: + description: Sticky holds the sticky configuration. + properties: + cookie: + description: Cookie holds the sticky configuration based + on cookie. + properties: + httpOnly: + type: boolean + name: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + strategy: + type: string + weight: + description: Weight should only be specified when Name references + a TraefikService object (and to be precise, one that embeds + a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + name: + description: Name is a reference to a Kubernetes Service object + (for a load-balancer of servers), or to a TraefikService object + (service load-balancer, mirroring, etc). The differentiation + between the two is specified in the Kind field. + type: string + namespace: + type: string + passHostHeader: + type: boolean + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding holds configuration for the forward + of the response. + properties: + flushInterval: + type: string + type: object + scheme: + type: string + serversTransport: + type: string + sticky: + description: Sticky holds the sticky configuration. + properties: + cookie: + description: Cookie holds the sticky configuration based on + cookie. + properties: + httpOnly: + type: boolean + name: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + strategy: + type: string + weight: + description: Weight should only be specified when Name references + a TraefikService object (and to be precise, one that embeds + a Weighted Round Robin). + type: integer + required: + - name + type: object + weighted: + description: WeightedRoundRobin defines a load-balancer of services. + properties: + services: + items: + description: Service defines an upstream to proxy traffic. + properties: + kind: + enum: + - Service + - TraefikService + type: string + name: + description: Name is a reference to a Kubernetes Service + object (for a load-balancer of servers), or to a TraefikService + object (service load-balancer, mirroring, etc). The differentiation + between the two is specified in the Kind field. + type: string + namespace: + type: string + passHostHeader: + type: boolean + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding holds configuration for + the forward of the response. + properties: + flushInterval: + type: string + type: object + scheme: + type: string + serversTransport: + type: string + sticky: + description: Sticky holds the sticky configuration. + properties: + cookie: + description: Cookie holds the sticky configuration based + on cookie. + properties: + httpOnly: + type: boolean + name: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + strategy: + type: string + weight: + description: Weight should only be specified when Name references + a TraefikService object (and to be precise, one that embeds + a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + sticky: + description: Sticky holds the sticky configuration. + properties: + cookie: + description: Cookie holds the sticky configuration based on + cookie. + properties: + httpOnly: + type: boolean + name: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/_helpers.tpl b/kubernetes/Charts/gitlab/charts/traefik/templates/_helpers.tpl new file mode 100644 index 0000000..f7b055f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "traefik.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "traefik.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "traefik.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +The name of the service account to use +*/}} +{{- define "traefik.serviceAccountName" -}} +{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}} +{{- end -}} + +{{/* +Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice. +By convention this will simply use the / to match the name of the +service generated. +Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride` +*/}} +{{- define "providers.kubernetesIngress.publishedServicePath" -}} +{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}} +{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct a comma-separated list of whitelisted namespaces +*/}} +{{- define "providers.kubernetesIngress.namespaces" -}} +{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- end -}} +{{- define "providers.kubernetesCRD.namespaces" -}} +{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/_podtemplate.tpl b/kubernetes/Charts/gitlab/charts/traefik/templates/_podtemplate.tpl new file mode 100644 index 0000000..66c82a2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/_podtemplate.tpl @@ -0,0 +1,340 @@ +{{- define "traefik.podTemplate" }} + metadata: + annotations: + {{- with .Values.deployment.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.metrics }} + {{- if .Values.metrics.prometheus }} + prometheus.io/scrape: "true" + prometheus.io/path: "/metrics" + prometheus.io/port: {{ quote (index .Values.ports .Values.metrics.prometheus.entryPoint).port }} + {{- end }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.deployment.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.deployment.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "traefik.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ default 60 .Values.deployment.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.hostNetwork }} + {{- with .Values.deployment.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.deployment.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- if .Values.deployment.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: "{{ .Values.image.name }}:{{ default .Chart.AppVersion .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ template "traefik.fullname" . }} + resources: + {{- with .Values.resources }} + {{- toYaml . | nindent 10 }} + {{- end }} + readinessProbe: + httpGet: + path: /ping + port: {{ default .Values.ports.traefik.port .Values.ports.traefik.healthchecksPort }} + {{- toYaml .Values.readinessProbe | nindent 10 }} + livenessProbe: + httpGet: + path: /ping + port: {{ default .Values.ports.traefik.port .Values.ports.traefik.healthchecksPort }} + {{- toYaml .Values.livenessProbe | nindent 10 }} + ports: + {{- range $name, $config := .Values.ports }} + {{- if $config }} + - name: {{ $name | quote }} + containerPort: {{ $config.port }} + {{- if $config.hostPort }} + hostPort: {{ $config.hostPort }} + {{- end }} + {{- if $config.hostIP }} + hostIP: {{ $config.hostIP }} + {{- end }} + protocol: {{ default "TCP" $config.protocol | quote }} + {{- end }} + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: {{ .Values.persistence.name }} + mountPath: {{ .Values.persistence.path }} + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: tmp + mountPath: /tmp + {{- $root := . }} + {{- range .Values.volumes }} + - name: {{ tpl (.name) $root }} + mountPath: {{ .mountPath }} + readOnly: true + {{- end }} + {{- if .Values.experimental.plugins.enabled }} + - name: plugins + mountPath: "/plugins-storage" + {{- end }} + {{- if .Values.additionalVolumeMounts }} + {{- toYaml .Values.additionalVolumeMounts | nindent 10 }} + {{- end }} + args: + {{- with .Values.globalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- range $name, $config := .Values.ports }} + {{- if $config }} + - "--entrypoints.{{$name}}.address=:{{ $config.port }}/{{ default "tcp" $config.protocol | lower }}" + {{- end }} + {{- end }} + - "--api.dashboard=true" + - "--ping=true" + {{- if .Values.metrics }} + {{- if .Values.metrics.datadog }} + - "--metrics.datadog=true" + - "--metrics.datadog.address={{ .Values.metrics.datadog.address }}" + {{- end }} + {{- if .Values.metrics.influxdb }} + - "--metrics.influxdb=true" + - "--metrics.influxdb.address={{ .Values.metrics.influxdb.address }}" + - "--metrics.influxdb.protocol={{ .Values.metrics.influxdb.protocol }}" + {{- end }} + {{- if .Values.metrics.prometheus }} + - "--metrics.prometheus=true" + - "--metrics.prometheus.entrypoint={{ .Values.metrics.prometheus.entryPoint }}" + {{- if .Values.metrics.prometheus.addRoutersLabels }} + - "--metrics.prometheus.addRoutersLabels=true" + {{- end }} + {{- end }} + {{- if .Values.metrics.statsd }} + - "--metrics.statsd=true" + - "--metrics.statsd.address={{ .Values.metrics.statsd.address }}" + {{- end }} + {{- end }} + {{- if .Values.tracing }} + {{- if .Values.tracing.instana }} + - "--tracing.instana=true" + {{- end }} + {{- if .Values.tracing.datadog }} + - "--tracing.datadog=true" + {{- if .Values.tracing.datadog.localAgentHostPort }} + - "--tracing.datadog.localAgentHostPort={{ .Values.tracing.datadog.localAgentHostPort }}" + {{- end }} + {{- if .Values.tracing.datadog.debug }} + - "--tracing.datadog.debug=true" + {{- end }} + {{- if .Values.tracing.datadog.globalTag }} + - "--tracing.datadog.globalTag={{ .Values.tracing.datadog.globalTag }}" + {{- end }} + {{- if .Values.tracing.datadog.prioritySampling }} + - "--tracing.datadog.prioritySampling=true" + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.providers.kubernetesCRD.enabled }} + - "--providers.kubernetescrd" + {{- if .Values.providers.kubernetesCRD.labelSelector }} + - "--providers.kubernetescrd.labelSelector={{ .Values.providers.kubernetesCRD.labelSelector }}" + {{- end }} + {{- if .Values.providers.kubernetesCRD.ingressClass }} + - "--providers.kubernetescrd.ingressClass={{ .Values.providers.kubernetesCRD.ingressClass }}" + {{- end }} + {{- if .Values.providers.kubernetesCRD.allowCrossNamespace }} + - "--providers.kubernetescrd.allowCrossNamespace=true" + {{- end }} + {{- if .Values.providers.kubernetesCRD.allowExternalNameServices }} + - "--providers.kubernetescrd.allowExternalNameServices=true" + {{- end }} + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress" + {{- if .Values.providers.kubernetesIngress.allowExternalNameServices }} + - "--providers.kubernetesingress.allowExternalNameServices=true" + {{- end }} + {{- if .Values.providers.kubernetesIngress.allowEmptyServices }} + - "--providers.kubernetesingress.allowEmptyServices=true" + {{- end }} + {{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }} + - "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.labelSelector }} + - "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.ingressClass }} + - "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}" + {{- end }} + {{- end }} + {{- if .Values.experimental.kubernetesGateway.enabled }} + - "--providers.kubernetesgateway" + - "--experimental.kubernetesgateway" + {{- end }} + {{- if .Values.experimental.http3.enabled }} + - "--experimental.http3=true" + {{- end }} + {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} + {{- if .Values.providers.kubernetesCRD.enabled }} + - "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" . }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" . }}" + {{- end }} + {{- end }} + {{- range $entrypoint, $config := $.Values.ports }} + {{- if $config.redirectTo }} + {{- $toPort := index $.Values.ports $config.redirectTo }} + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}" + - "--entrypoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https" + {{- end }} + {{- if $config.tls }} + {{- if $config.tls.enabled }} + - "--entrypoints.{{ $entrypoint }}.http.tls=true" + {{- if $config.tls.options }} + - "--entrypoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}" + {{- end }} + {{- if $config.tls.certResolver }} + - "--entrypoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}" + {{- end }} + {{- if $config.tls.domains }} + {{- range $index, $domain := $config.tls.domains }} + {{- if $domain.main }} + - "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}" + {{- end }} + {{- if $domain.sans }} + - "--entrypoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}" + {{- end }} + {{- end }} + {{- end }} + {{- if $config.http3 }} + {{- if semverCompare ">=2.6.0" (default $.Chart.AppVersion $.Values.image.tag)}} + - "--entrypoints.{{ $entrypoint }}.http3.advertisedPort={{ default $config.port $config.exposedPort }}" + {{- else }} + - "--entrypoints.{{ $entrypoint }}.enableHTTP3=true" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.logs }} + {{- if .general.format }} + - "--log.format={{ .general.format }}" + {{- end }} + {{- if ne .general.level "ERROR" }} + - "--log.level={{ .general.level | upper }}" + {{- end }} + {{- if .access.enabled }} + - "--accesslog=true" + {{- if .access.format }} + - "--accesslog.format={{ .access.format }}" + {{- end }} + {{- if .access.bufferingsize }} + - "--accesslog.bufferingsize={{ .access.bufferingsize }}" + {{- end }} + {{- if .access.filters }} + {{- if .access.filters.statuscodes }} + - "--accesslog.filters.statuscodes={{ .access.filters.statuscodes }}" + {{- end }} + {{- if .access.filters.retryattempts }} + - "--accesslog.filters.retryattempts" + {{- end }} + {{- if .access.filters.minduration }} + - "--accesslog.filters.minduration={{ .access.filters.minduration }}" + {{- end }} + {{- end }} + - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.general.names }} + - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.headers.names }} + - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.pilot.enabled }} + - "--pilot.token={{ .Values.pilot.token }}" + {{- end }} + {{- if hasKey .Values.pilot "dashboard" }} + - "--pilot.dashboard={{ .Values.pilot.dashboard }}" + {{- end }} + {{- with .Values.additionalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.env }} + env: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.envFrom }} + envFrom: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.deployment.additionalContainers }} + {{- toYaml .Values.deployment.additionalContainers | nindent 6 }} + {{- end }} + volumes: + - name: {{ .Values.persistence.name }} + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }} + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + emptyDir: {} + {{- $root := . }} + {{- range .Values.volumes }} + - name: {{ tpl (.name) $root }} + {{- if eq .type "secret" }} + secret: + secretName: {{ tpl (.name) $root }} + {{- else if eq .type "configMap" }} + configMap: + name: {{ tpl (.name) $root }} + {{- end }} + {{- end }} + {{- if .Values.deployment.additionalVolumes }} + {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }} + {{- end }} + {{- if .Values.experimental.plugins.enabled }} + - name: plugins + emptyDir: {} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} +{{ end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/daemonset.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/daemonset.yaml new file mode 100644 index 0000000..35ffc0b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/daemonset.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} + {{- fail "\n\n ERROR: latest tag should not be used" }} + {{- end }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: {{ .Values.rollingUpdate.maxUnavailable }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + template: {{ template "traefik.podTemplate" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/dashboard-hook-ingressroute.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/dashboard-hook-ingressroute.yaml new file mode 100644 index 0000000..ec278c2 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/dashboard-hook-ingressroute.yaml @@ -0,0 +1,28 @@ +{{- if .Values.ingressRoute.dashboard.enabled -}} +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: {{ template "traefik.fullname" . }}-dashboard + annotations: + helm.sh/hook: "post-install,post-upgrade" + {{- with .Values.ingressRoute.dashboard.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.ingressRoute.dashboard.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/deployment.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/deployment.yaml new file mode 100644 index 0000000..e9ea7ad --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/deployment.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}} + {{- if gt (int .Values.deployment.replicas) 1 -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "You can not enable acme if you set more than one traefik replica") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} + {{- fail "\n\n ERROR: latest tag should not be used" }} + {{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.deployment.replicas }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + strategy: + type: RollingUpdate + rollingUpdate: + {{- with .Values.rollingUpdate }} + {{- toYaml . | nindent 6 }} + {{- end }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + template: {{ template "traefik.podTemplate" . }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/gateway.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/gateway.yaml new file mode 100644 index 0000000..bf9c2ef --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/gateway.yaml @@ -0,0 +1,25 @@ +{{- if .Values.experimental.kubernetesGateway.enabled }} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: Gateway +metadata: + name: traefik-gateway + namespace: {{ default .Release.Namespace .Values.experimental.kubernetesGateway.namespace }} +spec: + gatewayClassName: traefik + listeners: + - name: web + port: {{ .Values.ports.web.port }} + protocol: HTTP + + {{- if .Values.experimental.kubernetesGateway.certificate }} + - name: websecure + port: {{ $.Values.ports.websecure.port }} + protocol: HTTPS + tls: + certificateRefs: + - name: {{ .Values.experimental.kubernetesGateway.certificate.name }} + group: {{ .Values.experimental.kubernetesGateway.certificate.group }} + kind: {{ .Values.experimental.kubernetesGateway.certificate.kind }} + {{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/gatewayclass.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/gatewayclass.yaml new file mode 100644 index 0000000..6f085d4 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/gatewayclass.yaml @@ -0,0 +1,9 @@ +{{- if .Values.experimental.kubernetesGateway.enabled }} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: traefik +spec: + controllerName: traefik.io/gateway-controller +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/hpa.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/hpa.yaml new file mode 100644 index 0000000..bf37117 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/hpa.yaml @@ -0,0 +1,20 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "traefik.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: +{{ toYaml .Values.autoscaling.metrics | indent 4 }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/ingressclass.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/ingressclass.yaml new file mode 100644 index 0000000..ec76692 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/ingressclass.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.ingressClass.enabled (semverCompare ">=2.3.0" (default .Chart.AppVersion .Values.image.tag)) -}} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass" }} +apiVersion: networking.k8s.io/v1beta1 + {{- else if or (eq .Values.ingressClass.fallbackApiVersion "v1beta1") (eq .Values.ingressClass.fallbackApiVersion "v1") }} +apiVersion: {{ printf "networking.k8s.io/%s" .Values.ingressClass.fallbackApiVersion }} + {{- else }} + {{- fail "\n\n ERROR: You must have at least networking.k8s.io/v1beta1 to use ingressClass" }} + {{- end }} +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: {{ template "traefik.fullname" . }} +spec: + controller: traefik.io/ingress-controller +{{- end }} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/poddisruptionbudget.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..ba560be --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget.enabled -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/pvc.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/pvc.yaml new file mode 100644 index 0000000..dff341d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/pvc.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "traefik.fullname" . }} + annotations: + {{- with .Values.persistence.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/clusterrole.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/clusterrole.yaml new file mode 100644 index 0000000..42bd50d --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/clusterrole.yaml @@ -0,0 +1,96 @@ +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + verbs: + - get + - list + - watch +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - policy + resourceNames: + - {{ template "traefik.fullname" . }} + resources: + - podsecuritypolicies + verbs: + - use +{{- end -}} +{{- if .Values.experimental.kubernetesGateway.enabled }} + - apiGroups: + - "" + resources: + - namespaces + verbs: + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - tlsroutes + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + verbs: + - update +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/clusterrolebinding.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/clusterrolebinding.yaml new file mode 100644 index 0000000..509e92f --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "traefik.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "traefik.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/podsecuritypolicy.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/podsecuritypolicy.yaml new file mode 100644 index 0000000..66bc145 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/podsecuritypolicy.yaml @@ -0,0 +1,68 @@ +{{- if .Values.podSecurityPolicy.enabled }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL +{{- if not .Values.securityContext.runAsNonRoot }} + allowedCapabilities: + - NET_BIND_SERVICE +{{- end }} + hostNetwork: {{ .Values.hostNetwork }} + hostIPC: false + hostPID: false + fsGroup: +{{- if .Values.securityContext.runAsNonRoot }} + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- else }} + rule: RunAsAny +{{- end }} +{{- if .Values.hostNetwork }} + hostPorts: + - max: 65535 + min: 1 +{{- end }} + readOnlyRootFilesystem: true + runAsUser: +{{- if .Values.securityContext.runAsNonRoot }} + rule: MustRunAsNonRoot +{{- else }} + rule: RunAsAny +{{- end }} + seLinux: + rule: RunAsAny + supplementalGroups: +{{- if .Values.securityContext.runAsNonRoot }} + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- else }} + rule: RunAsAny +{{- end }} + volumes: + - configMap + - downwardAPI + - secret + - emptyDir + - projected +{{- if .Values.persistence.enabled }} + - persistentVolumeClaim +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/role.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/role.yaml new file mode 100644 index 0000000..fe8d4b7 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/role.yaml @@ -0,0 +1,64 @@ +{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + verbs: + - get + - list + - watch +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resourceNames: + - {{ template "traefik.fullname" . }} + resources: + - podsecuritypolicies + verbs: + - use +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/rolebinding.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/rolebinding.yaml new file mode 100644 index 0000000..1041640 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "traefik.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "traefik.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/serviceaccount.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/serviceaccount.yaml new file mode 100644 index 0000000..bcc941e --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/rbac/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if not .Values.serviceAccount.name -}} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ include "traefik.serviceAccountName" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + {{- with .Values.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/service.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/service.yaml new file mode 100644 index 0000000..8391694 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/service.yaml @@ -0,0 +1,135 @@ +{{- if .Values.service.enabled -}} + +{{ $tcpPorts := dict }} +{{ $udpPorts := dict }} +{{- range $name, $config := .Values.ports }} + {{- if or $config.http3 (eq (toString $config.protocol) "UDP") }} + {{ $_ := set $udpPorts $name $config }} + {{- end }} + {{- if eq (toString (default "TCP" $config.protocol)) "TCP" }} + {{ $_ := set $tcpPorts $name $config }} + {{- end }} +{{- end }} + +apiVersion: v1 +kind: List +metadata: + name: {{ template "traefik.fullname" . }} +items: +{{- if $tcpPorts }} + - apiVersion: v1 + kind: Service + metadata: + name: {{ template "traefik.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- with (merge .Values.service.annotationsTCP .Values.service.annotations) }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- $type := default "LoadBalancer" .Values.service.type }} + type: {{ $type }} + {{- with .Values.service.spec }} + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + {{- range $name, $config := $tcpPorts }} + {{- if $config.expose }} + - port: {{ default $config.port $config.exposedPort }} + name: {{ $name }} + targetPort: {{ $name | quote }} + protocol: TCP + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- end }} + {{- end }} + {{- if eq $type "LoadBalancer" }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- end -}} + {{- with .Values.service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} + {{- end }} + {{- with .Values.service.ipFamilies }} + ipFamilies: + {{- toYaml . | nindent 6 }} + {{- end -}} +{{- end }} + +{{- if $udpPorts }} + - apiVersion: v1 + kind: Service + metadata: + name: {{ template "traefik.fullname" . }}-udp + labels: + app.kubernetes.io/name: {{ template "traefik.name" . }} + helm.sh/chart: {{ template "traefik.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- with (merge .Values.service.annotationsUDP .Values.service.annotations) }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- $type := default "LoadBalancer" .Values.service.type }} + type: {{ $type }} + {{- with .Values.service.spec }} + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "traefik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + {{- range $name, $config := $udpPorts }} + {{- if $config.expose }} + - port: {{ default $config.port $config.exposedPort }} + name: {{ $name }} + # Due to https://github.com/kubernetes/kubernetes/issues/58477 it is not possible + # to define the HTTP/3 UDP port as a containerPort. TCP and UDP containerPort will have + # the same value which will break the chart upgrade. + targetPort: {{ if $config.http3 }}{{ $config.port }}{{ else }}{{ $name | quote }}{{ end }} + protocol: UDP + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- end }} + {{- end }} + {{- if eq $type "LoadBalancer" }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- end -}} + {{- with .Values.service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} + {{- end }} + {{- with .Values.service.ipFamilies }} + ipFamilies: + {{- toYaml . | nindent 6 }} + {{- end -}} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/templates/tlsoption.yaml b/kubernetes/Charts/gitlab/charts/traefik/templates/tlsoption.yaml new file mode 100644 index 0000000..ec46e8b --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/templates/tlsoption.yaml @@ -0,0 +1,14 @@ +{{- range $name, $config := .Values.tlsOptions }} +apiVersion: traefik.containo.us/v1alpha1 +kind: TLSOption +metadata: + name: {{ $name }} + labels: + app.kubernetes.io/name: {{ template "traefik.name" $ }} + helm.sh/chart: {{ template "traefik.chart" $ }} + app.kubernetes.io/managed-by: {{ $.Release.Service }} + app.kubernetes.io/instance: {{ $.Release.Name }} +spec: + {{- toYaml $config | nindent 2 }} +--- +{{- end -}} diff --git a/kubernetes/Charts/gitlab/charts/traefik/values.yaml b/kubernetes/Charts/gitlab/charts/traefik/values.yaml new file mode 100644 index 0000000..a16b107 --- /dev/null +++ b/kubernetes/Charts/gitlab/charts/traefik/values.yaml @@ -0,0 +1,501 @@ +# Default values for Traefik +image: + name: traefik + # defaults to appVersion + tag: "" + pullPolicy: IfNotPresent + +# +# Configure the deployment +# +deployment: + enabled: true + # Can be either Deployment or DaemonSet + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy + # image: alpine/socat:1.0.5 + # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] + # volumeMounts: + # - name: dsdsocket + # mountPath: /socket + # Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/traefik/traefik/issues/6972 + # - name: volume-permissions + # image: busybox:1.31.1 + # command: ["sh", "-c", "chmod -Rv 600 /data/*"] + # volumeMounts: + # - name: data + # mountPath: /data + # Use process namespace sharing + shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName + +# Pod disruption budget +podDisruptionBudget: + enabled: false + # maxUnavailable: 1 + # maxUnavailable: 33% + # minAvailable: 0 + # minAvailable: 25% + +# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x +ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 + enabled: false + isDefaultClass: false + # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" + fallbackApiVersion: "" + +# Activate Pilot integration +pilot: + enabled: false + token: "" + # Toggle Pilot Dashboard + # dashboard: false + +# Enable experimental features +experimental: + http3: + enabled: false + plugins: + enabled: false + kubernetesGateway: + enabled: false + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + +# Create an IngressRoute for the dashboard +ingressRoute: + dashboard: + enabled: true + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} + +rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + +# Customize liveness and readiness probe values. +readinessProbe: + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + +livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + +# +# Configure providers +# +providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" + +# +# Add volumes to the traefik pod. The volume name will be passed to tpl. +# This can be used to mount a cert pair or a configmap that holds a config.toml file. +# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +# additionalArguments: +# - "--providers.file.filename=/config/dynamic.toml" +# - "--ping" +# - "--ping.entrypoint=web" +volumes: [] +# - name: public-cert +# mountPath: "/certs" +# type: secret +# - name: '{{ printf "%s-configs" .Release.Name }}' +# mountPath: "/config" +# type: configMap + +# Additional volumeMounts to add to the Traefik container +additionalVolumeMounts: [] + # For instance when using a logshipper for access logs + # - name: traefik-logs + # mountPath: /var/log/traefik + +# Logs +# https://docs.traefik.io/observability/logs/ +logs: + # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs + enabled: false + # By default, logs are written using the Common Log Format (CLF). + # To write logs in JSON, use json in the format option. + # If the given format is unsupported, the default (CLF) is used instead. + # format: json + # To write the logs in an asynchronous fashion, specify a bufferingSize option. + # This option represents the number of log lines Traefik will keep in memory before writing + # them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 + # Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms + # Fields + # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} + # Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} + # Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep + +metrics: + # datadog: + # address: 127.0.0.1:8125 + # influxdb: + # address: localhost:8089 + # protocol: udp + prometheus: + entryPoint: metrics + # addRoutersLabels: true + # statsd: + # address: localhost:8125 + +tracing: {} + # instana: + # enabled: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false + +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + +# +# Configure Traefik static configuration +# Additional arguments to be passed at Traefik's binary +# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` +additionalArguments: [] +# - "--providers.kubernetesingress.ingressclass=traefik-internal" +# - "--log.level=DEBUG" + +# Environment variables to be passed to Traefik's binary +env: [] +# - name: SOME_VAR +# value: some-var-value +# - name: SOME_VAR_FROM_CONFIG_MAP +# valueFrom: +# configMapRef: +# name: configmap-name +# key: config-key +# - name: SOME_SECRET +# valueFrom: +# secretKeyRef: +# name: secret-name +# key: secret-key + +envFrom: [] +# - configMapRef: +# name: config-map-name +# - secretRef: +# name: secret-name + +# Configure ports +ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 + # + # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. + # healthchecksPort: 9000 + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + # The port protocol (TCP/UDP) + protocol: TCP + web: + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + # redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 + expose: true + exposedPort: 443 + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + # Enable HTTP/3. + # Requires enabling experimental http3 feature and tls. + # Note that you cannot have a UDP entrypoint with the same port. + # http3: true + # Set TLS at the entrypoint + # https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: false + # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] + # - main: example.com + # sans: + # - foo.example.com + # - bar.example.com + metrics: + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You may not want to expose the metrics port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9100 + # The port protocol (TCP/UDP) + protocol: TCP + +# TLS Options are created as TLSOption CRDs +# https://doc.traefik.io/traefik/https/tls/#tls-options +# Example: +# tlsOptions: +# default: +# sniStrict: true +# preferServerCipherSuites: true +# foobar: +# curvePreferences: +# - CurveP521 +# - CurveP384 +tlsOptions: {} + +# Options for the main traefik service, where the entrypoints traffic comes +# from. +service: + enabled: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # Additional annotations for TCP service only + annotationsTCP: {} + # Additional annotations for UDP service only + annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # Additional entries here will be added to the service spec. + # Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 + # One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + # List of IP families (e.g. IPv4 and/or IPv6). + # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 + +## Create HorizontalPodAutoscaler object. +## +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# targetAverageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# targetAverageUtilization: 60 + +# Enable persistence using Persistent Volume Claims +# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +# additionalArguments: +# - "--certificatesresolvers.le.acme.storage=/data/acme.json" +# It will persist TLS certificates. +persistence: + enabled: false + name: data +# existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + +# If hostNetwork is true, runs traefik in the host network namespace +# To prevent unschedulabel pods due to port collisions, if hostNetwork=true +# and replicas>1, a pod anti-affinity is recommended and will be set if the +# affinity is left as default. +hostNetwork: false + +# Whether Role Based Access Control objects like roles and rolebindings should be created +rbac: + enabled: true + + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +podSecurityPolicy: + enabled: false + +# The service account the pods will use to interact with the Kubernetes API +serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +# Additional serviceAccount annotations (e.g. for oidc authentication) +serviceAccountAnnotations: {} + +resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" +affinity: {} +# # This example pod anti-affinity forces the scheduler to put traefik pods +# # on nodes where no other traefik pods are scheduled. +# # It should be used when hostNetwork: true to prevent port conflicts +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchExpressions: +# - key: app.kubernetes.io/name +# operator: In +# values: +# - {{ template "traefik.name" . }} +# topologyKey: kubernetes.io/hostname +nodeSelector: {} +tolerations: [] + +# Pods can have priority. +# Priority indicates the importance of a Pod relative to other Pods. +priorityClassName: "" + +# Set the container security context +# To run the container with ports below 1024 this will need to be adjust to run as root +securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +podSecurityContext: + fsGroup: 65532 diff --git a/kubernetes/Charts/gitlab/gitlab-ci-config/gitlab-com.yml b/kubernetes/Charts/gitlab/gitlab-ci-config/gitlab-com.yml new file mode 100644 index 0000000..c5894dc --- /dev/null +++ b/kubernetes/Charts/gitlab/gitlab-ci-config/gitlab-com.yml @@ -0,0 +1,16 @@ +# QA job to post allure report snapshot as a comment in the MR +e2e-test-report: + extends: + # https://gitlab.com/gitlab-org/quality/pipeline-common/-/blob/master/ci/allure-report.yml + - .generate-allure-report-base + stage: qa-report + variables: + GITLAB_AUTH_TOKEN: $DANGER_GITLAB_API_TOKEN + ALLURE_PROJECT_PATH: $CI_PROJECT_PATH + ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID + ALLURE_RESULTS_GLOB: "gitlab-qa-run-*/**/allure-results" + ALLURE_JOB_NAME: $QA_RUN_TYPE + rules: + - if: '$CI_SERVER_HOST != "gitlab.com"' + when: never + - if: '$PIPELINE_TYPE =~ /_MR_PIPELINE$/' diff --git a/kubernetes/Charts/gitlab/requirements.lock b/kubernetes/Charts/gitlab/requirements.lock new file mode 100644 index 0000000..849bfa3 --- /dev/null +++ b/kubernetes/Charts/gitlab/requirements.lock @@ -0,0 +1,45 @@ +dependencies: +- name: gitlab + repository: "" + version: '*.*.*' +- name: certmanager-issuer + repository: "" + version: '*.*.*' +- name: minio + repository: "" + version: '*.*.*' +- name: registry + repository: "" + version: '*.*.*' +- name: cert-manager + repository: https://charts.jetstack.io/ + version: v1.12.6 +- name: prometheus + repository: https://prometheus-community.github.io/helm-charts + version: 15.18.0 +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 12.5.2 +- name: gitlab-runner + repository: https://charts.gitlab.io/ + version: 0.58.2 +- name: redis + repository: https://charts.bitnami.com/bitnami + version: 16.13.2 +- name: nginx-ingress + repository: "" + version: '*.*.*' +- name: nginx-ingress + repository: "" + version: '*.*.*' +- name: gitlab-zoekt + repository: https://charts.gitlab.io/ + version: 0.8.1 +- name: traefik + repository: https://helm.traefik.io/traefik + version: 10.19.4 +- name: kubernetes-ingress + repository: https://haproxytech.github.io/helm-charts + version: 1.32.0 +digest: sha256:e60f412488b25c34181196886982beb239801a80eee7468bfa3ecda6291d8a3b +generated: "2023-11-16T13:33:22.886629873Z" diff --git a/kubernetes/Charts/gitlab/requirements.yaml b/kubernetes/Charts/gitlab/requirements.yaml new file mode 100644 index 0000000..b48a0d4 --- /dev/null +++ b/kubernetes/Charts/gitlab/requirements.yaml @@ -0,0 +1,50 @@ +dependencies: +- name: gitlab + version: '*.*.*' +- name: certmanager-issuer + version: '*.*.*' +- name: minio + version: '*.*.*' +- name: registry + version: '*.*.*' +- name: cert-manager + version: 1.12.6 + repository: https://charts.jetstack.io/ + condition: certmanager.install + alias: certmanager +- name: prometheus + version: 15.18.0 + repository: https://prometheus-community.github.io/helm-charts + condition: prometheus.install +- name: postgresql + version: 12.5.2 + repository: https://charts.bitnami.com/bitnami + condition: postgresql.install +- name: gitlab-runner + version: 0.58.2 + repository: https://charts.gitlab.io/ + condition: gitlab-runner.install +- name: redis + version: 16.13.2 + repository: https://charts.bitnami.com/bitnami + condition: redis.install +- name: nginx-ingress + condition: nginx-ingress.enabled + version: '*.*.*' +- name: nginx-ingress + condition: nginx-ingress-geo.enabled + version: '*.*.*' + alias: nginx-ingress-geo +- name: gitlab-zoekt + version: 0.8.1 + repository: https://charts.gitlab.io/ + condition: gitlab-zoekt.install +- name: traefik + repository: https://helm.traefik.io/traefik + condition: traefik.install + version: 10.19.4 +- name: kubernetes-ingress + alias: haproxy + version: 1.32.0 + condition: haproxy.install + repository: https://haproxytech.github.io/helm-charts diff --git a/kubernetes/Charts/gitlab/support/crd.yaml b/kubernetes/Charts/gitlab/support/crd.yaml new file mode 100644 index 0000000..48d6bf9 --- /dev/null +++ b/kubernetes/Charts/gitlab/support/crd.yaml @@ -0,0 +1,99 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gitlabs.gitlab.com +spec: + group: gitlab.com + names: + kind: GitLab + singular: gitlab + plural: gitlabs + shortNames: + - gl + versions: + - name: v1beta1 + served: true + storage: true + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + properties: + helmRelease: + type: string + revision: + type: string + templates: + type: object + properties: + migrationsTemplate: + type: object + properties: + configMapKey: + type: string + configMapName: + type: string + required: + - configMapName + - configMapKey + sharedSecretsTemplate: + type: object + properties: + roleBindingKey: + type: string + roleKey: + type: string + serviceAccountKey: + type: string + required: + - serviceAccountKey + - roleKey + - roleBindingKey + required: + - migrationsTemplate + - sharedSecretsTemplate + version: + type: string + required: + - version + - templates + - helmRelease + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastTransitionTime: + type: string + format: date-time + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + - status + - lastTransitionTime + deployedRevision: + type: string + observedGeneration: + type: integer + format: int64 diff --git a/kubernetes/Charts/gitlab/templates/NOTES.txt b/kubernetes/Charts/gitlab/templates/NOTES.txt new file mode 100644 index 0000000..b8f02a8 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/NOTES.txt @@ -0,0 +1,195 @@ +{{- $NOTICE := "\n=== NOTICE" -}} +{{- $WARNING := "\n=== WARNING" -}} +{{- $CRITICAL := "\n=== CRITICAL" -}} + +{{- /* If any development subchart is enabled, note it is not production ready */}} +{{- $enabledNonProdCharts := fromJsonArray (include "gitlab.nonProdCharts.enabledNames" .) -}} +{{- if not (empty $enabledNonProdCharts) }} +{{ $CRITICAL }} +The following charts are included for evaluation purposes only. They will not be supported by GitLab Support +for production workloads. Use Cloud Native Hybrid deployments for production. For more information visit +https://docs.gitlab.com/charts/installation/index.html#use-the-reference-architectures. +{{- range $name := $enabledNonProdCharts }} +- {{ $name }} +{{- end }} +{{- end }} + +{{- /* PostgreSQL minimum version change */}} +{{ $NOTICE }} +The minimum required version of PostgreSQL is now 13. See https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/installation/upgrade.md for more details. + +{{- /* If the Container Registry metadata database is enabled, note it is not production ready */}} +{{- if eq .Values.registry.database.enabled true }} +{{ $WARNING }} +The Container Registry metadata database has been enabled. Please note that it is an experimental feature and must not be used in production. +{{- end }} + +{{- /* If shared-secrets is disable, manual secret creation will be needed */}} +{{- if not (index .Values "shared-secrets").enabled }} +{{ $NOTICE }} +The automatic generation of secrets has been disabled. +The user should ensure all necessary secrets are created according to documentation, or the deployment will fail to operate correctly. +{{- end }} +{{- /* If using self-signed auto-generated certificates, and a service needing them is enabled */}} +{{- if or .Values.gitlab.webservice.enabled .Values.registry.enabled .Values.global.minio.enabled }} +{{- if not (or .Values.global.ingress.configureCertmanager (include "gitlab.ingress.tls.configured" .)) }} +{{ $WARNING }} +Automatic TLS certificate generation with cert-manager is disabled. +One or more of the components does not have a TLS certificate Secret configured. +As a result, Self-signed certificates were generated for these components. + +You may retrieve the CA root for these certificates from the `{{ template "gitlab.wildcard-self-signed-cert-name" $ }}-ca` secret, via the following command. It can then be imported to a web browser or system store. + + kubectl get secret {{ template "gitlab.wildcard-self-signed-cert-name" $ }}-ca -ojsonpath='{.data.cfssl_ca}' | base64 --decode > {{ template "gitlab.gitlab.hostname" $ }}.ca.pem + +If you do not wish to use self-signed certificates, please set the following properties: +- global.ingress.tls.secretName +OR all of: +- global.ingress.tls.enabled (set to `true`) +{{- if $.Values.gitlab.webservice.enabled }} +- gitlab.webservice.ingress.tls.secretName +{{- if $.Values.global.appConfig.smartcard.enabled }} +- gitlab.webservice.ingress.tls.smartcardSecretName +{{- end }} +{{- end }} +{{- if $.Values.registry.enabled }} +- registry.ingress.tls.secretName +{{- end }} +{{- if $.Values.global.minio.enabled }} +- minio.ingress.tls.secretName +{{- end }} +{{- if $.Values.global.pages.enabled }} +- gitlab.gitlab-pages.ingress.tls.secretName +{{- end }} +{{- if $.Values.global.kas.enabled }} +- gitlab.kas.ingress.tls.secretName +{{- end }} + +{{- if (index .Values "gitlab-runner").install }} +{{ $WARNING }} +Automatic TLS certificate generation with cert-manager is disabled and no TLS certificates were provided. Self-signed certificates were generated that do not work with gitlab-runner. Please either disable gitlab-runner by setting `gitlab-runner.install=false` or provide valid certificates. +{{- end -}} +{{- end -}} +{{- end -}} +{{- /* Runner notice if .install && ! .runners.privileged */}} +{{- if and (index .Values "gitlab-runner").install (not (index .Values "gitlab-runner").runners.privileged) }} +{{ $NOTICE }} +You've installed GitLab Runner without the ability to use 'docker in docker'. +The GitLab Runner chart (gitlab/gitlab-runner) is deployed without the `privileged` flag by default for security purposes. This can be changed by setting `gitlab-runner.runners.privileged` to `true`. Before doing so, please read the GitLab Runner chart's documentation on why we +chose not to enable this by default. See https://docs.gitlab.com/runner/install/kubernetes.html#running-docker-in-docker-containers-with-gitlab-runners +{{- end }} + +{{- /* toolbox replicas */}} +{{- if eq (index $.Values.gitlab "toolbox" "replicas" | int) 0 }} +{{ $NOTICE }} +The GitLab toolbox is scaled to 0. +The `toolbox` Pod is very useful for administration and debugging of this application suite. You may configure `gitlab.toolbox.replicas=1` if you wish to leave a Pod running at all times, or you can scale the deployment up when needed: + + `kubectl scale --replicas=1 deployment/{{ .Release.Name }}-toolbox` +{{- end }} + +{{- /* WARN: global.registry.notificationSecret */}} +{{- if and (not (index .Values "shared-secrets" "enabled")) (not .Values.global.registry.notificationSecret) }} +{{ $WARNING }} +The attribute `shared-secrets.enabled` is `false`, no `global.registry.notificationSecret` provided. +The shared-secrets chart has been disabled, and `global.registry.notificationSecret` has not been provided. +Starting in 4.11.x of this chart, this secret must be present, but shared-secrets will not be run to generated it. +Please see https://docs.gitlab.com/charts/charts/globals#configure-registry-settings +{{- end }} +{{- /* print install survey link */}} +{{- $appVersion := coalesce .Values.global.gitlabVersion .Chart.AppVersion -}} +{{- if and .Release.IsInstall (regexMatch "^\\d+\\.\\d+\\.\\d+(-rc\\d+)?(-pre)?$" $appVersion) }} +Help us improve the installation experience, let us know how we did with a 1 minute survey: +{{- printf "https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=helm&release=%s" (regexReplaceAll "^(\\d+)\\.(\\d+)\\..+" $appVersion "${1}-${2}") }} +{{- end }} + +{{- /* WARN: Usage of PAGES_UPDATE_LEGACY_STORAGE with bundled Pages discouraged.*/}} +{{- if .Values.global.pages.enabled }} +{{- $envValues := dict }} +{{- $_ := set $envValues "gitlab.webservice" (default false .Values.gitlab.webservice.extraEnv.PAGES_UPDATE_LEGACY_STORAGE) }} +{{- $_ := set $envValues "gitlab.sidekiq" (default false .Values.gitlab.sidekiq.extraEnv.PAGES_UPDATE_LEGACY_STORAGE) }} +{{- $_ := set $envValues "global" (default false .Values.global.extraEnv.PAGES_UPDATE_LEGACY_STORAGE) }} +{{- $toolboxExtraEnv := index .Values.gitlab "toolbox" "extraEnv" }} +{{- $_ := set $envValues "gitlab.toolbox" (default false $toolboxExtraEnv.PAGES_UPDATE_LEGACY_STORAGE) }} +{{- range $component, $value := $envValues }} +{{- if eq $value true }} +{{ $WARNING }} +GitLab Pages configured to use disk storage via `{{ $component }}.extraEnv.PAGES_UPDATE_LEGACY_STORAGE`. +Using `PAGES_UPDATE_LEGACY_STORAGE` environment variable with bundled Pages service is not recommended. This setting is specifically used when using an external GitLab Pages deployment. +{{- end }} +{{- end }} +{{- end }} + +{{- /* Deprecation notice for `gitlab.deprecate.kas.privateApi.tls.enabled` setting */}} +{{- if eq true $.Values.gitlab.kas.privateApi.tls.enabled }} +{{ $NOTICE }} +kas: + The configuration of `gitlab.kas.privateApi.tls.enabled` has moved. Please use `global.kas.tls.enabled` instead. + Other components of the GitLab chart other than KAS also need to be configured to talk to KAS via TLS. + With a global value the chart can take care of these configurations without the need for other specific values. +{{- end }} + +{{- /* Deprecation notice for `gitlab.deprecate.kas.privateApi.tls.secretName` setting */}} +{{- if hasKey $.Values.gitlab.kas.privateApi.tls "secretName" }} +{{ $NOTICE }} +kas: + The configuration of `gitlab.kas.privateApi.tls.secretName` has moved. Please use `global.kas.tls.secretName` instead. + Other components of the GitLab chart other than KAS also need to be configured to talk to KAS via TLS. + With a global value the chart can take care of these configurations without the need for other specific values. +{{- end }} + +{{- /* Deprecation notice for `gitlab.deprecate.sidekiq.queueSelector` setting */}} +{{- if and (hasKey .Values.gitlab.sidekiq "queueSelector") (eq true .Values.gitlab.sidekiq.queueSelector) -}} +{{ $NOTICE }} +sidekiq: + The configuration of 'gitlab.sidekiq.queueSelector' should be removed. Please follow the steps at https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html#start-multiple-processes, to run Sidekiq with multiple processes while listening to all queues. +{{- end }} + +{{- /* Deprecation notice for `gitlab.deprecate.sidekiq.pods.queueSelector` setting */}} +{{- range $index, $pod := .Values.gitlab.sidekiq.pods -}} +{{- if and (hasKey $pod "queueSelector") -}} +{{ $NOTICE }} +sidekiq.pods[{{ $index }}] ({{ $pod.name }}): + The configuration of 'gitlab.sidekiq.pods[{{ $index }}].queueSelector' should be removed. Please follow the steps at https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html#start-multiple-processes, to run Sidekiq with multiple processes while listening to all queues. +{{- end -}} +{{- end }} + +{{- /* Deprecation notice for `gitlab.deprecate.sidekiq.negateQueues` setting */}} +{{- if hasKey .Values.gitlab.sidekiq "negateQueues" -}} +{{ $NOTICE }} +sidekiq: + The configuration of 'gitlab.sidekiq.negateQueues' should be removed. Please follow the steps at https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html#start-multiple-processes, to run Sidekiq with multiple processes while listening to all queues. +{{- end }} + +{{- /* Deprecation notice for `gitlab.deprecate.sidekiq.pods.negateQueues` setting */}} +{{- range $index, $pod := .Values.gitlab.sidekiq.pods -}} +{{- if hasKey $pod "negateQueues" -}} +{{ $NOTICE }} +sidekiq.pods[{{ $index }}] ({{ $pod.name }}): + The configuration of 'gitlab.sidekiq.pods[{{ $index }}].negateQueues' should be removed. Please follow the steps at https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html#start-multiple-processes, to run Sidekiq with multiple processes while listening to all queues. +{{- end -}} +{{- end }} + +{{- /* Deprecation notice for global.redis.password */}} +{{- if kindIs "map" .Values.global.redis.password }} +{{ $NOTICE }} +redis: + The configuration key `global.redis.password` has been renamed. Please use + `globa.redis.auth` instead. This is the source of the `coalesce.go` warning + message from Helm as well. For more details, please see: + https://docs.gitlab.com/charts/installation/upgrade.html#use-of-globalredispassword +{{- end -}} + +{{- /* Deprecation notice for global.busybox */}} +{{- if hasKey .Values.global "busybox" }} +{{ $NOTICE }} +global.busybox: + The configuration key `global.busybox` is deprecated in favor of `global.gitlabBase`. + For more details, please see: + https://docs.gitlab.com/charts/charts/globals#gitlab-base-image +{{- end -}} + +{{- /* run deprecations */}} +{{ include "gitlab.deprecations" . }} +{{- /* run checkConfig */}} +{{ include "gitlab.checkConfig" . }} diff --git a/kubernetes/Charts/gitlab/templates/_application.tpl b/kubernetes/Charts/gitlab/templates/_application.tpl new file mode 100644 index 0000000..95639da --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_application.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "gitlab.application.labels" -}} +app.kubernetes.io/name: {{ .Release.Name }} +{{- end -}} + +{{- define "gitlab.standardLabels" -}} +app: {{ template "name" . }} +chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +release: {{ .Release.Name }} +heritage: {{ .Release.Service }} +{{- if .Values.global.application.create }} +{{ include "gitlab.application.labels" . }} +{{- end -}} +{{- end -}} + + +{{- define "gitlab.selectorLabels" -}} +app: {{ template "name" . }} +release: {{ .Release.Name }} +{{ if .Values.global.application.create -}} +{{ include "gitlab.application.labels" . }} +{{- end -}} +{{- end -}} + +{{- define "gitlab.commonLabels" -}} +{{- $commonLabels := merge (pluck "labels" (default (dict) .Values.common) | first) .Values.global.common.labels}} +{{- if $commonLabels }} +{{- range $key, $value := $commonLabels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* Deprecated, do not use these labels.*/}} +{{- define "gitlab.immutableLabels" -}} +app: {{ template "name" . }} +chart: {{ .Chart.Name }} +release: {{ .Release.Name }} +heritage: {{ .Release.Service }} +{{ if .Values.global.application.create -}} +{{ include "gitlab.application.labels" . }} +{{- end -}} +{{- end -}} + + +{{- define "gitlab.nodeSelector" -}} +{{- $nodeSelector := default .Values.global.nodeSelector .Values.nodeSelector -}} +{{- if $nodeSelector }} +nodeSelector: + {{- toYaml $nodeSelector | nindent 2 }} +{{- end }} +{{- end -}} + +{{/* +Return priorityClassName for Pod definitions +*/}} +{{- define "gitlab.priorityClassName" -}} +{{- $pcName := default .Values.global.priorityClassName .Values.priorityClassName -}} +{{- if $pcName }} +priorityClassName: {{ $pcName }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_boolean.tpl b/kubernetes/Charts/gitlab/templates/_boolean.tpl new file mode 100644 index 0000000..7fdd9d8 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_boolean.tpl @@ -0,0 +1,24 @@ +{{/* +- If `local` is present (true or false; not nil), use that. +- Otherwise, if `global` is present, use that. +- Otherwise, use `default`. + +Example: include "gitlab.boolean.local" (dict "global" $.Values.cluster "local" .cluster "default" true) + +For all cases, return `"true"` for true values, and `""` for false +values. This means that we can keep the literal string 'true' when true, +but have false values act as falsey (because `default` cares about empty +values). + +The `default` function won't handle this case correctly as in Sprig, +false is empty. +*/}} +{{- define "gitlab.boolean.local" -}} +{{- if kindIs "bool" .local -}} +{{- default "" .local -}} +{{- else if kindIs "bool" .global -}} +{{- default "" .global -}} +{{- else -}} +{{- default "" .default -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_certificates.tpl b/kubernetes/Charts/gitlab/templates/_certificates.tpl new file mode 100644 index 0000000..1a32d68 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_certificates.tpl @@ -0,0 +1,109 @@ +{{/* Templates for certificates injection */}} + +{{- define "gitlab.certificates.initContainer" -}} +{{- $customCAsEnabled := .Values.global.certificates.customCAs }} +{{- $internalGitalyTLSEnabled := $.Values.global.gitaly.tls.enabled }} +{{- $internalPraefectTLSEnabled := $.Values.global.praefect.tls.enabled }} +{{- $certmanagerDisabled := not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.global.certificates.image -}} +- name: certificates + image: {{ include "gitlab.certificates.image" . }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 2 }} + {{- include "gitlab.init.containerSecurityContext" . | indent 2 }} + env: + {{- include "gitlab.extraEnv" . | nindent 2 }} + {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 2 }} + volumeMounts: + - name: etc-ssl-certs + mountPath: /etc/ssl/certs + readOnly: false + - name: etc-pki-ca-trust-extracted-pem + mountPath: /etc/pki/ca-trust/extracted/pem + readOnly: false +{{- if or $customCAsEnabled (or $certmanagerDisabled $internalGitalyTLSEnabled $internalPraefectTLSEnabled) }} + - name: custom-ca-certificates + mountPath: /usr/local/share/ca-certificates + readOnly: true +{{- end }} + resources: + {{- toYaml .Values.init.resources | nindent 4 }} +{{- end -}} + +{{- define "gitlab.certificates.volumes" -}} +{{- $customCAsEnabled := .Values.global.certificates.customCAs }} +{{- $internalGitalyTLSEnabled := $.Values.global.gitaly.tls.enabled }} +{{- $internalPraefectTLSEnabled := $.Values.global.praefect.tls.enabled }} +{{- $certmanagerDisabled := not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }} +- name: etc-ssl-certs + emptyDir: + medium: "Memory" +- name: etc-pki-ca-trust-extracted-pem + emptyDir: + medium: "Memory" +{{- if or $customCAsEnabled (or $certmanagerDisabled $internalGitalyTLSEnabled $internalPraefectTLSEnabled) }} +- name: custom-ca-certificates + projected: + defaultMode: 0440 + sources: + {{- range $index, $customCA := .Values.global.certificates.customCAs }} + {{- if $customCA.secret }} + - secret: + name: {{ $customCA.secret }} + {{- if $customCA.keys }} + items: + {{- range $customCA.keys }} + - key: {{ . }} + path: {{ . }} + {{- end }} + {{- end }} + {{- else if $customCA.configMap }} + - configMap: + name: {{ $customCA.configMap }} + {{- if $customCA.keys }} + items: + {{- range $customCA.keys }} + - key: {{ . }} + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }} + - secret: + name: {{ template "gitlab.wildcard-self-signed-cert-name" $ }}-ca + {{- end }} + {{- if $internalGitalyTLSEnabled }} + {{- if $.Values.global.praefect.enabled }} + {{- range $vs := $.Values.global.praefect.virtualStorages }} + - secret: + name: {{ $vs.tlsSecretName }} + items: + - key: "tls.crt" + path: "gitaly-{{ $vs.name }}-tls.crt" + {{- end }} + {{- else }} + - secret: + name: {{ template "gitlab.gitaly.tls.secret" $ }} + items: + - key: "tls.crt" + path: "gitaly-internal-tls.crt" + {{- end }} + {{- end }} + {{- if $internalPraefectTLSEnabled }} + - secret: + name: {{ template "gitlab.praefect.tls.secret" $ }} + items: + - key: "tls.crt" + path: "praefect-internal-tls.crt" + {{- end }} +{{- end -}} +{{- end -}} + +{{- define "gitlab.certificates.volumeMount" -}} +- name: etc-ssl-certs + mountPath: /etc/ssl/certs/ + readOnly: true +- name: etc-pki-ca-trust-extracted-pem + mountPath: /etc/pki/ca-trust/extracted/pem + readOnly: true +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig.tpl new file mode 100644 index 0000000..932e300 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig.tpl @@ -0,0 +1,240 @@ +{{/* +Template for checking configuration + +The messages templated here will be combined into a single `fail` call. This creates a means for the user to receive all messages at one time, instead of a frustrating iterative approach. + +- Pick a location for the new check. + + Checks of a group reside in a sub file, `_checkConfig_xxx.tpl`. + + If there isn't a group for that check yet, put it at the end of this file + + If there are more than 1 check of a same group, extract those checks into a new + file following the above format. Don't forget to extract the tests too. +- `define` a new template, prefixed `gitlab.checkConfig.` +- Check for known problems in configuration, and directly output messages (see message format below) +- Add a line to `gitlab.checkConfig` to include the new template. +- Add tests for the newly created check. + + Tests for checks of a group are put in `spec/integration/check_config/xxx_spec.rb` + + Tests for other miscellaneous checks are put in `spec/integration/check_config_spec.rb` + +Message format: + +**NOTE**: The `if` statement preceding the block should _not_ trim the following newline (`}}` not `-}}`), to ensure formatting during output. + +``` +chart: + MESSAGE +``` +*/}} +{{/* +Compile all warnings into a single message, and call fail. + +Due to gotpl scoping, we can't make use of `range`, so we have to add action lines. +*/}} +{{- define "gitlab.checkConfig" -}} +{{- $messages := list -}} +{{/* add templates here */}} + +{{/* _checkConfig_mailroom.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.incomingEmail.microsoftGraph" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.serviceDesk" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.serviceDesk.microsoftGraph" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.incomingEmail.deliveryMethod" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.serviceDeskEmail.deliveryMethod" .) -}} + +{{/* _checkConfig_geo.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.geo.database" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.geo.secondary.database" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.geo.registry.replication.primaryApiUrl" .) -}} + +{{/* _checkConfig_gitaly.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitaly.storageNames" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitaly.tls" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitaly.extern.repos" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitaly.gpgSigning" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.praefect.storageNames" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.praefect.defaultReplicationFactor" .) -}} + +{{/* _checkConfig_ingress.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.ingress.alternatives" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.ingress.class" .) -}} + +{{/* _checkConfig_nginx.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.nginx.controller.extraArgs" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.nginx.clusterrole.scope" .) -}} + +{{/* _checkConfig_object_storage.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.objectStorage.consolidatedConfig" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.objectStorage.typeSpecificConfig" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.objectStorage.ciSecureFiles" .) -}} + +{{/* _checkConfig_postgresql.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.postgresql.deprecatedVersion" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.postgresql.noPasswordFile" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.database.externalLoadBalancing" .) -}} + +{{/* _checkConfig_registry.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.registry.sentry.dsn" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.registry.notifications" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.registry.database" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.registry.redis.cache" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.registry.tls" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.registry.debug.tls" .) -}} + +{{/* _checkConfig_sidekiq.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.queues.mixed" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.queues" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.timeout" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.routingRules" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.server_ports" .) -}} + +{{/* _checkConfig_toolbox.tpl*/}} +{{- $messages = append $messages (include "gitlab.toolbox.replicas" .) -}} +{{- $messages = append $messages (include "gitlab.toolbox.backups.objectStorage.config.secret" .) -}} + +{{/* _checkConfig_webservice.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.appConfig.maxRequestDurationSeconds" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.webservice.gracePeriod" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.webservice.loadBalancer" .) -}} + +{{/* _checkConfig_workhorse.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.workhorse.exporter.tls.enabled" .) -}} + +{{/* _checkConfig_gitlab_shell.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitlabShell.proxyPolicy" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitlabShell.metrics" .) -}} + +{{/* _checkConfig_omniauth.tpl*/}} +{{- $messages = append $messages (include "gitlab.checkConfig.omniauth.providerFormat" .) -}} + +{{/* other checks */}} +{{- $messages = append $messages (include "gitlab.checkConfig.multipleRedis" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.redisYmlOverride" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.hostWhenNoInstall" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.sentry" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.gitlab_docs" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.smtp.openssl_verify_mode" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.smtp.tls_kind" .) -}} +{{- $messages = append $messages (include "gitlab.checkConfig.globalServiceAccount" .) -}} +{{- $messages = append $messages (include "gitlab.duoAuth.checkConfig" .) -}} + +{{- /* prepare output */}} +{{- $messages = without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- /* print output */}} +{{- if $message -}} +{{- printf "\nCONFIGURATION CHECKS:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Ensure that `redis.install: false` if configuring multiple Redis instances +*/}} +{{- define "gitlab.checkConfig.multipleRedis" -}} +{{/* "cache" "sharedState" "queues" "actioncable" */}} +{{- $x := dict "count" 0 -}} +{{- range $redis := list "cache" "sharedState" "queues" "actioncable" -}} +{{- if hasKey $.Values.global.redis $redis -}} +{{- $_ := set $x "count" ( add1 $x.count ) -}} +{{- end -}} +{{- end -}} +{{- if and .Values.redis.install ( lt 0 $x.count ) }} +redis: + If configuring multiple Redis servers, you can not use the in-chart Redis server. Please see https://docs.gitlab.com/charts/charts/globals#configure-redis-settings +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.multipleRedis */}} + +{{/* +Ensure that `redis.install: false` if using redis.yml override +*/}} +{{- define "gitlab.checkConfig.redisYmlOverride" -}} +{{- if and .Values.redis.install ( hasKey .Values.global.redis "redisYmlOverride" ) }} +redis: + When you override redis.yml you can not use the in-chart Redis server. Please see https://docs.gitlab.com/charts/charts/globals#configure-redis-settings +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.redisYmlOverride */}} + +{{/* +Ensure that `global.redis.host: ` is present if `redis.install: false` +*/}} +{{- define "gitlab.checkConfig.hostWhenNoInstall" -}} +{{- if and (not .Values.redis.install) (empty .Values.global.redis.host) (empty .Values.global.redis.redisYmlOverride) }} +redis: + You've disabled the installation of Redis. When using an external Redis, you must populate `global.redis.host` or `gitlab.redis.redisYmlOverride`. Please see https://docs.gitlab.com/charts/advanced/external-redis/ +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.hostWhenNoInstall */}} + +{{/* +Ensure that sentry has a DSN configured if enabled +*/}} +{{- define "gitlab.checkConfig.sentry" -}} +{{- if $.Values.global.appConfig.sentry.enabled }} +{{- if (not (or $.Values.global.appConfig.sentry.dsn $.Values.global.appConfig.sentry.clientside_dsn)) }} +sentry: + When enabling sentry, you must configure at least one DSN. + See https://docs.gitlab.com/charts/charts/globals.html#sentry-settings +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.sentry */}} + +{{/* +Ensure that gitlab_docs has a host configured if enabled +host mush be starts with https:// or http://, and not empty. +*/}} +{{- define "gitlab.checkConfig.gitlab_docs" -}} +{{- if $.Values.global.appConfig.gitlab_docs.enabled }} +{{- with $.Values.global.appConfig.gitlab_docs -}} +{{- if or (not .host) (and (not (hasPrefix "http://" .host)) (not (hasPrefix "https://" .host))) }} +gitlab_docs: + When enabling gitlab_docs, you must configure host, and it must start with `http://` or `https://`. +{{- end }} +{{- end }} +{{- end }} +{{- end -}} +{{/* END gitlab.checkConfig.gitlab_docs */}} + +{{/* +Ensure that a correct value is provided for +`global.smtp.openssl_verify_mode`. +*/}} +{{- define "gitlab.checkConfig.smtp.openssl_verify_mode" -}} +{{- $opensslVerifyModes := list "none" "peer" "client_once" "fail_if_no_peer_cert" -}} +{{- if .Values.global.smtp.openssl_verify_mode -}} +{{- if not (has .Values.global.smtp.openssl_verify_mode $opensslVerifyModes) }} +smtp: + "{{ .Values.global.smtp.openssl_verify_mode }}" is not a valid value for `global.smtp.openssl_verify_mode`. + Valid values are: {{ join ", " $opensslVerifyModes }}. +{{- end }} +{{- end }} +{{- end -}} +{{/* END gitlab.checkConfig.smtp.openssl_verify_mode */}} + +{{/* +Ensure that either `global.smtp.tls` or `global.smtp.starttls_auto` is set to true, but not both. +*/}} +{{- define "gitlab.checkConfig.smtp.tls_kind" -}} +{{- if and .Values.global.smtp.tls .Values.global.smtp.starttls_auto -}} +smtp: + global.smtp.tls and global.smtp.starttls_auto are mutually exclusive. + Set one of them to false. SMTP providers usually use port 465 for TLS and port 587 for STARTTLS. +{{- end }} +{{- end }} +{{/* END gitlab.checkConfig.smtp.tls_kind */}} + +{{/* +Ensure that global service account settings are correct. +*/}} +{{- define "gitlab.checkConfig.globalServiceAccount" -}} +{{- if and .Values.global.serviceAccount.enabled .Values.global.serviceAccount.create -}} +{{- if .Values.global.serviceAccount.name }} +serviceAccount: + `global.serviceAccount.name` is set to {{ .Values.global.serviceAccount.name | quote }}. + Please set `global.serviceAccount.create=false` and manually create a ServiceAccount + object in the cluster with a matching name. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.globalServiceAccount */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_duoAuth.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_duoAuth.tpl new file mode 100644 index 0000000..be4c7b6 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_duoAuth.tpl @@ -0,0 +1,22 @@ + +{{- define "gitlab.duoAuth.checkConfig" -}} +{{ with $.Values.global.appConfig }} +{{- if .duoAuth.enabled }} +{{- if (not .duoAuth.hostname) }} +duoAuth: Enabling Duo Auth requires hostname to be present + Duo Auth requires value of hostname acquired from Duo admin panel, which is provided here as string. + Please see https://docs.gitlab.com/charts/charts/globals.html#duoauth +{{- end -}} +{{- if (not .duoAuth.integrationKey) }} +duoAuth: Enabling Duo Auth requires integrationKey to be present + Duo Auth requires an integrationKey acquired from Duo admin panel, which is provided here as a string. + Please see https://docs.gitlab.com/charts/charts/globals.html#duoauth +{{- end -}} +{{- if (not .duoAuth.secretKey) }} +duoAuth: Enabling Duo Auth requires secretKey.secret to be present + Duo Auth requires a secretKey acquired from Duo admin panel, which is provided here via Kubernete Secret. + Please see https://docs.gitlab.com/charts/charts/globals.html#duoauth +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_geo.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_geo.tpl new file mode 100644 index 0000000..43211d4 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_geo.tpl @@ -0,0 +1,49 @@ +{{/* +Ensure a database is configured when using Geo +listen over TLS */}} +{{- define "gitlab.checkConfig.geo.database" -}} +{{- with $.Values.global -}} +{{- if eq true .geo.enabled -}} +{{- if not .psql.host }} +geo: no database provided + It appears Geo was configured but no database was provided. Geo behaviors require external databases. Ensure `global.psql.host` is set. +{{ end -}} +{{- if not .psql.password.secret }} +geo: no database password provided + It appears Geo was configured, but no database password was provided. Geo behaviors require external databases. Ensure `global.psql.password.secret` is set. +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.geo.database */}} + +{{/* +Ensure a database is configured when using Geo secondary +listen over TLS */}} +{{- define "gitlab.checkConfig.geo.secondary.database" -}} +{{- with $.Values.global.geo -}} +{{- if include "gitlab.geo.secondary" $ }} +{{- if not .psql.host }} +geo: no secondary database provided + It appears Geo was configured with `role: secondary`, but no database was provided. Geo behaviors require external databases. Ensure `global.geo.psql.host` is set. +{{ end -}} +{{- if not .psql.password.secret }} +geo: no secondary database password provided + It appears Geo was configured with `role: secondary`, but no database password was provided. Geo behaviors require external databases. Ensure `global.geo.psql.password.secret` is set. +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.geo.secondary.database */}} + +{{/* +Ensure that when Registry replication is enabled for Geo, a primary API URL is specified. +*/}} +{{- define "gitlab.checkConfig.geo.registry.replication.primaryApiUrl" -}} +{{- if and (eq true .Values.global.geo.enabled) (and (eq .Values.global.geo.role "secondary") (eq true .Values.global.geo.registry.replication.enabled)) -}} +{{- if not .Values.global.geo.registry.replication.primaryApiUrl }} +geo: + Registry replication is enabled for GitLab Geo, but no primary API URL is specified. Please specify a value for `global.geo.registry.replication.primaryApiUrl`. +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_gitaly.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_gitaly.tpl new file mode 100644 index 0000000..93e50f0 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_gitaly.tpl @@ -0,0 +1,112 @@ +{{/* +Protect against problems in storage names within repositories configuration. +- Ensure that one (and only one) storage is named 'default'. +- Ensure no duplicates + +Collects the list of storage names by rendering the 'gitlab.appConfig.repositories' +template, and grabbing any lines that start with exactly 4 spaces. +*/}} +{{- define "gitlab.checkConfig.gitaly.storageNames" -}} +{{- $errorMsg := list -}} +{{- $config := include "gitlab.appConfig.repositories" $ -}} +{{- $storages := list }} +{{- range (splitList "\n" $config) -}} +{{- if (regexMatch "^ [^ ]" . ) -}} +{{- $storages = append $storages (trim . | trimSuffix ":") -}} +{{- end }} +{{- end }} +{{- if gt (len $storages) (len (uniq $storages)) -}} +{{- $errorMsg = append $errorMsg (printf "Each storage name must be unique. Current storage names: %s" $storages | sortAlpha | join ", ") -}} +{{- end -}} +{{- if not (has "default" $storages) -}} +{{- $errorMsg = append $errorMsg ("There must be one (and only one) storage named 'default'.") -}} +{{- end }} +{{- if not (empty $errorMsg) }} +gitaly: +{{- range $msg := $errorMsg }} + {{ $msg }} +{{- end }} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.gitaly.storageNames -}} + +{{/* +Ensure that if a user is migrating to Praefect, none of the Praefect virtual storage +names are 'default', as it should already be used by the non-Praefect storage configuration. +*/}} +{{- define "gitlab.checkConfig.praefect.storageNames" -}} +{{- if and $.Values.global.gitaly.enabled $.Values.global.praefect.enabled (not $.Values.global.praefect.replaceInternalGitaly) -}} +{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} +{{- if eq $vs.name "default" -}} +praefect: + Praefect is enabled, but `global.praefect.replaceInternalGitaly=false`. In this scenario, + none of the Praefect virtual storage names can be 'default'. Please modify + `global.praefect.virtualStorages[{{ $i }}].name`. +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.praefect.storageNames" -}} + +{{/* +Ensure that defaultReplicationFactor is greater then 0, and less than gitalyReplicas's number +*/}} +{{- define "gitlab.checkConfig.praefect.defaultReplicationFactor" -}} +{{- if and $.Values.global.gitaly.enabled $.Values.global.praefect.enabled -}} +{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} +{{- $gitalyReplicas := int (default 1 $vs.gitalyReplicas) -}} +{{- $defaultReplicationFactor := int (default 1 $vs.defaultReplicationFactor) -}} +{{- if or ( gt $defaultReplicationFactor $gitalyReplicas ) ( lt $defaultReplicationFactor 1 ) -}} +praefect: + Praefect is enabled but 'defaultReplicationFactor' is not correct. + 'defaultReplicationFactor' is greater than 1, less than 'gitalyReplicas'. + Please modify `global.praefect.virtualStorages[{{ $i }}].defaultReplicationFactor`. +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{/* END gitlab.checkConfig.praefect.defaultReplicationFactor */}} + +{{/* +Ensure a certificate is provided when Gitaly is enabled and is instructed to +listen over TLS */}} +{{- define "gitlab.checkConfig.gitaly.tls" -}} +{{- $errorMsg := list -}} +{{- if and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled -}} +{{- if $.Values.global.praefect.enabled -}} +{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} +{{- if not $vs.tlsSecretName }} +{{- $errorMsg = append $errorMsg (printf "global.praefect.virtualStorages[%d].tlsSecretName not specified ('%s')" $i $vs.name) -}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- if not (empty $errorMsg) }} +gitaly: +{{- range $msg := $errorMsg }} + {{ $msg }} +{{- end }} + This configuration is not supported. +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.gitaly.tls */}} + +{{/* Check configuration of Gitaly external repos*/}} +{{- define "gitlab.checkConfig.gitaly.extern.repos" -}} +{{- if (and (not .Values.global.gitaly.enabled) (not .Values.global.gitaly.external) ) }} +gitaly: + external Gitaly repos needs to be specified if global.gitaly.enabled is not set +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.gitaly.extern.repos */}} + +{{/* Check that both GPG secret and key are set*/}} +{{- define "gitlab.checkConfig.gitaly.gpgSigning" -}} +{{- if and $.Values.global.gitaly.enabled $.Values.gitlab.gitaly.gpgSigning.enabled -}} +{{- if not (and $.Values.gitlab.gitaly.gpgSigning.secret $.Values.gitlab.gitaly.gpgSigning.key) -}} +gitaly: + secret and key must be set if gitlab.gitaly.gpgSigning.enabled is set +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.gitaly.gpgSigning */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_gitlab_shell.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_gitlab_shell.tpl new file mode 100644 index 0000000..1fb3731 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_gitlab_shell.tpl @@ -0,0 +1,32 @@ +{{- define "gitlab.checkConfig.gitlabShell.proxyPolicy" -}} +{{- $config := (index .Values "gitlab" "gitlab-shell").config -}} +{{/* +We enable ProxyProtocol between nginx-ingress and gitlab-shell whenever +gitlab-sshd is enabled to ensure the right remote IPs are seen by SSH. +By default, gitlab-sshd will optionally use the ProxyProtocol if +available. Setting the proxy policy to "reject" would prevent +gitlab-shell from working, so we check that this can't be done. +*/}} +{{- if and $config.proxyProtocol (eq $config.proxyPolicy "reject") }} +gitlab-shell: + gitlab.gitlab-shell.config.proxyProtocol is enabled, but gitlab.gitlab-shell.config.proxyPolicy is set to "reject". + gitlab-shell will not accept connections since these settings conflict with each other. + Either disable proxyProtocol or set proxyPolicy to "use", "require", or "ignore". +{{- end -}} +{{- end -}} +{{/* END "gitlab.checkConfig.gitlabShell.proxyPolicy" */}} + +{{- define "gitlab.checkConfig.gitlabShell.metrics" -}} +{{- $shell := (index .Values "gitlab" "gitlab-shell") -}} +{{/* +Metrics are only supported for "gitlab-shell" when "gitlab-sshd" +is used as the SSH daemon, as the OpenSSH daemon does not provide +viable collectable metrics. +*/}} +{{- if and $shell.metrics.enabled (not (eq $shell.sshDaemon "gitlab-sshd")) }} +gitlab-shell: + gitlab.gitlab-shell.metrics.enabled is true, but gitlab.gitlab-shell.sshDaemon is set to "{{- $shell.sshDaemon -}}". + Metrics are not supported for the "{{- $shell.sshDaemon -}}". + Either disable metrics or set sshDaemon to "gitlab-sshd". +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_ingress.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_ingress.tpl new file mode 100644 index 0000000..99a7cc0 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_ingress.tpl @@ -0,0 +1,29 @@ +{{- define "gitlab.checkConfig.ingress.alternatives" -}} +{{- if and (index $.Values "nginx-ingress").enabled $.Values.haproxy.install -}} +ingress: + HAProxy is also enabled via `haproxy.install=true`. + Please disable NGINX via `nginx-ingress.enabled=false`. +{{- end -}} +{{- if and (index $.Values "nginx-ingress").enabled $.Values.traefik.install -}} +ingress: + Traefik is also enabled via `traefik.install=true`. + Please disable NGINX via `nginx-ingress.enabled=false`. +{{- end -}} +{{- end -}} + +{{- define "gitlab.checkConfig.ingress.class" -}} +{{- if $.Values.traefik.install -}} +{{- if ne $.Values.global.ingress.class "traefik" -}} +ingress: + Traefik is enabled. + Please set `global.ingress.class=traefik`. +{{- end -}} +{{- end -}} +{{- if $.Values.haproxy.install -}} +{{- if ne $.Values.global.ingress.class "haproxy" -}} +ingress: + HAProxy is enabled. + Please set `global.ingress.class=haproxy`. +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_mailroom.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_mailroom.tpl new file mode 100644 index 0000000..3f4b71b --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_mailroom.tpl @@ -0,0 +1,84 @@ +{{/* +Ensure that tenantId and clientId are set if Microsoft Graph settings are used in incomingEmail +*/}} +{{- define "gitlab.checkConfig.incomingEmail.microsoftGraph" -}} +{{- with $.Values.global.appConfig.incomingEmail }} +{{- if (and .enabled (eq .inboxMethod "microsoft_graph")) }} +{{- if not .tenantId }} +incomingEmail: + When configuring incoming email with Microsoft Graph, be sure to specify the tenant ID. + See https://docs.gitlab.com/ee/administration/incoming_email.html#microsoft-graph +{{- end -}} +{{- if not .clientId }} +incomingEmail: + When configuring incoming email with Microsoft Graph, be sure to specify the client ID. + See https://docs.gitlab.com/ee/administration/incoming_email.html#microsoft-graph +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.incomingEmail.microsoftGraph */}} + +{{/* +Ensure that incomingEmail is enabled too if serviceDesk is enabled +*/}} +{{- define "gitlab.checkConfig.serviceDesk" -}} +{{- if $.Values.global.appConfig.serviceDeskEmail.enabled }} +{{- if not $.Values.global.appConfig.incomingEmail.enabled }} +serviceDesk: + When configuring Service Desk email, you must also configure incoming email. + See https://docs.gitlab.com/charts/charts/globals#incoming-email-settings +{{- end -}} +{{- if (not (and (contains "+%{key}@" $.Values.global.appConfig.incomingEmail.address) (contains "+%{key}@" $.Values.global.appConfig.serviceDeskEmail.address))) }} +serviceDesk: + When configuring Service Desk email, both incoming email and Service Desk email address must contain the "+%{key}" tag. + See https://docs.gitlab.com/ee/user/project/service_desk.html#using-custom-email-address +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.serviceDesk */}} + +{{/* +Ensure that tenantId and clientId are set if Microsoft Graph settings are used in serviceDesk +*/}} +{{- define "gitlab.checkConfig.serviceDesk.microsoftGraph" -}} +{{- with $.Values.global.appConfig.serviceDesk }} +{{- if (and .enabled (eq .inboxMethod "microsoft_graph")) }} +{{- if not .tenantId }} +incomingEmail: + When configuring Service Desk with Microsoft Graph, be sure to specify the tenant ID. + See https://docs.gitlab.com/ee/user/project/service_desk.html#microsoft-graph +{{- end -}} +{{- if not .clientId }} +incomingEmail: + When configuring Service Desk with Microsoft Graph, be sure to specify the client ID. + See https://docs.gitlab.com/ee/user/project/service_desk.html#microsoft-graph +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.serviceDesk.microsoftGraph */}} + +{{/* +Ensure that incomingEmail's deliveryMethod is either sidekiq or webhook +*/}} +{{- define "gitlab.checkConfig.incomingEmail.deliveryMethod" -}} +{{- if not (or (eq $.Values.global.appConfig.incomingEmail.deliveryMethod "sidekiq") (eq $.Values.global.appConfig.incomingEmail.deliveryMethod "webhook")) }} +incomingEmail: + Delivery method should be either "sidekiq" or "webhook" + See https://docs.gitlab.com/charts/installation/command-line-options.html#incoming-email-configuration +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.incomingEmail.deliveryMethod */}} + +{{/* +Ensure that serviceDeskEmail's deliveryMethod is either sidekiq or webhook +*/}} +{{- define "gitlab.checkConfig.serviceDeskEmail.deliveryMethod" -}} +{{- if not (or (eq $.Values.global.appConfig.serviceDeskEmail.deliveryMethod "sidekiq") (eq $.Values.global.appConfig.serviceDeskEmail.deliveryMethod "webhook")) }} +serviceDeskEmail: + Delivery method should be either "sidekiq" or "webhook" + See https://docs.gitlab.com/charts/installation/command-line-options.html#service-desk-email-configuration +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.serviceDeskEmail.deliveryMethod */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_nginx.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_nginx.tpl new file mode 100644 index 0000000..89e1f66 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_nginx.tpl @@ -0,0 +1,20 @@ +{{- define "gitlab.checkConfig.nginx.controller.extraArgs" -}} +{{- if (index $.Values "nginx-ingress").enabled -}} +{{- if hasKey (index $.Values "nginx-ingress").controller.extraArgs "force-namespace-isolation" -}} +nginx-ingress: + `nginx-ingress.controller.extraArgs.force-namespace-isolation` was previously set by default in the GitLab chart's values.yaml file, + but has since been deprecated upon the upgrade to NGINX 0.41.2 (upstream chart version 3.11.1). + Please remove the `force-namespace-isolation` key. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END "gitlab.checkConfig.nginx.controller" */}} + +{{- define "gitlab.checkConfig.nginx.clusterrole.scope" -}} +{{- if (index $.Values "nginx-ingress").rbac.scope -}} +nginx-ingress: + 'rbac.scope' should be false. Namespaced IngressClasses do not exist. + See https://github.com/kubernetes/ingress-nginx/issues/7519 +{{- end -}} +{{- end -}} +{{/* END "gitlab.checkConfig.nginx.clusterrole" */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_object_storage.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_object_storage.tpl new file mode 100644 index 0000000..2aa75d6 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_object_storage.tpl @@ -0,0 +1,52 @@ +{{/* +Ensure consolidate and type-specific object store configuration are not mixed. +*/}} +{{- define "gitlab.checkConfig.objectStorage.consolidatedConfig" -}} +{{- if $.Values.global.appConfig.object_store.enabled -}} +{{- $problematicTypes := list -}} +{{- range $objectTypes := list "artifacts" "lfs" "uploads" "packages" "externalDiffs" "terraformState" "dependencyProxy" -}} +{{- if hasKey $.Values.global.appConfig . -}} +{{- $objectProps := index $.Values.global.appConfig . -}} +{{- if (and (index $objectProps "enabled") (or (not (empty (index $objectProps "connection"))) (empty (index $objectProps "bucket")))) -}} +{{- $problematicTypes = append $problematicTypes . -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if not (empty $problematicTypes) -}} +When consolidated object storage is enabled, for each item `bucket` must be specified and the `connection` must be empty. Check the following object storage configuration(s): {{ join "," $problematicTypes }} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.objectStorage.consolidatedConfig */}} + +{{- define "gitlab.checkConfig.objectStorage.typeSpecificConfig" -}} +{{- if and (not $.Values.global.minio.enabled) (not $.Values.global.appConfig.object_store.enabled) -}} +{{- $problematicTypes := list -}} +{{- range $objectTypes := list "artifacts" "lfs" "uploads" "packages" "externalDiffs" "terraformState" "dependencyProxy" -}} +{{- if hasKey $.Values.global.appConfig . -}} +{{- $objectProps := index $.Values.global.appConfig . -}} +{{- if and (index $objectProps "enabled") (empty (index $objectProps "connection")) -}} +{{- $problematicTypes = append $problematicTypes . -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if not (empty $problematicTypes) -}} +When type-specific object storage is enabled the `connection` property can not be empty. Check the following object storage configuration(s): {{ join "," $problematicTypes }} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.objectStorage.typeSpecificConfig */}} + +{{- define "gitlab.checkConfig.objectStorage.ciSecureFiles" -}} +{{- if and (not $.Values.global.minio.enabled) ($.Values.global.appConfig.ciSecureFiles.enabled) -}} +{{- $objectProps := index $.Values.global.appConfig "ciSecureFiles" -}} +{{- if or (empty (index $objectProps "connection")) (empty (index $objectProps "bucket")) -}} +ciSecureFiles: + A valid object storage configuration must be set for ciSecureFiles, the + `bucket` and `connection` properties can not be empty. + Consolidated object storage configurations is not supported at this time + for ciSecureFiles. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.objectStorage.ciSecureFiles */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_omniauth.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_omniauth.tpl new file mode 100644 index 0000000..2e88e93 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_omniauth.tpl @@ -0,0 +1,17 @@ +{{/* +Ensure the provided global.appConfig.omniauth.provider value is in expected format */}} +{{- define "gitlab.checkConfig.omniauth.providerFormat" -}} +{{- range $index, $provider := .Values.global.appConfig.omniauth.providers }} +{{- $badKeys := omit $provider "secret" "key" "name" "label" "icon" }} +{{- $secretAndOther := and (hasKey $provider "secret") (omit $provider "secret" "key") }} +{{- $nameAndOther := and (hasKey $provider "name") (omit $provider "name" "label" "icon") }} +{{- if or $badKeys $secretAndOther $nameAndOther }} +omniauth.providers: each provider should only contain either: + a) 'secret', and optionally 'key', or + b) 'name', and optionally 'icon', and `label` + A current value of global.appConfig.omniauth.providers[{{ $index }}] must be updated. + Please see https://docs.gitlab.com/charts/charts/globals.html#providers +{{- end }} +{{- end }} +{{- end }} +{{/* END gitlab.checkConfig.omniauth.providerFormat */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_postgresql.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_postgresql.tpl new file mode 100644 index 0000000..c85ad70 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_postgresql.tpl @@ -0,0 +1,75 @@ +{{/* +Ensure that `postgresql.image.tag` meets current requirements +*/}} +{{- define "gitlab.checkConfig.postgresql.deprecatedVersion" -}} +{{- $pgVersion := semver (.Values.postgresql.image.tag | toString) -}} +{{- if lt $pgVersion.Major 13 -}} + PostgreSQL 12 and earlier are not supported in GitLab 16. The minimum required version is PostgreSQL 13. +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.postgresql.deprecatedVersion */}} + + +{{/* +Ensure that if `psql.password.useSecret` is set to false, a path to the password file is provided +*/}} +{{- define "gitlab.checkConfig.postgresql.noPasswordFile" -}} +{{- $errorMsg := list -}} +{{- $subcharts := pick .Values.gitlab "geo-logcursor" "gitlab-exporter" "migrations" "sidekiq" "toolbox" "webservice" -}} +{{- range $name, $sub := $subcharts -}} +{{- $useSecret := include "gitlab.boolean.local" (dict "local" (pluck "useSecret" (index $sub "psql" "password") | first) "global" $.Values.global.psql.password.useSecret "default" true) -}} +{{- if and (not $useSecret) (not (pluck "file" (index $sub "psql" "password") ($.Values.global.psql.password) | first)) -}} +{{- $errorMsg = append $errorMsg (printf "%s: If `psql.password.useSecret` is set to false, you must specify a value for `psql.password.file`." $name) -}} +{{- end -}} +{{- if and (not $useSecret) ($.Values.postgresql.install) -}} +{{- $errorMsg = append $errorMsg (printf "%s: PostgreSQL can not be deployed with this chart when using `psql.password.useSecret` is false." $name) -}} +{{- end -}} +{{- end -}} +{{- if not (empty $errorMsg) }} +postgresql: +{{- range $msg := $errorMsg }} + {{ $msg }} +{{- end }} + This configuration is not supported. +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.postgresql.noPasswordFile */}} + +{{/* +Ensure that `postgresql.install: false` when `global.psql.load_balancing` defined +*/}} +{{- define "gitlab.checkConfig.database.externalLoadBalancing" -}} +{{- if hasKey .Values.global.psql "load_balancing" -}} +{{- with .Values.global.psql.load_balancing -}} +{{- if and $.Values.postgresql.install (kindIs "map" .) }} +postgresql: + It appears PostgreSQL is set to install, but database load balancing is also enabled. This configuration is not supported. + See https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings +{{- end -}} +{{- if not (kindIs "map" .) }} +postgresql: + It appears database load balancing is desired, but the current configuration is not supported. + See https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings +{{- end -}} +{{- if and (not (hasKey . "discover") ) (not (hasKey . "hosts") ) }} +postgresql: + It appears database load balancing is desired, but the current configuration is not supported. + You must specify `load_balancing.hosts` or `load_balancing.discover`. + See https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings +{{- end -}} +{{- if and (hasKey . "hosts") (not (kindIs "slice" .hosts) ) }} +postgresql: + Database load balancing using `hosts` is configured, but does not appear to be a list. + See https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings + Current format: {{ kindOf .hosts }} +{{- end -}} +{{- if and (hasKey . "discover") (not (kindIs "map" .discover)) }} +postgresql: + Database load balancing using `discover` is configured, but does not appear to be a map. + See https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings + Current format: {{ kindOf .discover }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.database.externalLoadBalancing */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_registry.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_registry.tpl new file mode 100644 index 0000000..f10525d --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_registry.tpl @@ -0,0 +1,124 @@ +{{/* +Ensure that registry's sentry has a DSN configured if enabled +*/}} +{{- define "gitlab.checkConfig.registry.sentry.dsn" -}} +{{- if $.Values.registry.reporting.sentry.enabled }} +{{- if not $.Values.registry.reporting.sentry.dsn }} +registry: + When enabling sentry, you must configure at least one DSN. + See https://docs.gitlab.com/charts/charts/registry#reporting +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.registry.sentry.dsn */}} + +{{/* +Ensure Registry notifications settings are in global scope +*/}} +{{- define "gitlab.checkConfig.registry.notifications" }} +{{- if hasKey $.Values.registry "notifications" }} +Registry: Notifications should be defined in the global scope. Use `global.registry.notifications` setting instead of `registry.notifications`. +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.registry.notifications */}} + +{{/* +Ensure Registry database is configured properly and dependencies are met +*/}} +{{- define "gitlab.checkConfig.registry.database" -}} +{{- if $.Values.registry.database.enabled }} +{{- $validSSLModes := list "require" "disable" "allow" "prefer" "require" "verify-ca" "verify-full" -}} +{{- if not (has $.Values.registry.database.sslmode $validSSLModes) }} +registry: + Invalid SSL mode "{{ .Values.registry.database.sslmode }}". + Valid values are: {{ join ", " $validSSLModes }}. + See https://docs.gitlab.com/charts/charts/registry#database +{{- end -}} +{{- $pgVersion := semver (.Values.postgresql.image.tag | toString) -}} +{{- if lt $pgVersion.Major 13 -}} +registry: + Invalid PostgreSQL version "{{ .Values.postgresql.image.tag }}". + PostgreSQL 13 is the minimum required version for the registry database. + See https://docs.gitlab.com/charts/charts/registry#database +{{- end -}} +{{- if and ($.Values.registry.database.discovery.enabled) }} +{{- if or (not (kindIs "string" $.Values.registry.database.discovery.nameserver)) (empty $.Values.registry.database.discovery.nameserver) }} +registry: + Enabling database discovery requires a nameserver to be provided. + See https://docs.gitlab.com/charts/charts/registry#database. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.registry.database */}} + +{{/* +Ensure Registry Redis cache is configured properly and dependencies are met +*/}} +{{- define "gitlab.checkConfig.registry.redis.cache" -}} +{{- if and $.Values.registry.redis.cache.enabled (not $.Values.registry.database.enabled) }} +registry: + Enabling the Redis cache requires the metadata database to be enabled. + See https://docs.gitlab.com/charts/charts/registry#redis-cache +{{- end -}} +{{- if and $.Values.registry.database.enabled $.Values.registry.redis.cache.enabled }} +{{- if and (kindIs "string" $.Values.registry.redis.cache.host) (empty $.Values.registry.redis.cache.host) }} +registry: + Enabling the Redis cache requires the host to not be empty. + See https://docs.gitlab.com/charts/charts/registry#redis-cache +{{- end -}} +{{- end -}} +{{- if and $.Values.registry.database.enabled $.Values.registry.redis.cache.enabled $.Values.registry.redis.cache.sentinels}} +{{- if not $.Values.registry.redis.cache.host }} +registry: + Enabling the Redis cache with sentinels requires the registry.redis.cache.host to be set. + See https://docs.gitlab.com/charts/charts/registry#redis-cache +{{- end -}} +{{- end -}} +{{- if and $.Values.registry.redis.cache.enabled $.Values.registry.redis.cache.password.enabled }} +{{- if and (kindIs "string" $.Values.registry.redis.cache.password.secret) (empty $.Values.registry.redis.cache.password.secret) }} +registry: + Enabling the Redis cache password requires 'registry.redis.cache.password.secret' to be set. + See https://docs.gitlab.com/charts/charts/registry#redis-cache +{{- end -}} +{{- if and (kindIs "string" $.Values.registry.redis.cache.password.key) (empty $.Values.registry.redis.cache.password.key) }} +registry: + Enabling the Redis cache password requires 'registry.redis.cache.password.key' to be set. + See https://docs.gitlab.com/charts/charts/registry#redis-cache +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.registry.redis.cache */}} + +{{/* +Ensure Registry TLS has a secret when enabled +*/}} +{{- define "gitlab.checkConfig.registry.tls" -}} +{{- if $.Values.registry.tls.enabled }} +{{- if not (eq (default "http" $.Values.global.hosts.registry.protocol) "https") }} +registry: + Enabling the service level TLS requires 'global.hosts.registry.protocol' + be set to 'https'. + See https://docs.gitlab.com/charts/charts/registry/#configuring-tls +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.registry.tls */}} + +{{/* +Ensure a debug TLS secretName is provided if enabling debug TLS for the Registry +*/}} +{{- define "gitlab.checkConfig.registry.debug.tls" -}} +{{- if $.Values.registry.debug.tls.enabled }} +{{- if not $.Values.registry.debug.tls.secretName}} +{{- if not (and $.Values.registry.tls.enabled $.Values.registry.tls.secretName)}} +registry: + When Registry debug TLS is enabled a `registry.debug.tls.secretName` + secret is required when not enabling TLS for the non-debug Registry endpoint. + You must provide a secret containing a TLS certificate and key pair. + See https://docs.gitlab.com/charts/charts/registry/index.html#configuring-tls-for-the-debug-port +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* gitlab.checkConfig.registry.tls */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_sidekiq.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_sidekiq.tpl new file mode 100644 index 0000000..a46a87e --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_sidekiq.tpl @@ -0,0 +1,89 @@ +{{/* Check configuration of Sidekiq - don't supply queues and negateQueues */}} +{{- define "gitlab.checkConfig.sidekiq.queues.mixed" -}} +{{- if .Values.gitlab.sidekiq.pods -}} +{{- range $pod := .Values.gitlab.sidekiq.pods -}} +{{- if and (hasKey $pod "queues") (hasKey $pod "negateQueues") }} +sidekiq: mixed queues + It appears you've supplied both `queues` and `negateQueues` for the pod definition of `{{ $pod.name }}`. `negateQueues` is not usable if `queues` is provided. Please use only one. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.sidekiq.queues.mixed */}} + +{{/* Check configuration of Sidekiq - queues must be a string */}} +{{- define "gitlab.checkConfig.sidekiq.queues" -}} +{{- if .Values.gitlab.sidekiq.pods -}} +{{- range $pod := .Values.gitlab.sidekiq.pods -}} +{{- if and (hasKey $pod "queues") (ne (kindOf $pod.queues) "string") }} +sidekiq: + The `queues` in pod definition `{{ $pod.name }}` is not a string. +{{- else if and (hasKey $pod "negateQueues") (ne (kindOf $pod.negateQueues) "string") }} +sidekiq: + The `negateQueues` in pod definition `{{ $pod.name }}` is not a string. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.sidekiq.queues */}} + +{{/* +Ensure that Sidekiq timeout is less than terminationGracePeriodSeconds +*/}} +{{- define "gitlab.checkConfig.sidekiq.timeout" -}} +{{- range $i, $pod := $.Values.gitlab.sidekiq.pods -}} +{{- $activeTimeout := int (default $.Values.gitlab.sidekiq.timeout $pod.timeout) }} +{{- $activeTerminationGracePeriodSeconds := int (default $.Values.gitlab.sidekiq.deployment.terminationGracePeriodSeconds $pod.terminationGracePeriodSeconds) }} +{{- if gt $activeTimeout $activeTerminationGracePeriodSeconds }} +sidekiq: + You must set `terminationGracePeriodSeconds` ({{ $activeTerminationGracePeriodSeconds }}) longer than `timeout` ({{ $activeTimeout }}) for pod `{{ $pod.name }}`. +{{- end }} +{{- end }} +{{- end -}} +{{/* END gitlab.checkConfig.sidekiq.timeout */}} + +{{/* +Ensure that Sidekiq routingRules configuration is in a valid format +*/}} +{{- define "gitlab.checkConfig.sidekiq.routingRules" -}} +{{- $validRoutingRules := true -}} +{{- with $.Values.global.appConfig.sidekiq.routingRules }} +{{- if not (kindIs "slice" .) }} +{{- $validRoutingRules = false }} +{{- else -}} +{{- range $rule := . }} +{{- if (not (kindIs "slice" $rule)) }} +{{- $validRoutingRules = false }} +{{- else if (ne (len $rule) 2) }} +{{- $validRoutingRules = false }} +{{/* The first item (routing query) must be a string */}} +{{- else if not (kindIs "string" (index $rule 0)) }} +{{- $validRoutingRules = false }} +{{/* The second item (queue name) must be either a string or null */}} +{{- else if not (or (kindIs "invalid" (index $rule 1)) (kindIs "string" (index $rule 1))) -}} +{{- $validRoutingRules = false }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if eq false $validRoutingRules }} +sidekiq: + The Sidekiq's routing rules list must be an ordered array of tuples of query and corresponding queue. + See https://docs.gitlab.com/charts/charts/globals.html#sidekiq-routing-rules-settings +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.sidekiq.routingRules */}} + +{{/* +Ensure that metrics and health check servers bind different ports +*/}} +{{- define "gitlab.checkConfig.sidekiq.server_ports" -}} +{{- $metricsEnabled := .Values.gitlab.sidekiq.metrics.enabled -}} +{{- $portsMatch := eq (.Values.gitlab.sidekiq.metrics.port | int) (.Values.gitlab.sidekiq.health_checks.port | int) -}} +{{- if and $metricsEnabled $portsMatch }} +sidekiq: + metrics.port and health_checks.port must not be equal. + See https://docs.gitlab.com/charts/charts/gitlab/sidekiq/index.html#configuration +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.sidekiq.server_ports */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_toolbox.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_toolbox.tpl new file mode 100644 index 0000000..e8969bb --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_toolbox.tpl @@ -0,0 +1,28 @@ +{{/* +Ensure that a valid object storage config secret is provided. +*/}} +{{- define "gitlab.toolbox.backups.objectStorage.config.secret" -}} +{{- if .Values.gitlab.toolbox.enabled -}} +{{- if or .Values.gitlab.toolbox.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) (eq .Values.gitlab.toolbox.backups.objectStorage.backend "gcs") }} +{{- if not .Values.gitlab.toolbox.backups.objectStorage.config.secret -}} +toolbox: + A valid object storage config secret is needed for backups. + Please configure it via `gitlab.toolbox.backups.objectStorage.config.secret`. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.toolbox.backups.objectStorage.config.secret */}} + +{{/* +Ensure that gitlab/toolbox is not configured with `replicas` > 1 if +persistence is enabled. +*/}} +{{- define "gitlab.toolbox.replicas" -}} +{{- $replicas := index $.Values.gitlab "toolbox" "replicas" | int -}} +{{- if and (gt $replicas 1) (index $.Values.gitlab "toolbox" "persistence" "enabled") -}} +toolbox: replicas is greater than 1, with persistence enabled. + It appear that `gitlab/toolbox` has been configured with more than 1 replica, but also with a PersistentVolumeClaim. This is not supported. Please either reduce the replicas to 1, or disable persistence. +{{- end -}} +{{- end -}} +{{/* END gitlab.toolbox.replicas */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_webservice.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_webservice.tpl new file mode 100644 index 0000000..3cf2805 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_webservice.tpl @@ -0,0 +1,50 @@ +{{/* +Ensure the provided global.appConfig.maxRequestDurationSeconds value is smaller than +webservice's worker timeout */}} +{{- define "gitlab.checkConfig.appConfig.maxRequestDurationSeconds" -}} +{{- $maxDuration := $.Values.global.appConfig.maxRequestDurationSeconds }} +{{- if $maxDuration }} +{{- $workerTimeout := $.Values.global.webservice.workerTimeout }} +{{- if not (lt $maxDuration $workerTimeout) }} +gitlab: maxRequestDurationSeconds should be smaller than Webservice's worker timeout + The current value of global.appConfig.maxRequestDurationSeconds ({{ $maxDuration }}) is greater than or equal to global.webservice.workerTimeout ({{ $workerTimeout }}) while it should be a lesser value. +{{- end }} +{{- end }} +{{- end }} +{{/* END gitlab.checkConfig.appConfig.maxRequestDurationSeconds */}} + +{{/* +Ensure terminationGracePeriodSeconds is longer than blackoutSeconds +*/}} +{{- define "gitlab.checkConfig.webservice.gracePeriod" -}} +{{- $terminationGracePeriodSeconds := default 30 .Values.gitlab.webservice.deployment.terminationGracePeriodSeconds | int -}} +{{- $blackoutSeconds := .Values.gitlab.webservice.shutdown.blackoutSeconds | int -}} +{{- if lt $terminationGracePeriodSeconds $blackoutSeconds }} +You must set terminationGracePeriodSeconds ({{ $terminationGracePeriodSeconds }}) longer than blackoutSeconds ({{ $blackoutSeconds }}) +{{ end -}} +{{- end -}} +{{/* END gitlab.checkConfig.webservice.gracePeriod */}} + +{{/* +Ensure that when type is set to LoadBalancer that loadBalancerSourceRanges are set +*/}} +{{- define "gitlab.checkConfig.webservice.loadBalancer" -}} +{{- if .Values.gitlab.webservice.enabled -}} +{{- $serviceType := .Values.gitlab.webservice.service.type -}} +{{- $numDeployments := len .Values.gitlab.webservice.deployments -}} +{{- if (and (eq $serviceType "LoadBalancer") (gt $numDeployments 1)) }} +webservice: + It is not currently recommended to set a service type of `LoadBalancer` with multiple deployments defined. + Instead, use a global `service.type` of `ClusterIP` and override `service.type` in each deployment. +{{- end -}} +{{- range $name, $deployment := .Values.gitlab.webservice.deployments -}} +{{- $serviceType := $deployment.service.type -}} +{{- $loadBalancerSourceRanges := $deployment.service.loadBalancerSourceRanges -}} +{{- if (and (eq $serviceType "LoadBalancer") (empty ($loadBalancerSourceRanges))) }} +webservice: + It is not currently recommended to set a service type of `{{ $serviceType }}` on a public exposed network without restrictions, please add `service.loadBalancerSourceRanges` to limit access to the service of the `{{ $name }}` deployment. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.webservice.loadBalancer */}} diff --git a/kubernetes/Charts/gitlab/templates/_checkConfig_workhorse.tpl b/kubernetes/Charts/gitlab/templates/_checkConfig_workhorse.tpl new file mode 100644 index 0000000..5df50b5 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_checkConfig_workhorse.tpl @@ -0,0 +1,13 @@ +{{/* +Ensure workhorse monitoring exporter's TLS config is valid +*/}} +{{- define "gitlab.checkConfig.workhorse.exporter.tls.enabled" -}} +{{- $workhorseTlsEnabled := $.Values.global.workhorse.tls.enabled -}} +{{- $monitoringTlsOverride := pluck "enabled" $.Values.gitlab.webservice.workhorse.monitoring.exporter.tls (dict "enabled" false) | first -}} +{{- if and (eq $monitoringTlsOverride true) (not $workhorseTlsEnabled) }} +webservice.workhorse: + The monitoring exporter TLS depends on the main workhorse listener using TLS. + Use `global.workhorse.tls.enabled` to enable TLS for the main listener or `gitlab.webservice.workhorse.monitoring.exporter.tls.enabled` + to disable TLS for the monitoring exporter. +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_clickhouse.tpl b/kubernetes/Charts/gitlab/templates/_clickhouse.tpl new file mode 100644 index 0000000..8fb583b --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_clickhouse.tpl @@ -0,0 +1,7 @@ +{{- define "gitlab.clickhouse.main.password.secret" -}} +{{- .Values.global.clickhouse.main.password.secret | quote -}} +{{- end -}} + +{{- define "gitlab.clickhouse.main.password.key" -}} +{{- coalesce .Values.global.clickhouse.main.key "password" | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_deprecations.tpl b/kubernetes/Charts/gitlab/templates/_deprecations.tpl new file mode 100644 index 0000000..75e1ad1 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_deprecations.tpl @@ -0,0 +1,489 @@ +{{/* +Template for handling deprecation messages + +The messages templated here will be combined into a single `fail` call. This creates a means for the user to receive all messages at one time, in place a frustrating iterative approach. + +- `define` a new template, prefixed `gitlab.deprecate.` +- Check for deprecated values / patterns, and directly output messages (see message format below) +- Add a line to `gitlab.deprecations` to include the new template. + +Message format: + +**NOTE**: The `if` statement preceding the block should _not_ trim the following newline (`}}` not `-}}`), to ensure formatting during output. + +``` +chart: + MESSAGE +``` +*/}} +{{/* +Compile all deprecations into a single message, and call fail. + +Due to gotpl scoping, we can't make use of `range`, so we have to add action lines. +*/}} +{{- define "gitlab.deprecations" -}} +{{- $deprecated := list -}} +{{/* add templates here */}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.rails.appConfig" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.minio" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.registryStorage" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.registryHttpSecret" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.registry.replicas" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.registry.updateStrategy" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.webservice.omniauth" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.webservice.ldap" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.webservice.webServer.unicorn" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.appConfig.ldap.password" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.sidekiq.cronJobs" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.sidekiq.updateStrategy" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.sidekiq.pods.updateStrategy" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.sidekiq.cluster" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.sidekiq.pods.cluster" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.local.kubectl" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.gitlab.gitaly.enabled" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.initContainerImage" .) -}} +{{- $deprecated = append $deprecated (include "external.deprecate.initContainerImage" .) -}} +{{- $deprecated = append $deprecated (include "external.deprecate.initContainerPullPolicy" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.redis-ha.enabled" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.redis.enabled" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.gitlab.webservice.service.configuration" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.gitlab.gitaly.serviceName" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.psql.pool" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.appConfig.extra.piwik" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.geo.registry.syncEnabled" .) -}} +{{- $deprecated = append $deprecated (include "certmanager.createCustomResource" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.imagePullPolicy" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.task-runner" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.gitaly-gitconfig-volume" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.hpa.legacyCpuTarget" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.hpa.behaviorMispell" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.grafana" .) -}} + +{{- /* we're ready to deprecate top-level registry entries for workhorse and sidekiq, but not enforcing yet */ -}} +{{- /* $deprecated = append $deprecated (include "gitlab.deprecate.registry.topLevel" .) */ -}} + +{{- /* prepare output */}} +{{- $deprecated = without $deprecated "" -}} +{{- $message := join "\n" $deprecated -}} + +{{- /* print output */}} +{{- if $message -}} +{{- printf "\nDEPRECATIONS:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Migration of rails shared lfs/artifacts/uploads blocks to globals */}} +{{- define "gitlab.deprecate.rails.appConfig" -}} +{{- range $chart := list "webservice" "sidekiq" "toolbox" -}} +{{- if index $.Values.gitlab $chart -}} +{{- range $i, $block := list "lfs" "artifacts" "uploads" -}} +{{- if hasKey (index $.Values.gitlab $chart) $block }} +{{- with $config := index $.Values.gitlab $chart $block -}} +{{- range $item := list "enabled" "bucket" "proxy_download" -}} +{{- if hasKey $config $item }} +gitlab.{{ $chart }}: + `{{ $block }}.{{ $item }}` has been moved to global. Please remove `{{ $block }}.{{ $item }}` from your properties, and set `global.appConfig.{{ $block }}.{{ $item }}` +{{- end -}} +{{- end -}} +{{- if .connection -}} +{{- if without (keys .connection) "secret" "key" | len | ne 0 }} +gitlab.{{ $chart }}: + The `{{ $block }}.connection` declarations have been moved into a secret. Please create a secret with these contents, and set `global.appConfig.{{ $block }}.connection.secret` +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Deprecation behaviors for global configuration of Minio */}} +{{- define "gitlab.deprecate.minio" -}} +{{- if ( hasKey .Values.minio "enabled" ) }} +minio: + Chart-local `enabled` property has been moved to global. Please remove `minio.enabled` from your properties, and set `global.minio.enabled` instead. +{{- end -}} +{{- if .Values.registry.minio -}} +{{- if ( hasKey .Values.registry.minio "enabled" ) }} +registry: + Chart-local configuration of Minio features has been moved to global. Please remove `registry.minio.enabled` from your properties, and set `global.minio.enabled` instead. +{{- end -}} +{{- end -}} +{{- if .Values.gitlab.webservice.minio -}} +{{- if ( hasKey .Values.gitlab.webservice.minio "enabled" ) }} +gitlab.webservice: + Chart-local configuration of Minio features has been moved to global. Please remove `gitlab.webservice.minio.enabled` from your properties, and set `global.minio.enabled` instead. +{{- end -}} +{{- end -}} +{{- if .Values.gitlab.sidekiq.minio -}} +{{- if ( hasKey .Values.gitlab.sidekiq.minio "enabled" ) }} +gitlab.sidekiq: + Chart-local configuration of Minio features has been moved to global. Please remove `gitlab.sidekiq.minio.enabled` from your properties, and set `global.minio.enabled` instead. +{{- end -}} +{{- end -}} +{{- if index .Values.gitlab "toolbox" "minio" -}} +{{- if ( hasKey ( index .Values.gitlab "toolbox" "minio" ) "enabled" ) }} +gitlab.toolbox: + Chart-local configuration of Minio features has been moved to global. Please remove `gitlab.toolbox.minio.enabled` from your properties, and set `global.minio.enabled` instead. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END deprecate.minio */}} + +{{/* Migration of Registry `storage` dict to a secret */}} +{{- define "gitlab.deprecate.registryStorage" -}} +{{- if .Values.registry.storage -}} +{{- $keys := without (keys .Values.registry.storage) "secret" "key" "extraKey" "redirect" -}} +{{- if len $keys | ne 0 }} +registry: + The `storage` property has been moved into a secret. Please create a secret with these contents, and set `storage.secret`. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Migration of Registry `httpSecret` property to secret */}} +{{- define "gitlab.deprecate.registryHttpSecret" -}} +{{- if .Values.registry.httpSecret -}} +registry: + The `httpSecret` property has been moved into a secret. Please create a secret with these contents, and set `global.registry.httpSecret.secret` and `global.registry.httpSecret.key`. +{{- end -}} +{{- end -}} + +{{/* Migration of Registry `minReplicas` and `maxReplicas` to `hpa.*` */}} +{{- define "gitlab.deprecate.registry.replicas" -}} +{{- if or (hasKey .Values.registry "minReplicas") (hasKey .Values.registry "maxReplicas") -}} +registry: + The `minReplicas` property has been moved under the hpa object. Please create a configuration with the new path: `registry.hpa.minReplicas`. + The `maxReplicas` property has been moved under the hpa object. Please create a configuration with the new path: `registry.hpa.maxReplicas`. +{{- end -}} +{{- end -}} +{{/* END deprecate.registry.replicas */}} + +{{/* Deprecation behaviors for configuration of Omniauth */}} +{{- define "gitlab.deprecate.webservice.omniauth" -}} +{{- if hasKey .Values.gitlab.webservice "omniauth" -}} +webservice: + Chart-local configuration of Omniauth has been moved to global. Please remove `webservice.omniauth.*` settings from your properties, and set `global.appConfig.omniauth.*` instead. +{{- end -}} +{{- end -}} +{{/* END deprecate.webservice.omniauth */}} + +{{/* Deprecation behaviors for configuration of LDAP */}} +{{- define "gitlab.deprecate.webservice.ldap" -}} +{{- if hasKey .Values.gitlab.webservice "ldap" -}} +webservice: + Chart-local configuration of LDAP has been moved to global. Please remove `webservice.ldap.*` settings from your properties, and set `global.appConfig.ldap.*` instead. +{{- end -}} +{{- end -}} +{{/* END deprecate.webservice.ldap */}} + +{{- define "gitlab.deprecate.global.appConfig.ldap.password" -}} +{{- if .Values.global.appConfig.ldap.servers -}} +{{- $hasPlaintextPassword := dict -}} +{{- range $name, $config := .Values.global.appConfig.ldap.servers -}} +{{- if and (hasKey $config "password") (kindIs "string" $config.password) -}} +{{- $_ := set $hasPlaintextPassword "true" "true" -}} +{{- end -}} +{{- end -}} +{{- if hasKey $hasPlaintextPassword "true" -}} +global.appConfig.ldap: + Plain-text configuration of LDAP passwords has been deprecated in favor of secret configuration. Please create a secret containing the password, and set `password.secret` and `password.key`. +{{- end -}} +{{- end -}} +{{- end -}}{{/* "gitlab.deprecate.global.appConfig.ldap.password" */}} + +{{/* Deprecation behaviors for configuration of cron jobs */}} +{{- define "gitlab.deprecate.sidekiq.cronJobs" -}} +{{- if hasKey .Values.gitlab.sidekiq "cron_jobs" -}} +sidekiq: + Chart-local configuration of cron jobs has been moved to global. Please remove `sidekiq.cron_jobs.*` settings from your properties, and set `global.appConfig.cron_jobs.*` instead. +{{- end -}} +{{- end -}} +{{/* END deprecate.sidekiq.cronJobs */}} + +{{/* Deprecation behaviors for configuration of local kubectl images */}} +{{- define "gitlab.deprecate.local.kubectl" -}} +{{- range $chart := list "certmanager-issuer" "shared-secrets" -}} +{{- if hasKey (index $.Values $chart) "image" -}} +{{ $chart }}: + Chart-local configuration of kubectl image has been moved to global. Please remove `{{ $chart }}.image.*` settings from your properties, and set `global.kubectl.image.*` instead. +{{- if and (eq $chart "shared-secrets") (hasKey (index $.Values $chart "image") "pullSecrets") }} + If you need to set `pullSecrets` of the self-sign image, please use `shared-secrets.selfsign.image.pullSecrets` instead. +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.local.kubectl */}} + +{{/* Deprecation behaviors for configuration of Gitaly */}} +{{- define "gitlab.deprecate.gitlab.gitaly.enabled" -}} +{{- if hasKey .Values.gitlab.gitaly "enabled" -}} +gitlab: + Chart-local configuration of Gitaly features has been moved to global. Please remove `gitlab.gitaly.enabled` from your properties, and set `global.gitaly.enabled` instead. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.gitaly.enabled */}} + +{{/* Deprecation behavious for configuration of initContainer images of gitlab sub-charts */}} +{{- define "gitlab.deprecate.initContainerImage" -}} +{{- range $chart:= list "geo-logcursor" "gitaly" "gitlab-exporter" "gitlab-shell" "mailroom" "migrations" "sidekiq" "toolbox" "webservice" }} +{{- if hasKey (index $.Values.gitlab $chart) "init" -}} +{{- with $config := index $.Values.gitlab $chart "init" -}} +{{- if or (and (hasKey $config "image") (kindIs "string" $config.image)) (hasKey $config "tag") }} +gitlab.{{ $chart }}: + Configuring image for initContainers using gitlab.{{ $chart }}.init.image and gitlab.{{ $chart }}.init.tag has been deprecated. Please use gitlab.{{ $chart }}.init.image.repository and gitlab.{{ $chart }}.init.image.tag for that. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.initContainerImage */}} + +{{/* Deprecation behavious for configuration of initContainer images of external charts */}} +{{- define "external.deprecate.initContainerImage" -}} +{{- range $chart:= list "minio" "registry" "redis" "redis-ha" }} +{{- if hasKey (index $.Values $chart) "init" -}} +{{- with $config := index $.Values $chart "init" -}} +{{- if or (and (hasKey $config "image") (kindIs "string" $config.image)) (hasKey $config "tag") }} +{{ $chart }}: + Configuring image for initContainers using {{ $chart }}.init.image and {{ $chart }}.init.tag has been deprecated. Please use {{ $chart }}.init.image.repository and {{ $chart }}.init.image.tag for that. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END external.deprecate.initContainerImage */}} + +{{/* Deprecation behavious for configuration of initContainer image pull policy of external charts */}} +{{- define "external.deprecate.initContainerPullPolicy" -}} +{{- range $chart:= list "minio" "registry" }} +{{- if hasKey (index $.Values $chart) "init" -}} +{{- with $config := index $.Values $chart "init" -}} +{{- if hasKey $config "pullPolicy" }} +{{ $chart }}: + Configuring pullPolicy for initContainer images using {{ $chart }}.init.pullPolicy has been deprecated. Please use {{ $chart }}.init.image.pullPolicy for that. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END external.deprecate.initContainerPullPolicy*/}} + +{{/* Deprecation behaviors for redis-ha.enabled */}} +{{- define "gitlab.deprecate.redis-ha.enabled" -}} +{{- if hasKey (index .Values "redis-ha") "enabled" -}} +redis-ha: + The `redis-ha.enabled` has been deprecated. Redis HA is now implemented by the Redis chart. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.redis-ha.enabled */}} + +{{/* Deprecation behaviors for redis.enabled */}} +{{- define "gitlab.deprecate.redis.enabled" -}} +{{- if hasKey .Values.redis "enabled" -}} +redis: + The `redis.enabled` has been deprecated. Please use `redis.install` to install the Redis service. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.redis.enabled */}} + +{{- define "gitlab.deprecate.gitlab.webservice.service.configuration" -}} +{{- range $chart := list "gitaly" "gitlab-shell" -}} +{{- if index $.Values.gitlab $chart -}} +{{- if hasKey (index $.Values.gitlab $chart) "webservice" }} +gitlab.{{ $chart }}: + webservice: + The configuration of 'gitlab.{{ $chart }}.webservice' has been moved to 'gitlab.{{ $chart }}.workhorse' to better reflect the underlying architecture. Please relocate this property. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.gitlab.webservice.service.configuration */}} + +{{- define "gitlab.deprecate.gitlab.gitaly.serviceName" -}} +{{- if hasKey $.Values.gitlab.gitaly "serviceName" -}} +gitlab.gitaly.serviceName: + The configuration of 'gitlab.gitaly.serviceName' has been moved to 'global.gitaly.serviceName' to fix an issue with consistent templating. Please relocate this property. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.gitlab.gitaly.serviceName */}} + +{{- define "gitlab.deprecate.global.psql.pool" -}} +{{- if hasKey $.Values.global "psql" -}} +{{- if hasKey $.Values.global.psql "pool" }} +global.psql.pool: + Manually configuring the database connection pool has been removed. The application now manages the connection pool size. +{{- end -}} +{{- end -}} + +{{- range $chart := list "webservice" "sidekiq" "toolbox" -}} +{{- if index $.Values.gitlab $chart -}} +{{- if hasKey (index $.Values.gitlab $chart) "psql" -}} +{{- with $localConfig := index $.Values.gitlab $chart "psql" -}} +{{- if hasKey $localConfig "pool" }} +gitlab.{{ $chart }}.psql.pool: + Manually configuring the database connection pool has been removed. The application now manages the connection pool size. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.global.psql.pool */}} + +{{- define "gitlab.deprecate.global.appConfig.extra.piwik" -}} +{{- if .Values.global.appConfig.extra.piwikSiteId }} +global.appConfig.extra.piwikSiteId: + Piwik config keys have been renamed to reflect the rebranding to Matomo. Please rename `piwikSiteId` to `matomoSiteId`. +{{- end -}} +{{- if .Values.global.appConfig.extra.piwikUrl }} +global.appConfig.extra.piwikUrl: + Piwik config keys have been renamed to reflect the rebranding to Matomo. Please rename `piwikUrl` to `matomoUrl` +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.global.appConfig.extra.piwik */}} + +{{/* Migration from `updateStrategy` to `deployment.strategy` for Deployment Kubernetes type */}} +{{- define "gitlab.deprecate.registry.updateStrategy" -}} +{{- if .Values.registry.updateStrategy }} +registry: + The configuration of `registry.updateStrategy` has moved. Please use +`registry.deployment.strategy` instead. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.registry.updateStrategy */}} + +{{- define "gitlab.deprecate.sidekiq.updateStrategy" -}} +{{- if hasKey .Values.gitlab.sidekiq "updateStrategy" -}} +sidekiq: + The configuration of 'gitlab.sidekiq.updateStrategy' has moved. Please use 'gitlab.sidekiq.deployment.strategy' instead. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.sidekiq.updateStrategy */}} + +{{- define "gitlab.deprecate.sidekiq.pods.updateStrategy" -}} +{{- range $index, $pod := .Values.gitlab.sidekiq.pods -}} +{{- if hasKey $pod "updateStrategy" }} +sidekiq.pods[{{ $index }}] ({{ $pod.name }}): + The configuration of 'gitlab.sidekiq.pods[{{ $index }}].updateStrategy' has moved. Please use 'gitlab.sidekiq.pods[{{ $index }}].deployment.strategy' instead. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.sidekiq.pods.updateStrategy */}} + +{{- define "gitlab.deprecate.global.geo.registry.syncEnabled" -}} +{{- if and (eq true .Values.global.geo.enabled) (hasKey .Values.global.geo.registry "syncEnabled") -}} +geo: + The configuration of `global.geo.registry.syncEnabled` has moved. Please use `global.geo.registry.replication.enabled` instead. +{{- end -}} +{{- end -}} + +{{- define "gitlab.deprecate.webservice.webServer.unicorn" -}} +{{/* WARN: Unicorn is deprecated and is removed in 14.0 */}} +{{- if eq .Values.gitlab.webservice.webServer "unicorn" -}} +webservice: + Starting with GitLab 14.0, Unicorn is no longer supported and users must switch to Puma by either setting `gitlab.webservice.webServer` value to `puma` or removing the setting reverting it to default (`puma`). Check https://docs.gitlab.com/ee/administration/operations/puma.html for details. +{{- end }} +{{- end }} + +{{- define "gitlab.deprecate.sidekiq.cluster" -}} +{{- if hasKey .Values.gitlab.sidekiq "cluster" -}} +sidekiq: + The configuration of 'gitlab.sidekiq.cluster' should be removed. Sidekiq is now always in cluster mode. +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.sidekiq.cluster */}} + +{{- define "gitlab.deprecate.sidekiq.pods.cluster" -}} +{{- range $index, $pod := .Values.gitlab.sidekiq.pods -}} +{{- if hasKey $pod "cluster" }} +sidekiq.pods[{{ $index }}] ({{ $pod.name }}): + The configuration of 'gitlab.sidekiq.pods[{{ $index }}].cluster' should be removed. Sidekiq is now always in cluster mode. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.sidekiq.pods.cluster */}} + +{{- define "certmanager.createCustomResource" -}} +{{- if hasKey .Values.certmanager "createCustomResource" -}} +certmanager: + The configuration of 'certmanager.createCustomResource' has been renamed. Please use `certmanager.installCRDs` instead. +{{- end -}} +{{- end -}} +{{/* END certmanager.createCustomResource */}} + +{{/* Deprecation behaviors for configuration of global imagePullPolicy */}} +{{- define "gitlab.deprecate.global.imagePullPolicy" -}} +{{- if .Values.global.imagePullPolicy }} +global.imagePullPolicy: + The configuration of `global.imagePullPolicy` has moved. Please use `global.image.pullPolicy` instead. +{{- end -}} + +{{- end -}} + +{{/* Deprecation behaviors for task-runner rename to toolbox */}} +{{- define "gitlab.deprecate.task-runner" -}} +{{- if index .Values.gitlab "task-runner" }} +gitlab.task-runner: + The configuration of `gitlab.task-runner` has been renamed. Please use `gitlab.toolbox` instead. + If you have enabled persistence for `task-runner` and/or its CronJob for backups, you may need to manually bind the new `toolbox` PVC to the previous `task-runner` PV. +{{- end -}} +{{- end -}} + +{{- define "gitlab.deprecate.gitaly-gitconfig-volume" -}} +{{- if hasKey .Values.gitlab.gitaly "extraVolumes" -}} +{{- if regexMatch "- *name:[^\n]*git-?config" .Values.gitlab.gitaly.extraVolumes -}} +gitaly: + Git commands spawned by Gitaly have stopped reading `gitconfig` files. Please stop mounting `gitconfig` volumes and use the `git.config` value to inject Git configuration. +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.deprecate.hpa.legacyCpuTarget" -}} +{{- range $chart := list "gitlab-pages" "gitlab-shell" "kas" "sidekiq" "spamcheck" "webservice" -}} +{{- if and (hasKey $.Values.gitlab $chart) (hasKey (index $.Values.gitlab $chart) "hpa") -}} +{{- if hasKey (index $.Values.gitlab $chart).hpa "targetAverageValue" }} +gitlab.{{ $chart }}: + The configuration of `gitlab.{{ $chart }}.hpa.targetAverageValue` has moved. Please use `gitlab.{{ $chart }}.hpa.cpu.targetAverageValue` instead. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitlab.deprecate.hpa.behaviorMispell" -}} +{{- if and (hasKey $.Values.registry "hpa") (hasKey $.Values.registry.hpa "behaviour") }} +registry: + The configuration of `registry.hpa.behaviour` has moved. Please use `registry.hpa.behavior` instead. +{{- end -}} +{{- range $chart := list "gitlab-pages" "gitlab-shell" "kas" "mailroom" "sidekiq" "spamcheck" "webservice" -}} +{{- if and (hasKey $.Values.gitlab $chart) (hasKey (index $.Values.gitlab $chart) "hpa") -}} +{{- if hasKey (index $.Values.gitlab $chart).hpa "behaviour" }} +gitlab.{{ $chart }}: + The configuration of `gitlab.{{ $chart }}.hpa.behaviour` has moved. Please use `gitlab.{{ $chart }}.hpa.behavior` instead. +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Deprecation behaviors for Grafana*/}} +{{- define "gitlab.deprecate.global.grafana" -}} +{{- if kindIs "map" (index .Values.global "grafana") }} +{{- if and ( hasKey .Values.global.grafana "enabled" ) (eq true .Values.global.grafana.enabled)}} +grafana: + The bundled Grafana chart has been removed, and thus `global.grafana.enabled` does not have any effect. It is recommended that you switch to the newer chart version from Grafana Labs available at https://artifacthub.io/packages/helm/grafana/grafana or a Grafana Operator from a trusted provider. You can find instructions to integrate Grafana with GitLab at https://docs.gitlab.com/ee/administration/monitoring/performance/grafana_configuration.html. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.global.grafana */}} + +{{- define "gitlab.deprecate.registry.topLevel" -}} +{{- if hasKey $.Values.gitlab.webservice "registry" }} +registry: + The configuration of `gitlab.webservice.registry` has moved. Please use `global.registry` instead +{{- end -}} +{{- if hasKey $.Values.gitlab.sidekiq "registry" }} +registry: + The configuration of `gitlab.sidekiq.registry` has moved. Please use `global.registry` instead +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_geo.tpl b/kubernetes/Charts/gitlab/templates/_geo.tpl new file mode 100644 index 0000000..33ef6d2 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_geo.tpl @@ -0,0 +1,64 @@ +{{/* ######## Templates related to Geo functionality */}} + +{{/* +Return the Geo DB hostname +*/}} +{{- define "gitlab.geo.psql.host" -}} +{{- if .Values.global.geo.psql.host -}} +{{- .Values.global.geo.psql.host | quote -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name "geo-postgresql" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Geo database name +*/}} +{{- define "gitlab.geo.psql.database" -}} +{{- coalesce .Values.global.geo.psql.database "gitlabhq_geo_production" | quote -}} +{{- end -}} + +{{/* +Return the Geo database username +If the postgresql username is provided, it will use that, otherwise it will fallback +to "gitlab_replicator" default +*/}} +{{- define "gitlab.geo.psql.username" -}} +{{- coalesce .Values.global.geo.psql.username "gitlab_geo" -}} +{{- end -}} + +{{/* +Return the Geo database port +If the postgresql port is provided, it will use that, otherwise it will fallback +to 5432 default +*/}} +{{- define "gitlab.geo.psql.port" -}} +{{- coalesce .Values.global.geo.psql.port 5432 -}} +{{- end -}} + +{{/* +Return the Geo database secret name +Defaults to a release-based name and falls back to .Values.global.geo.psql.secretName + when using an external postegresql +*/}} +{{- define "gitlab.geo.psql.password.secret" -}} +{{- default (printf "%s-%s" .Release.Name "geo-postgresql-password") .Values.global.geo.psql.password.secret | quote -}} +{{- end -}} + +{{/* NOTE: SKIPPED `postgresql.secretName` */}} + +{{/* +Return the name of the key in a secret that contains the postgres password +Uses `postgresql-password` to match upstream postgresql chart when not using an + external postegresql +*/}} +{{- define "gitlab.geo.psql.password.key" -}} +{{- default "postgresql-password" .Values.global.geo.psql.password.key | quote -}} +{{- end -}} + +{{/* +Calculates the IngressClass name of Ingresses accepting traffic from other Geo sites. +*/}} +{{- define "gitlab.geo.ingress.class.name" -}} +{{- .Values.global.geo.ingressClass | default (printf "%s-nginx-geo" .Release.Name) -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_gitaly.tpl b/kubernetes/Charts/gitlab/templates/_gitaly.tpl new file mode 100644 index 0000000..9e294a5 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_gitaly.tpl @@ -0,0 +1,82 @@ +{{/* ######### Gitaly related templates */}} + +{{/* +Return the gitaly secret name +Preference is local, global, default (`gitaly-secret`) +*/}} +{{- define "gitlab.gitaly.authToken.secret" -}} +{{- coalesce .Values.global.gitaly.authToken.secret (printf "%s-gitaly-secret" .Release.Name) | quote -}} +{{- end -}} + +{{/* +Return the gitaly secret key +Preference is local, global, default (`token`) +*/}} +{{- define "gitlab.gitaly.authToken.key" -}} +{{- coalesce .Values.global.gitaly.authToken.key "token" | quote -}} +{{- end -}} + +{{/* +Return the gitaly TLS secret name +*/}} +{{- define "gitlab.gitaly.tls.secret" -}} +{{- default (printf "%s-gitaly-tls" .Release.Name) .Values.global.gitaly.tls.secretName | quote -}} +{{- end -}} + +{{/* +Return the gitaly internal port + +NOTE: When called from another subchart, e.g. Praefect, it ignores the empty chart-local value. +*/}} +{{- define "gitlab.gitaly.internalPort" -}} +{{- $internalPort := 0 -}} +{{- if hasKey .Values "gitaly" -}} +{{- $internalPort = .Values.gitaly.service.internalPort -}} +{{- end -}} +{{- coalesce $internalPort .Values.global.gitaly.service.internalPort -}} +{{- end -}} + +{{/* +Return the gitaly TLS internal port + +NOTE: When called from another subchart, e.g. Praefect, it ignores the empty chart-local value. +*/}} +{{- define "gitlab.gitaly.tls.internalPort" -}} +{{- $internalPort := 0 -}} +{{- if hasKey .Values "gitaly" -}} +{{- $internalPort = .Values.gitaly.service.tls.internalPort -}} +{{- end -}} +{{- coalesce $internalPort .Values.global.gitaly.service.tls.internalPort -}} +{{- end -}} + +{{/* +Return the gitaly service name + +Order of operations: +- chart-local gitaly service name override +- global gitaly service name override +- derived from chart name + +NOTE: When called from another subchart, e.g. Praefect, it ignores chart-local values if empty. +*/}} +{{- define "gitlab.gitaly.serviceName" -}} +{{- $serviceName := "" -}} +{{- if hasKey .Values "gitaly" -}} +{{- $serviceName = .Values.gitaly.serviceName -}} +{{- end -}} +{{- coalesce $serviceName .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} +{{- end -}} + +{{/* +Return a qualified gitaly service name, for direct access to the gitaly headless service endpoint of a pod. + +Call: + +``` +{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i) -}} +``` +*/}} +{{- define "gitlab.gitaly.qualifiedServiceName" -}} +{{- $name := include "gitlab.gitaly.serviceName" .context -}} +{{ include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" ) }}-{{ .index }}.{{ $name }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_gitlab_exporter.tpl b/kubernetes/Charts/gitlab/templates/_gitlab_exporter.tpl new file mode 100644 index 0000000..073ff5a --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_gitlab_exporter.tpl @@ -0,0 +1,6 @@ +{{/* +Return the GitLab Exporter TLS secret name +*/}} +{{- define "gitlab.gitlab-exporter.tls.secret" -}} +{{- default (printf "%s-gitlab-exporter-tls" .Release.Name) .Values.tls.secretName | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_helpers.tpl b/kubernetes/Charts/gitlab/templates/_helpers.tpl new file mode 100644 index 0000000..345fd28 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_helpers.tpl @@ -0,0 +1,548 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Run "fullname" as if it was in another chart. This is an imperfect emulation, but close. + +This is especially useful when you reference "fullname" services/pods which may or may not be easy to reconstruct. + +Call: + +``` +{{- include "gitlab.other.fullname" ( dict "context" . "chartName" "name-of-other-chart" ) -}} +``` +*/}} +{{- define "gitlab.other.fullname" -}} +{{- $Chart := dict "Name" .chartName -}} +{{- $Release := .context.Release -}} +{{- $localNameOverride := (pluck "nameOverride" (pluck .chartName .context.Values | first) | first) -}} +{{- $globalNameOverride := (pluck "nameOverride" (pluck .chartName .context.Values.global | first) | first) -}} +{{- $nameOverride := coalesce $localNameOverride $globalNameOverride -}} +{{- $Values := dict "nameOverride" $nameOverride "global" .context.Values.global -}} +{{- include "fullname" (dict "Chart" $Chart "Release" $Release "Values" $Values) -}} +{{- end -}} + +{{/* ######### Hostname templates */}} + +{{/* +Returns the hostname. +If the hostname is set in `global.hosts.gitlab.name`, that will be returned, +otherwise the hostname will be assembled using `gitlab` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "gitlab.gitlab.hostname" -}} +{{- coalesce .Values.global.hosts.gitlab.name (include "gitlab.assembleHost" (dict "name" "gitlab" "context" . )) -}} +{{- end -}} + +{{/* +Returns the GitLab Url, ex: `http://gitlab.example.com` +If `global.hosts.https` or `global.hosts.gitlab.https` is true, it uses https, otherwise http. +Calls into the `gitlab.gitlabHost` function for the hostname part of the url. +*/}} +{{- define "gitlab.gitlab.url" -}} +{{- if or .Values.global.hosts.https .Values.global.hosts.gitlab.https -}} +{{- printf "https://%s" (include "gitlab.gitlab.hostname" .) -}} +{{- else -}} +{{- printf "http://%s" (include "gitlab.gitlab.hostname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the minio hostname. +If the hostname is set in `global.hosts.minio.name`, that will be returned, +otherwise the hostname will be assembled using `minio` as the prefix, and the `gitlab.assembleHost` function. +*/}} +{{- define "gitlab.minio.hostname" -}} +{{- coalesce .Values.global.hosts.minio.name (include "gitlab.assembleHost" (dict "name" "minio" "context" . )) -}} +{{- end -}} + +{{/* +Returns the minio url. +*/}} + +{{- define "gitlab.minio.url" -}} +{{- if or .Values.global.hosts.https .Values.global.hosts.minio.https -}} +{{- printf "https://%s" (include "gitlab.minio.hostname" .) -}} +{{- else -}} +{{- printf "http://%s" (include "gitlab.minio.hostname" .) -}} +{{- end -}} +{{- end -}} + +{{/* ######### Utility templates */}} + +{{/* + A helper function for assembling a hostname using the base domain specified in `global.hosts.domain` + Takes a `Map/Dictonary` as an argument. Where key `name` is the domain to build, and `context` should be a + reference to the chart's $ object. + eg: `template "assembleHost" (dict "name" "minio" "context" .)` + + The hostname will be the combined name with the domain. eg: If domain is `example.com`, it will produce `minio.example.com` + Additionally if `global.hosts.hostSuffix` is set, it will append a hyphen, then the suffix to the name: + eg: If hostSuffix is `beta` it will produce `minio-beta.example.com` +*/}} +{{- define "gitlab.assembleHost" -}} +{{- $name := .name -}} +{{- $context := .context -}} +{{- $result := dict -}} +{{- if $context.Values.global.hosts.domain -}} +{{- $_ := set $result "domainHost" (printf ".%s" $context.Values.global.hosts.domain) -}} +{{- if $context.Values.global.hosts.hostSuffix -}} +{{- $_ := set $result "domainHost" (printf "-%s%s" $context.Values.global.hosts.hostSuffix $result.domainHost) -}} +{{- end -}} +{{- $_ := set $result "domainHost" (printf "%s%s" $name $result.domainHost) -}} +{{- end -}} +{{- $result.domainHost -}} +{{- end -}} + +{{/* ######### cert-manager templates */}} + +{{- define "gitlab.certmanager_annotations" -}} +{{- if (pluck "configureCertmanager" .Values.ingress .Values.global.ingress (dict "configureCertmanager" false) | first) -}} +cert-manager.io/issuer: "{{ .Release.Name }}-issuer" +acme.cert-manager.io/http01-edit-in-place: "true" +{{- end -}} +{{- end -}} + +{{/* ######### postgresql templates */}} + +{{/* +Return the db hostname +If an external postgresl host is provided, it will use that, otherwise it will fallback +to the service name. Failing a specified service name it will fall back to the default service name. + +This overrides the upstream postegresql chart so that we can deterministically +use the name of the service the upstream chart creates +*/}} +{{- define "gitlab.psql.host" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- coalesce (pluck "host" $local .Values.global.psql | first) (printf "%s.%s.svc" (include "postgresql.primary.fullname" .) $.Release.Namespace) -}} +{{- end -}} + +{{/* +Return the configmap for initializing the PostgreSQL database. This is used to enable the +necessary postgres extensions for Gitlab to work +This overrides the upstream postegresql chart so that we can deterministically +use the name of the initdb scripts ConfigMap the upstream chart creates +*/}} +{{- define "gitlab.psql.initdbscripts" -}} +{{- printf "%s-%s-%s" .Release.Name "postgresql" "init-db" -}} +{{- end -}} + +{{/* +Overrides the full name of PostegreSQL in the upstream chart. +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- coalesce (pluck "serviceName" $local .Values.global.psql | first) (printf "%s-%s" $.Release.Name "postgresql") -}} +{{- end -}} + +{{/* +Overrides the username of PostegreSQL in the upstream chart. + +Alias of gitlab.psql.username +*/}} +{{- define "postgresql.username" -}} +{{- template "gitlab.psql.username" . -}} +{{- end -}} + +{{/* +Overrides the database name of PostegreSQL in the upstream chart. + +Alias of gitlab.psql.database +*/}} +{{- define "postgresql.database" -}} +{{- template "gitlab.psql.database" . -}} +{{- end -}} + + +{{/* +Return the db database name +*/}} +{{- define "gitlab.psql.database" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- coalesce (pluck "database" $local .Values.global.psql | first) "gitlabhq_production" -}} +{{- end -}} + +{{/* +Return the db username +If the postgresql username is provided, it will use that, otherwise it will fallback +to "gitlab" default +*/}} +{{- define "gitlab.psql.username" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- coalesce (pluck "username" $local .Values.global.psql | first) "gitlab" -}} +{{- end -}} + +{{/* +Return the db port +If the postgresql port is provided in subchart values or global values, it will use that, otherwise it will fallback +to 5432 default +*/}} +{{- define "gitlab.psql.port" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- default 5432 (pluck "port" $local $.Values.global.psql | first ) | int -}} +{{- end -}} + +{{/* +Return the secret name +Defaults to a release-based name and falls back to .Values.global.psql.secretName + when using an external PostgreSQL +*/}} +{{- define "gitlab.psql.password.secret" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- $localPass := pluck "password" $local | first -}} +{{- default (printf "%s-%s" .Release.Name "postgresql-password") (pluck "secret" $localPass $.Values.global.psql.password | first ) | quote -}} +{{- end -}} + +{{/* +Return the name of the key in a secret that contains the postgres password +Uses `postgresql-password` to match upstream postgresql chart when not using an + external postegresql +*/}} +{{- define "gitlab.psql.password.key" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- $localPass := pluck "password" $local | first -}} +{{- default "postgresql-password" (pluck "key" $localPass $.Values.global.psql.password | first ) | quote -}} +{{- end -}} + +{{/* +Return the application name that should be presented to PostgreSQL. +A blank string tells the client NOT to send an application name. +A nil value will use the process name by default. +See https://github.com/Masterminds/sprig/issues/53 for how we distinguish these. +Defaults to nil. +*/}} +{{- define "gitlab.psql.applicationName" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- $appname := pluck "applicationName" $local .Values.global.psql | first -}} +{{- if not ( kindIs "invalid" $appname ) -}} +{{- $appname | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Return if prepared statements should be used by PostgreSQL. +Defaults to false +*/}} +{{- define "gitlab.psql.preparedStatements" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- eq true (default false (pluck "preparedStatements" $local .Values.global.psql | first)) -}} +{{- end -}} + +{{/* +Return if database tasks should be used by GitLab Rails for a given configuration. +Defaults to true +*/}} +{{- define "gitlab.psql.databaseTasks" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{- $databaseTasks := pluck "databaseTasks" $local .Values.global.psql | first -}} +{{- if not ( kindIs "invalid" $databaseTasks ) -}} +{{- eq true $databaseTasks -}} +{{- else -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return connect_timeout value +Defaults to nil +*/}} +{{- define "gitlab.psql.connectTimeout" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{ pluck "connectTimeout" $local .Values.global.psql | first -}} +{{- end -}} + +{{/* +Return keepalives value +Defaults to nil +*/}} +{{- define "gitlab.psql.keepalives" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{ pluck "keepalives" $local .Values.global.psql | first -}} +{{- end -}} + +{{/* +Return keepalives_idle value +Defaults to nil +*/}} +{{- define "gitlab.psql.keepalivesIdle" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{ pluck "keepalivesIdle" $local .Values.global.psql | first -}} +{{- end -}} + +{{/* +Return keepalives_interval value +Defaults to nil +*/}} +{{- define "gitlab.psql.keepalivesInterval" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{ pluck "keepalivesInterval" $local .Values.global.psql | first -}} +{{- end -}} + +{{/* +Return keepalives_count value +Defaults to nil +*/}} +{{- define "gitlab.psql.keepalivesCount" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{ pluck "keepalivesCount" $local .Values.global.psql | first -}} +{{- end -}} + +{{/* +Return tcp_user_timeout value +Defaults to nil +*/}} +{{- define "gitlab.psql.tcpUserTimeout" -}} +{{- $local := pluck "psql" $.Values | first -}} +{{ pluck "tcpUserTimeout" $local .Values.global.psql | first -}} +{{- end -}} + +{{/* ######### annotations */}} + +{{/* +Handles merging a set of service annotations +*/}} +{{- define "gitlab.serviceAnnotations" -}} +{{- $allAnnotations := merge (default (dict) (default (dict) .Values.service).annotations) .Values.global.service.annotations -}} +{{- if $allAnnotations }} +{{- toYaml $allAnnotations -}} +{{- end -}} +{{- end -}} + +{{/* +Handles merging a set of deployment annotations +*/}} +{{- define "gitlab.deploymentAnnotations" -}} +{{- $allAnnotations := merge (default (dict) (default (dict) .Values.deployment).annotations) .Values.global.deployment.annotations -}} +{{- if $allAnnotations -}} +{{- toYaml $allAnnotations -}} +{{- end -}} +{{- end -}} + +{{/* ######### labels */}} + +{{/* +Handles merging a set of non-selector labels +*/}} +{{- define "gitlab.podLabels" -}} +{{- $allLabels := merge (default (dict) .Values.podLabels) .Values.global.pod.labels -}} +{{- if $allLabels -}} +{{- range $key, $value := $allLabels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Handles merging a set of labels for services +*/}} +{{- define "gitlab.serviceLabels" -}} +{{- $allLabels := merge (default (dict) .Values.serviceLabels) .Values.global.service.labels -}} +{{- if $allLabels -}} +{{- range $key, $value := $allLabels }} +{{ $key }}: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* selfsigned cert for when other options aren't provided */}} +{{- define "gitlab.wildcard-self-signed-cert-name" -}} +{{- default (printf "%s-wildcard-tls" .Release.Name) .Values.global.ingress.tls.secretName -}} +{{- end -}} + +{{/* +Detect if `x.ingress.tls.secretName` are set +Return value if either `global.ingress.tls.secretName` or all components have `x.ingress.tls.secretName` set. +Return empty if not. + +We're explicitly checking for an actual value being present, not the existence of map. +*/}} +{{- define "gitlab.ingress.tls.configured" -}} +{{/* Pull the value, if it exists */}} +{{- $global := pluck "secretName" (default (dict) $.Values.global.ingress.tls) | first -}} +{{- $webservice := pluck "secretName" $.Values.gitlab.webservice.ingress.tls | first -}} +{{- $registry := pluck "secretName" $.Values.registry.ingress.tls | first -}} +{{- $minio := pluck "secretName" $.Values.minio.ingress.tls | first -}} +{{- $pages := pluck "secretName" ((index $.Values.gitlab "gitlab-pages").ingress).tls | first -}} +{{- $kas := pluck "secretName" $.Values.gitlab.kas.ingress.tls | first -}} +{{- $smartcard := pluck "smartcardSecretName" $.Values.gitlab.webservice.ingress.tls | first -}} +{{/* Set each item to configured value, or !enabled + This works because `false` is the same as empty, so we'll use the value when `enabled: true` + - default "" (not true) => '' + - default "" (not false) => 'true' + - default "valid" (not true) => 'valid' + - default "valid" (not false) => 'true' + Now, disabled sub-charts won't block this template from working properly. +*/}} +{{- $webservice := default $webservice (not $.Values.gitlab.webservice.enabled) -}} +{{- $registry := default $registry (not $.Values.registry.enabled) -}} +{{- $minio := default $minio (not $.Values.global.minio.enabled) -}} +{{- $pages := default $pages (not $.Values.global.pages.enabled) -}} +{{- $kas := default $kas (not $.Values.global.kas.enabled) -}} +{{- $smartcard := default $smartcard (not $.Values.global.appConfig.smartcard.enabled) -}} +{{/* Check that all enabled items have been configured */}} +{{- if or $global (and $webservice $registry $minio $pages $kas $smartcard) -}} +true +{{- end -}} +{{- end -}} + +{{/* +Detect if `.Values.ingress.tls.enabled` is set +Returns `ingress.tls.enabled` if it is a boolean, +Returns `global.ingress.tls.enabled` if it is a boolean, and `ingress.tls.enabled` is not. +Return true in any other case. +*/}} +{{- define "gitlab.ingress.tls.enabled" -}} +{{- $globalSet := and (hasKey .Values.global.ingress "tls") (and (hasKey .Values.global.ingress.tls "enabled") (kindIs "bool" .Values.global.ingress.tls.enabled)) -}} +{{- $localSet := and (hasKey .Values.ingress "tls") (and (hasKey .Values.ingress.tls "enabled") (kindIs "bool" .Values.ingress.tls.enabled)) -}} +{{- if $localSet }} +{{- .Values.ingress.tls.enabled }} +{{- else if $globalSet }} +{{- .Values.global.ingress.tls.enabled }} +{{- else }} +{{- true }} +{{- end -}} +{{- end -}} + +{{/* +Detect if `.Values.ingress.enabled` is set +Returns `ingress.enabled` if it is a boolean, +Returns `global.ingress.enabled` if it is a boolean, and `ingress.enabled` is not. +Return true in any other case. +*/}} +{{- define "gitlab.ingress.enabled" -}} +{{- $globalSet := and (hasKey .Values.global.ingress "enabled") (kindIs "bool" .Values.global.ingress.enabled) -}} +{{- $localSet := and (hasKey .Values.ingress "enabled") (kindIs "bool" .Values.ingress.enabled) -}} +{{- if $localSet }} +{{- .Values.ingress.enabled }} +{{- else if $globalSet }} +{{- .Values.global.ingress.enabled }} +{{- else }} +{{- true }} +{{- end -}} +{{- end -}} + +{{/* +Override upstream redis chart naming +*/}} +{{- define "redis.secretName" -}} +{{ template "gitlab.redis.password.secret" . }} +{{- end -}} + +{{/* +Override upstream redis secret key name +*/}} +{{- define "redis.secretPasswordKey" -}} +{{ template "gitlab.redis.password.key" . }} +{{- end -}} + +{{/* +Return the fullname template for shared-secrets job. +*/}} +{{- define "shared-secrets.fullname" -}} +{{- printf "%s-shared-secrets" .Release.Name -}} +{{- end -}} + +{{/* +Return the name template for shared-secrets job. +*/}} +{{- define "shared-secrets.name" -}} +{{- $sharedSecretValues := index .Values "shared-secrets" -}} +{{- default "shared-secrets" $sharedSecretValues.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified job name for shared-secrets. +Due to the job only being allowed to run once, we add the chart revision so helm +upgrades don't cause errors trying to create the already ran job. +Due to the helm delete not cleaning up these jobs, we add a randome value to +reduce collision +*/}} +{{- define "shared-secrets.jobname" -}} +{{- $name := include "shared-secrets.fullname" . | trunc 55 | trimSuffix "-" -}} +{{- $rand := randAlphaNum 3 | lower }} +{{- printf "%s-%d-%s" $name .Release.Revision $rand | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use for shared-secrets job +*/}} +{{- define "shared-secrets.serviceAccountName" -}} +{{- $sharedSecretValues := index .Values "shared-secrets" -}} +{{- if $sharedSecretValues.serviceAccount.create -}} + {{ default (include "shared-secrets.fullname" .) $sharedSecretValues.serviceAccount.name }} +{{- else -}} + {{ coalesce $sharedSecretValues.serviceAccount.name .Values.global.serviceAccount.name "default" }} +{{- end -}} +{{- end -}} + +{{/* +Return a emptyDir definition for Volume declarations + +Scope is the configuration of that emptyDir. +Only accepts sizeLimit and/or medium +*/}} +{{- define "gitlab.volume.emptyDir" -}} +{{- $values := pick . "sizeLimit" "medium" -}} +{{- if not $values -}} +emptyDir: {} +{{- else -}} +emptyDir: {{ toYaml $values | nindent 2 }} +{{- end -}} +{{- end -}} + +{{/* +Return init container specific securityContext template +*/}} +{{- define "gitlab.init.containerSecurityContext" }} +{{- if .Values.init.containerSecurityContext }} +securityContext: + {{- toYaml .Values.init.containerSecurityContext | nindent 2 }} +{{- end }} +{{- end }} + +{{/* +Return container specific securityContext template +*/}} +{{- define "gitlab.containerSecurityContext" }} +{{- if .Values.containerSecurityContext }} +securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 2 }} +{{- end }} +{{- end }} +Return a PodSecurityContext definition. + +Usage: + {{ include "gitlab.podSecurityContext" .Values.securityContext }} +*/}} +{{- define "gitlab.podSecurityContext" -}} +{{- $psc := . }} +{{- if $psc }} +securityContext: +{{- if not (empty $psc.runAsUser) }} + runAsUser: {{ $psc.runAsUser }} +{{- end }} +{{- if not (empty $psc.runAsGroup) }} + runAsGroup: {{ $psc.runAsGroup }} +{{- end }} +{{- if not (empty $psc.fsGroup) }} + fsGroup: {{ $psc.fsGroup }} +{{- end }} +{{- if not (empty $psc.fsGroupChangePolicy) }} + fsGroupChangePolicy: {{ $psc.fsGroupChangePolicy }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_hpa.tpl b/kubernetes/Charts/gitlab/templates/_hpa.tpl new file mode 100644 index 0000000..f9ca3d8 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_hpa.tpl @@ -0,0 +1,130 @@ +{{/* Common templates for HorizontalPodAutoscaler */}} + +{{/* +Returns the appropriate apiVersion for HoritonzalPodAutoscaler. + +It expects a dictionary with three entries: + - `global` which contains global HPA settings, e.g. .Values.global.hpa + - `local` which contains local HPA settings, e.g. .Values.sidekiq.hpa + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "gitlab.hpa.apiVersion" -}} +{{- if .local.apiVersion -}} +{{- .local.apiVersion -}} +{{- else if .global.apiVersion -}} +{{- .global.apiVersion -}} +{{- else if .context.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler" -}} +{{- print "autoscaling/v2" -}} +{{- else if .context.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler" -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Checks if the autoscaling/v2 metrics spec is supported + +It expects a dictionary with three entries: + - `global` which contains global HPA settings, e.g. .Values.global.hpa + - `local` which contains local HPA settings, e.g. .Values.sidekiq.hpa + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "gitlab.hpa.supportsV2MetricsSpec" -}} +{{- $apiVersion := include "gitlab.hpa.apiVersion" . -}} +{{- if or (eq $apiVersion "autoscaling/v2") (eq $apiVersion "autoscaling/v2beta2") -}} +true +{{- end -}} +{{- end -}} + +{{/* +Checks if the autoscaling/v2 behavior spec is supported + +It expects a dictionary with three entries: + - `global` which contains global HPA settings, e.g. .Values.global.hpa + - `local` which contains local HPA settings, e.g. .Values.sidekiq.hpa + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "gitlab.hpa.supportsV2BehaviorSpec" -}} +{{- $apiVersion := include "gitlab.hpa.apiVersion" . -}} +{{- if or (eq $apiVersion "autoscaling/v2") (and (eq $apiVersion "autoscaling/v2beta2") (semverCompare ">=1.18.0-0" .context.Capabilities.KubeVersion.Version)) -}} +true +{{- end -}} +{{- end -}} + +{{/* +Returns the HorizontalPodAutoscaler metrics spec properly formatted for the +highest supported API version of HorizontalPodAutoscaler + +It expects a dictionary with three entries: + - `global` which contains global HPA settings, e.g. .Values.global.hpa + - `local` which contains local HPA settings, e.g. .Values.sidekiq.hpa + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "gitlab.hpa.metrics" -}} +{{- $params := . -}} +metrics: +{{- if not .local.customMetrics }} + {{- with .local.cpu }} + {{- $targetType := default "Utilization" .targetType }} + - type: Resource + resource: + name: cpu + {{- if (include "gitlab.hpa.supportsV2MetricsSpec" $params) }} + target: + type: {{ $targetType }} + {{- if eq $targetType "Utilization" }} + averageUtilization: {{ default .targetAverageUtilization $params.local.targetAverageUtilization }} + {{- else }} + averageValue: {{ default .targetAverageValue $params.local.targetAverageValue }} + {{- end }} + {{- else }} + {{- if eq $targetType "Utilization" }} + targetAverageUtilization: {{ default .targetAverageUtilization $params.local.targetAverageUtilization }} + {{- else }} + targetAverageValue: {{ default .targetAverageValue $params.local.targetAverageValue }} + {{- end }} + {{- end }} + {{- end }} + {{- with .local.memory }} + {{- $targetType := default "Utilization" .targetType }} + - type: Resource + resource: + name: memory + {{- if (include "gitlab.hpa.supportsV2MetricsSpec" $params) }} + target: + type: {{ $targetType }} + {{- if eq $targetType "Utilization" }} + averageUtilization: {{ .targetAverageUtilization }} + {{- else }} + averageValue: {{ .targetAverageValue }} + {{- end }} + {{- else }} + {{- if eq $targetType "Utilization" }} + targetAverageUtilization: {{ .targetAverageUtilization }} + {{- else }} + targetAverageValue: {{ .targetAverageValue }} + {{- end }} + {{- end }} + {{- end }} +{{- else }} + {{- toYaml .local.customMetrics | nindent 4 }} +{{- end }} +{{- end -}} + +{{/* +Returns the HorizontalPodAutoscaler behavior spec if supported + +It expects a dictionary with three entries: + - `global` which contains global HPA settings, e.g. .Values.global.hpa + - `local` which contains local HPA settings, e.g. .Values.sidekiq.hpa + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "gitlab.hpa.behavior" -}} +{{- if (include "gitlab.hpa.supportsV2BehaviorSpec" .) }} +{{- with .local.behavior -}} +behavior: + {{- toYaml . | nindent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_image.tpl b/kubernetes/Charts/gitlab/templates/_image.tpl new file mode 100644 index 0000000..c972b7f --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_image.tpl @@ -0,0 +1,272 @@ +{{/* +Returns a image tag from the passed in app version or branchname +Usage: +{{ include "gitlab.parseAppVersion" ( \ + dict \ + "appVersion" .Chart.AppVersion \ + "prepend" "false" \ + ) }} +1. If the version is a semver version, we check the prepend flag. + 1. If it is true, we prepend a `v` and return `vx.y.z` image tag. + 2. If it is false, we do not prepend a `v` and just use the input version +2. Else we just use the version passed as the image tag +*/}} +{{- define "gitlab.parseAppVersion" -}} +{{- $appVersion := coalesce .appVersion "master" -}} +{{- if regexMatch "^\\d+\\.\\d+\\.\\d+(-rc\\d+)?(-pre)?$" $appVersion -}} +{{- if eq .prepend "true" -}} +{{- printf "v%s" $appVersion -}} +{{- else -}} +{{- $appVersion -}} +{{- end -}} +{{- else -}} +{{- $appVersion -}} +{{- end -}} +{{- end -}} + +{{/* + A helper template for collecting and inserting the imagePullSecrets. + + It expects a dictionary with two entries: + - `global` which contains global image settings, e.g. .Values.global.image + - `local` which contains local image settings, e.g. .Values.image +*/}} +{{- define "gitlab.image.pullSecrets" -}} +{{- $pullSecrets := default (list) .global.pullSecrets -}} +{{- if .local.pullSecrets -}} +{{- $pullSecrets = concat $pullSecrets .local.pullSecrets -}} +{{- end -}} +{{- if $pullSecrets }} +imagePullSecrets: +{{- range $index, $entry := $pullSecrets }} +- name: {{ $entry.name }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + A helper template for inserting imagePullPolicy. + + It expects a dictionary with two entries: + - `global` which contains global image settings, e.g. .Values.global.image + - `local` which contains local image settings, e.g. .Values.image +*/}} +{{- define "gitlab.image.pullPolicy" -}} +{{- $pullPolicy := coalesce .local.pullPolicy .global.pullPolicy -}} +{{- if $pullPolicy }} +imagePullPolicy: {{ $pullPolicy | quote }} +{{- end -}} +{{- end -}} + +{{/* +Allow configuring a standard suffix on all images in chart +*/}} +{{- define "gitlab.image.tagSuffix" -}} +{{- if hasKey . "Values" -}} +{{ .Values.global.image.tagSuffix }} +{{- else if hasKey . "global" -}} +{{ .global.image.tagSuffix }} +{{- else }} +"" +{{- end -}} +{{- end -}} + +{{/* +Constructs helper image value. +Format: + {{ include "gitlab.helper.image" (dict "context" . "image" "") }} +*/}} +{{- define "gitlab.helper.image" -}} +{{- $gitlabVersion := "" -}} +{{- if .context.Values.global.gitlabVersion -}} +{{- $gitlabVersion = include "gitlab.parseAppVersion" (dict "appVersion" .context.Values.global.gitlabVersion "prepend" "true") -}} +{{- end -}} +{{- $tag := coalesce .image.tag $gitlabVersion "master" -}} +{{- $tagSuffix := include "gitlab.image.tagSuffix" .context -}} +{{- printf "%s:%s%s" .image.repository $tag $tagSuffix -}} +{{- end -}} + +{{/* +Constructs kubectl image value. +*/}} +{{- define "gitlab.kubectl.image" -}} +{{- include "gitlab.helper.image" (dict "context" . "image" .Values.global.kubectl.image) -}} +{{- end -}} + +{{/* +Constructs certificates image value. +*/}} +{{- define "gitlab.certificates.image" -}} +{{- include "gitlab.helper.image" (dict "context" . "image" .Values.global.certificates.image) -}} +{{- end -}} + +{{/* +Constructs selfsign image value. +*/}} +{{- define "gitlab.selfsign.image" -}} +{{- $image := index .Values "shared-secrets" "selfsign" "image" -}} +{{- include "gitlab.helper.image" (dict "context" . "image" $image) -}} +{{- end -}} + +{{/* +DEPRECATED: Constructs busybox image name. +*/}} +{{- define "gitlab.busybox.image" -}} +{{/* + # Earlier, init.image and init.tag were used to configure initContainer + # image details. We deprecated them in favor of init.image.repository and + # init.image.tag. However, deprecation checking happens after template + # rendering is done. So, we have to handle the case of `init.image` being a + # string to avoid the process being broken at rendering stage itself. It + # doesn't matter what we print there because once rendering is done + # deprecation check will kick-in and abort the process. That value will not + # be used. + # TODO: consider tagSuffix here, since we took it out of example +*/}} +{{- if kindIs "map" .image }} +{{- $image := coalesce .image.repository .global.busybox.image.repository "registry.gitlab.com/gitlab-org/cloud-native/mirror/images/busybox" }} +{{- $tag := coalesce .image.tag .global.busybox.image.tag "latest" }} +{{- printf "%s:%s" $image $tag -}} +{{- else }} +{{- printf "DEPRECATED:DEPRECATED" -}} +{{- end -}} +{{- end -}} + +{{/* +Constructs the image value used for the configure container. + +Defaults to GitLab Base image and falls back to the deprecated busybox image, +when custom global busybox values are defined. + +It expects a dictionary with two entries: + - `root` which contains the root context + - `image` which contains overrides for the GitLab base image + +Format: + {{ include "gitlab.configure.image" (dict "root" $ "image" "") }} +*/}} +{{- define "gitlab.configure.image" -}} +{{/* Fall back to deprecated busybox */}} +{{- if hasKey .root.Values.global "busybox" }} +{{- include "gitlab.busybox.image" (dict "global" .root.Values.global "image" .image) -}} +{{- else }} +{{- $image := mergeOverwrite (deepCopy .root.Values.global.gitlabBase.image) .image }} +{{- include "gitlab.helper.image" (dict "context" .root "image" $image) -}} +{{- end }} +{{- end -}} + +{{/* +Constructs the image configuration for the `configure` container. + +Defaults to the GitLab Base values and falls back to the deprecated busybox values, +when custom global busybox values are defined. +*/}} +{{- define "gitlab.configure.config" -}} +{{- $global := .global.gitlabBase.image }} +{{/* Fall back to deprecated busybox */}} +{{- if hasKey .global "busybox" }} +{{- $global := .global.busybox.image }} +{{- end }} +{{- dict "global" $global "local" .init.image | toYaml }} +{{- end -}} + +{{/* +Return the version tag used to fetch the GitLab images +Defaults to using the information from the chart appVersion field, but can be +overridden using the global.gitlabVersion field in values. +*/}} +{{- define "gitlab.versionTag" -}} +{{- template "gitlab.parseAppVersion" (dict "appVersion" (coalesce .Values.global.gitlabVersion .Chart.AppVersion) "prepend" "true") -}} +{{- end -}} + +{{/* +Returns the image repository depending on the value of global.edition. + +Used to switch the deployment from Enterprise Edition (default) to Community +Edition. If global.edition=ce, returns the Community Edition image repository +set in the Gitlab values.yaml, otherwise returns the Enterprise Edition +image repository. +*/}} +{{- define "image.repository" -}} +{{- if eq "ce" .Values.global.edition -}} +{{ index .Values "global" "communityImages" .Chart.Name "repository" }} +{{- else -}} +{{ index .Values "global" "enterpriseImages" .Chart.Name "repository" }} +{{- end -}} +{{- end -}} + + + +{{/* +New image templates that will eventually replace those above. +See https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2859. +*/}} + +{{/* +Defines the registry for a given image. +*/}} +{{- define "gitlab.image.registry" -}} +{{- coalesce .local.registry .global.registry "none" -}} +{{- end -}} + +{{/* +Defines the repository for a given image. +*/}} +{{- define "gitlab.image.repository" -}} +{{- coalesce .local.repository .global.repository -}} +{{- end -}} + +{{/* +Return the version tag used to fetch the GitLab images +Defaults to using the information from the chart appVersion field, but can be +overridden using the global.gitlabVersion field in values. +*/}} +{{- define "gitlab.image.tag" -}} +{{- $prepend := coalesce .local.prepend "false" -}} +{{- $appVersion := include "gitlab.parseAppVersion" (dict "appVersion" .context.Chart.AppVersion "prepend" $prepend) -}} +{{- coalesce .local.tag .global.tag $appVersion }} +{{- end -}} + +{{/* +Allow configuring a standard suffix on all images in chart +*/}} +{{- define "gitlab.image.tag.suffix" -}} +{{- if hasKey . "Values" -}} +{{ .Values.global.tagSuffix }} +{{- else if hasKey . "global" -}} +{{ .global.tagSuffix }} +{{- else }} +"" +{{- end -}} +{{- end -}} + +{{/* +Return the image digest to use. +*/}} +{{- define "gitlab.image.digest" -}} +{{- if .local.digest -}} +{{- printf "@%s" .local.digest -}} +{{- end -}} +{{- end -}} + +{{/* +Creates the full image path for use in manifests. +Will replace the `-ee` edition suffix if `global.edition=ce`. +*/}} +{{- define "gitlab.image.fullPath" -}} +{{- $registry := include "gitlab.image.registry" . -}} +{{- $repository := include "gitlab.image.repository" . -}} +{{- $tag := include "gitlab.image.tag" . -}} +{{- $tagSuffix := include "gitlab.image.tag.suffix" . -}} +{{- $digest := include "gitlab.image.digest" . -}} +{{- if hasSuffix "-ee" $repository -}} +{{- if eq .context.Values.global.edition "ce" -}} +{{- $repository = print $repository | replace "-ee" "-ce" -}} +{{- end -}} +{{- end -}} +{{- if eq $registry "none" -}} +{{- printf "%s:%s%s%s" $repository $tag $tagSuffix $digest | quote -}} +{{- else -}} +{{- printf "%s/%s:%s%s%s" $registry $repository $tag $tagSuffix $digest | quote -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_ingress.tpl b/kubernetes/Charts/gitlab/templates/_ingress.tpl new file mode 100644 index 0000000..6cfcdb5 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_ingress.tpl @@ -0,0 +1,106 @@ + +{{/* ######### ingress templates */}} + +{{/* +Return the appropriate apiVersion for Ingress. + +It expects a dictionary with three entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `local` which contains local ingress settings, e.g. .Values.ingress + - `context` which is the parent context (either `.` or `$`) + +Example usage: +{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} +kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" +*/}} +{{- define "gitlab.ingress.apiVersion" -}} +{{- if .local.apiVersion -}} +{{- .local.apiVersion -}} +{{- else if .global.apiVersion -}} +{{- .global.apiVersion -}} +{{- else if .context.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}} +{{- print "networking.k8s.io/v1" -}} +{{- else if .context.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the ingress provider + +It expects a dictionary with two entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `local` which contains local ingress settings, e.g. .Values.ingress +*/}} +{{- define "gitlab.ingress.provider" -}} +{{- default .global.provider .local.provider -}} +{{- end -}} + +{{/* +Overrides the ingress-nginx template to make sure gitlab-shell name matches +*/}} +{{- define "ingress-nginx.tcp-configmap" -}} +{{ .Release.Name}}-nginx-ingress-tcp +{{- end -}} + +{{/* +Adds `ingress.class` annotation based on the API version of Ingress. + +It expects a dictionary with two entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "ingress.class.annotation" -}} +{{- if not (eq (default "" .global.class) "none" ) -}} +{{- $apiVersion := include "gitlab.ingress.apiVersion" . -}} +{{- $className := include "ingress.class.name" . -}} +{{- if not (eq $apiVersion "networking.k8s.io/v1") -}} +kubernetes.io/ingress.class: {{ $className | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Calculates the IngressClass name. + +It expects either: + - a dictionary with two entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `context` which is the parent context (either `.` or `$`) + - the parent context ($ from caller) + - This detected by access to both `.Capabilities` and `.Release` + +If the value is not set or is set to nil, then it provides a default. +Otherwise, it will use the given value (even an empty string ""). +*/}} +{{- define "ingress.class.name" -}} +{{- $here := dict }} +{{- if and (hasKey $ "Release") (hasKey $ "Capabilities") -}} +{{- $here = dict "global" $.Values.global.ingress "context" $ -}} +{{- else -}} +{{- $here = . -}} +{{- end -}} +{{- if kindIs "invalid" $here.global.class -}} +{{- printf "%s-nginx" $here.context.Release.Name -}} +{{- else -}} +{{- $here.global.class -}} +{{- end -}} +{{- end -}} + +{{/* +Sets `ingressClassName` based on the API version of Ingress. + +It expects a dictionary with two entries: + - `global` which contains global ingress settings, e.g. .Values.global.ingress + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "ingress.class.field" -}} +{{- if not (eq (default "" .global.class) "none" ) -}} +{{- $apiVersion := include "gitlab.ingress.apiVersion" . -}} +{{- if eq $apiVersion "networking.k8s.io/v1" -}} +ingressClassName: {{ include "ingress.class.name" . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_kas.tpl b/kubernetes/Charts/gitlab/templates/_kas.tpl new file mode 100644 index 0000000..35798ce --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_kas.tpl @@ -0,0 +1,37 @@ +{{/* ######### gitlab-kas related templates */}} + +{{/* +Return the gitlab-kas secret +*/}} + +{{- define "gitlab.kas.secret" -}} +{{- default (printf "%s-gitlab-kas-secret" .Release.Name) .Values.global.appConfig.gitlab_kas.secret | quote -}} +{{- end -}} + +{{- define "gitlab.kas.key" -}} +{{- default "kas_shared_secret" .Values.global.appConfig.gitlab_kas.key | quote -}} +{{- end -}} + +{{/* +Return the gitlab-kas private API secret +*/}} + +{{- define "gitlab.kas.privateApi.secret" -}} +{{- $secret := "" -}} +{{- if eq .Chart.Name "kas" -}} +{{- $secret = .Values.privateApi.secret -}} +{{- else -}} +{{- $secret = .Values.gitlab.kas.privateApi.secret -}} +{{- end -}} +{{- default (printf "%s-kas-private-api" .Release.Name) $secret | quote -}} +{{- end -}} + +{{- define "gitlab.kas.privateApi.key" -}} +{{- $key := "" -}} +{{- if eq .Chart.Name "kas" -}} +{{- $key = .Values.privateApi.key -}} +{{- else -}} +{{- $key = .Values.gitlab.kas.privateApi.key -}} +{{- end -}} +{{- default "kas_private_api_secret" $key | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_keda.tpl b/kubernetes/Charts/gitlab/templates/_keda.tpl new file mode 100644 index 0000000..0203630 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_keda.tpl @@ -0,0 +1,85 @@ +{{/* Common templates for KEDA */}} + +{{/* +Check if KEDA is enabled and any ScaledObject trigger can be set + +It expects a dictionary with two entries: + - `global` which contains global settings, e.g. .Values.global + - `hpa` which contains HPA settings, e.g. .Values.sidekiq.hpa + - `keda` which contains KEDA settings, e.g. .Values.sidekiq.keda + - `resources` (optional) which is the resource configuration for the main container +*/}} +{{- define "gitlab.keda.scaledobject.enabled" -}} +{{- $cpuTrigger := and .hpa.cpu .resources.requests.cpu -}} +{{- $memoryTrigger := and .hpa.memory .resources.requests.memory -}} +{{- if and (default .global.keda.enabled .keda.enabled) (or .keda.triggers $cpuTrigger $memoryTrigger) -}} +true +{{- end -}} +{{- end -}} + +{{/* +Returns a ScaledObject spec, defaulting to the HPA behavior configuration where applicable if set + +It expects a dictionary with four entries: + - `hpa` which contains HPA settings, e.g. .Values.sidekiq.hpa + - `keda` which contains KEDA settings, e.g. .Values.sidekiq.keda + - `minReplicas` (optional) which is the minimum replica count if not set in `hpa` + - `maxReplicas` (optional) which is the maximum replica count if not set in `hpa` + - `resources` (optional) which is the resource configuration for the main container +*/}} +{{- define "gitlab.keda.scaledobject.spec" -}} +{{- $behavior := .keda.behavior | default .hpa.behavior -}} +pollingInterval: {{ .keda.pollingInterval }} +cooldownPeriod: {{ .keda.cooldownPeriod }} +minReplicaCount: {{ coalesce .keda.minReplicaCount .hpa.minReplicas .minReplicas }} +maxReplicaCount: {{ coalesce .keda.maxReplicaCount .hpa.maxReplicas .maxReplicas }} +{{- if or .keda.restoreToOriginalReplicaCount $behavior }} +advanced: + {{- if .keda.restoreToOriginalReplicaCount }} + restoreToOriginalReplicaCount: {{ .keda.restoreToOriginalReplicaCount }} + {{- end -}} + {{- if or $behavior .keda.hpaName }} + horizontalPodAutoscalerConfig: + {{- if .keda.hpaName }} + name: {{ .keda.hpaName }} + {{- end -}} + {{- if $behavior }} + behavior: {{ toYaml $behavior | nindent 6 }} + {{- end -}} + {{- end -}} +{{- end }} +{{- if .keda.fallback }} +fallback: {{ toYaml .keda.fallback | nindent 2 }} +{{- end }} +triggers: +{{- if .keda.triggers }} + {{- toYaml .keda.triggers | nindent 2 }} +{{- else -}} + {{- if .resources.requests.cpu -}} + {{- with .hpa.cpu -}} + {{- $targetType := default "Utilization" .targetType }} + - type: cpu + metricType: {{ $targetType }} + metadata: + {{- if eq $targetType "Utilization" }} + value: {{ quote .targetAverageUtilization }} + {{- else }} + value: {{ quote .targetAverageValue }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if .resources.requests.memory -}} + {{- with .hpa.memory -}} + {{- $targetType := default "Utilization" .targetType }} + - type: memory + metricType: {{ $targetType }} + metadata: + {{- if eq $targetType "Utilization" }} + value: {{ quote .targetAverageUtilization }} + {{- else }} + value: {{ quote .targetAverageValue }} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_migrations.tpl b/kubernetes/Charts/gitlab/templates/_migrations.tpl new file mode 100644 index 0000000..94459e7 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_migrations.tpl @@ -0,0 +1,22 @@ +{{/* ######### GitLab related templates */}} + +{{/* +Return the initial root password secret name +*/}} +{{- define "gitlab.migrations.initialRootPassword.secret" -}} +{{- default (printf "%s-gitlab-initial-root-password" .Release.Name) .Values.global.initialRootPassword.secret | quote -}} +{{- end -}} + +{{/* +Return the initial root password secret key +*/}} +{{- define "gitlab.migrations.initialRootPassword.key" -}} +{{- coalesce .Values.global.initialRootPassword.key "password" | quote -}} +{{- end -}} + +{{/* +Return the initial Enterprise license secret key +*/}} +{{- define "gitlab.migrations.license.key" -}} +{{- coalesce .Values.global.gitlab.license.key "license" | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_minio.tpl b/kubernetes/Charts/gitlab/templates/_minio.tpl new file mode 100644 index 0000000..7d9dfd1 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_minio.tpl @@ -0,0 +1,8 @@ +{{/* ######### Minio related templates */}} + +{{/* +Return the minio credentials secret +*/}} +{{- define "gitlab.minio.credentials.secret" -}} +{{- default (printf "%s-minio-secret" .Release.Name) .Values.global.minio.credentials.secret | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_monitoring.tpl b/kubernetes/Charts/gitlab/templates/_monitoring.tpl new file mode 100644 index 0000000..46b77ee --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_monitoring.tpl @@ -0,0 +1,14 @@ +{{/* +Detect if Monitoring ("monitoring.coreos.com/v1") is enabled. +Returns 'true' if either it was manually enabled via `global.monitoring.enabled` +or if the API is available via Helm's Capabilities. +*/}} +{{- define "gitlab.monitoring.enabled" -}} +{{- $manuallyEnabled := .Values.global.monitoring.enabled -}} +{{- $apiAvailable := .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}} +{{- if or $manuallyEnabled $apiAvailable -}} +{{- true -}} +{{- else -}} +{{- false -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_notes.tpl b/kubernetes/Charts/gitlab/templates/_notes.tpl new file mode 100644 index 0000000..f85a55b --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_notes.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* + Returns information about all non-production ready subcharts, formatted + as YAML. +*/}} +{{- define "gitlab.nonProdCharts" }} +charts: + - name: PostgreSQL + enabled: {{ .Values.postgresql.install }} + - name: Redis + enabled: {{ .Values.redis.install }} + - name: Gitaly + enabled: {{ .Values.global.gitaly.enabled }} + - name: Praefect + enabled: {{ .Values.global.praefect.enabled }} + - name: MinIO + enabled: {{ .Values.global.minio.enabled }} +{{- end }} + +{{/* + Returns a array of all enabled non-production ready subcharts. +*/}} +{{- define "gitlab.nonProdCharts.enabledNames" }} +{{- $names := (list) }} +{{- $charts := (fromYaml (include "gitlab.nonProdCharts" .)).charts }} +{{- range $charts }} +{{- if .enabled }} +{{- $names = append $names .name }} +{{- end }} +{{- end }} +{{ toJson $names }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/templates/_oauth.tpl b/kubernetes/Charts/gitlab/templates/_oauth.tpl new file mode 100644 index 0000000..ded21dd --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_oauth.tpl @@ -0,0 +1,27 @@ +{{- define "oauth.gitlab-pages.secret" -}} +{{ default (printf "%s-oauth-gitlab-pages-secret" .Release.Name) (index $.Values.global.oauth "gitlab-pages" "secret") }} +{{- end -}} + +{{- define "oauth.gitlab-pages.appIdKey" -}} +{{ default "appid" (index $.Values.global.oauth "gitlab-pages" "appIdKey") }} +{{- end -}} + +{{- define "oauth.gitlab-pages.appSecretKey" -}} +{{ default "appsecret" (index $.Values.global.oauth "gitlab-pages" "appSecretKey") }} +{{- end -}} + +{{- define "oauth.gitlab-pages.authScope" -}} +{{ default "api" (index $.Values.global.oauth "gitlab-pages" "authScope") }} +{{- end -}} + +{{- define "oauth.gitlab-pages.authRedirectUri" -}} +{{- if (index $.Values.global.oauth "gitlab-pages" "redirectUri") -}} +{{ (index $.Values.global.oauth "gitlab-pages" "redirectUri") }} +{{- else -}} +{{- if eq "true" (include "gitlab.pages.https" $) -}} +https://projects.{{ template "gitlab.pages.hostname" . }}/auth +{{- else -}} +http://projects.{{ template "gitlab.pages.hostname" . }}/auth +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_pages.tpl b/kubernetes/Charts/gitlab/templates/_pages.tpl new file mode 100644 index 0000000..7e16eac --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_pages.tpl @@ -0,0 +1,21 @@ +{{/* ######### gitlab-pages related templates */}} + +{{/* +Return the gitlab-pages secret +*/}} + +{{- define "gitlab.pages.apiSecret.secret" -}} +{{- default (printf "%s-gitlab-pages-secret" .Release.Name) $.Values.global.pages.apiSecret.secret | quote -}} +{{- end -}} + +{{- define "gitlab.pages.apiSecret.key" -}} +{{- default "shared_secret" $.Values.global.pages.apiSecret.key | quote -}} +{{- end -}} + +{{- define "gitlab.pages.authSecret.secret" -}} +{{ default (printf "%s-gitlab-pages-auth-secret" .Release.Name) $.Values.global.pages.authSecret.secret }} +{{- end -}} + +{{- define "gitlab.pages.authSecret.key" -}} +{{ default "password" $.Values.global.pages.authSecret.key }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_pdb.tpl b/kubernetes/Charts/gitlab/templates/_pdb.tpl new file mode 100644 index 0000000..22ffcc1 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_pdb.tpl @@ -0,0 +1,22 @@ +{{/* Common templates for PodDisruptionBudget */}} + +{{/* +Returns the appropriate apiVersion for PodDisruptionBudget. + +It expects a dictionary with three entries: + - `global` which contains global PDB settings, e.g. .Values.global.pdb + - `local` which contains local PDB settings, e.g. .Values.sidekiq.pdb + - `context` which is the parent context (either `.` or `$`) +*/}} +{{- define "gitlab.pdb.apiVersion" -}} +{{- $local := default dict .local -}} +{{- if (get $local "apiVersion") -}} +{{- .local.apiVersion -}} +{{- else if .global.apiVersion -}} +{{- .global.apiVersion -}} +{{- else if .context.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_praefect.tpl b/kubernetes/Charts/gitlab/templates/_praefect.tpl new file mode 100644 index 0000000..99acdc6 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_praefect.tpl @@ -0,0 +1,118 @@ +{{/* +Return Praefect's dbSecert secret name +*/}} +{{- define "gitlab.praefect.dbSecret.secret" -}} +{{- default (printf "%s-praefect-dbsecret" .Release.Name) .Values.global.praefect.dbSecret.secret | quote -}} +{{- end -}} + +{{/* +Return Praefect's dbSecert secret key +*/}} +{{- define "gitlab.praefect.dbSecret.key" -}} +{{- default "secret" .Values.global.praefect.dbSecret.key | quote -}} +{{- end -}} + +{{/* +Return Praefect's database hostname +*/}} +{{- define "gitlab.praefect.psql.host" -}} +{{- coalesce .Values.global.praefect.psql.host (include "gitlab.psql.host" .) }} +{{- end -}} + +{{/* +Return Praefect's database port +*/}} +{{- define "gitlab.praefect.psql.port" -}} +{{- coalesce .Values.global.praefect.psql.port (include "gitlab.psql.port" .) }} +{{- end -}} + +{{/* +Return Praefect's database username +*/}} +{{- define "gitlab.praefect.psql.user" -}} +{{- default "praefect" .Values.global.praefect.psql.user }} +{{- end -}} + +{{/* +Return Praefect's database name +*/}} +{{- define "gitlab.praefect.psql.dbName" -}} +{{- default "praefect" .Values.global.praefect.psql.dbName }} +{{- end -}} + +{{/* +Return the praefect secret name +Preference is local, global, default (`praefect-secret`) +*/}} +{{- define "gitlab.praefect.authToken.secret" -}} +{{- coalesce .Values.global.praefect.authToken.secret (printf "%s-praefect-secret" .Release.Name) | quote -}} +{{- end -}} + +{{/* +Return the praefect secret key +Preference is local, global, default (`token`) +*/}} +{{- define "gitlab.praefect.authToken.key" -}} +{{- coalesce .Values.global.praefect.authToken.key "token" | quote -}} +{{- end -}} + +{{/* +Return the praefect internal port +*/}} +{{- define "gitlab.praefect.internalPort" -}} +{{- $internalPort := 0 -}} +{{- if hasKey .Values "praefect" -}} +{{- if hasKey .Values.praefect "service" -}} +{{- $internalPort = .Values.praefect.service.internalPort -}} +{{- end -}} +{{- end -}} +{{- coalesce $internalPort .Values.global.praefect.service.internalPort -}} +{{- end -}} + +{{/* +Return the praefect TLS internal port +*/}} +{{- define "gitlab.praefect.tls.internalPort" -}} +{{- $internalPort := 0 -}} +{{- if hasKey .Values "praefect" -}} +{{- if hasKey .Values.praefect "service" -}} +{{- if hasKey .Values.praefect.service "tls" -}} +{{- $internalPort = .Values.praefect.service.tls.internalPort -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- coalesce $internalPort .Values.global.praefect.service.tls.internalPort -}} +{{- end -}} + +{{/* +Return the praefect external port +*/}} +{{- define "gitlab.praefect.externalPort" -}} +{{- $externalPort := 0 -}} +{{- if hasKey .Values "praefect" -}} +{{- if hasKey .Values.praefect "service" -}} +{{- $externalPort = .Values.praefect.service.externalPort -}} +{{- end -}} +{{- end -}} +{{- coalesce $externalPort .Values.global.praefect.service.externalPort -}} +{{- end -}} + +{{/* +Return the praefect TLS external port +*/}} +{{- define "gitlab.praefect.tls.externalPort" -}} +{{- $externalPort := 0 -}} +{{- if hasKey .Values "praefect" -}} +{{- if hasKey .Values.praefect "service" -}} +{{- $externalPort = .Values.praefect.service.tls.externalPort -}} +{{- end -}} +{{- end -}} +{{- coalesce $externalPort .Values.global.praefect.service.tls.externalPort -}} +{{- end -}} + +{{/* +Return the praefect TLS secret name +*/}} +{{- define "gitlab.praefect.tls.secret" -}} +{{- default (printf "%s-praefect-tls" .Release.Name) .Values.global.praefect.tls.secretName | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_rails.tpl b/kubernetes/Charts/gitlab/templates/_rails.tpl new file mode 100644 index 0000000..56cd31d --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_rails.tpl @@ -0,0 +1,9 @@ +{{/* vim: set filetype=mustache: */}} +{{/* ######### Generic rails templates */}} + +{{/* +Return the rails secrets.yml secret +*/}} +{{- define "gitlab.rails-secrets.secret" -}} +{{- default (printf "%s-rails-secret" .Release.Name) .Values.global.railsSecrets.secret | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_redis.tpl b/kubernetes/Charts/gitlab/templates/_redis.tpl new file mode 100644 index 0000000..17405e2 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_redis.tpl @@ -0,0 +1,61 @@ +{{/* ######### Redis related templates */}} + +{{/* +Build a dict of redis configuration + +- inherit from global.redis, all but sentinels and cluster +- use values within children, if they exist, even if "empty" +*/}} +{{- define "gitlab.redis.configMerge" -}} +{{- $_ := set $ "redisConfigName" (default "" $.redisConfigName) -}} +{{- $_ := set $ "usingOverride" (default false $.usingOverride) -}} +{{- $_ := unset $ "redisMergedConfig" -}} +{{- $_ := set $ "redisMergedConfig" (dict "redisConfigName" $.redisConfigName) -}} +{{- $hasOverrideSecret := false -}} +{{- if and $.Values.global.redis.redisYmlOverride $.redisConfigName -}} +{{- $hasOverrideSecret = (kindIs "map" (dig $.redisConfigName "password" "" $.Values.global.redis.redisYmlOverride)) -}} +{{- end -}} +{{- range $want := list "host" "port" "scheme" "user" -}} +{{- $_ := set $.redisMergedConfig $want (pluck $want (index $.Values.global.redis $.redisConfigName) $.Values.global.redis | first) -}} +{{- end -}} +{{- if and $hasOverrideSecret $.usingOverride -}} +{{- $_ := set $.redisMergedConfig "password" (get (index $.Values.global.redis.redisYmlOverride $.redisConfigName) "password") -}} +{{- else if kindIs "map" (get (index $.Values.global.redis $.redisConfigName) "password") -}} +{{- $_ := set $.redisMergedConfig "password" (get (index $.Values.global.redis $.redisConfigName) "password") -}} +{{- else if (kindIs "map" (get $.Values.global.redis "password")) -}} +{{- $_ := set $.redisMergedConfig "password" (get $.Values.global.redis "password") -}} +{{- else -}} +{{- $_ := set $.redisMergedConfig "password" $.Values.global.redis.auth -}} +{{- end -}} +{{- range $key := keys $.Values.global.redis.auth -}} +{{- if not (hasKey $.redisMergedConfig.password $key) -}} +{{- $_ := set $.redisMergedConfig.password $key (index $.Values.global.redis.auth $key) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the redis password secret name +*/}} +{{- define "gitlab.redis.password.secret" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- default (printf "%s-redis-secret" .Release.Name) .redisMergedConfig.password.secret | quote -}} +{{- end -}} + +{{/* +Return the redis password secret key +*/}} +{{- define "gitlab.redis.password.key" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{- default "secret" .redisMergedConfig.password.key | quote -}} +{{- end -}} + +{{/* +Return a merged setting between global.redis.password.enabled, +global.redis.[subkey/"redisConfigName"].password.enabled, or +global.redis.auth.enabled +*/}} +{{- define "gitlab.redis.password.enabled" -}} +{{- include "gitlab.redis.configMerge" . -}} +{{ ternary "true" "" .redisMergedConfig.password.enabled }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_registry.tpl b/kubernetes/Charts/gitlab/templates/_registry.tpl new file mode 100644 index 0000000..6f56655 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_registry.tpl @@ -0,0 +1,74 @@ +{{/* ######### Registry related templates */}} + +{{/* +Return the registry certificate secret name +*/}} +{{- define "gitlab.registry.certificate.secret" -}} +{{- default (printf "%s-registry-secret" .Release.Name) .Values.global.registry.certificate.secret | quote -}} +{{- end -}} + +{{/* +Return the registry TLS secret name +*/}} +{{- define "gitlab.registry.tls.secret" -}} +{{- coalesce .Values.tls.secretName .Values.global.registry.tls.secretName (printf "%s-registry-tls" .Release.Name) | quote -}} +{{- end -}} + +{{/* +Return the registry's httpSecert secret name +*/}} +{{- define "gitlab.registry.httpSecret.secret" -}} +{{- default (printf "%s-registry-httpsecret" .Release.Name) .Values.global.registry.httpSecret.secret | quote -}} +{{- end -}} + +{{/* +Return the registry's httpSecert secret key +*/}} +{{- define "gitlab.registry.httpSecret.key" -}} +{{- default "secret" .Values.global.registry.httpSecret.key | quote -}} +{{- end -}} + +{{/* +Return the registry's notification secret name +*/}} +{{- define "gitlab.registry.notificationSecret.secret" -}} +{{- default (printf "%s-registry-notification" .Release.Name) .Values.global.registry.notificationSecret.secret | quote -}} +{{- end -}} + +{{/* +Return the registry's notification secret key +*/}} +{{- define "gitlab.registry.notificationSecret.key" -}} +{{- default "secret" .Values.global.registry.notificationSecret.key | quote -}} +{{- end -}} + +{{/* +Return the registry's notification mount +*/}} +{{- define "gitlab.registry.notificationSecret.mount" -}} +- secret: + name: {{ template "gitlab.registry.notificationSecret.secret" $ }} + items: + - key: {{ template "gitlab.registry.notificationSecret.key" $ }} + path: registry/notificationSecret +{{- end -}} + +{{/* +When Geo + Container Registry syncing enabled, adds the following notifier +*/}} +{{- define "global.geo.registry.syncNotifier" -}} +{{- if and .Values.global.geo.enabled .Values.global.geo.registry.replication.enabled -}} +endpoints: + - name: geo_event + url: https://{{ include "gitlab.gitlab.hostname" . }}/api/v4/container_registry_event/events + timeout: 2s + threshold: 5 + backoff: 1s + headers: + Authorization: + secret: {{ template "gitlab.registry.notificationSecret.secret" $ }} + key: {{ template "gitlab.registry.notificationSecret.key" $ }} +{{- else -}} +endpoints: [] +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_runcheck.tpl b/kubernetes/Charts/gitlab/templates/_runcheck.tpl new file mode 100644 index 0000000..751ae28 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_runcheck.tpl @@ -0,0 +1,85 @@ +#!/bin/sh + +set -e + +notify() { + echo "$1" + echo -n "$1 " >> /dev/termination-log +} + +greater_version() +{ + test "$(printf '%s\n' "$@" | sort -V | tail -n 1)" = "$1"; +} + +is_semver() +{ + printf '%s' "$1" | grep -Eq "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" + return "$?" +} + +# For the PostgreSQL upgrade, you either need both secrets, or no secrets. +# If there are no secrets, we will create them for you. +# If the secrets aren't in either of these states, we assume you are upgrading from an older version +# This is running ahead of version checks to ensure this always runs. This is to account for +# installations outside of the official helm repo. +secrets_dir="/etc/secrets/postgresql" +if [ -d "${secrets_dir}" ]; then + if [ ! "$(ls -A ${secrets_dir}/..data/)" = "" ]; then + if [ ! -f "${secrets_dir}/postgresql-postgres-password" ] || [ ! -f "${secrets_dir}/{{ include "gitlab.psql.password.key" . | trimAll "\"" }}" ]; then + notify "You seem to be upgrading from a previous version of GitLab using the bundled PostgreSQL chart" + notify "There are some manual steps which need to be performed in order to upgrade the database" + notify "Please see the upgrade documentation for instructions on how to proceed:" + notify "https://docs.gitlab.com/charts/installation/upgrade.html" + exit 1 + fi + fi +fi +MIN_VERSION=16.3 +CHART_MIN_VERSION=7.3 + +# Remove 'v' prefix from GitLab version if present (set in Chart.yaml appVersions) +GITLAB_VERSION=${GITLAB_VERSION#v} + +# Only run check for semver releases +if ! is_semver "$GITLAB_VERSION"; then + exit 0 +fi + +NEW_MAJOR_VERSION=$(echo $GITLAB_VERSION | awk -F "." '{print $1}') +NEW_MINOR_VERSION=$(echo $GITLAB_VERSION | awk -F "." '{print $1"."$2}') + +NEW_CHART_MAJOR_VERSION=$(echo $CHART_VERSION | awk -F "." '{print $1}') +NEW_CHART_MINOR_VERSION=$(echo $CHART_VERSION | awk -F "." '{print $1"."$2}') + +if [ ! -f /chart-info/gitlabVersion ]; then + notify "It seems you are attempting an unsupported upgrade path." + notify "Please follow the upgrade documentation at https://docs.gitlab.com/ee/update/#upgrade-paths" + exit 1 +fi + +OLD_VERSION_STRING=$(cat /chart-info/gitlabVersion) +OLD_VERSION_STRING=${OLD_VERSION_STRING#v} +OLD_CHART_VERSION_STRING=$(cat /chart-info/gitlabChartVersion) + +# Skip check if old version wasn't semver +if ! is_semver "$OLD_VERSION_STRING"; then + exit 0 +fi + +OLD_MAJOR_VERSION=$(echo $OLD_VERSION_STRING | awk -F "." '{print $1}') +OLD_MINOR_VERSION=$(echo $OLD_VERSION_STRING | awk -F "." '{print $1"."$2}') +OLD_CHART_MAJOR_VERSION=$(echo $OLD_CHART_VERSION_STRING | awk -F "." '{print $1}') +OLD_CHART_MINOR_VERSION=$(echo $OLD_CHART_VERSION_STRING | awk -F "." '{print $1"."$2}') + +# Checking Version +if ( ! greater_version "$OLD_MINOR_VERSION" "$MIN_VERSION" ) || ( ! greater_version "$OLD_CHART_MINOR_VERSION" "$CHART_MIN_VERSION" ); then + notify "It seems you are upgrading the GitLab Helm Chart from ${OLD_CHART_VERSION_STRING} (GitLab ${OLD_VERSION_STRING}) to ${CHART_VERSION} (GitLab ${GITLAB_VERSION})." + notify "It is required to upgrade to the latest ${CHART_MIN_VERSION}.x version first before proceeding." + # Link to upgrade docs if it is a major version jump + if [ "${OLD_MAJOR_VERSION}" -lt "${NEW_MAJOR_VERSION}" ] || [ "${OLD_CHART_MAJOR_VERSION}" -lt "${NEW_CHART_MAJOR_VERSION}" ]; then + notify "Please follow the upgrade documentation at https://docs.gitlab.com/charts/releases/7_0.html" + notify "and upgrade to GitLab Helm Chart version ${CHART_MIN_VERSION}.x before upgrading to ${CHART_VERSION}." + fi + exit 1 +fi diff --git a/kubernetes/Charts/gitlab/templates/_runner.tpl b/kubernetes/Charts/gitlab/templates/_runner.tpl new file mode 100644 index 0000000..1146743 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_runner.tpl @@ -0,0 +1,42 @@ +{{/* +Return the gitlab-runner registration token secret name +*/}} +{{- define "gitlab.gitlab-runner.registrationToken.secret" -}} +{{- default (printf "%s-gitlab-runner-secret" .Release.Name) .Values.global.runner.registrationToken.secret | quote -}} +{{- end -}} + +{{/* +Override the runner charts secret name containing the tokens so everything matches +*/}} +{{- define "gitlab-runner.secret" -}} +{{ include "gitlab.gitlab-runner.registrationToken.secret" . }} +{{- end -}} + +{{/* +Override the runner charts cache secret name to match minio +*/}} +{{- define "gitlab-runner.cache.secret" -}} +{{- if dig "cache" "secretName" false .Values.runners -}} +{{ .Values.runners.cache.secretName | quote }} +{{- else if .Values.global.minio.enabled -}} +{{ include "gitlab.minio.credentials.secret" . }} +{{- end -}} +{{- end -}} + +{{/* +Provide our own defaults for our cache config +*/}} +{{- define "gitlab-runner.cache-tpl.s3ServerAddress" -}} +{{ dig "cache" "s3ServerAddress" ( include "gitlab.minio.hostname" . ) .Values.runners | quote }} +{{- end -}} + +{{/* +Override gitlab external URL +*/}} +{{- define "gitlab-runner.gitlabUrl" -}} +{{- if .Values.gitlabUrl -}} +{{- .Values.gitlabUrl -}} +{{- else -}} +{{- template "gitlab.gitlab.url" . -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_shell.tpl b/kubernetes/Charts/gitlab/templates/_shell.tpl new file mode 100644 index 0000000..bd80778 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_shell.tpl @@ -0,0 +1,35 @@ +{{/* +Return the gitlab-shell authToken secret name +*/}} +{{- define "gitlab.gitlab-shell.authToken.secret" -}} +{{- default (printf "%s-gitlab-shell-secret" .Release.Name) .Values.global.shell.authToken.secret | quote -}} +{{- end -}} + +{{/* +Return the gitlab-shell authToken secret key +*/}} +{{- define "gitlab.gitlab-shell.authToken.key" -}} +{{- coalesce .Values.global.shell.authToken.key "secret" | quote -}} +{{- end -}} + +{{/* +Return the gitlab-shell host keys secret name +*/}} +{{- define "gitlab.gitlab-shell.hostKeys.secret" -}} +{{- default (printf "%s-gitlab-shell-host-keys" .Release.Name) .Values.global.shell.hostKeys.secret | quote -}} +{{- end -}} + +{{/* +Return the port to expose via Ingress/URLs + +NOTE: All templates return _strings_, use as: + {{ include "gitlab.shell.port" $ | int }} +*/}} +{{- define "gitlab.shell.port" -}} +{{- if .Values.global.shell.port -}} +{{- if eq 0 ( int .Values.global.shell.port ) -}} +{{- printf "global.shell.port: '%s' is not an integer." .Values.global.shell.port | fail -}} +{{- end -}} +{{- end -}} +{{ default 22 .Values.global.shell.port }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_suggested_reviewers.tpl b/kubernetes/Charts/gitlab/templates/_suggested_reviewers.tpl new file mode 100644 index 0000000..a2fdcc6 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_suggested_reviewers.tpl @@ -0,0 +1,13 @@ +{{/* ######### gitlab-suggested-reviewers related templates */}} + +{{/* +Return the gitlab-suggested-reviewers secret +*/}} + +{{- define "gitlab.suggested-reviewers.secret" -}} +{{- default (printf "%s-gitlab-suggested-reviewers" .Release.Name) .Values.global.appConfig.suggested_reviewers.secret | quote -}} +{{- end -}} + +{{- define "gitlab.suggested-reviewers.key" -}} +{{- default "suggested_reviewers_secret" .Values.global.appConfig.suggested_reviewers.key | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_workhorse.tpl b/kubernetes/Charts/gitlab/templates/_workhorse.tpl new file mode 100644 index 0000000..6596a8d --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_workhorse.tpl @@ -0,0 +1,13 @@ +{{/* ######### gitlab-workhorse related templates */}} + +{{/* +Return the gitlab-workhorse secret +*/}} + +{{- define "gitlab.workhorse.secret" -}} +{{- default (printf "%s-gitlab-workhorse-secret" .Release.Name) .Values.global.workhorse.secret | quote -}} +{{- end -}} + +{{- define "gitlab.workhorse.key" -}} +{{- default "shared_secret" .Values.global.workhorse.key | quote -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/_zoekt.tpl b/kubernetes/Charts/gitlab/templates/_zoekt.tpl new file mode 100644 index 0000000..053bd11 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/_zoekt.tpl @@ -0,0 +1,47 @@ +{{/* +Return the Zoekt basic auth password secret name +*/}} + +{{- define "gitlab.zoekt.gateway.basicAuth.secretName" -}} +{{- if .Values.global.zoekt.gateway.basicAuth.secretName }} + {{- printf "%s" (tpl .Values.global.zoekt.gateway.basicAuth.secretName $) -}} +{{- else -}} + {{- printf "%s-zoekt-basicauth" .Release.Name -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Zoekt internalApi password secret name +*/}} + +{{- define "gitlab.zoekt.indexer.internalApi.secretName" -}} +{{- if .Values.global.zoekt.indexer.internalApi.secretName }} + {{- printf "%s" (tpl .Values.global.zoekt.indexer.internalApi.secretName $) -}} +{{- else -}} + {{- printf (include "gitlab.gitlab-shell.authToken.secret" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Zoekt internalApi password secret key +*/}} + +{{- define "gitlab.zoekt.indexer.internalApi.secretKey" -}} +{{- if .Values.global.zoekt.indexer.internalApi.secretKey }} + {{- printf "%s" (tpl .Values.global.zoekt.indexer.internalApi.secretKey $) -}} +{{- else -}} + {{- printf (include "gitlab.gitlab-shell.authToken.key" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Zoekt internalApi gitlab URL +*/}} + +{{- define "gitlab.zoekt.indexer.internalApi.gitlabUrl" -}} +{{- if .Values.global.zoekt.indexer.internalApi.gitlabUrl }} + {{- printf "%s" (tpl .Values.global.zoekt.indexer.internalApi.gitlabUrl $) -}} +{{- else -}} + {{- template "gitlab.gitlab.url" . -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/application.yaml b/kubernetes/Charts/gitlab/templates/application.yaml new file mode 100644 index 0000000..b0d18de --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/application.yaml @@ -0,0 +1,115 @@ +{{- if .Values.global.application.create -}} +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes-engine.cloud.google.com/icon: >- + data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIIAAACCCAYAAACKAxD9AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAAsTAAALEwEAmpwYAAABWWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgIDwvcmRmOkRlc2NyaXB0aW9uPgogICA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgpMwidZAAAl4klEQVR4Ae1de5AcxXmfnpnde+n0PgFC6Hm6OyTAGPHGmMOYh95yuY4/AjYGCZn4EceO49hJJVxsJxWq4lT5hXm7DCSuQnGSMk5ixw8uDpUQB1VsY0GkEwKDXuhA0r3vdmem8/v1TK927/Y1s7On1em6qndnZ3r68fXX3+/rr7/uNYyZMEOBGQrMUGCGAjMUyKGAyPkV8w/ZZVhGX6dfRmePJ7oNL+YipnV2stswjZ5Ok43c1dIjb99luGdcg1UjJtQ6370JSWZ+BhTIR6t89+IiWFUkAivM0X9kU9uVzph5p2WJk7ZlPrjoX/Yc1c/iasB0zEfT6PCGC5e5jrxPGqK+rt779jnf3/tr/SzudsfOCM8ADijCDm9ov9xNmf8zx7aMhBDG246zx6rvv3Lxs4dHpGHgjoGvmTCRApo2/V1r5w+e9P53vm0v9aQ0TjjOWH2jvLTl+3v3VoMZFP5MrEwlv7uCl920+Mw8MMHJtDvSl3LG5tvWWi89+3Y+7unstCopYzq/q2kzOOh+hEzwdsoZPQ4aLkgk6sfGxSdV2/d0xT6AY2UExc2QBie2LZ8rpbhx0IFuKIx6VN5OeXjqGh9gQ/qg+KgGzXxMokBnT49SCKUnto261K1lEh/1gw5ue+KW3vWtdWLXLpe0nvRyBTdiZQSjq0vlNzJW995ZlnluWkoXAMB71giq7knReWzD2nMJHXE3pAIa1MyrSuSj59/cdOFqzK+uHlGMIEg/c9yVMinE6iaRuEpVuEvRNba6x8sIxi5VMc8zt9rUAsDDQU0F2uHMtq3ZjnRu4j0tAoPnM1+kSTBVNNPyVuhWCQyWNG77I18YTqNpGl5abiGxevS0nD9iCLExAke4wEg/1rV2FqTAzb5Ygx0hKwgk8lyxjbdm4CGLMMHlv/f0qIEDWN2KgUMOyBb/5hjkKO6up33mxp4eJ06pGhsjaFhwBt3rGoR5wbgn2ahT+QvDpKgD9t14eHPbwhl4yGUEwkI3xskJTBmlJ68bRjejo7MHkjnieYZtiDVvDV14hXo7Rng41VG59Yr8y/PElqSpGDnXCgZdIS09F7rDAsM1b/Ab4usUkQubRi9qWBh1jZvn2HYDhoyD5mVLBIJtuskyDeiNm9j0OOEhFkagiFKa7Cdb6yDRbhnDyEel8+QtPAvN8dJiKxuyK9ApeH22B8wWFCzAZrCVE6z8QZpq9iWNDXweJzzk6az8VSh6N5gtHN1vXw3jUesYWoO25MsbswfwumG8/3jXyjkz8OBTNZgteH1b2hdDP3gvaYTxkod+wodXabz70Po171ZvxwQPeQor2uV5H/b09flY4BlbqNkiEBayxZp+z0x70kWa80aHku9VNwMm0gnOxm8NC+lx86Zmy5zNGRZGUr6+IU0dWmulK5VUyCzqVUi4fIWFypKwoEQUNFnoB+up2aK2+ZhA5Yv0Hk3OmD0oeAhV2DRNrGEBgmCbkIISs0iQAoPJAKNsZiIR0+yhYkbQs4XDIx1XQaO9cBSaLRpSLF9LTS2hS3CqWQ0rWREq1twj0gqjxjv6gVWLULnOYXADhlER+vnwAE64/MjmNWtVg2KAhyIFlkmzABZg+thMjRaNmqjtTszI5NSSU0xnwHmP35Czd/YAw5rqA3c0+b5ZpjnfwcwKI6lYv9AcA+OcbXkpuVHRLwbjUrECJ3bgpN+okKBo4gNIq42pErCQlYHLKSYtkFn3zspLbViD1WWrGkYG+7lUkMIhPHin4KHUG6WeV8QIGhaO3NZ2BbDt4jJgQdUHUsMkPABEbn2za0nD2QoP3aADZ05ccsY8631qbaEoLOju9OEBvHDVodva23mXy//6aZTvyhhBzxaktbnZUvUoBQuqjmB5C/Nhr16YK8Rg47Xq5lk4e7ghgIXhQbez0bQWYapQChZ0H1MZd2ZbVkJIcz1vrjywrqK+jPxyDiy4gAWwJwIrWFZAareeU03XUtqvnoKW9fI0SdTZ0qKIBv16KxRtKtnqdznNAzBwIQ/LuP4i1LrduxVEl/NuvjSRGcEINNWDm9rehd5/N2EBoez8CA9qEUXK2+TOdYk4rWT5Glpr97rRfkLiO+tbZwPrbwpLP4w5Ba/A16uPbm5fAXpKGqaitjPyi7u1KEqbGwELlARlwYKuKFjfHPM8aQuz/dibQ1eq+2cRPGhYGPUS19eb1vmEStAgTH+o2cMsy2pwxs3bSL/dz66LrCeEKVj1lf64PBBFkE6baAZDIDOECUzvNmLKmXJ87dfQU9EwuZzhaaEkboHDCVuhRGqY5hAeiMj4Vj4KgIfchb4QmUVihEBDlVhO7oD71BWB70GUvASnnGiPUnjispKFaP9pSYoW+9bYjyyvRy/eDMnIekSgn4YHcd2bm9rOBzt5UeEhQuGnNFQvbW6AbdxGI0LBQhb1TWKjMMQl9HpW92OwkmXlX5OXMCIpEX7oaON1Scyc6IaGioaVqGybwBTchSGvWTjmzaqxgZeTug7xEYkRfhCIIEx2ttBNhiIqRJnZSfmew6mn6wm1xp7RPbJTTbPrzqA90vO2YgpNFii0SFey5RhEID/6AM6uKnFEx+DQjKA9ad5a37oK/X+1DwvKwbJkpQskECkMCOn6jADdI03RWSDtGX+bbSMEvoiZEuh3a3RY8EmB/KxR38p4A9cr6C4YBR5CMwK8TtU7jmevByzUoSJRYUF3qpoGga8v41RU3ZzG8KBhYfGh0athO2jDugtIWBHjw56gPL/mpsfsyPAQgRF6lGZDUUQ9j5qe6rzoHxoehImpKLOZzvDQGdDJc7ytDTSoFfbdCFKW/lLwoHISat+IERiqSr95KkWoTqTIUXsat3UsTw+JVzCK68ELlXK0akKDZVrj0nthyY9fueZU9abXFQjFiaIy/Bx8/sKXMG1cM8nJN1qTJVwABezTx+0Gt33xs/ve1mWVm104iRDAgjsqb4Odm0xQKSzoeip4wJz6iiPrW9fwZqWLKDrjmvoODGaHXui4CiY4MkEcg4hN1PAwXzrWTbyhIYjX5YRwjIAzDpgpYcFvQ8WwoOsYwAPW2F1LwUOliyg641r63n3ggKI3bIhw6VMzyMizhYntIjyQiJjJKXjQ6xgT0xX6XTY0aFg4tHXVBd5wkrDQBK6Ii6NVExotyxqR3vNLf/zK9WFFW6EG1tB91U+sz8FbOn6VlOYlkAhUsyKbhbPbRu8/C+sPrvD6mpOJ9rn//NKJMDQsWyJoB0tvPHlLs22SCeKChaA9vpUMDHYl9/6BahUtomQTqRausTtJ0frwxo51sMZeUsTTO1J1ATImvZuaTKtl0E3fyEzCwEPZjKA9aWDE3EZkK1uUlN8s8ACNS2bScDxlctZT1fKzqN2UeibkwqUv8N2IDRZOtVpISAXMQ3zjUhh4KKs/tYjhTuaxlLcXhdHlGrfj5geaSy1rVHo/xezh/ShAOXaeaugZfUVayzdu7nixwbDWwZAUGyxkqAJ4SAAe0kIeGbfTHav/df+A7rtMmgIXZUkELWK4k3m27fvdI7+ymKhAuQVu6w0c8loeG4MCIi+iFCjgtNzWi3RHN3RcDJXusnJd+kJXVm0rxGDCvpEGLG+r98tc2i+LETQsuC4MFrFNFPI2M4AHqwGuCmqNfTrAQ1fgZew5xkYcDcABFLN+lUNLtW9EYOtczt0SP0oyAkULHSwxv28BE9xYeDtWiZLKfEwqqTV2bPbgK7siLqKUWdzUJAtOQcE66xZuTgFCVEGaZpqithXiUJJbD29e3FiuY3BJRtCw4HrJG5vhdw/doNB2rExNKrkAmVRDoFlfDzeuJcH+yJL1rKTMar6rpt3o+cMbV1+I7e5XKk9l4HgVy1TbCrFvZKl051ynyilj7aZkhTQsYDL3ARgtlOGgio1g1lhjV7OHpjHDuoU3wIwl68l0NRkCa6xMW4AFbFqsLiwoEmAwedw3go31/tI0HExLhaIE1rDwpu93f1P5fvelii3+nHJTCVDqJAgZZiz+Wm0+1Ydj4RQUbkqpMixoGqhthbD+rpfwgioHHooygt7AYg16N8yCoYIHXaCHir+jq1LBN8gFeICPgidueANbxQkP3ZFcuSqoRAyvaljo29DRhsl29uFYMeReNAu9rXDF0b46fxGvBDwU7VR9kAW8ybbxgAtfahetQFwP1eFbsGA2m+Pm+5mp9vqNq4CpyKcngIW0K9ZjK7sNBk+j3GoqitnNUvtGHEdvKywOD/Q3zBtQaXU4Fg+0GD5p3BzAQix28bwFTrjpU0uttBPnnlzU0mfKrq4pK39CdSL9xCKTaoYLa6xj4riAjONApOxCvYSCsV0AZUoDh2+t/RzgIaX61EfdSXkV5E4Sndjy25s6NsF+/eywA1iIaYFkUi3y3IAoxZ4HrLEL2e+Y48tW/eRAf55kNX/rYGfrElckyBEJtgnyoCDN42wMOl15MyZBRBR6/eKf7Hmep7HRlS1fOQUlgk7cONvY0oyquy6m9xKm7KkLKFW6sGTOGZfJTx1a3/5TjKhmyzDzNmTqqlVeSSCXJYUYSCbFtnohElM9kFhLjCNnriUSA4bDbYXP+4dv9fDRpJCXO8G5yAMTxicvaXKHRl+2XjOXulgfxoKpORXzx+xamijRHTLFyd9ihWMq2TC7EhGvuXdp3grXMBuwjUmdLxYxoyivsWcd6VpzLMtb6v7GvK/3XehTupGovp2YZX6JsIsHV+xynfHRa+1FYAKsbxovgwlOQ0comKv3vHEcG4TT2IizZfEi6aDEY/A9seH5fhd7Rz/je/muJ90DE9jw4ZJJT4AJiirl+epS8T02XsI/YQnG7zxxUfqhNuwb2fcLHGTHukySqkUrKCyxxcCQNHAyorEMr48jssVTGUBQyzbMulk8o8mAuFXsSJYsGkEH9Vx/l0rP5zqt/s5+J/tevuuce6gj65psNuCJaZgYhVMb2EcpxJXorXmYqSQtw6oz/NNVWjrz9uAkRlCi43ac/t29NikseauRRk+Qo5cg44VBAXmzwrMqBE3D+mZ9VYVC4s6SVQWN6medhjprJjgXdTgPEcikjkC3fEbAXru8R/dOYoRAdBjOktTVZsJc7eKIdWTnn+qyCleNKvMpkwwKClCDZIPEEIO0A1/WeiDFCAusM+vLNkxJYDlc12xGXJEp0fTGsTFOGOtSj6y+VN19RsFDJgEvJjOCFh0mYKEej3EWA9JBzcBnHeJqRIapZHYSNoHiMcIUI0wVYf2WhvtE3eBAatShMwBp0LjDvV5RavYRAZF9BHqpPkPfoQ6ONQvKtl0YHnIYAS+IQHRwfrAeLmPIjUIu+CRLzEGkZJhCGxmJyVGl4GEqCYtmhg6sH+raMNWwwF5i/7Qizgqu/Z7DD8gDmOyF6W8rzAcPOYyQgYWHWq+0E2KNO66ofioNM6boOQfxfEQqJJnCcF2loOGhrrH24YFMa0NyKljA9ZTAAvuAfXEBYgviJLcXoeABausV44+0rkUKbBzJRYNTncyHGhaS5majQT2alCWTKVhYhu+5iPlTMFWsQREY4i5Zy/CADvFhAQxL0azGUaxkmJwZmYDSmYo8GYFSYfLg9OEBDqGmJfyje3VfIzlDhhEU80KjDO5uhDGCl3myxF2NRRRD/MchhSD4rmI4Y+ABFNMzHNa5qoG9w45vQFyJyN8FywQ8oJ9gElCHl+Fod76ZCRlG0KIi9dDKyzH3vcSFpolw6nnmFVzoCnAGQWaYAkbQ8IC/vKvZ2QMVWcJCHWcLamRlE60K17rTqRzyL9TYD+ybvEGYkn1qGleNfWNlG5JJ+YxSLVXqTEfvPuGf0ycS9iazUd0uLvRZIFPMR1yGOAXKo4IHSKBkUw3OHkhZjDFCF2cLhUcmnsURSH/SfCUiFfjivYUEvueX1WQmE42W7xgc9Dkfqh4n817+0d3M1p9i+EKDRRUPTMG05yPySOkqK49K1KLMWp49KCMS6lhVWCDdSevFiDQcsQ94r1TAn0FQakiaBhh2njqb0ZcIgQYpH+64GBle5qYoYwrAAp9kBy2eVuBmE2Jpzsx+O9S10sBRHmcP5ql5cqg8qpWYsECDF+tWVVhgh5PGlAKUxKS/7gNcFg+AB/atkNeMfqtjOeiZ2VboM0IgIhzb2wjRwXvldycrRr6h0kis4ttlVwxpQ4YMPIDgsOeXNxJClhE6OWigYYGGr2q2X9Ga0EPdjN/haIAFMKxINlmNyTrvFrwNM7R/NqPPCIGIwDLvJiVmYHtQicr9YGqKp9mIKxGrCBFqtKHWCh5IhBoKqk5kimoNBNKZQ5QGPUrfciEBSScGTxj+Bpid/tmMJjVHJSIe6WjDaL7SCwML2bnrStLYtASxSiuVGXiAwqjgoVpEz25biWvCAutCWKA0UHUs8U7ox6QvaboMkTaD8mU2EmcHYRqYPWDQv2f46+2LUVe1rdA0AliAP80GwAL/fTRyEUqOcJSysvMQqzST4IhLYJqWIDxUMCqyyRP5mhIAdeA6iA14rIo0IBNQypIBOMjCwQFeyAkC/5DgWg3mbExzb1ZPbuiEPnDEFw2e5W1VBYSFhZwy8AOdpGanxDDqDVXoqJqDB7SZsEBJEDsjkAlIQxqNCAn8TRpXErhPifnYwQaYvh5MJxDkg20r3SbjZYgL/m8ji1H3+SxSYA5UZI4j7gmu8RVnINFTY4ZxbD9W1SqrbUXV0ky5qNU1EtWSCGSEixGpg8UzsKRlwjHYlSdG33I7mv/w1WNKWfTqjPXWrFjOTPSJyo4hwNDYtAKxCsojO4DwkDyd8IB2Uj+ggYuzhapIA8IrJQGni/EwATLC4Vs4nwHwMK9hnr9vRDGCpIgg7tDgEFdgTqy4NnrEzAx6JNbPBkew7qcroGwFC6BkrIxA+pFmmn7xMYFPKeXljkvbP3zLlH/dRhXkMoMH32LF2k8V0yezZFiBOGmNXD2J/KHgAPnXYTQC0tALkbOK/iLK5GyhHnVg+bFBFJmAEpWru8sRq8Ho3LroH3Z8pexeDhekBncuNIJGGBpQYsyBDWIjQKxqGJs4ApPB7IEiukLNBhmECGgbZywKFuLWDTTNqHBXj8mpMmLoi/qTy+iLZo8exo13TJ5WVI1xxWwp1uhHR6yLPjnFy7lBwQMIRXjgFG7KAzqsKrBARliNWE3/UE4KKP8948Tcu18fMMVHD4/Ajen7BlccpZr5x09PMgMZgAtTSxDj0heYL7iaonnK4QHl8p8qCE2sQyywwPZQOVyGSEU7xkGD3CaGtO+TKnehWE/pBNYx9wvuSWc/HBwhaFU3oWkxBzaSo3YpIhsZg7FJ8QFqmsBafCLwGEbO1Q+kHNqSABNw5hKLksjGkCYcLOcjkla8F39g36at2Vadd9Ldbb6e/BKL8E3Mnz/Qb70trnEH3OfADEm/AlUQtqwCWY8QQUeKGBrLTuBptnUw6EypnhAnLLDDSQtCwQpEBtIq/uBAcgksOiWck84PzNcTnaJ7T0p2q2MMUSbXG25XVTHcb7fdb9YLPELdUpJCnPbB+AIbSGPTCUQam9CJFQXkx7nO2LAw3n4V2y8qza/MypABaURKgqFjkQiky0WI1KViGCB5mpGy6swkvZTclPHZxPZ9X2Ea3fcZ4aPclrpwhBV0yfSjrZ1m0nzKnG0tcYdcIhXHMWM8QTPDIWS3H5GAxHsVBEqDYzjz2hkDy8dX08k1AsUoKwkLi1ZQq6swsAc43NoQ6WQSt16A5RjubLBm2ZY74Oz3RsQdyd/d9wtKAZRmYMirRmRIpiQCG/lcp524d3/PwPHUxW6/8z2IERsrEkzHKsYT2HhyPbdkMVaoPCp4gJShBj8V8MAyYpktkA5cUaROwFXb+CVB2sIfa1o47dw96X7H+uXoJYoJHl6XIANoJkDJ+dURMgM3QTBB6vG2j8No8jWYI013zEvjFgU7m1BZoATQ7EWIGEZkzhEkg9YTxoaE0Qd4UP87FyEflF5WICO0ABbqsBAUGRZIQVKTpuM1iKQFx2bllEUmioqO1Wgm3CFvDOXcZ+/Y9x31oBt92+33LX/rULDYbNGRegh/+1svn7bn2BcBKlhdkrlyNNa5DCG33wS5FqwRnpcIPjxYhoNRFst0Lk95LIPL3y2AhchlsI0c/WR8LiZxZTE+aeCCmUxIcgHl/7+dUedD9fcd6FXQ/zK2PAVQgBJzQlGyo5+E8VynpbZIdRq2e1fbV+Gz8DFun8KZCeTnRE5uUX6QGUiQY4j/h0jVlPdCBi0VThwxjaG3QAnWLEI+RYsFtSgTZ5/nGXPO8X0hIjMD5S0lwQLE+PSCNP4/Hv8eh3qOygese/Z9nu3JlvD8nS9kdIR8D9FuHLqLbdQUJz2GY9+97+Nuv/tBzCZOACpIajahMnKTFZlLC+JSRGJmUfbE8yJBexEXSRL9EVpKRZT6AUOkavIl6kTLEeNjAp7H4kPBuDxijLi3ZpiAM0K9cQlFFgpFGUG/REwhVJAh7Ht7/8E6bq11hryfAIO0vkDBFj2QOAScCxC5BEZZE5LKHJkU29xzqE4qYX4xBw0LyojE/EPWUaUnE+i9o7HAAf4xk1BQb9rugPdP1uGxtWL7/n+jFICUFNosUIoUYZtiSGqcwR6I9ONtfwzz01+IBDbbpiuECg4ysiUJ9VLwTS0khLzJwMNhwMOxmOEBlCIsNAMW5kaBBVKako9GI9oLOISiMBNeU4FLRtzunhQJ7EpzUbdPJ7f3fp3PsvvIT1z6MzQjqIK4VUrbHB5Zda2os56GY8sKdxQH0ftLGWVJmknVY6ez83mQHpXHkOqoZoTRARiXXot/9kCJsHCVp9Y2aGIOrR+wfVQOK12SV7YBQ0Jfs7xBd487CtvAfft+RakNvaNsKYCaZEKkDsvYHCAdEjtf/c9jrw1d5A5636V4qsjmQLakuOQ6/ErEkBCh4AHEVvDANYAY4YF52YCdJA/IwnUoJmC72JZWxMoth75toN603H7vUfOu3neRCfY8g6OOumEbCCzEKClUiCQRskvIFkPO4233Yh7xIBRJGzYHnvSZjFwAWXQ/4hHEEDMJLRWOHzKN4b6Y4AGNULBwrjTmnuupBaeyGYEEINxR/1mOGF0voDxJg7ZJd9gdQZ47oK99F/fKmhUwXbEQSSJkZ0h9gSKJ81R7+75HobBc6o14v7aagV5+s9n0cIFNZlyOSIdNYisJGiIozT7kOwWzR13UbCHsKSgsn5KArv1LESmhotWJNJSkqTPkvmANmBeRCZRCCNqXMyvA+0VDtGoVyFJLB9DNch9v+5o1GzYHnLMQyeZARqCOMIJI5TEMEdEqaCvKw5krJWWPXhSTL1DK2HVYW1iJWVq5Q4eUZfdxkk29AFAVqg1IHoQUbANYEcZOlBHvAevuwDaQpbTrhJV8x8oIrIhezeK18/jqDxq2+LbVbDa7wxSuSlcuv0wyA7XrtxFfQSzTSMTX6HD1zkHTGDkOeGAevBklIB/WfNYiacxbHBIWyAg8qIYSIbxUI+u7cAtIeAPuMZy7/2Gxc/+PcC+HxvwdRyiXv8sui8oKRpBQNoftvd+z+r01UCR/xgYhEx5JTZKUF8gyTE3bAkUrsbYcNkKnUwpoww/eih7IQGHzYh3J9isQozGBA0ammTgBh6FnzT5jLZkgrG0ApZcdWOWqhWzTpvvE6j8x68wvc4TDMkkykTHChb1I/g5iGZKBjOCglGOvWgom+DtKICxYScACpo10gCkpWVgOGZZLypwlhJNETO1g9pXAVFxC3f50ckfvV3EvFoWQ+RQKEclTKLvJ99Vix+2Y1qAt6W+1X2c2yCfh57ASmi8FJ8svLZVIHqYigWlfoBm6jE5h57/zJuDhRER4wPuEhaYWacw/vwxYYGsowbhTmZBASCpft1H0gBQwnQFnj50y7hQ7e38poQwiF0N0q5x4WZXAqlc9oB9PLV51L250lzU9Aqi4w8AEE39qQdKRZMUDmYGp+hHJDCXYR41kMMvQSWEcfx3GpTKkCHKdFGg4WoCVxkZ4Spc0IrGOpCiVw3Db1h34DdhYFTCwuvuwdU/vJ5CNQ+Xb+OhuB9fMuaphShhBtyAbKpzHWu8xEuY3sV5RX7afg2YG2hZ6EUvYFzLwgP2RJTtRVzLrWzETGGjRKhxoTCYs1h2kJKSH0Y5IB1Syd2nqMkeHC3iYEfTLtNhpb9/7DO4ZaqEvj98An1UjlBhX8Rbpr2Qa5jO0OezY/4QzLC51R7wXqRShJBKF4rFwIGGZgvi7GLGE8siO5J7ESGczoiy93T1TOxSZN7BehKsLELmKWh4T0G/AYNuxgPfz1AnnEjKBfKbLIhzkcx5BzlULbMJpCdrmwMLdJ9r+xmwUnyYrlLQ5kF3IvmQITikJFZqNcJkdNDwMQkc48duQ8ADK0BaxYDlgYU4RWCAFKQnoot+RXXrRa99vAPoDDsz+knV3758xdTZNir5dhYdTKhGy6+9bJDuVboC1888YQ+4WzCaO070K6UhadvnkQMJTAeObrYhMzd95AqGBzKAP3wqz9sC0PByLu62ZR95ZB+tChqRr/ipE/s5fazxQgU99v4ExedgZNm7KMAEkgV7VDdJO6ddpYwS2Uvk50OZAH8kd+58deyu1Fu5VP1ZQQaIW2simO4BLuqsR2RkqPb4nBAUP7NAwR/ciLw0LdjHdgN3KyDqUthz6ewrgw0G/gcHXU2sT9+79GaUA6ogVw11sxWkLBcg39fXJFouAii+YdeIvOeqL2hzYCeyoNxBfQ2Rn8F5WICNw/j/4jjBOYipZ1uwBVOG0cT5goWluAVgg5agXkAmorxTRC5A0BRtK0hmFLcI1PgkJ+A28cVqhgOVnh5phBFZK2RwCPwf5UOs1XoP5t7A5rIDNobSfA41NNEXnmUlQrKfRaTxdpZygmYcbWPIegEGqUVEtZTTSfgOzLMvpd1+WY8bvcMmYynJXEUfScuoYd5qaYgQ2DgNYGA+vs30dIrA5zIbNYQw7dDylO1ArOBUoAQhw1Cq4OMVRyv6eIBlwx3gbCuMYnFaKTgVBEUqDhvnSWHgB/vlkYj6kGEc/7QT0NGJZ1FEmUzJt4a/2DHpvDSrbwMeRxM2WfHirZsJp1RHyUQHEklqRFN2HR+y7e+9Mn3C2QyakAofZXEWSHcCOoCSgmGaY0HnsTLWMTKfTAoql/+KpT72MPYkR+D47n2URliYzAUtPqz0FaTno9svb7Xt671NMQCfgwM0PaWoqkIw1GyTm09r1auzB9na7ST6NXbyX591bQfKzY44i7kOcABGEh3IO39JMk/dwLFKLbMhpYj57ARfU4DsLq6nh9Ds/Bxx8qOFTB96gcci4v4dOpqxlTYaaZgRNsWxxik26X8Hp8Z+hzJ7kMEsyc7QeQDyEOIEZcMfog7l5fLAAPIAatB00QEFcsBRDPbvbSCnqBcuCOFk5TNORlDMYb0x+EQrh/UhZUwoh61MonBGMwMrn+Dk81rpZJM0nzFnmQvg5sEsIcf6/1LJF7EAam04iUqPAb450zh4G4L7WDz8FMw+TEOc9dPa8ZZ4xCzpCxizNPCkJFiDShJwbuKfAw/5CG46kB72UuIvTQibJrnPuK7X3q+Z0hEIkyvFzgM3BHOQmXfdHsDngb7DBBBTLmgkoFVYhZs3t+YgMwQ0wWN5R17yVEyAEyCA5p6DwRc7w8x946dBZV/loDjjfM7FxWNkGQu4pyKnDafqh6HOayo5cbC5UtP+RsOVfCXhIZmwOlAjsbB74+TIiGSMr9MHVPYUNszkMAUpQttTDnLyQsJAdmB+Xlblh1Zc//p4C5TfguiItPmVt3/dNvpK9sMbfZ0o4IxmBxM2xOTzaerWXFE+ZzVYroMK3M3J/BZnhIOIBRIx0mo0JD/3Y/DIAL+cceCAjABbmggmaFwSwQHlJvYAzhPMQyQRIRskDSQS/AfclnDdwZ93H9v5aKbZ4KLrLnZeovGrm44xlBFIQAzXL5rC83l2afBj+kR82cMI8bA7sNlvBRS+u3kIEM7DB46PYPr8faJIHGNVsAZBCIaCYYDG+CTO+kHBgG4DfAH6OyG+ad+/7PfJPtoTia2diOKMZQRM8Wxw7j7V9yEjIh6C8NcLdK41Os6HoCeXMQo9oSAlKBsJDeoQHCvm5EBbq4HzSAkVRcQuVQ7rSExKohnJ7GfwGIHFOwGi13d657x/55lT7DbDMaoQ8Y6IaxVQ3T+3n8Bw36e7Y9xT9/mGWfkE5zLrowiTUPYp3tFbDAw1GOceFof95T0kJggtnG3zHQiqIB/6FAQ6d+Kk1lFpDJiDzYSYiptpvADWqSpgWEiGbMtliOv3E6gfsRvNz7Ei4VqcBDwkDaxICoj9z+FYwFDi9VIdj8RQU6gUXIi6EhdAUvm1g1PtTa0fvl1lWdhn8PR3CtGMEdgq9fPSybvqx9tvwdyRPwubQQpc4+Rp2WhzE0jdG/DHoCc44SAAm4FG6LdjAotYqlkMjWAbbQL1lu4POm1ZK3CHu3fcflAD82+So+wtrmWGmBTRMJDCZgJ3GkZvYsfeHZr8HPwfvh9AbEmIZOnMu8J5QgKki4YFwwWssERtyoeGYSzG5IBMMOH9vvSYvUkxAR1LwzHRkAtJvWkqEbMZ4ER2o/9PSfWz15+AS9wAPnJUveqnRfpHkiiT1gpalrkzONdLmFdhk6nhSjHufsHbsf5B5ZSuj2XlPp+tpzwiqI7uhJt6PVU2eIfmN1mvEXPNpy8Xeiv9ynaOv4ThyMMI5KzxpXQu/Aen8xh407xC0DdAW8ecYLd1npm1gOjFqbG2BGqBc4hRjfPacJufptiflgx3yna0dsr+rQ8qHOqTz1OoHpQEIQKAUiK3wmYxqjwJqSTiolny67a7h328bG/6Dtn75d9iwq+9D2dTXM9/TmAI0B2uT8PgXW9eOfWklLQbKbN1NGJkJZxcFcqQDnUdmwtlLgWzpcPZSYablMxSYocAMBWYoMEOBGQrMUCA/Bf4fxb0WudyD/+kAAAAASUVORK5CYII= + marketplace.cloud.google.com/deploy-info: '{partner_id: "gitlab-public", product_id: "gitlab", partner_name: "GitLab"}' + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +spec: + descriptor: + type: GitLab + version: {{ .Chart.AppVersion }} + description: |- + GitLab is a single application for the complete DevOps lifecycle from project planning and source code management to CI/CD and monitoring. + + # Support + Contact [support for GitLab](https://about.gitlab.com/support/). + maintainers: + - name: GitLab + url: https://about.gitlab.com + links: + {{- toYaml .Values.global.application.links | nindent 6 }} + notes: |- + {{ if not .Values.global.hosts.externalIP -}} + # Setting up DNS + + Retrieve the IP address GitLab is available at, note it may take a few minutes for the IP address to populate: + + ``` + kubectl get \ + --namespace {{ .Release.Namespace }} \ + ing {{ .Release.Name }}-webservice \ + -o jsonpath='{.status.loadBalancer.ingress[0].ip}' + ``` + + Then configure a DNS record for `*.{{ .Values.global.hosts.domain }}`, resolving to the IP address you retrieved above. + + {{ end -}} + # Signing in + + Browse to https://gitlab.{{ .Values.global.hosts.domain }} + + {{ if not .Values.gitlab.migrations.initialRootPassword.secret -}} + + GitLab is provisioned with a randomly generated administrator password. To retrieve it: + + ``` + kubectl get secret {{ .Release.Name }}-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo + ``` + + {{ end -}} + + {{- if not ( or .Values.global.ingress.configureCertmanager .Values.global.ingress.tls.secretName ) -}} + # Configuring a valid TLS certificate + + GitLab was configured to utilize self-signed certificates. To utilize your own certificate: + + ``` + kubectl create secret tls {{ .Release.Name }}-wildcard-tls --cert= --key= --dry-run -o json | kubectl apply -f - + ``` + + {{ end -}} + + # Using GitLab + + More information on using GitLab is available in our [documentation](https://docs.gitlab.com/ee/README.html). + icons: + - src: data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iMjEwcHgiIGhlaWdodD0iMTk0cHgiIHZlcnNpb249IjEuMSIgdmlld0JveD0iMCAwIDIxMCAxOTQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj48cGF0aCBkPSJtMTA1LjA2IDE5My42NiAzOC42NC0xMTguOTJoLTc3LjI4bDM4LjY0IDExOC45MnoiIGZpbGw9IiNFMjQzMjkiLz48cGF0aCBkPSJtMTA1LjA2IDE5My42NS0zOC42NC0xMTguOTJoLTU0LjE1M2w5Mi43OTMgMTE4LjkyeiIgZmlsbD0iI0ZDNkQyNiIvPjxwYXRoIGQ9Im0xMi4yNjggNzQuNzM0LTExLjc0MiAzNi4xMzljLTEuMDcxIDMuMjk2IDAuMTAyIDYuOTA3IDIuOTA2IDguOTQ0bDEwMS42MyA3My44MzgtOTIuNzkzLTExOC45MnoiIGZpbGw9IiNGQ0EzMjYiLz48cGF0aCBkPSJtMTIuMjY4IDc0LjczNGg1NC4xNTNsLTIzLjI3My03MS42MjVjLTEuMTk3LTMuNjg2LTYuNDExLTMuNjg1LTcuNjA4IDBsLTIzLjI3MiA3MS42MjV6IiBmaWxsPSIjRTI0MzI5Ii8+PHBhdGggZD0ibTEwNS4wNiAxOTMuNjUgMzguNjQtMTE4LjkyaDU0LjE1M2wtOTIuNzkzIDExOC45MnoiIGZpbGw9IiNGQzZEMjYiLz48cGF0aCBkPSJtMTk3Ljg1IDc0LjczNCAxMS43NDIgMzYuMTM5YzEuMDcxIDMuMjk2LTAuMTAyIDYuOTA3LTIuOTA2IDguOTQ0bC0xMDEuNjMgNzMuODM4IDkyLjc5My0xMTguOTJ6IiBmaWxsPSIjRkNBMzI2Ii8+PHBhdGggZD0ibTE5Ny44NSA3NC43MzRoLTU0LjE1M2wyMy4yNzMtNzEuNjI1YzEuMTk3LTMuNjg2IDYuNDExLTMuNjg1IDcuNjA4IDBsMjMuMjcyIDcxLjYyNXoiIGZpbGw9IiNFMjQzMjkiLz48L2c+PC9zdmc+Cg== + type: image/svg+xml + selector: + matchLabels: + app.kubernetes.io/name: {{ .Release.Name }} + componentKinds: + - group: core + kind: ConfigMap + - group: core + kind: Service + - group: core + kind: ServiceAccount + - group: rbac.authorization.k8s.io + kind: Role + - group: rbac.authorization.k8s.io + kind: RoleBinding +{{- if eq .Values.global.application.allowClusterRoles true }} + - group: rbac.authorization.k8s.io + kind: ClusterRole + - group: rbac.authorization.k8s.io + kind: ClusterRoleBinding +{{- end }} + - group: batch + kind: Job + - group: core + kind: Secret + - group: extensions + kind: Ingress + - group: core + kind: PersistentVolumeClaim + - group: apps + kind: Deployment +{{- if eq (index .Values "nginx-ingress" "controller" "kind") "DaemonSet" }} + - group: apps + kind: DaemonSet +{{- end }} + - group: autoscaling + kind: HorizontalPodAutoscaler + - group: apps + kind: StatefulSet + - group: policy + kind: PodDisruptionBudget +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/chart-info.yaml b/kubernetes/Charts/gitlab/templates/chart-info.yaml new file mode 100644 index 0000000..835e1a5 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/chart-info.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-chart-info + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + gitlabVersion: "{{ coalesce .Values.global.gitlabVersion .Chart.AppVersion }}" + gitlabChartVersion: "{{ .Chart.Version }}" diff --git a/kubernetes/Charts/gitlab/templates/initdb-configmap.yaml b/kubernetes/Charts/gitlab/templates/initdb-configmap.yaml new file mode 100644 index 0000000..fa65d5d --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/initdb-configmap.yaml @@ -0,0 +1,21 @@ +{{- if .Values.postgresql.install -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "gitlab.psql.initdbscripts" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} +data: + init_revision.sh: | + {{- $initRevision := index .Values.postgresql.primary.podAnnotations "postgresql.gitlab/init-revision" }} + if [[ ! -f "$POSTGRESQL_VOLUME_DIR/.gitlab_{{ $initRevision }}_scripts_initialized" ]] ; then + rm -f "$POSTGRESQL_VOLUME_DIR/.user_scripts_initialized" + touch "$POSTGRESQL_VOLUME_DIR/.gitlab_{{ $initRevision }}_scripts_initialized" + fi + enable_extensions.sh: | + [[ -n "${POSTGRES_POSTGRES_PASSWORD_FILE:-}" ]] && POSTGRES_POSTGRES_PASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) + PGPASSWORD=${POSTGRES_POSTGRES_PASSWORD} psql -d {{ template "gitlab.psql.database" .}} -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;' +# Leave this here - This line denotes end of block to the parser. +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/shared-secrets/_generate_secrets.sh.tpl b/kubernetes/Charts/gitlab/templates/shared-secrets/_generate_secrets.sh.tpl new file mode 100644 index 0000000..c626210 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/shared-secrets/_generate_secrets.sh.tpl @@ -0,0 +1,222 @@ +# vim: set filetype=sh: + +namespace={{ .Release.Namespace }} +release={{ .Release.Name }} +env={{ index .Values "shared-secrets" "env" }} + +pushd $(mktemp -d) + +# Args pattern, length +function gen_random(){ + head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2 +} + +# Args: yaml file, search path +function fetch_rails_value(){ + local value=$(yq ".${2}" $1) + + # Don't return null values + if [ "${value}" != "null" ]; then echo "${value}"; fi +} + +# Args: secretname +function label_secret(){ + local secret_name=$1 +{{ if not .Values.global.application.create -}} + # Remove application labels if they exist + kubectl --namespace=$namespace label \ + secret $secret_name $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g') +{{ end }} + kubectl --namespace=$namespace label \ + --overwrite \ + secret $secret_name {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} {{ include "gitlab.commonLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} +} + +# Args: secretname, args +function generate_secret_if_needed(){ + local secret_args=( "${@:2}") + local secret_name=$1 + + if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then + kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]} + else + echo "secret \"$secret_name\" already exists." + + for arg in "${secret_args[@]}"; do + local from=$(echo -n ${arg} | cut -d '=' -f1) + + if [ -z "${from##*literal*}" ]; then + local key=$(echo -n ${arg} | cut -d '=' -f2) + local desiredValue=$(echo -n ${arg} | cut -d '=' -f3-) + local flags="--namespace=$namespace --allow-missing-template-keys=false" + + if ! $(kubectl $flags get secret $secret_name -ojsonpath="{.data.${key}}" > /dev/null 2>&1); then + echo "key \"${key}\" does not exist. patching it in." + + if [ "${desiredValue}" != "" ]; then + desiredValue=$(echo -n "${desiredValue}" | base64 -w 0) + fi + + kubectl --namespace=$namespace patch secret ${secret_name} -p "{\"data\":{\"$key\":\"${desiredValue}\"}}" + fi + fi + done + fi + + label_secret $secret_name +} + +# Initial root password +generate_secret_if_needed {{ template "gitlab.migrations.initialRootPassword.secret" . }} --from-literal={{ template "gitlab.migrations.initialRootPassword.key" . }}=$(gen_random 'a-zA-Z0-9' 64) + +{{/* +The include in this if returns a value that makes use of +"gitlab.redis.configMerge" to return global.redis.password.enabled +with a fallback to global.redis.auth.enabled - it is evaluated for truthiness, based +on emptiness of the returned string. + +This should be read as: + +"if there's not a defined global.redis.host and we've enabled redis password +auth, then generate secrets if needed" +*/}} +{{ if and (not .Values.global.redis.host) (eq (include "gitlab.redis.password.enabled" $) "true" ) -}} +# Redis password +generate_secret_if_needed {{ template "gitlab.redis.password.secret" . }} --from-literal={{ template "gitlab.redis.password.key" . }}=$(gen_random 'a-zA-Z0-9' 64) +{{ end }} + +{{ if not .Values.global.psql.host -}} +# Postgres password +generate_secret_if_needed {{ template "gitlab.psql.password.secret" . }} --from-literal={{ include "gitlab.psql.password.key" . }}=$(gen_random 'a-zA-Z0-9' 64) --from-literal=postgresql-postgres-password=$(gen_random 'a-zA-Z0-9' 64) +{{ end }} + +# Gitlab shell +generate_secret_if_needed {{ template "gitlab.gitlab-shell.authToken.secret" . }} --from-literal={{ template "gitlab.gitlab-shell.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 64) + +# Gitaly secret +generate_secret_if_needed {{ template "gitlab.gitaly.authToken.secret" . }} --from-literal={{ template "gitlab.gitaly.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 64) + +{{ if .Values.global.minio.enabled -}} +# Minio secret +generate_secret_if_needed {{ template "gitlab.minio.credentials.secret" . }} --from-literal=accesskey=$(gen_random 'a-zA-Z0-9' 64) --from-literal=secretkey=$(gen_random 'a-zA-Z0-9' 64) +{{ end }} + +# Gitlab runner secret +generate_secret_if_needed {{ template "gitlab.gitlab-runner.registrationToken.secret" . }} --from-literal=runner-registration-token=$(gen_random 'a-zA-Z0-9' 64) --from-literal=runner-token="" + +# GitLab Pages API secret +{{ if or (eq $.Values.global.pages.enabled true) (not (empty $.Values.global.pages.host)) }} +generate_secret_if_needed {{ template "gitlab.pages.apiSecret.secret" . }} --from-literal={{ template "gitlab.pages.apiSecret.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) +{{ end }} + +# GitLab Pages auth secret for hashing cookie store when using access control +{{ if and (eq $.Values.global.pages.enabled true) (eq $.Values.global.pages.accessControl true) }} +generate_secret_if_needed {{ template "gitlab.pages.authSecret.secret" . }} --from-literal={{ template "gitlab.pages.authSecret.key" . }}=$(gen_random 'a-zA-Z0-9' 64 | base64 -w 0) +{{ end }} + +# GitLab Pages OAuth secret +{{ if and (eq $.Values.global.pages.enabled true) (eq $.Values.global.pages.accessControl true) }} +generate_secret_if_needed {{ template "oauth.gitlab-pages.secret" . }} --from-literal={{ template "oauth.gitlab-pages.appIdKey" . }}=$(gen_random 'a-zA-Z0-9' 64) --from-literal={{ template "oauth.gitlab-pages.appSecretKey" . }}=$(gen_random 'a-zA-Z0-9' 64) +{{ end }} + +{{ if .Values.global.kas.enabled -}} +# Gitlab-kas secret +generate_secret_if_needed {{ template "gitlab.kas.secret" . }} --from-literal={{ template "gitlab.kas.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) + +# Gitlab-kas private API secret +generate_secret_if_needed {{ template "gitlab.kas.privateApi.secret" . }} --from-literal={{ template "gitlab.kas.privateApi.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) +{{ end }} + +# Gitlab-suggested-reviewers secret +generate_secret_if_needed {{ template "gitlab.suggested-reviewers.secret" . }} --from-literal={{ template "gitlab.suggested-reviewers.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) + +{{ if .Values.global.appConfig.incomingEmail.enabled -}} +# Gitlab-mailroom incomingEmail webhook secret +generate_secret_if_needed {{ template "gitlab.appConfig.incomingEmail.authToken.secret" . }} --from-literal={{ template "gitlab.appConfig.incomingEmail.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) +{{ end }} + +{{ if .Values.global.appConfig.serviceDeskEmail.enabled -}} +# Gitlab-mailroom serviceDeskEmail webhook secret +generate_secret_if_needed {{ template "gitlab.appConfig.serviceDeskEmail.authToken.secret" . }} --from-literal={{ template "gitlab.appConfig.serviceDeskEmail.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) +{{ end }} + +# Registry certificates +mkdir -p certs +openssl req -new -newkey rsa:4096 -subj "/CN={{ coalesce .Values.registry.tokenIssuer (dig "registry" "tokenIssuer" "gitlab-issuer" .Values.global ) }}" -nodes -x509 -keyout certs/registry-example-com.key -out certs/registry-example-com.crt -days 3650 +generate_secret_if_needed {{ template "gitlab.registry.certificate.secret" . }} --from-file=registry-auth.key=certs/registry-example-com.key --from-file=registry-auth.crt=certs/registry-example-com.crt + +# config/secrets.yaml +if [ -n "$env" ]; then + rails_secret={{ template "gitlab.rails-secrets.secret" . }} + + # Fetch the values from the existing secret if it exists + if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then + kubectl --namespace=$namespace get secret $rails_secret -o jsonpath="{.data.secrets\.yml}" | base64 --decode > secrets.yml + secret_key_base=$(fetch_rails_value secrets.yml "${env}.secret_key_base") + otp_key_base=$(fetch_rails_value secrets.yml "${env}.otp_key_base") + db_key_base=$(fetch_rails_value secrets.yml "${env}.db_key_base") + openid_connect_signing_key=$(fetch_rails_value secrets.yml "${env}.openid_connect_signing_key") + ci_jwt_signing_key=$(fetch_rails_value secrets.yml "${env}.ci_jwt_signing_key") + encrypted_settings_key_base=$(fetch_rails_value secrets.yml "${env}.encrypted_settings_key_base") + fi; + + # Generate defaults for any unset secrets + secret_key_base="${secret_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) + otp_key_base="${otp_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) + db_key_base="${db_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) + openid_connect_signing_key="${openid_connect_signing_key:-$(openssl genrsa 2048)}" + ci_jwt_signing_key="${ci_jwt_signing_key:-$(openssl genrsa 2048)}" + encrypted_settings_key_base="${encrypted_settings_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) + + # Update the existing secret + cat << EOF > rails-secrets.yml +apiVersion: v1 +kind: Secret +metadata: + name: $rails_secret +type: Opaque +stringData: + secrets.yml: |- + $env: + secret_key_base: $secret_key_base + otp_key_base: $otp_key_base + db_key_base: $db_key_base + encrypted_settings_key_base: $encrypted_settings_key_base + openid_connect_signing_key: | +$(echo "${openid_connect_signing_key}" | awk '{print " " $0}') + ci_jwt_signing_key: | +$(echo "${ci_jwt_signing_key}" | awk '{print " " $0}') +EOF + kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml + label_secret $rails_secret +fi + +# Shell ssh host keys +ssh-keygen -A +mkdir -p host_keys +cp /etc/ssh/ssh_host_* host_keys/ +generate_secret_if_needed {{ template "gitlab.gitlab-shell.hostKeys.secret" . }} --from-file host_keys + +# Gitlab-workhorse secret +generate_secret_if_needed {{ template "gitlab.workhorse.secret" . }} --from-literal={{ template "gitlab.workhorse.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64) + +# Registry http.secret secret +generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} --from-literal={{ template "gitlab.registry.httpSecret.key" . }}=$(gen_random 'a-z0-9' 128 | base64 -w 0) + +# Container Registry notification_secret +generate_secret_if_needed {{ template "gitlab.registry.notificationSecret.secret" . }} --from-literal={{ template "gitlab.registry.notificationSecret.key" . }}=[\"$(gen_random 'a-zA-Z0-9' 32)\"] + +{{ if .Values.global.praefect.enabled -}} +{{ if not .Values.global.praefect.psql.host -}} +# Praefect DB password +generate_secret_if_needed {{ template "gitlab.praefect.dbSecret.secret" . }} --from-literal={{ template "gitlab.praefect.dbSecret.key" . }}=$(gen_random 'a-zA-Z0-9', 32) +{{ end }} + +# Praefect auth token +generate_secret_if_needed {{ template "gitlab.praefect.authToken.secret" . }} --from-literal={{ template "gitlab.praefect.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 64) +{{ end }} + +{{ if (index .Values "gitlab-zoekt" "gateway" "basicAuth" "enabled") -}} +# Zoekt basic auth credentials +generate_secret_if_needed {{ template "gitlab.zoekt.gateway.basicAuth.secretName" . }} --from-literal=gitlab_username=gitlab --from-literal=gitlab_password=$(gen_random 'a-zA-Z0-9' 64) +{{ end }} diff --git a/kubernetes/Charts/gitlab/templates/shared-secrets/configmap.yaml b/kubernetes/Charts/gitlab/templates/shared-secrets/configmap.yaml new file mode 100644 index 0000000..0f576e3 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/shared-secrets/configmap.yaml @@ -0,0 +1,18 @@ +{{- $sharedSecretEnabled := index .Values "shared-secrets" "enabled" -}} +{{- if $sharedSecretEnabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shared-secrets.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +data: + generate-secrets: | + {{- include (print $.Template.BasePath "/shared-secrets/_generate_secrets.sh.tpl") . | nindent 4 }} +{{- end -}} diff --git a/kubernetes/Charts/gitlab/templates/shared-secrets/job.yaml b/kubernetes/Charts/gitlab/templates/shared-secrets/job.yaml new file mode 100644 index 0000000..4cf5d89 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/shared-secrets/job.yaml @@ -0,0 +1,61 @@ +{{- $sharedSecretValues := index .Values "shared-secrets" -}} +{{- if $sharedSecretValues.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.global.kubectl.image -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "shared-secrets.jobname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + labels: + {{- include "gitlab.standardLabels" . | nindent 8 }} + {{- include "gitlab.commonLabels" . | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + {{- range $key, $value := $sharedSecretValues.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if $sharedSecretValues.tolerations }} + tolerations: + {{- toYaml $sharedSecretValues.tolerations | nindent 8 }} + {{- end }} + {{- if or $.Values.global.priorityClassName $sharedSecretValues.priorityClassName }} + priorityClassName: {{ default $.Values.global.priorityClassName $sharedSecretValues.priorityClassName }} + {{- end }} + securityContext: + runAsUser: {{ $sharedSecretValues.securityContext.runAsUser }} + fsGroup: {{ $sharedSecretValues.securityContext.fsGroup }} + {{- if or $sharedSecretValues.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ template "shared-secrets.serviceAccountName" . }} + {{- end }} + restartPolicy: Never + {{- include "gitlab.image.pullSecrets" $imageCfg | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "gitlab.kubectl.image" . }} + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + command: ['/bin/bash', '/scripts/generate-secrets'] + volumeMounts: + - name: scripts + mountPath: /scripts + - name: ssh + mountPath: /etc/ssh + resources: + {{- toYaml $sharedSecretValues.resources | nindent 12 }} + volumes: + - name: scripts + configMap: + name: {{ template "shared-secrets.fullname" . }} + - name: ssh + emptyDir: {} +{{- end }} diff --git a/kubernetes/Charts/gitlab/templates/shared-secrets/rbac-config.yaml b/kubernetes/Charts/gitlab/templates/shared-secrets/rbac-config.yaml new file mode 100644 index 0000000..0aef070 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/shared-secrets/rbac-config.yaml @@ -0,0 +1,61 @@ +{{- $sharedSecretValues := index .Values "shared-secrets" }} +{{- if and $sharedSecretValues.enabled $sharedSecretValues.rbac.create -}} +{{- if $sharedSecretValues.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "shared-secrets.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- end }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shared-secrets.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "shared-secrets.name" . }} + chart: shared-secrets-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "shared-secrets.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "shared-secrets.name" . }} + chart: shared-secrets-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "shared-secrets.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "shared-secrets.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end}} diff --git a/kubernetes/Charts/gitlab/templates/shared-secrets/self-signed-cert-job.yml b/kubernetes/Charts/gitlab/templates/shared-secrets/self-signed-cert-job.yml new file mode 100644 index 0000000..c92f467 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/shared-secrets/self-signed-cert-job.yml @@ -0,0 +1,117 @@ +{{- $sharedSecretValues := index .Values "shared-secrets" -}} +{{- if $sharedSecretValues.enabled }} +{{- if not .Values.global.ingress.configureCertmanager -}} +{{- if not (include "gitlab.ingress.tls.configured" .) }} +{{- $imageCfgSelfsign := dict "global" .Values.global.image "local" $sharedSecretValues.selfsign.image -}} +{{- $imageCfgKubectl := dict "global" .Values.global.image "local" .Values.global.kubectl.image -}} +{{- $jointPullSecrets := concat (default (list) $sharedSecretValues.selfsign.image.pullSecrets) (default (list) .Values.global.kubectl.image.pullSecrets) -}} +{{- $imageCfg := dict "global" .Values.global.image "local" (dict "pullSecrets" $jointPullSecrets) -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "shared-secrets.jobname" . }}-selfsign + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + annotations: + {{- range $key, $value := $sharedSecretValues.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- if $sharedSecretValues.tolerations }} + tolerations: + {{- toYaml $sharedSecretValues.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{ $sharedSecretValues.securityContext.runAsUser }} + fsGroup: {{ $sharedSecretValues.securityContext.fsGroup }} + {{- if or $sharedSecretValues.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ template "shared-secrets.serviceAccountName" . }} + {{- end }} + restartPolicy: Never + {{- include "gitlab.image.pullSecrets" $imageCfg | nindent 6 }} + initContainers: + - name: cfssl-self-sign + image: {{ include "gitlab.selfsign.image" . }} + {{- include "gitlab.image.pullPolicy" $imageCfgSelfsign | indent 8 }} + env: + - name: CA_SUBJECT + value: {{ $sharedSecretValues.selfsign.caSubject | quote }} # defaults to GitLab in container + - name: CA_ORG + value: {{ .Release.Namespace | quote }} # defaults to GitLab in container + - name: CA_ORG_UNIT + value: {{ .Release.Name | quote }} # defaults to Cloud Native in container + - name: CERT_SUBJECT + value: {{ .Values.global.hosts.domain | quote }} # defaults to GitLab in container + - name: CERT_DOMAIN + value: {{ .Values.global.hosts.domain | quote }} # defaults to example.com in container + - name: EXPIRY + value: {{ $sharedSecretValues.selfsign.expiry | quote }} # defaults to 8076h in container + - name: ALGORITHM + value: {{ $sharedSecretValues.selfsign.keyAlgorithm | quote }} # defaults to ecdsa in container + - name: KEY_SIZE + value: {{ $sharedSecretValues.selfsign.keySize | quote }} # defaults to 256 inside container + volumeMounts: + - name: certs-path + mountPath: /output + resources: + {{- toYaml $sharedSecretValues.resources | nindent 10 }} + containers: + - name: kubectl + image: {{ include "gitlab.kubectl.image" . }} + {{- include "gitlab.image.pullPolicy" $imageCfgKubectl | indent 8 }} + command: + - /bin/bash + - -exc + - | + certname={{ template "gitlab.wildcard-self-signed-cert-name" . }} + # create wildcard certificate secret + kubectl create secret tls $certname \ + --cert=/output/wildcard.pem --key=/output/wildcard-key.pem || true +{{- if not .Values.global.application.create }} + kubectl --namespace=$namespace label \ + secret $certname $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g') +{{- end }} + kubectl --namespace=$namespace label --overwrite \ + secret $certname {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} {{ include "gitlab.commonLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} + # create CA certificate secret + kubectl create secret generic ${certname}-ca \ + --from-file=cfssl_ca=/output/ca.pem || true +{{- if not .Values.global.application.create }} + kubectl --namespace=$namespace label \ + secret ${certname}-ca $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g') +{{- end }} + kubectl --namespace=$namespace label --overwrite \ + secret ${certname}-ca {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} {{ include "gitlab.commonLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} + # create certificate chain for GitLab Runner + cat /output/ca.pem /output/wildcard.pem > /tmp/{{ template "gitlab.gitlab.hostname" $ }}.crt + kubectl create secret generic ${certname}-chain \ + --from-file=/tmp/{{ template "gitlab.gitlab.hostname" $ }}.crt || true +{{- if not .Values.global.application.create }} + kubectl --namespace=$namespace label \ + secret ${certname}-chain $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g') +{{- end }} + kubectl --namespace=$namespace label --overwrite \ + secret ${certname}-chain {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} {{ include "gitlab.commonLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }} + volumeMounts: + - name: certs-path + mountPath: /output + resources: + {{- toYaml $sharedSecretValues.resources | nindent 10 }} + volumes: + - name: certs-path + emptyDir: {} +{{- end -}} +{{- end -}} +{{- end }} diff --git a/kubernetes/Charts/gitlab/templates/upgrade_check_hook.yaml b/kubernetes/Charts/gitlab/templates/upgrade_check_hook.yaml new file mode 100644 index 0000000..7d26af2 --- /dev/null +++ b/kubernetes/Charts/gitlab/templates/upgrade_check_hook.yaml @@ -0,0 +1,101 @@ +{{- if .Values.upgradeCheck.enabled }} +{{- $imageCfg := dict "global" .Values.global.image "local" .Values.upgradeCheck.image -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-upgrade-check + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-11" + "helm.sh/hook-delete-policy": before-hook-creation + {{- range $key, $value := .Values.upgradeCheck.configMapAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +data: + runcheck: | + {{- include (print $.Template.BasePath "/_runcheck.tpl") . | nindent 4 }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "fullname" . }}-upgrade-check + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.commonLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-10" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + backoffLimit: 2 + template: + metadata: + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- if .Values.upgradeCheck.annotations }} + {{- range $key, $value := .Values.upgradeCheck.annotations }} + annotations: + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + + spec: + {{- if .Values.upgradeCheck.nodeSelector }} + nodeSelector: {{ toYaml .Values.upgradeCheck.nodeSelector | nindent 8 }} + {{- else }} + {{- include "gitlab.nodeSelector" . | nindent 6 }} + {{- end }} + {{- if or $.Values.global.priorityClassName .Values.upgradeCheck.priorityClassName }} + priorityClassName: {{ default $.Values.global.priorityClassName .Values.upgradeCheck.priorityClassName }} + {{- end }} + {{- if .Values.upgradeCheck.tolerations }} + tolerations: + {{- toYaml .Values.upgradeCheck.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{ .Values.upgradeCheck.securityContext.runAsUser }} + fsGroup: {{ .Values.upgradeCheck.securityContext.fsGroup }} + restartPolicy: Never + {{- include "gitlab.image.pullSecrets" $imageCfg | nindent 6}} + containers: + - name: run-check + image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.upgradeCheck.image) | quote }} + command: ['/bin/sh', '/scripts/runcheck'] + {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + env: + - name: GITLAB_VERSION + value: '{{ coalesce .Values.global.gitlabVersion .Chart.AppVersion }}' + - name: CHART_VERSION + value: '{{ .Chart.Version }}' + volumeMounts: + - name: chart-info + mountPath: /chart-info + - name: scripts + mountPath: /scripts +{{- if .Values.postgresql.install }} + - name: postgresql-secret + mountPath: /etc/secrets/postgresql +{{- end }} + resources: + {{- toYaml .Values.upgradeCheck.resources | nindent 12 }} + volumes: + - name: chart-info + configMap: + name: {{ template "fullname" . }}-chart-info + optional: true + - name: scripts + configMap: + name: {{ template "fullname" . }}-upgrade-check +{{- if .Values.postgresql.install }} + - name: postgresql-secret + secret: + secretName: {{ template "gitlab.psql.password.secret" . }} + optional: true +{{- end }} +{{- end }} diff --git a/kubernetes/Charts/gitlab/values.yaml b/kubernetes/Charts/gitlab/values.yaml new file mode 100644 index 0000000..d452e01 --- /dev/null +++ b/kubernetes/Charts/gitlab/values.yaml @@ -0,0 +1,1299 @@ +## NOTICE +# +# Due to the scope and complexity of this chart, all possible values are +# not documented in this file. Extensive documentation is available. +# +# Please read the docs: https://docs.gitlab.com/charts/ +# +# Because properties are regularly added, updated, or relocated, it is +# _strongly suggest_ to not "copy and paste" this YAML. Please provide +# Helm only those properties you need, and allow the defaults to be +# provided by the version of this chart at the time of deployment. + +## Advanced Configuration +## https://docs.gitlab.com/charts/advanced +# +# Documentation for advanced configuration, such as +# - External PostgreSQL +# - External Gitaly +# - External Redis +# - External NGINX +# - External Object Storage providers +# - PersistentVolume configuration + +## The global properties are used to configure multiple charts at once. +## https://docs.gitlab.com/charts/charts/globals +global: + common: + labels: {} + + image: {} + # Registry value override is only available for the following Charts: + # - Spamcheck + # - Mailroom + # If specifying a value here, be sure to also configure + # `gitlab..image.repository` to a value that does not + # include the default registry domain `registry.gitlab.com`. + # Support for other charts is coming as an iterative rollout. + # See https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2859 + # for more information. + # registry: + + # pullPolicy: IfNotPresent + # pullSecrets: [] + # tagSuffix: "" + + ## Supplemental Pod labels. Will not be used for selectors. + pod: + labels: {} + + ## https://docs.gitlab.com/charts/installation/deployment#deploy-the-community-edition + edition: ee + + ## https://docs.gitlab.com/charts/charts/globals#gitlab-version + gitlabVersion: "16.6.0" + + ## https://docs.gitlab.com/charts/charts/globals#application-resource + application: + create: false + links: [] + allowClusterRoles: true + ## https://docs.gitlab.com/charts/charts/globals#configure-host-settings + hosts: + domain: example.com + hostSuffix: + https: true + externalIP: + ssh: ~ + gitlab: {} + minio: {} + registry: {} + tls: {} + smartcard: {} + kas: {} + pages: {} + + ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings + ingress: + apiVersion: "" + configureCertmanager: true + provider: nginx + # class: + annotations: {} + enabled: true + tls: {} + # enabled: true + # secretName: + path: / + pathType: Prefix + + # Override the API version to use for HorizontalPodAutoscaler + hpa: + apiVersion: "" + + # Enable KEDA globally (https://keda.sh/) + keda: + enabled: false + + # Override the API version to use for PodDisruptionBudget + pdb: + apiVersion: "" + + # Override the API version to use for CronJob + batch: + cronJob: + apiVersion: "" + + # Override enablement of ServiceMonitor and PodMonitor objects. + monitoring: + enabled: false + + gitlab: + ## Enterprise license for this GitLab installation + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-enterprise-license + ## If allowing shared-secrets generation, this is OPTIONAL. + license: {} + # secret: RELEASE-gitlab-license + # key: license + + ## Initial root password for this GitLab installation + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-root-password + ## If allowing shared-secrets generation, this is OPTIONAL. + initialRootPassword: {} + # secret: RELEASE-gitlab-initial-root-password + # key: password + + ## https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings + psql: + connectTimeout: + keepalives: + keepalivesIdle: + keepalivesInterval: + keepalivesCount: + tcpUserTimeout: + password: {} + # useSecret: + # secret: + # key: + # file: + # host: postgresql.hostedsomewhere.else + # port: 123 + # username: gitlab + # database: gitlabhq_production + # applicationName: + # preparedStatements: false + # databaseTasks: true + + ## https://docs.gitlab.com/charts/charts/globals#configure-redis-settings + redis: + auth: + enabled: true + # secret: + # key: + # host: redis.hostedsomewhere.else + # port: 6379 + # user: webservice + # sentinels: + # - host: + # port: + + ## https://docs.gitlab.com/charts/charts/globals#configure-gitaly-settings + gitaly: + enabled: true + authToken: {} + # secret: + # key: + # serviceName: + internal: + names: [default] + external: [] + service: + name: gitaly + type: ClusterIP + externalPort: 8075 + internalPort: 8075 + tls: + externalPort: 8076 + internalPort: 8076 + tls: + enabled: false + # secretName: + + praefect: + enabled: false + ntpHost: pool.ntp.org + replaceInternalGitaly: true + authToken: {} + autoMigrate: true + dbSecret: {} + virtualStorages: + - name: default + gitalyReplicas: 3 + maxUnavailable: 1 + psql: + sslMode: disable + # serviceName: + service: + name: praefect + type: ClusterIP + externalPort: 8075 + internalPort: 8075 + tls: + externalPort: 8076 + internalPort: 8076 + tls: + enabled: false + # secretName: + + ## https://docs.gitlab.com/charts/charts/globals#configure-minio-settings + minio: + enabled: true + credentials: {} + # secret: + + ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings + ## Rails based portions of this chart share many settings + appConfig: + ## https://docs.gitlab.com/charts/charts/globals#general-application-settings + # cdnHost: + enableUsagePing: true + enableSeatLink: true + enableImpersonation: + applicationSettingsCacheSeconds: 60 + usernameChangingEnabled: true + issueClosingPattern: + defaultTheme: + defaultProjectsFeatures: + issues: true + mergeRequests: true + wiki: true + snippets: true + builds: true + graphQlTimeout: + webhookTimeout: + maxRequestDurationSeconds: + + ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings + cron_jobs: {} + ## Flag stuck CI builds as failed + # stuck_ci_jobs_worker: + # cron: "0 * * * *" + ## Schedule pipelines in the near future + # pipeline_schedule_worker: + # cron: "19 * * * *" + ## Remove expired build artifacts + # expire_build_artifacts_worker: + # cron: "*/7 * * * *" + ## Periodically run 'git fsck' on all repositories. + # repository_check_worker: + # cron: "20 * * * *" + ## Send admin emails once a week + # admin_email_worker: + # cron: "0 0 * * 0" + ## Remove outdated repository archives + # repository_archive_cache_worker: + # cron: "0 * * * *" + ## Verify custom GitLab Pages domains + # pages_domain_verification_cron_worker: + # cron: "*/15 * * * *" + # schedule_migrate_external_diffs_worker: + # cron: "15 * * * *" + ## Prune stale group runners on opted-in namespaces + # ci_runners_stale_group_runners_prune_worker_cron: + # cron: "30 * * * *" + ## Periodically update ci_runner_versions table with up-to-date versions and status + # ci_runner_versions_reconciliation_worker: + # cron: "@daily" + ## Periodically clean up stale ci_runner_machines records + # ci_runners_stale_machines_cleanup_worker: + # cron: "36 * * * *" + ### GitLab Geo + # Geo Primary only! + # geo_prune_event_log_worker: + # cron: "*/5 * * * *" + ## GitLab Geo repository sync worker + # geo_repository_sync_worker: + # cron: "*/5 * * * *" + ## GitLab Geo file download dispatch worker + # geo_file_download_dispatch_worker: + # cron: "*/10 * * * *" + ## GitLab Geo repository verification primary batch worker + # geo_repository_verification_primary_batch_worker: + # cron: "*/5 * * * *" + ## GitLab Geo repository verification secondary scheduler worker + # geo_repository_verification_secondary_scheduler_worker: + # cron: "*/5 * * * *" + ## GitLab Geo migrated local files clean up worker + # geo_migrated_local_files_clean_up_worker: + # cron: "15 */6 * * *" + ### LDAP + # ldap_sync_worker: + # cron: "30 1 * * *" + # ldap_group_sync_worker: + # cron: "0 * * * *" + ### Snapshot active user statistics + # historical_data_worker: + # cron: "0 12 * * *" + # loose_foreign_keys_cleanup_worker_cron: + # cron: "*/5 * * * *" + + ## https://docs.gitlab.com/charts/charts/globals#content-security-policy + contentSecurityPolicy: + enabled: false + report_only: true + # directives: {} + + ## https://docs.gitlab.com/charts/charts/globals#gravatarlibravatar-settings + gravatar: + plainUrl: + sslUrl: + + ## https://docs.gitlab.com/charts/charts/globals#hooking-analytics-services-to-the-gitlab-instance + extra: + googleAnalyticsId: + matomoUrl: + matomoSiteId: + matomoDisableCookies: + oneTrustId: + googleTagManagerNonceId: + bizible: + + ## https://docs.gitlab.com/charts/charts/globals#lfs-artifacts-uploads-packages-external-mr-diffs-and-dependency-proxy + object_store: + enabled: false + proxy_download: true + storage_options: {} + # server_side_encryption: + # server_side_encryption_kms_key_id + connection: {} + # secret: + # key: + lfs: + enabled: true + proxy_download: true + bucket: git-lfs + connection: {} + # secret: + # key: + artifacts: + enabled: true + proxy_download: true + bucket: gitlab-artifacts + connection: {} + # secret: + # key: + uploads: + enabled: true + proxy_download: true + bucket: gitlab-uploads + connection: {} + # secret: + # key: + packages: + enabled: true + proxy_download: true + bucket: gitlab-packages + connection: {} + externalDiffs: + enabled: false + when: + proxy_download: true + bucket: gitlab-mr-diffs + connection: {} + terraformState: + enabled: false + bucket: gitlab-terraform-state + connection: {} + ciSecureFiles: + enabled: false + bucket: gitlab-ci-secure-files + connection: {} + dependencyProxy: + enabled: false + proxy_download: true + bucket: gitlab-dependency-proxy + connection: {} + + backups: + bucket: gitlab-backups + tmpBucket: tmp + + ## https://docs.gitlab.com/charts/charts/globals#outgoing-email + ## Microsoft Graph Mailer settings + microsoft_graph_mailer: + enabled: false + user_id: "" + tenant: "" + client_id: "" + client_secret: + secret: "" + key: secret + azure_ad_endpoint: "https://login.microsoftonline.com" + graph_endpoint: "https://graph.microsoft.com" + + ## https://docs.gitlab.com/charts/installation/command-line-options.html#incoming-email-configuration + ## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#incoming-email + incomingEmail: + enabled: false + address: "" + host: "imap.gmail.com" + port: 993 + ssl: true + startTls: false + user: "" + password: + secret: "" + key: password + deleteAfterDelivery: true + expungeDeleted: false + logger: + logPath: "/dev/stdout" + mailbox: inbox + idleTimeout: 60 + inboxMethod: "imap" + clientSecret: + key: secret + pollInterval: 60 + deliveryMethod: webhook + authToken: {} + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#service-desk-email + serviceDeskEmail: + enabled: false + address: "" + host: "imap.gmail.com" + port: 993 + ssl: true + startTls: false + user: "" + password: + secret: "" + key: password + deleteAfterDelivery: true + expungeDeleted: false + logger: + logPath: "/dev/stdout" + mailbox: inbox + idleTimeout: 60 + inboxMethod: "imap" + clientSecret: + key: secret + pollInterval: 60 + deliveryMethod: webhook + authToken: {} + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#ldap + ldap: + # prevent the use of LDAP for sign-in via web. + preventSignin: false + servers: {} + ## See documentation for complete example of a configured LDAP server + + duoAuth: + enabled: false + # hostname: + # integrationKey: + # secretKey: + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#kas-settings + gitlab_kas: {} + # secret: + # key: + # enabled: + # externalUrl: + # internalUrl: + + ## https://docs.gitlab.com/charts/charts/globals#suggested-reviewers-settings + suggested_reviewers: {} + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#omniauth + omniauth: + enabled: false + autoSignInWithProvider: + syncProfileFromProvider: [] + syncProfileAttributes: [email] + allowSingleSignOn: [saml] + blockAutoCreatedUsers: true + autoLinkLdapUser: false + autoLinkSamlUser: false + autoLinkUser: [] + externalProviders: [] + allowBypassTwoFactor: [] + providers: [] + # - secret: gitlab-google-oauth2 + # key: provider + + ## https://docs.gitlab.com/charts/charts/globals#kerberos + kerberos: + enabled: false + keytab: + # secret: + key: keytab + servicePrincipalName: "" + krb5Config: "" + dedicatedPort: + enabled: false + port: 8443 + https: true + simpleLdapLinkingAllowedRealms: [] + + ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings + sentry: + enabled: false + dsn: + clientside_dsn: + environment: + + gitlab_docs: + enabled: false + host: "" + + smartcard: + enabled: false + CASecret: + clientCertificateRequiredHost: + sanExtensions: false + requiredForGitAccess: false + + sidekiq: + routingRules: [] + + # Config that only applies to the defaults on initial install + initialDefaults: {} + # signupEnabled: + ## End of global.appConfig + + oauth: + gitlab-pages: {} + # secret: + # appIdKey: + # appSecretKey: + # redirectUri: + # authScope: + + ## https://docs.gitlab.com/charts/advanced/geo/ + geo: + enabled: false + # Valid values: primary, secondary + role: primary + ## Geo Secondary only + # nodeName allows multiple instances behind a load balancer. + nodeName: # defaults to `gitlab.gitlab.host` + # ingressClass: + # PostgreSQL connection details only needed for `secondary` + psql: + password: {} + # secret: + # key: + # host: postgresql.hostedsomewhere.else + # port: 123 + # username: gitlab_replicator + # database: gitlabhq_geo_production + # ssl: + # secret: + # clientKey: + # clientCertificate: + # serverCA: + registry: + replication: + enabled: false + primaryApiUrl: + ## Consumes global.registry.notificationSecret + + ## https://docs.gitlab.com/charts/charts/gitlab/kas/ + kas: + enabled: true + service: + apiExternalPort: 8153 # port for connections from the GitLab backend + tls: + enabled: false + verify: true + # secretName: + # caSecretName: + + ## https://docs.gitlab.com/charts/charts/gitlab/spamcheck/ + spamcheck: + enabled: false + + ## https://docs.gitlab.com/charts/charts/globals#configure-gitlab-shell + shell: + authToken: {} + # secret: + # key: + hostKeys: {} + # secret: + ## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol + tcp: + proxyProtocol: false + + ## Rails application secrets + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret + ## If allowing shared-secrets generation, this is OPTIONAL. + railsSecrets: {} + # secret: + + ## Rails generic setting, applicable to all Rails-based containers + rails: + bootsnap: # Enable / disable Shopify/Bootsnap cache + enabled: true + + ## https://docs.gitlab.com/charts/charts/globals#configure-registry-settings + registry: + bucket: registry + + certificate: {} + # secret: + httpSecret: {} + # secret: + # key: + notificationSecret: {} + # secret: + # key: + tls: + enabled: false + # secretName: + redis: + cache: + password: {} + # https://docs.docker.com/registry/notifications/#configuration + notifications: {} + # endpoints: + # - name: FooListener + # url: https://foolistener.com/event + # timeout: 500ms + # threshold: 10 + # backoff: 1s + # headers: + # FooBar: ['1', '2'] + # Authorization: + # secret: gitlab-registry-authorization-header + # SpecificPassword: + # secret: gitlab-registry-specific-password + # key: password + # events: {} + + # Settings utilized by other services referencing registry: + enabled: true + host: + # port: 443 + api: + protocol: http + serviceName: registry + port: 5000 + tokenIssuer: gitlab-issuer + + pages: + enabled: false + accessControl: false + path: + host: + port: + https: # default true + externalHttp: [] + externalHttps: [] + artifactsServer: true + localStore: + enabled: false + # path: /srv/gitlab/shared/pages + objectStore: + enabled: true + bucket: gitlab-pages + # proxy_download: true + connection: {} + # secret: + # key: + apiSecret: {} + # secret: + # key: + authSecret: {} + # secret: + # key: + + ## GitLab Runner + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret + ## If allowing shared-secrets generation, this is OPTIONAL. + runner: + registrationToken: {} + # secret: + + ## https://docs.gitlab.com/charts/charts/globals#outgoing-email + ## Outgoing email server settings + smtp: + enabled: false + address: smtp.mailgun.org + port: 2525 + user_name: "" + ## https://docs.gitlab.com/charts/installation/secrets#smtp-password + password: + secret: "" + key: password + # domain: + authentication: "plain" + starttls_auto: false + openssl_verify_mode: "peer" + open_timeout: 30 + read_timeout: 60 + pool: false + + ## https://docs.gitlab.com/charts/charts/globals#outgoing-email + ## Email persona used in email sent by GitLab + email: + from: "" + display_name: GitLab + reply_to: "" + subject_suffix: "" + smime: + enabled: false + secretName: "" + keyName: "tls.key" + certName: "tls.crt" + + ## Timezone for containers. + time_zone: UTC + + ## Global Service Annotations and Labels + service: + labels: {} + annotations: {} + + ## Global Deployment Annotations + deployment: + annotations: {} + + antiAffinity: soft + affinity: + podAntiAffinity: + topologyKey: "kubernetes.io/hostname" + + # Priority class assigned to pods, may be overridden for individual components + # https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ + priorityClassName: "" + + ## https://docs.gitlab.com/charts/charts/globals#configure-workhorse-settings + ## Global settings related to Workhorse + workhorse: + serviceName: webservice-default + # scheme: + # host: + # port: + ## https://docs.gitlab.com/charts/installation/secrets#gitlab-workhorse-secret + # secret: + # key: + tls: + enabled: false + + ## https://docs.gitlab.com/charts/charts/globals#configure-webservice + webservice: + workerTimeout: 60 + + ## https://docs.gitlab.com/charts/charts/globals#custom-certificate-authorities + # configuration of certificates container & custom CA injection + certificates: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/certificates + # Default tag is `global.gitlabVersion` or `master` if the former one is undefined. + # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + customCAs: [] + # - secret: custom-CA + # - secret: more-custom-CAs + # keys: + # - custom-ca-1.crt + # - configMap: custom-CA-cm + # - configMap: more-custom-CAs-cm + # keys: + # - custom-ca-2.crt + # - custom-ca-3.crt + + ## kubectl image used by hooks to carry out specific jobs + kubectl: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/kubectl + # Default tag is `global.gitlabVersion` or `master` if the former one is undefined. + # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + securityContext: + # in most base images, this is `nobody:nogroup` + runAsUser: 65534 + fsGroup: 65534 + gitlabBase: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base + # Default tag is `global.gitlabVersion` or `master` if the former one is undefined. + # Charts using this image as init container support further overrides with `init.image.tag`. + # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + + ## https://docs.gitlab.com/charts/charts/globals#service-accounts + serviceAccount: + enabled: false + create: true + annotations: {} + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + + ## https://docs.gitlab.com/charts/charts/globals/#tracing + tracing: + connection: + string: "" + urlTemplate: "" + + zoekt: + gateway: + basicAuth: {} + indexer: + internalApi: {} + + ## https://docs.gitlab.com/charts/charts/globals + extraEnv: {} + # SOME_KEY: some_value + # SOME_OTHER_KEY: some_other_value + + ## https://docs.gitlab.com/charts/charts/globals + extraEnvFrom: {} + # MY_NODE_NAME: + # fieldRef: + # fieldPath: spec.nodeName + # MY_CPU_REQUEST: + # resourceFieldRef: + # containerName: test-container + # resource: requests.cpu + # SECRET_THING: + # secretKeyRef: + # name: special-secret + # key: special_token + # # optional: boolean + # CONFIG_STRING: + # configMapKeyRef: + # name: useful-config + # key: some-string + # # optional: boolean +## End of global + +upgradeCheck: + enabled: true + image: {} + # repository: + # tag: + # pullPolicy: IfNotPresent + # pullSecrets: [] + securityContext: + # in alpine/debian/busybox based images, this is `nobody:nogroup` + runAsUser: 65534 + fsGroup: 65534 + tolerations: [] + annotations: {} + configMapAnnotations: {} + resources: + requests: + cpu: 50m + priorityClassName: "" + +## Settings to for the Let's Encrypt ACME Issuer +# certmanager-issuer: +# # The email address to register certificates requested from Let's Encrypt. +# # Required if using Let's Encrypt. +# email: email@example.com + +## Installation & configuration of jetstack/cert-manager +## See requirements.yaml for current version +certmanager: + installCRDs: true + nameOverride: certmanager + # Install cert-manager chart. Set to false if you already have cert-manager + # installed or if you are not using cert-manager. + install: true + # Other cert-manager configurations from upstream + # See https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/README#configuration + rbac: + create: true + +## https://docs.gitlab.com/charts/charts/nginx/ +## https://docs.gitlab.com/charts/architecture/decisions#nginx-ingress +## Installation & configuration of charts/ingress-nginx: +nginx-ingress: &nginx-ingress + enabled: true + tcpExternalConfig: "true" + controller: &nginx-ingress-controller + addHeaders: + Referrer-Policy: strict-origin-when-cross-origin + config: &nginx-ingress-controller-config + annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"" + hsts: "true" + hsts-include-subdomains: "false" + hsts-max-age: "63072000" + server-name-hash-bucket-size: "256" + use-http2: "true" + ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + ssl-protocols: "TLSv1.3 TLSv1.2" + server-tokens: "false" + # Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration + upstream-keepalive-connections: 100 # Limit of 100 held-open connections + upstream-keepalive-time: 30s # 30 second limit for connection reuse + upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections + upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling + + service: + externalTrafficPolicy: "Local" + ingressClassByName: false + ingressClassResource: + name: '{{ include "ingress.class.name" $ | quote }}' + resources: + requests: + cpu: 100m + memory: 100Mi + publishService: + enabled: true + replicaCount: 2 + minAvailable: 1 + scope: + enabled: true + metrics: + enabled: true + service: + annotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "10254" + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + admissionWebhooks: + enabled: false + defaultBackend: + resources: + requests: + cpu: 5m + memory: 5Mi + rbac: + create: true + # Needed for k8s 1.20 and 1.21 + # https://github.com/kubernetes/ingress-nginx/issues/7510 + # https://github.com/kubernetes/ingress-nginx/issues/7519 + scope: false + serviceAccount: + create: true + +# Ingress controller to handle requests forwarded from other Geo sites. +# Configuration differences compared to the main nginx ingress: +# - Pass X-Forwarded-For headers as is +# - Use a different IngressClass name +nginx-ingress-geo: + <<: *nginx-ingress + enabled: false + controller: + <<: *nginx-ingress-controller + config: + <<: *nginx-ingress-controller-config + # Pass incoming X-Forwarded-* headers to upstream. Required to handle requests + # from other Geo sites. + # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers + use-forwarded-headers: true + electionID: ingress-controller-leader-geo + ingressClassResource: + name: '{{ include "gitlab.geo.ingress.class.name" $ | quote }}' + controllerValue: 'k8s.io/nginx-ingress-geo' + # A pre-defined/static external IP can be configured with global.hosts.externalGeoIP. + externalIpTpl: '{{ .Values.global.hosts.externalGeoIP }}' + +haproxy: + install: false + controller: + service: + type: LoadBalancer + tcpPorts: + - name: ssh + port: 22 + targetPort: 22 + extraArgs: + - --configmap-tcp-services=$(POD_NAMESPACE)/$(POD_NAMESPACE)-haproxy-tcp + +## Installation & configuration of stable/prometheus +## See requirements.yaml for current version +prometheus: + install: true + rbac: + create: true + alertmanager: + enabled: false + alertmanagerFiles: + alertmanager.yml: {} + kubeStateMetrics: + enabled: false + nodeExporter: + enabled: false + pushgateway: + enabled: false + server: + retention: 15d + strategy: + type: Recreate + image: + tag: v2.38.0 + serverFiles: + prometheus.yml: + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: + [ + __meta_kubernetes_namespace, + __meta_kubernetes_service_name, + __meta_kubernetes_endpoint_port_name, + ] + action: keep + regex: default;kubernetes;https + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scrape] + action: keep + regex: true + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + [ + __address__, + __meta_kubernetes_pod_annotation_gitlab_com_prometheus_port, + ] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-services + metrics_path: /probe + params: + module: [http_2xx] + kubernetes_sd_configs: + - role: service + relabel_configs: + - source_labels: + [ + __meta_kubernetes_service_annotation_gitlab_com_prometheus_probe, + ] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: kubernetes_name + +## Configuration of Redis +## https://docs.gitlab.com/charts/architecture/decisions#redis +## https://docs.gitlab.com/charts/installation/deployment.html#redis +redis: + install: true + auth: + existingSecret: gitlab-redis-secret + existingSecretKey: redis-password + usePasswordFiles: true + architecture: standalone + cluster: + enabled: false + metrics: + enabled: true + +## Installation & configuration of stable/prostgresql +## See requirements.yaml for current version +postgresql: + install: true + auth: + ## These need to be set, for the sake of bitnami/postgresql upgrade patterns. + ## They are overridden by use of `existingSecret` + password: bogus-satisfy-upgrade + postgresPassword: bogus-satisfy-upgrade + ## + usePasswordFiles: false + existingSecret: '{{ include "gitlab.psql.password.secret" . }}' + secretKeys: + adminPasswordKey: postgresql-postgres-password + userPasswordKey: '{{ include "gitlab.psql.password.key" $ }}' + image: + tag: 14.8.0 + primary: + initdb: + scriptsConfigMap: '{{ include "gitlab.psql.initdbscripts" $}}' + extraVolumeMounts: + - name: custom-init-scripts + mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh + subPath: init_revision.sh + podAnnotations: + postgresql.gitlab/init-revision: "1" + metrics: + enabled: true + service: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "9187" + + ## Optionally define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + +## Installation & configuration charts/registry +## https://docs.gitlab.com/charts/architecture/decisions#registry +## https://docs.gitlab.com/charts/charts/registry/ +# registry: +# enabled: false + +## Automatic shared secret generation +## https://docs.gitlab.com/charts/installation/secrets +## https://docs.gitlab.com/charts/charts/shared-secrets.html +shared-secrets: + enabled: true + rbac: + create: true + selfsign: + image: + # pullPolicy: IfNotPresent + # pullSecrets: [] + repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign + # Default tag is `master`, overridable by `global.gitlabVersion`. + # tag: master + keyAlgorithm: "rsa" + keySize: "4096" + expiry: "3650d" + caSubject: "GitLab Helm Chart" + env: production + serviceAccount: + enabled: true + create: true + name: # Specify a pre-existing ServiceAccount name + resources: + requests: + cpu: 50m + securityContext: + # in debian/alpine based images, this is `nobody:nogroup` + runAsUser: 65534 + fsGroup: 65534 + tolerations: [] + podLabels: {} + annotations: {} + +## Installation & configuration of gitlab/gitlab-runner +## See requirements.yaml for current version +gitlab-runner: + install: true + rbac: + create: true + runners: + locked: false + # Set secret to an arbitrary value because the runner chart renders the gitlab-runner.secret template only if it is not empty. + # The parent/GitLab chart overrides the template to render the actual secret name. + secret: "nonempty" + config: | + [[runners]] + [runners.kubernetes] + image = "ubuntu:22.04" + {{- if .Values.global.minio.enabled }} + [runners.cache] + Type = "s3" + Path = "gitlab-runner" + Shared = true + [runners.cache.s3] + ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }} + BucketName = "runner-cache" + BucketLocation = "us-east-1" + Insecure = false + {{ end }} + podAnnotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: 9252 + +traefik: + install: false + ports: + gitlab-shell: + expose: true + port: 2222 + exposedPort: 22 + +## Settings for individual sub-charts under GitLab +## Note: Many of these settings are configurable via globals +gitlab: + ## https://docs.gitlab.com/charts/charts/gitlab/toolbox + toolbox: + replicas: 1 + antiAffinityLabels: + matchLabels: + app: gitaly + ## https://docs.gitlab.com/charts/charts/gitlab/migrations + # migrations: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/webservice + # webservice: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/sidekiq + # sidekiq: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/gitaly + # gitaly: + ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell + # gitlab-shell: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-pages + # gitlab-pages: + ## https://docs.gitlab.com/charts/charts/gitlab/kas + # kas: + ## https://docs.gitlab.com/charts/charts/gitlab/praefect + # praefect: + +## Installation & configuration of gitlab/gitlab-zoekt +gitlab-zoekt: + install: false + gateway: + basicAuth: + enabled: true + secretName: '{{ include "gitlab.zoekt.gateway.basicAuth.secretName" $ }}' + indexer: + internalApi: + enabled: false + secretName: '{{ include "gitlab.zoekt.indexer.internalApi.secretName" $ }}' + secretKey: '{{ include "gitlab.zoekt.indexer.internalApi.secretKey" $ }}' + gitlabUrl: '{{ include "gitlab.zoekt.indexer.internalApi.gitlabUrl" $ }}' diff --git a/kubernetes/Charts/gitlabci/.gitlab-ci-auto-deploy-to-prod.yml b/kubernetes/Charts/gitlabci/.gitlab-ci-auto-deploy-to-prod.yml new file mode 100644 index 0000000..5ef1ba5 --- /dev/null +++ b/kubernetes/Charts/gitlabci/.gitlab-ci-auto-deploy-to-prod.yml @@ -0,0 +1,192 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - staging + - production + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main + +staging: + stage: staging + extends: .extended_deploy + script: + - export track="${1-stable}" + - mkdir -p reddit/chats + - helm dep build reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - > + helm upgrade --install --wait --atomic \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + environment: + name: staging + url: http://staging + only: + refs: + - main + except: + - triggers + +production: + stage: production + extends: .extended_deploy + script: + - export track="${1-stable}" + - mkdir -p reddit/chats + - helm dep build reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - > + helm upgrade --install --wait --atomic \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + environment: + name: production + url: http://production + only: + refs: + - main + except: + - triggers diff --git a/kubernetes/Charts/gitlabci/.gitlab-ci-comment.yml b/kubernetes/Charts/gitlabci/.gitlab-ci-comment.yml new file mode 100644 index 0000000..26ab6a8 --- /dev/null +++ b/kubernetes/Charts/gitlabci/.gitlab-ci-comment.yml @@ -0,0 +1,130 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main diff --git a/kubernetes/Charts/gitlabci/.gitlab-ci-post.yml b/kubernetes/Charts/gitlabci/.gitlab-ci-post.yml new file mode 100644 index 0000000..26ab6a8 --- /dev/null +++ b/kubernetes/Charts/gitlabci/.gitlab-ci-post.yml @@ -0,0 +1,130 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main diff --git a/kubernetes/Charts/gitlabci/.gitlab-ci-reddit.yml b/kubernetes/Charts/gitlabci/.gitlab-ci-reddit.yml new file mode 100644 index 0000000..8b0a2c6 --- /dev/null +++ b/kubernetes/Charts/gitlabci/.gitlab-ci-reddit.yml @@ -0,0 +1,125 @@ +image: alpine:latest + +stages: + - test + - staging + - production + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + CI_APPLICATION_REPOSITORY: registry.reddit.voytenkov.ru/voitenkov + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +test: + stage: test + script: + - exit 0 + only: + - triggers + - branches + +staging: + stage: staging + extends: .extended_deploy + script: + - export track="${1-stable}" + - mkdir -p reddit/chats + - helm dep build reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - > + helm template \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + - > + helm upgrade --install --wait --atomic \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + environment: + name: staging + url: http://staging + only: + refs: + - main + except: + - triggers + +production: + stage: production + extends: .extended_deploy + script: + - export track="${1-stable}" + - mkdir -p reddit/chats + - helm dep build reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - > + helm template \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + - > + helm upgrade --install --wait --atomic \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + environment: + name: production + url: http://production + when: manual + only: + refs: + - main + except: + - triggers diff --git a/kubernetes/Charts/gitlabci/.gitlab-ci-ui.yml b/kubernetes/Charts/gitlabci/.gitlab-ci-ui.yml new file mode 100644 index 0000000..26ab6a8 --- /dev/null +++ b/kubernetes/Charts/gitlabci/.gitlab-ci-ui.yml @@ -0,0 +1,130 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main diff --git a/kubernetes/Charts/gitlabci/auto-devops/.gitlab-ci-reddit.yml b/kubernetes/Charts/gitlabci/auto-devops/.gitlab-ci-reddit.yml new file mode 100644 index 0000000..6819bf6 --- /dev/null +++ b/kubernetes/Charts/gitlabci/auto-devops/.gitlab-ci-reddit.yml @@ -0,0 +1,123 @@ +image: alpine:latest + +stages: + - test + - staging + - production + +test: + stage: test + script: + - exit 0 + only: + - triggers + - branches + +staging: + stage: staging + image: dtzar/helm-kubectl:3.13 + script: + - kubectl config use-context $KUBE_CONTEXT + - install_dependencies + - ensure_namespace + - deploy + variables: + KUBE_NAMESPACE: staging + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + environment: + name: staging + url: http://staging + only: + refs: + - main + except: + - triggers + +production: + stage: production + image: dtzar/helm-kubectl:3.13 + script: + - kubectl config use-context $KUBE_CONTEXT + - install_dependencies + - ensure_namespace + - deploy + variables: + KUBE_NAMESPACE: production + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + environment: + name: production + url: http://production + when: manual + only: + refs: + - main + except: + - triggers + +.auto_devops: &auto_devops | + [[ "$TRACE" ]] && set -x + export CI_APPLICATION_REPOSITORY="registry.reddit.voytenkov.ru/voitenkov" + export CI_APPLICATION_TAG=$CI_COMMIT_REF_SLUG + export CI_CONTAINER_NAME=ci_job_build_${CI_JOB_ID} + export GITLAB_URL="https://gitlab.reddit.voytenkov.ru/voitenkov" + + function deploy() { + track="${1-stable}" + name="$CI_ENVIRONMENT_SLUG" + mkdir -p reddit/chats + helm dep build reddit + + # for microservice in $(helm dep ls | grep "file://" | awk '{print $1}') ; do + # SET_VERSION="$SET_VERSION \ --set $microservice.image.tag='$(curl http://gitlab-gitlab/$CI_PROJECT_NAMESPACE/ui/raw/master/VERSION)' " + + echo "Deploy helm release $name to $KUBE_NAMESPACE" + + helm template \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + + helm upgrade --install --wait --atomic \ + --set ui.ingress.host="$host" \ + --set ui.image.repository=$CI_APPLICATION_REPOSITORY/ui \ + --set ui.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/ui/raw/main/VERSION)" \ + --set post.image.repository=$CI_APPLICATION_REPOSITORY/post \ + --set post.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/post/raw/main/VERSION)" \ + --set comment.image.repository=$CI_APPLICATION_REPOSITORY/comment \ + --set comment.image.tag="$(curl https://gitlab.reddit.voytenkov.ru/voitenkov/comment/raw/main/VERSION)" \ + --namespace="$KUBE_NAMESPACE" --create-namespace \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit/ + + } + + function install_dependencies() { + + apk add -U openssl curl tar gzip bash ca-certificates git + wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + + curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + export PATH=${PATH}:$HOME/gsutil + + curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + chmod a+x /usr/bin/sync-repo.sh + + } + + function ensure_namespace() { + kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + } + +before_script: + - *auto_devops diff --git a/kubernetes/Charts/gitlabci/auto-devops/.gitlab-ci-ui.yml b/kubernetes/Charts/gitlabci/auto-devops/.gitlab-ci-ui.yml new file mode 100644 index 0000000..a790638 --- /dev/null +++ b/kubernetes/Charts/gitlabci/auto-devops/.gitlab-ci-ui.yml @@ -0,0 +1,181 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +build: + stage: build + image: docker:git + services: + - docker:18.09.7-dind + script: + - setup_docker + - build + variables: + DOCKER_DRIVER: overlay2 + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + image: docker:git + services: + - docker:18.09.7-dind + script: + - setup_docker + - release + variables: + DOCKER_DRIVER: overlay2 + only: + - main + +review: + stage: review + image: dtzar/helm-kubectl:3.13 + script: + - kubectl config use-context $KUBE_CONTEXT + - install_dependencies + - ensure_namespace + - deploy + variables: + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + except: + - main + +stop_review: + stage: cleanup + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + script: + - kubectl config use-context $KUBE_CONTEXT + - install_dependencies + - delete + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + when: manual + allow_failure: true + only: + - branches + except: + - main + +.auto_devops: &auto_devops | + [[ "$TRACE" ]] && set -x + export CI_APPLICATION_REPOSITORY=$CI_REGISTRY/$CI_PROJECT_PATH + export CI_APPLICATION_TAG=$CI_COMMIT_REF_SLUG + export CI_CONTAINER_NAME=ci_job_build_${CI_JOB_ID} + export GITLAB_URL="https://gitlab.reddit.voytenkov.ru/voitenkov" + + function deploy() { + track="${1-stable}" + name="$CI_ENVIRONMENT_SLUG" + + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + + echo "Clone deploy repository..." + git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + + echo "Download helm dependencies..." + helm dep update reddit-deploy/reddit + + echo "Deploy helm release $name to $KUBE_NAMESPACE" + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + } + + function install_dependencies() { + + apk add -U openssl curl tar gzip bash ca-certificates git + wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + + curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + export PATH=${PATH}:$HOME/gsutil + + curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + chmod a+x /usr/bin/sync-repo.sh + + } + + + function setup_docker() { + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + } + + function ensure_namespace() { + kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + } + + function release() { + + echo "Updating docker images ..." + + if [[ -n "$CI_REGISTRY_USER" ]]; then + echo "Logging to GitLab Container Registry with CI credentials..." + docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY + echo "" + fi + + docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + echo "" + } + + function build() { + + if [[ -n "$CI_REGISTRY_USER" ]]; then + echo "Logging to GitLab Container Registry with CI credentials..." + docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY + echo "" + fi + + echo "Building and pushing Dockerfile-based application..." + echo `git show --format="%h" HEAD | head -1` > build_info.txt + echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + echo "" + } + + function delete() { + track="${1-stable}" + name="$CI_ENVIRONMENT_SLUG" + helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + } + +before_script: + - *auto_devops diff --git a/kubernetes/Charts/mongodb/Chart.yaml b/kubernetes/Charts/mongodb/Chart.yaml new file mode 100644 index 0000000..b0d5d7f --- /dev/null +++ b/kubernetes/Charts/mongodb/Chart.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +appVersion: 3.2 +name: mongodb +version: 1.0.0 +description: MongoDB 3.2 Chart +maintainers: + - name: Someone diff --git a/kubernetes/Charts/mongodb/templates/_helpers.tpl b/kubernetes/Charts/mongodb/templates/_helpers.tpl new file mode 100644 index 0000000..05fec48 --- /dev/null +++ b/kubernetes/Charts/mongodb/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "mongodb.fullname" -}} +{{- printf "%s-%s" .Release.Name .Chart.Name }} +{{- end -}} diff --git a/kubernetes/Charts/mongodb/templates/deployment.yaml b/kubernetes/Charts/mongodb/templates/deployment.yaml new file mode 100644 index 0000000..617b994 --- /dev/null +++ b/kubernetes/Charts/mongodb/templates/deployment.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "mongodb.fullname" . }} + labels: + app: reddit + component: mongo + release: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: reddit + component: mongo + release: {{ .Release.Name }} + template: + metadata: + name: mongo + labels: + app: reddit + component: mongo + release: {{ .Release.Name }} + spec: + containers: + - image: mongo:3.2 + name: mongo + volumeMounts: + - name: mongo-gce-pd-storage + mountPath: /data/db + volumes: + - name: mongo-gce-pd-storage + persistentVolumeClaim: + claimName: mongo-pvc-dynamic diff --git a/kubernetes/Charts/mongodb/templates/pvc.yaml b/kubernetes/Charts/mongodb/templates/pvc.yaml new file mode 100644 index 0000000..12409c6 --- /dev/null +++ b/kubernetes/Charts/mongodb/templates/pvc.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mongo-pvc-dynamic + labels: + app: reddit + component: pvc + release: {{ .Release.Name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/kubernetes/Charts/mongodb/templates/service.yaml b/kubernetes/Charts/mongodb/templates/service.yaml new file mode 100644 index 0000000..e4b79dc --- /dev/null +++ b/kubernetes/Charts/mongodb/templates/service.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: mongodb + labels: + app: reddit + component: mongo + release: {{ .Release.Name }} +spec: + ports: + - port: 27017 + protocol: TCP + targetPort: 27017 + selector: + app: reddit + component: mongo + release: {{ .Release.Name }} diff --git a/kubernetes/modules/k8s-node-group/outputs.tf b/kubernetes/Charts/mongodb/values.yaml similarity index 100% rename from kubernetes/modules/k8s-node-group/outputs.tf rename to kubernetes/Charts/mongodb/values.yaml diff --git a/kubernetes/Charts/post/Chart.yaml b/kubernetes/Charts/post/Chart.yaml new file mode 100644 index 0000000..51da9c7 --- /dev/null +++ b/kubernetes/Charts/post/Chart.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +appVersion: 1.0.0 +name: post +version: 1.0.0 +description: OTUS reddit application Post +maintainers: + - name: Someone diff --git a/kubernetes/Charts/post/templates/_helpers.tpl b/kubernetes/Charts/post/templates/_helpers.tpl new file mode 100644 index 0000000..1a9a062 --- /dev/null +++ b/kubernetes/Charts/post/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "post.fullname" -}} +{{- printf "%s-%s" .Release.Name .Chart.Name }} +{{- end -}} diff --git a/kubernetes/Charts/post/templates/deployment.yaml b/kubernetes/Charts/post/templates/deployment.yaml new file mode 100644 index 0000000..940886c --- /dev/null +++ b/kubernetes/Charts/post/templates/deployment.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "post.fullname" . }} + labels: + app: reddit + component: post + release: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: reddit + component: post + release: {{ .Release.Name }} + template: + metadata: + name: post + labels: + app: reddit + component: post + release: {{ .Release.Name }} + spec: + containers: + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + name: post + ports: + - containerPort: {{ .Values.service.internalPort }} + env: + - name: POST_DATABASE_HOST + value: {{ .Values.databaseHost | default (printf "%s-mongodb" .Release.Name) }} diff --git a/kubernetes/Charts/post/templates/service.yaml b/kubernetes/Charts/post/templates/service.yaml new file mode 100644 index 0000000..ea97060 --- /dev/null +++ b/kubernetes/Charts/post/templates/service.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "post.fullname" . }} + labels: + app: reddit + component: post + release: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.service.externalPort }} + protocol: TCP + targetPort: {{ .Values.service.internalPort }} + selector: + app: reddit + component: post + release: {{ .Release.Name }} +... diff --git a/kubernetes/Charts/post/values.yaml b/kubernetes/Charts/post/values.yaml new file mode 100644 index 0000000..c95e848 --- /dev/null +++ b/kubernetes/Charts/post/values.yaml @@ -0,0 +1,10 @@ +--- +service: + internalPort: 5000 + externalPort: 5000 + +image: + repository: voitenkov/post + tag: latest + +databaseHost: diff --git a/kubernetes/Charts/reddit/Chart.yaml b/kubernetes/Charts/reddit/Chart.yaml new file mode 100644 index 0000000..04f5ace --- /dev/null +++ b/kubernetes/Charts/reddit/Chart.yaml @@ -0,0 +1,6 @@ +name: reddit +version: 0.1.0 +description: OTUS sample reddit application +maintainers: + - name: Andrey Voytenkov + email: avoytenkov@yandex.ru diff --git a/kubernetes/Charts/reddit/charts/comment-1.0.0.tgz b/kubernetes/Charts/reddit/charts/comment-1.0.0.tgz new file mode 100644 index 0000000..0d58521 Binary files /dev/null and b/kubernetes/Charts/reddit/charts/comment-1.0.0.tgz differ diff --git a/kubernetes/Charts/reddit/charts/mongodb-1.0.0.tgz b/kubernetes/Charts/reddit/charts/mongodb-1.0.0.tgz new file mode 100644 index 0000000..533776d Binary files /dev/null and b/kubernetes/Charts/reddit/charts/mongodb-1.0.0.tgz differ diff --git a/kubernetes/Charts/reddit/charts/post-1.0.0.tgz b/kubernetes/Charts/reddit/charts/post-1.0.0.tgz new file mode 100644 index 0000000..eecc351 Binary files /dev/null and b/kubernetes/Charts/reddit/charts/post-1.0.0.tgz differ diff --git a/kubernetes/Charts/reddit/charts/ui-1.0.0.tgz b/kubernetes/Charts/reddit/charts/ui-1.0.0.tgz new file mode 100644 index 0000000..5d02055 Binary files /dev/null and b/kubernetes/Charts/reddit/charts/ui-1.0.0.tgz differ diff --git a/kubernetes/Charts/reddit/requirements.lock b/kubernetes/Charts/reddit/requirements.lock new file mode 100644 index 0000000..195be06 --- /dev/null +++ b/kubernetes/Charts/reddit/requirements.lock @@ -0,0 +1,15 @@ +dependencies: +- name: ui + repository: file://../ui + version: 1.0.0 +- name: post + repository: file://../post + version: 1.0.0 +- name: comment + repository: file://../comment + version: 1.0.0 +- name: mongodb + repository: file://../mongodb + version: 1.0.0 +digest: sha256:4e3fd8c501a5e823549c2246af7369684da75b79bdb63ced4664585374300ca7 +generated: "2023-11-26T15:42:59.119083442+02:00" diff --git a/kubernetes/Charts/reddit/requirements.yaml b/kubernetes/Charts/reddit/requirements.yaml new file mode 100644 index 0000000..cd3a914 --- /dev/null +++ b/kubernetes/Charts/reddit/requirements.yaml @@ -0,0 +1,18 @@ +--- +dependencies: + - name: ui + version: 1.0.0 + repository: "file://../ui" + + - name: post + version: 1.0.0 + repository: "file://../post" + + - name: comment + version: 1.0.0 + repository: "file://../comment" + + - name: mongodb + version: 1.0.0 + repository: "file://../mongodb" +... diff --git a/kubernetes/Charts/reddit/values.yaml b/kubernetes/Charts/reddit/values.yaml new file mode 100644 index 0000000..c2024ec --- /dev/null +++ b/kubernetes/Charts/reddit/values.yaml @@ -0,0 +1,25 @@ +comment: + image: + repository: voitenkov/comment + tag: latest + service: + externalPort: 9292 + internalPort: 9292 + databaseHost: mongodb + +post: + image: + repository: voitenkov/post + tag: latest + service: + externalPort: 5000 + internalPort: 5000 + databaseHost: mongodb + +ui: + image: + repository: voitenkov/ui + tag: latest + service: + externalPort: 80 + internalPort: 9292 diff --git a/kubernetes/Charts/ui/Chart.yaml b/kubernetes/Charts/ui/Chart.yaml new file mode 100644 index 0000000..b2d1f80 --- /dev/null +++ b/kubernetes/Charts/ui/Chart.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +appVersion: 1.0.0 +name: ui +version: 1.0.0 +description: OTUS reddit application UI +maintainers: + - name: Someone diff --git a/kubernetes/Charts/ui/templates/_helpers.tpl b/kubernetes/Charts/ui/templates/_helpers.tpl new file mode 100644 index 0000000..c61a4c3 --- /dev/null +++ b/kubernetes/Charts/ui/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "ui.fullname" -}} +{{- printf "%s-%s" .Release.Name .Chart.Name }} +{{- end -}} diff --git a/kubernetes/Charts/ui/templates/deployment.yaml b/kubernetes/Charts/ui/templates/deployment.yaml new file mode 100644 index 0000000..6da994c --- /dev/null +++ b/kubernetes/Charts/ui/templates/deployment.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "ui.fullname" . }} + labels: + app: reddit + component: ui + release: {{ .Release.Name }} +spec: + replicas: 3 + strategy: + type: Recreate + selector: + matchLabels: + app: reddit + component: ui + release: {{ .Release.Name }} + template: + metadata: + name: ui + labels: + app: reddit + component: ui + release: {{ .Release.Name }} + spec: + containers: + - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + name: ui + ports: + - containerPort: {{ .Values.service.internalPort }} + env: + - name: POST_SERVICE_HOST + value: {{ .Values.postHost | default (printf "%s-post" .Release.Name) }} + - name: POST_SERVICE_PORT + value: {{ .Values.postPort | default "5000" | quote }} + - name: COMMENT_SERVICE_HOST + value: {{ .Values.commentHost | default (printf "%s-comment" .Release.Name) }} + - name: COMMENT_SERVICE_PORT + value: {{ .Values.commentPort | default "9292" | quote }} + - name: ENV + valueFrom: + fieldRef: + fieldPath: metadata.namespace +... diff --git a/kubernetes/Charts/ui/templates/ingress.yaml b/kubernetes/Charts/ui/templates/ingress.yaml new file mode 100644 index 0000000..f99990e --- /dev/null +++ b/kubernetes/Charts/ui/templates/ingress.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "ui.fullname" . }} +spec: + ingressClassName: nginx + rules: + - host: {{ .Values.ingress.host | default .Release.Name }} + http: + paths: + - pathType: Prefix + backend: + service: + name: ui + port: + number: 80 + path: / diff --git a/kubernetes/Charts/ui/templates/service.yaml b/kubernetes/Charts/ui/templates/service.yaml new file mode 100644 index 0000000..ca26d92 --- /dev/null +++ b/kubernetes/Charts/ui/templates/service.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: ui + labels: + app: reddit + component: ui +spec: + type: NodePort + ports: + - port: 80 + nodePort: 32092 + protocol: TCP + targetPort: 9292 + selector: + app: reddit + component: ui diff --git a/kubernetes/Charts/ui/values.yaml b/kubernetes/Charts/ui/values.yaml new file mode 100644 index 0000000..59d91c3 --- /dev/null +++ b/kubernetes/Charts/ui/values.yaml @@ -0,0 +1,16 @@ +--- +service: + internalPort: 9292 + externalPort: 80 + +image: + repository: voitenkov/ui + tag: latest + +ingress: + host: ui.reddit.voytenkov.ru + +postHost: +postPort: +commentHost: +commentPort: diff --git a/kubernetes/infra/.gitignore b/kubernetes/infra/.gitignore deleted file mode 100755 index 1af13f4..0000000 --- a/kubernetes/infra/.gitignore +++ /dev/null @@ -1,46 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# terraform lock files -.terraform.lock.hcl - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -*.tfvars -*.tfvars.json - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -# Ignore CLI configuration files -.terraformrc -terraform.rc - -# keys -.secrets/* -secrets.* - -# ansible -*.retry -key.json -vault.key diff --git a/kubernetes/infra/activate-yc-profile.sh b/kubernetes/infra/activate-yc-profile.sh deleted file mode 100755 index 2e024b5..0000000 --- a/kubernetes/infra/activate-yc-profile.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash - -PROFILE=$(yc config profile get otus-devops-infra) - -if [[ $PROFILE = service* ]]; then - - # Activate YC CLI profile for sa-otus-devops-infra-tf service account (if exists) - yc config profile activate otus-devops-infra - export TF_VAR_cloud_id=$(yc config get cloud-id) - export TF_VAR_folder_id=$(yc config get folder-id) - -else - - # Create new YC CLI profile for sa-otus-devops-infra-tf service account - yc config profile activate otus-devops - export TF_VAR_cloud_id=$(echo $(yc resource-manager cloud get otus-devops --format json)|jq -r '.id') - export TF_VAR_folder_id=$(echo $(yc resource-manager folder get infra-folder --format json)|jq -r '.id') - - yc iam key create --service-account-name sa-otus-devops-infra-tf --folder-name infra-folder --output ./.secrets/key.json - yc config profile create otus-devops-infra - yc config set service-account-key ./.secrets/key.json - yc config set cloud-id $TF_VAR_cloud_id - yc config set folder-id $TF_VAR_folder_id - -fi - -unset TF_VAR_token -export TF_VAR_zone="ru-central1-a" - -# Set static keys for access to TS state S3 storage -echo "" -echo "************* Pls don't forget to run separate secrets.sh! ***********" diff --git a/kubernetes/infra/main.tf b/kubernetes/infra/main.tf deleted file mode 100755 index c7c8829..0000000 --- a/kubernetes/infra/main.tf +++ /dev/null @@ -1,222 +0,0 @@ -locals { - cidr_internet = "0.0.0.0/0" # All IPv4 addresses. - cidr_local = "10.1.0.0/16" -} - -resource "yandex_vpc_network" "network-otus-devops-prod" { - name = "network-${var.project}-${var.environment}" -} - -module "a1-subnet" { - source = "../modules/subnet" - subnet_name = "subnet-${var.project}-${var.environment}-a1" - subnet_network_id = yandex_vpc_network.network-otus-devops-prod.id - subnet_zone = "ru-central1-a" - subnet_v4_cidr_blocks = [local.cidr_local] - - depends_on = [yandex_vpc_network.network-otus-devops-prod] -} - -resource "yandex_vpc_security_group" "sg-otus-devops-prod-k8s-main" { - name = "sg-${var.project}-${var.environment}-k8s-main" - description = "Правила группы обеспечивают базовую работоспособность кластера. Примените ее к кластеру и группам узлов." - network_id = yandex_vpc_network.network-otus-devops-prod.id - - ingress { - protocol = "TCP" - description = "Правило разрешает проверки доступности с диапазона адресов балансировщика нагрузки. Нужно для работы отказоустойчивого кластера и сервисов балансировщика." - predefined_target = "loadbalancer_healthchecks" - from_port = 0 - to_port = 65535 - } - ingress { - protocol = "ANY" - description = "Правило разрешает взаимодействие мастер-узел и узел-узел внутри группы безопасности." - predefined_target = "self_security_group" - from_port = 0 - to_port = 65535 - } - ingress { - protocol = "ICMP" - description = "Правило разрешает отладочные ICMP-пакеты из внутренних подсетей." - v4_cidr_blocks = ["172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16"] - } - egress { - protocol = "ANY" - description = "Правило разрешает весь исходящий трафик. Узлы могут связаться с Yandex Container Registry, Object Storage, Docker Hub и т. д." - v4_cidr_blocks = [local.cidr_internet] - from_port = 0 - to_port = 65535 - } -} - -resource "yandex_vpc_security_group" "sg-otus-devops-prod-k8s-public-services" { - name = "sg-${var.project}-${var.environment}-k8s-public-services" - description = "Правила группы разрешают подключение к сервисам из интернета. Примените правила только для групп узлов." - network_id = yandex_vpc_network.network-otus-devops-prod.id - - ingress { - protocol = "TCP" - description = "Правило разрешает входящий трафик из интернета на диапазон портов NodePort. Добавьте или измените порты на нужные вам." - v4_cidr_blocks = [local.cidr_internet] - from_port = 30000 - to_port = 32767 - } -} - -resource "yandex_vpc_security_group" "sg-otus-devops-prod-k8s-nodes-ssh-access" { - name = "sg-${var.project}-${var.environment}-k8s-nodes-ssh-access" - description = "Правила группы разрешают подключение к узлам кластера по SSH. Примените правила только для групп узлов." - network_id = yandex_vpc_network.network-otus-devops-prod.id - - ingress { - protocol = "TCP" - description = "Правило разрешает подключение к узлам по SSH с указанных IP-адресов." - v4_cidr_blocks = ["172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16"] - port = 22 - } -} - -resource "yandex_vpc_security_group" "sg-otus-devops-prod-k8s-master-whitelist" { - name = "sg-${var.project}-${var.environment}-k8s-master-whitelist" - description = "Правила группы разрешают доступ к API Kubernetes из интернета. Примените правила только к кластеру." - network_id = yandex_vpc_network.network-otus-devops-prod.id - - ingress { - protocol = "TCP" - description = "Правило разрешает подключение к API Kubernetes через порт 6443 из указанной сети." - v4_cidr_blocks = [local.cidr_internet] - port = 6443 - } - - ingress { - protocol = "TCP" - description = "Правило разрешает подключение к API Kubernetes через порт 443 из указанной сети." - v4_cidr_blocks = [local.cidr_internet] - port = 443 - } -} - -resource "yandex_vpc_security_group" "sg-otus-devops-prod-k8s-master-public-services" { - name = "sg-${var.project}-${var.environment}-k8s-master-public-services" - description = "Правила из курса Деплой инфраструктуры по модели GitOps." - network_id = yandex_vpc_network.network-otus-devops-prod.id - - ingress { - protocol = "TCP" - description = "Правило из курса Деплой инфраструктуры по модели GitOps" - v4_cidr_blocks = [local.cidr_internet] - port = 443 - } - ingress { - protocol = "TCP" - description = "Правило из курса Деплой инфраструктуры по модели GitOps" - v4_cidr_blocks = [local.cidr_internet] - port = 80 - } - ingress { - protocol = "tcp" - description = "Правило из курса Деплой инфраструктуры по модели GitOps" - v4_cidr_blocks = ["198.18.235.0/24","198.18.248.0/24"] - from_port = 0 - to_port = 65535 - } -} - -module "k8s-cluster-sa" { - source = "../modules/sa" - sa_name = "sa-${var.project}-${var.environment}-k8s-cluster" - sa_description = "Service account for Kubernetes cluster in ${var.project} ${var.environment} environment" - sa_folder_id = var.folder_id - sa_role = "editor" -} - -module "k8s-node-group-sa" { - source = "../modules/sa" - sa_name = "sa-${var.project}-${var.environment}-k8s-node-group" - sa_description = "Service account for Node group of Kubernetes cluster in ${var.project} ${var.environment} environment" - sa_folder_id = var.folder_id - sa_role = "container-registry.images.puller" -} - -module "c1-k8s-cluster" { - source = "../modules/k8s-cluster-calico" - k8s_cluster_name = "cluster-1" - k8s_cluster_project = var.project - k8s_cluster_environment = var.environment - k8s_cluster_network_id = yandex_vpc_network.network-otus-devops-prod.id - k8s_cluster_version = "1.27" - k8s_cluster_subnet_id = module.a1-subnet.id - k8s_cluster_public_ip = true - k8s_cluster_security_group_ids = [ - yandex_vpc_security_group.sg-otus-devops-prod-k8s-main.id, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-master-whitelist.id - ] - k8s_cluster_service_account_name = module.k8s-cluster-sa.name - k8s_cluster_node_service_account_name = module.k8s-node-group-sa.name - - depends_on = [ - module.a1-subnet, - module.k8s-cluster-sa, - module.k8s-node-group-sa, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-main, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-master-whitelist, - ] -} - -module "default-pool-k8s-node-group" { - source = "../modules/k8s-node-group" - k8s_node_group_name = "default-pool" - k8s_node_group_project = var.project - k8s_node_group_environment = var.environment - k8s_node_group_cluster = "cluster-1" - k8s_node_group_cluster_id = module.c1-k8s-cluster.id - k8s_node_group_version = "1.27" - k8s_node_group_auto_scale_initial = 1 - k8s_node_group_auto_scale_min = 0 - k8s_node_group_auto_scale_max = 1 - k8s_node_group_preemptible = true - k8s_node_group_memory = 4 - k8s_node_group_cores = 2 - k8s_node_group_nat = true - k8s_node_group_subnet_ids = [module.a1-subnet.id] - k8s_node_group_security_group_ids = [ - yandex_vpc_security_group.sg-otus-devops-prod-k8s-main.id, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-nodes-ssh-access.id, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-public-services.id - ] - k8s_node_group_username = "devops1" - k8s_node_group_ssh_public_key = file("./.secrets/devops1/id_rsa.pub") - - depends_on = [ - module.c1-k8s-cluster, - module.a1-subnet, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-main, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-nodes-ssh-access, - yandex_vpc_security_group.sg-otus-devops-prod-k8s-public-services, - ] -} - -resource "yandex_dns_zone" "z1-dns-zone-otus-devops" { - name = "dns-zone-${var.project}-1" - description = "DNS zone for ${var.domain1} domain" - zone = "${var.domain1}." - public = true -} - -resource "yandex_dns_recordset" "r1-dns-rs-otus-devops-prod" { - zone_id = yandex_dns_zone.z1-dns-zone-otus-devops.id - name = "*.${var.subdomain1_1}.${var.domain1}." - type = "A" - ttl = 600 - data = ["${var.external_ip1}"] - - depends_on = [yandex_dns_zone.z1-dns-zone-otus-devops] -} - -resource "yandex_compute_disk" "disk-otus-devops-prod-k8s" { - name = "k8s" - type = "network-hdd" - zone = "ru-central1-a" - size = 4 -} diff --git a/kubernetes/infra/provider.tf b/kubernetes/infra/provider.tf deleted file mode 100755 index d5c9862..0000000 --- a/kubernetes/infra/provider.tf +++ /dev/null @@ -1,9 +0,0 @@ -provider "yandex" { - service_account_key_file = "./.secrets/key.json" - cloud_id = var.cloud_id - folder_id = var.folder_id - zone = "ru-central1-a" - - # Not used here: - # token = "" -} diff --git a/kubernetes/infra/variables.tf b/kubernetes/infra/variables.tf deleted file mode 100755 index 30f19b9..0000000 --- a/kubernetes/infra/variables.tf +++ /dev/null @@ -1,34 +0,0 @@ -variable "cloud_id" { - type = string - description = "YC Cloud ID" -} - -variable "folder_id" { - type = string - description = "YC Folder ID" -} - -variable "project" { - type = string - description = "Name of project (cloud)" -} - -variable "environment" { - type = string - description = "Name of environment" -} - -variable "domain1" { - type = string - description = "Name of domain 1" -} - -variable "subdomain1_1" { - type = string - description = "Name of subdomain 1 of domain 1" -} - -variable "external_ip1" { - type = string - description = "External IP for ingress controller service of cluster 1" -} diff --git a/kubernetes/infra/versions.tf b/kubernetes/infra/versions.tf deleted file mode 100755 index 75b09ab..0000000 --- a/kubernetes/infra/versions.tf +++ /dev/null @@ -1,19 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } - - backend "s3" { - endpoint = "storage.yandexcloud.net" - bucket = "s3-otus-devops-microservices-tfstate" - region = "ru-central1-a" - key = "terraform/otus-devops-microservices.tfstate" - skip_region_validation = true - skip_credentials_validation = true - } -} diff --git a/kubernetes/modules/bucket/main.tf b/kubernetes/modules/bucket/main.tf deleted file mode 100644 index 1f2e414..0000000 --- a/kubernetes/modules/bucket/main.tf +++ /dev/null @@ -1,16 +0,0 @@ -locals { - bucket = "s3-${var.bucket_project}-${var.bucket_environment}-${var.bucket_name}" -} - -resource "yandex_storage_bucket" "bucket" { - folder_id = var.bucket_folder_id - bucket = local.bucket - access_key = var.bucket_access_key - secret_key = var.bucket_secret_key - - anonymous_access_flags { - read = true - list = false - config_read = false - } -} diff --git a/kubernetes/modules/bucket/outputs.tf b/kubernetes/modules/bucket/outputs.tf deleted file mode 100644 index 6cc6cd5..0000000 --- a/kubernetes/modules/bucket/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "name" { - value = yandex_storage_bucket.bucket.bucket -} diff --git a/kubernetes/modules/bucket/variables.tf b/kubernetes/modules/bucket/variables.tf deleted file mode 100644 index f5de558..0000000 --- a/kubernetes/modules/bucket/variables.tf +++ /dev/null @@ -1,33 +0,0 @@ -variable "bucket_folder_id" { - type = string - description = "Bucket folder ID" - nullable = false -} - -variable "bucket_project" { - type = string - description = "Bucket project (cloud)" - nullable = false -} - -variable "bucket_environment" { - type = string - description = "Bucket environment" - nullable = false -} - -variable "bucket_name" { - type = string - description = "Bucket name" - nullable = false -} - -variable "bucket_access_key" { - description = "Bucket static access key" - type = string -} - -variable "bucket_secret_key" { - description = "Bucket secret for static access key" - type = string -} diff --git a/kubernetes/modules/bucket/versions.tf b/kubernetes/modules/bucket/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/bucket/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/cloud/main.tf b/kubernetes/modules/cloud/main.tf deleted file mode 100644 index 5832f3b..0000000 --- a/kubernetes/modules/cloud/main.tf +++ /dev/null @@ -1,66 +0,0 @@ -locals { - cloud_id = yandex_resourcemanager_cloud.cloud.id - folder_id = yandex_resourcemanager_folder.folder.id - folder_name = "adm-folder" - folder_description = "Folder for S3 backend for ${var.cloud_project} cloud Terraform state and administrative entities" - sa_tfstate_name = "sa-${var.cloud_project}-adm-tfstate" - sa_tfstate_description = "Service account for S3 backend for ${var.cloud_project} cloud Terraform state" - sa_tfstate_static_key_description = "Static access key for S3 backend for ${var.cloud_project} cloud Terraform state" - s3_tfstate_bucket = "s3-${var.cloud_project}-adm-tfstate" -} - -resource "yandex_resourcemanager_cloud" "cloud" { - name = var.cloud_project - organization_id = var.cloud_organization_id -} - -resource "yandex_billing_cloud_binding" "cloud_binding" { - billing_account_id = var.cloud_billing_account_id - cloud_id = local.cloud_id - - depends_on = [yandex_resourcemanager_cloud.cloud] -} - -resource "yandex_resourcemanager_folder" "folder" { - cloud_id = local.cloud_id - name = local.folder_name - description = local.folder_description - - depends_on = [yandex_billing_cloud_binding.cloud_binding] -} - -resource "yandex_iam_service_account" "sa-tfstate" { - folder_id = local.folder_id - name = local.sa_tfstate_name - description = local.sa_tfstate_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_member" "sa-tfstate-storage-admin" { - folder_id = local.folder_id - role = "storage.admin" # admin role is need for bucket versioning - member = "serviceAccount:${yandex_iam_service_account.sa-tfstate.id}" - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_iam_service_account_static_access_key" "sa-tfstate-static-key" { - service_account_id = yandex_iam_service_account.sa-tfstate.id - description = local.sa_tfstate_static_key_description - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_storage_bucket" "s3-tfstate" { - folder_id = local.folder_id - bucket = local.s3_tfstate_bucket - access_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - secret_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - - versioning { - enabled = true - } - - depends_on = [yandex_iam_service_account_static_access_key.sa-tfstate-static-key] -} diff --git a/kubernetes/modules/cloud/otputs.tf b/kubernetes/modules/cloud/otputs.tf deleted file mode 100644 index 13cd3ab..0000000 --- a/kubernetes/modules/cloud/otputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "tfstate_access_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - sensitive = true -} - -output "tfstate_secret_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - sensitive = true -} diff --git a/kubernetes/modules/cloud/variables.tf b/kubernetes/modules/cloud/variables.tf deleted file mode 100644 index 6538f22..0000000 --- a/kubernetes/modules/cloud/variables.tf +++ /dev/null @@ -1,14 +0,0 @@ -variable "cloud_project" { - type = string - description = "Name of project (cloud)" -} - -variable "cloud_organization_id" { - type = string - description = "YC Organization ID" -} - -variable "cloud_billing_account_id" { - type = string - description = "YC billing account ID" -} diff --git a/kubernetes/modules/cloud/versions.tf b/kubernetes/modules/cloud/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/cloud/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/folder/main.tf b/kubernetes/modules/folder/main.tf deleted file mode 100644 index 1484a2e..0000000 --- a/kubernetes/modules/folder/main.tf +++ /dev/null @@ -1,79 +0,0 @@ -locals { - project_environment = "${var.folder_project} ${var.folder_environment}" - cloud_id = "${data.yandex_resourcemanager_cloud.cloud.cloud_id}" - cloud_name = var.folder_project - folder_id = "${yandex_resourcemanager_folder.folder.id}" - folder_name = "${var.folder_environment}-folder" - folder_description = "Folder for ${local.project_environment} environment" - sa_tf_name = "sa-${var.folder_project}-${var.folder_environment}-tf" - sa_tf_description = "Service account for Terraform deploy in ${local.project_environment} environment" - sa_tfstate_name = "sa-${var.folder_project}-${var.folder_environment}-tfstate" - sa_tfstate_description = "Service account for S3 backend for Terraform state in ${local.project_environment} environment" - sa_tfstate_static_key_description = "Static access key for S3 backend for Terraform state in ${local.project_environment} environment" - s3_tfstate_bucket = "s3-${var.folder_project}-${var.folder_environment}-tfstate" -} - -data "yandex_resourcemanager_cloud" "cloud" { - name = local.cloud_name -} - -resource "yandex_resourcemanager_folder" "folder" { - cloud_id = local.cloud_id - name = local.folder_name - description = local.folder_description -} - -resource "yandex_iam_service_account" "sa-tf" { - folder_id = local.folder_id - name = local.sa_tf_name - description = local.sa_tf_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_binding" "folder-admin" { - folder_id = local.folder_id - role = "admin" - members = [ - "serviceAccount:${yandex_iam_service_account.sa-tf.id}" - ] - - depends_on = [yandex_iam_service_account.sa-tf] -} - -resource "yandex_iam_service_account" "sa-tfstate" { - folder_id = local.folder_id - name = local.sa_tfstate_name - description = local.sa_tfstate_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_member" "sa-tfstate-storage-admin" { - folder_id = local.folder_id - role = "storage.admin" # admin role is need for bucket versioning - member = "serviceAccount:${yandex_iam_service_account.sa-tfstate.id}" - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_iam_service_account_static_access_key" "sa-tfstate-static-key" { - service_account_id = yandex_iam_service_account.sa-tfstate.id - description = local.sa_tfstate_static_key_description - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_storage_bucket" "s3-tfstate" { - folder_id = local.folder_id - bucket = local.s3_tfstate_bucket - access_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - secret_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - - versioning { - enabled = true - } - - depends_on = [ - yandex_iam_service_account_static_access_key.sa-tfstate-static-key] -} diff --git a/kubernetes/modules/folder/otputs.tf b/kubernetes/modules/folder/otputs.tf deleted file mode 100644 index 13cd3ab..0000000 --- a/kubernetes/modules/folder/otputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "tfstate_access_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - sensitive = true -} - -output "tfstate_secret_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - sensitive = true -} diff --git a/kubernetes/modules/folder/variables.tf b/kubernetes/modules/folder/variables.tf deleted file mode 100644 index 7e41198..0000000 --- a/kubernetes/modules/folder/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "folder_project" { - type = string - description = "Name of project (cloud) folder belongs to" -} - -variable "folder_environment" { - type = string - description = "Name of environment related to folder" -} diff --git a/kubernetes/modules/folder/versions.tf b/kubernetes/modules/folder/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/folder/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/instance/main.tf b/kubernetes/modules/instance/main.tf deleted file mode 100644 index d2b39e9..0000000 --- a/kubernetes/modules/instance/main.tf +++ /dev/null @@ -1,61 +0,0 @@ -locals { - instance_name = "vm-${var.instance_project}-${var.instance_environment}-${var.instance_name}" - instance_description = "DevOps workstation No. ${var.instance_no} in ${var.instance_project} ${var.instance_environment} environment" - instance_ssh_public_key = file("./.secrets/${var.instance_name}/${var.instance_public_key}") -} - -data "yandex_iam_service_account" "service_account" { - name = var.instance_service_account_name -} - -data "template_file" "user_data" { - template = file("../templates/${var.instance_user_data_file}.yml.tftpl") - - vars = { - username = var.instance_name - ssh_public_key = local.instance_ssh_public_key - } -} - -resource "yandex_compute_instance" "instance" { - allow_stopping_for_update = true - name = local.instance_name - description = local.instance_description - hostname = var.instance_name - zone = var.instance_zone - platform_id = var.instance_platform_id - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - - labels = { - tags = var.instance_name - } - - scheduling_policy { - preemptible = var.instance_preemptible - } - - resources { - cores = var.instance_cores - core_fraction = var.instance_core_fraction - memory = var.instance_memory - } - - boot_disk { - initialize_params { - image_id = var.instance_image_id - size = var.instance_disk_size - } - } - - network_interface { - subnet_id = var.instance_subnet_id - nat = var.instance_nat - security_group_ids = var.instance_security_group_ids - nat_ip_address = var.instance_nat_ip_address - } - - metadata = { - user-data = data.template_file.user_data.rendered - serial-port-enable = var.instance_serial_port_enable - } -} diff --git a/kubernetes/modules/instance/outputs.tf b/kubernetes/modules/instance/outputs.tf deleted file mode 100644 index e7db1f1..0000000 --- a/kubernetes/modules/instance/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "internal_ip_address" { - value = yandex_compute_instance.instance.network_interface.0.ip_address -} - -output "external_ip_address" { - value = yandex_compute_instance.instance.network_interface.0.nat_ip_address -} diff --git a/kubernetes/modules/instance/variables.tf b/kubernetes/modules/instance/variables.tf deleted file mode 100644 index 88c92fa..0000000 --- a/kubernetes/modules/instance/variables.tf +++ /dev/null @@ -1,129 +0,0 @@ -variable "instance_project" { - type = string - description = "Instance project (cloud)" - nullable = false -} - -variable "instance_environment" { - type = string - description = "Instance environment" - nullable = false -} - -variable "instance_no" { - type = number - default = 1 - description = "Instance No." - nullable = false -} - -variable "instance_name" { - type = string - description = "Instance name" - nullable = false -} - -variable "instance_user_data_file" { - type = string - description = "Instance user data file" - nullable = false -} - -variable "instance_public_key" { - type = string - description = "Instance public key" - default = "id_rsa.pub" - nullable = false -} - -variable "instance_zone" { - type = string - description = "Yandex Cloud compute default zone" - default = "ru-central1-a" -} - -variable "instance_platform_id" { - default = "standard-v3" - type = string - description = "Platform ID for instance" - nullable = false -} - -variable "instance_service_account_name" { - type = string - description = "Instance service account name" - nullable = false -} - -variable "instance_preemptible" { - default = false - type = bool - description = "Instance scheduling policy" - nullable = false -} - -variable "instance_cores" { - default = 2 - type = number - description = "Instance cores quantity" - nullable = false -} - -variable "instance_core_fraction" { - default = 100 - type = number - description = "Instance core fraction" - nullable = false -} - -variable "instance_memory" { - default = 2 - type = number - description = "Instance memory amount" - nullable = false -} - -variable "instance_image_id" { - type = string - default = "fd8emvfmfoaordspe1jr" # ubuntu-22-04-lts-v20230130 - description = "Image ID for boot disk" -} - -variable "instance_disk_size" { - default = 30 - type = number - description = "Instance disk size" - nullable = false -} - -variable "instance_subnet_id" { - type = string - description = "Instance network interface subnet" - nullable = false -} - -variable "instance_nat" { - default = false - type = bool - description = "Instance NAT enable/disable" - nullable = false -} - -variable "instance_security_group_ids" { - type = list - description = "Instance security group IDs" -} - -variable "instance_nat_ip_address" { - type = string - description = "Instance public ip address" - nullable = false - default = "" -} - -variable "instance_serial_port_enable" { - default = 0 - type = number - description = "Instance serial port enable/disable" - nullable = false -} diff --git a/kubernetes/modules/instance/versions.tf b/kubernetes/modules/instance/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/instance/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/k8s-cluster-calico/main.tf b/kubernetes/modules/k8s-cluster-calico/main.tf deleted file mode 100644 index 4147163..0000000 --- a/kubernetes/modules/k8s-cluster-calico/main.tf +++ /dev/null @@ -1,36 +0,0 @@ -locals { - k8s_cluster_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_description = "Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" - k8s_cluster_node_group_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" -} - -data "yandex_iam_service_account" "service_account" { - name = var.k8s_cluster_service_account_name -} - -data "yandex_iam_service_account" "node_service_account" { - name = var.k8s_cluster_node_service_account_name -} - -resource "yandex_kubernetes_cluster" "k8s-cluster" { - name = local.k8s_cluster_name - description = local.k8s_cluster_description - network_id = var.k8s_cluster_network_id - - master { - version = var.k8s_cluster_version - - zonal { - zone = var.k8s_cluster_zone - subnet_id = var.k8s_cluster_subnet_id - } - - public_ip = var.k8s_cluster_public_ip - security_group_ids = var.k8s_cluster_security_group_ids - } - - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - node_service_account_id = data.yandex_iam_service_account.node_service_account.service_account_id - network_policy_provider = "CALICO" -} diff --git a/kubernetes/modules/k8s-cluster-calico/outputs.tf b/kubernetes/modules/k8s-cluster-calico/outputs.tf deleted file mode 100644 index 35f5f30..0000000 --- a/kubernetes/modules/k8s-cluster-calico/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "K8s cluster ID" - value = yandex_kubernetes_cluster.k8s-cluster.id -} diff --git a/kubernetes/modules/k8s-cluster-calico/variables.tf b/kubernetes/modules/k8s-cluster-calico/variables.tf deleted file mode 100644 index 24d2a4d..0000000 --- a/kubernetes/modules/k8s-cluster-calico/variables.tf +++ /dev/null @@ -1,70 +0,0 @@ -variable "k8s_cluster_project" { - type = string - description = "K8s cluster project (cloud)" - nullable = false -} - -variable "k8s_cluster_environment" { - type = string - description = "K8s cluster environment" - nullable = false -} - -variable "k8s_cluster_name" { - type = string - description = "K8s cluster name" - nullable = false -} - -variable "k8s_cluster_network_id" { - type = string - description = "K8s_cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_version" { - type = string - description = "K8s cluster version" -} - -variable "k8s_cluster_release_channel" { - type = string - description = "K8s cluster release channel" - default = "STABLE" -} - -variable "k8s_cluster_zone" { - type = string - description = "K8s cluster zone" - default = "ru-central1-a" -} - -variable "k8s_cluster_subnet_id" { - type = string - description = "K8s cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_public_ip" { - type = bool - description = "K8s cluster public IP" - default = false - nullable = false -} - -variable "k8s_cluster_security_group_ids" { - type = list - description = "K8s cluster security group IDs" -} - -variable "k8s_cluster_service_account_name" { - type = string - description = "K8s cluster service account name" - nullable = false -} - -variable "k8s_cluster_node_service_account_name" { - type = string - description = "K8s cluster node service account name" - nullable = false -} diff --git a/kubernetes/modules/k8s-cluster-calico/versions.tf b/kubernetes/modules/k8s-cluster-calico/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/k8s-cluster-calico/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/k8s-cluster/main.tf b/kubernetes/modules/k8s-cluster/main.tf deleted file mode 100644 index ed97be5..0000000 --- a/kubernetes/modules/k8s-cluster/main.tf +++ /dev/null @@ -1,37 +0,0 @@ -locals { - k8s_cluster_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_description = "Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" - k8s_cluster_node_group_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" -} - -data "yandex_iam_service_account" "service_account" { - name = var.k8s_cluster_service_account_name -} - -data "yandex_iam_service_account" "node_service_account" { - name = var.k8s_cluster_node_service_account_name -} - -resource "yandex_kubernetes_cluster" "k8s-cluster" { - name = local.k8s_cluster_name - description = local.k8s_cluster_description - network_id = var.k8s_cluster_network_id - - master { - version = var.k8s_cluster_version - - zonal { - zone = var.k8s_cluster_zone - subnet_id = var.k8s_cluster_subnet_id - } - - public_ip = var.k8s_cluster_public_ip - security_group_ids = var.k8s_cluster_security_group_ids - } - - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - node_service_account_id = data.yandex_iam_service_account.node_service_account.service_account_id - cluster_ipv4_range = var.k8s_cluster_cluster_ipv4_range - service_ipv4_range = var.k8s_cluster_service_ipv4_range -} diff --git a/kubernetes/modules/k8s-cluster/outputs.tf b/kubernetes/modules/k8s-cluster/outputs.tf deleted file mode 100644 index 35f5f30..0000000 --- a/kubernetes/modules/k8s-cluster/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "K8s cluster ID" - value = yandex_kubernetes_cluster.k8s-cluster.id -} diff --git a/kubernetes/modules/k8s-cluster/variables.tf b/kubernetes/modules/k8s-cluster/variables.tf deleted file mode 100644 index 33d3fbc..0000000 --- a/kubernetes/modules/k8s-cluster/variables.tf +++ /dev/null @@ -1,84 +0,0 @@ -variable "k8s_cluster_project" { - type = string - description = "K8s cluster project (cloud)" - nullable = false -} - -variable "k8s_cluster_environment" { - type = string - description = "K8s cluster environment" - nullable = false -} - -variable "k8s_cluster_name" { - type = string - description = "K8s cluster name" - nullable = false -} - -variable "k8s_cluster_network_id" { - type = string - description = "K8s_cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_version" { - type = string - description = "K8s cluster version" -} - -variable "k8s_cluster_release_channel" { - type = string - description = "K8s cluster release channel" - default = "STABLE" -} - -variable "k8s_cluster_zone" { - type = string - description = "K8s cluster zone" - default = "ru-central1-a" -} - -variable "k8s_cluster_subnet_id" { - type = string - description = "K8s cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_public_ip" { - type = bool - description = "K8s cluster public IP" - default = false - nullable = false -} - -variable "k8s_cluster_security_group_ids" { - type = list - description = "K8s cluster security group IDs" -} - -variable "k8s_cluster_service_account_name" { - type = string - description = "K8s cluster service account name" - nullable = false -} - -variable "k8s_cluster_node_service_account_name" { - type = string - description = "K8s cluster node service account name" - nullable = false -} - -variable "k8s_cluster_cluster_ipv4_range" { - default = "10.96.0.0/16" - type = string - description = "K8s cluster ipv4 CIDR" - nullable = false -} - -variable "k8s_cluster_service_ipv4_range" { - default = "10.112.0.0/16" - type = string - description = "K8s service ipv4 CIDR" - nullable = false -} diff --git a/kubernetes/modules/k8s-cluster/versions.tf b/kubernetes/modules/k8s-cluster/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/k8s-cluster/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/k8s-node-group/main.tf b/kubernetes/modules/k8s-node-group/main.tf deleted file mode 100644 index 85930bd..0000000 --- a/kubernetes/modules/k8s-node-group/main.tf +++ /dev/null @@ -1,60 +0,0 @@ -locals { - k8s_node_group_name = "k8s-${var.k8s_node_group_project}-${var.k8s_node_group_environment}-${var.k8s_node_group_cluster}-${var.k8s_node_group_name}" - k8s_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_node_group_project} ${var.k8s_node_group_environment} environment (${var.k8s_node_group_cluster}/${var.k8s_node_group_name})" - k8s_node_group_ssh_keys = "${var.k8s_node_group_username}:${var.k8s_node_group_ssh_public_key}" -} - -resource "yandex_kubernetes_node_group" "k8s-node-group" { - name = local.k8s_node_group_name - description = local.k8s_node_group_description - cluster_id = var.k8s_node_group_cluster_id - version = var.k8s_node_group_version - - node_labels = { - "node-group" = var.k8s_node_group_name - } - - node_taints = var.k8s_node_group_node_taints - - scale_policy { - auto_scale { - initial = var.k8s_node_group_auto_scale_initial - min = var.k8s_node_group_auto_scale_min - max = var.k8s_node_group_auto_scale_max - } - } - - allocation_policy { - location { - zone = var.k8s_node_group_zone - } - } - - instance_template { - platform_id = var.k8s_node_group_platform_id - - scheduling_policy { - preemptible = var.k8s_node_group_preemptible - } - - resources { - memory = var.k8s_node_group_memory - cores = var.k8s_node_group_cores - } - - boot_disk { - type = var.k8s_node_group_disk_type - size = var.k8s_node_group_disk_size - } - - network_interface { - nat = var.k8s_node_group_nat - subnet_ids = var.k8s_node_group_subnet_ids - security_group_ids = var.k8s_node_group_security_group_ids - } - - metadata = { - ssh-keys = local.k8s_node_group_ssh_keys - } - } -} diff --git a/kubernetes/modules/k8s-node-group/variables.tf b/kubernetes/modules/k8s-node-group/variables.tf deleted file mode 100644 index ab51b20..0000000 --- a/kubernetes/modules/k8s-node-group/variables.tf +++ /dev/null @@ -1,137 +0,0 @@ -variable "k8s_node_group_project" { - type = string - description = "K8s node group project (cloud)" - nullable = false -} - -variable "k8s_node_group_environment" { - type = string - description = "K8s node group environment" - nullable = false -} - -variable "k8s_node_group_name" { - type = string - description = "K8s node group name" - nullable = false -} - -variable "k8s_node_group_cluster" { - type = string - description = "K8s node group cluster name" - nullable = false -} - -variable "k8s_node_group_cluster_id" { - type = string - description = "K8s node group cluster ID" - nullable = false -} - -variable "k8s_node_group_version" { - type = string - description = "K8s node group version" -} - -variable "k8s_node_group_auto_scale_initial" { - type = number - description = "K8s node auto scale initial number of instances" - default = 0 -} - -variable "k8s_node_group_auto_scale_min" { - type = number - description = "K8s node auto scale minimum number of instances" - default = 0 -} - -variable "k8s_node_group_auto_scale_max" { - type = number - description = "K8s node auto scale maximum number of instances" - default = 1 -} - -variable "k8s_node_group_zone" { - type = string - description = "K8s node group zone" - default = "ru-central1-a" -} - -variable "k8s_node_group_platform_id" { - default = "standard-v3" - type = string - description = "Platform ID for node group" - nullable = false -} - -variable "k8s_node_group_node_taints" { - default = [] - type = list - description = "K8s node group node taints" - nullable = false -} - -variable "k8s_node_group_preemptible" { - default = false - type = bool - description = "K8s node group scheduling policy" - nullable = false -} - -variable "k8s_node_group_cores" { - default = 2 - type = number - description = "K8s node group cores quantity" - nullable = false -} - -variable "k8s_node_group_memory" { - default = 4 - type = number - description = "K8s node group memory amount" - nullable = false -} - -variable "k8s_node_group_disk_type" { - default = "network-hdd" - type = string - description = "K8s node group disk type" - nullable = false -} - -variable "k8s_node_group_disk_size" { - default = 64 - type = number - description = "K8s node group disk size" - nullable = false -} - -variable "k8s_node_group_nat" { - type = bool - description = "K8s_node_group NAT" - default = false - nullable = false -} - -variable "k8s_node_group_subnet_ids" { - type = list - description = "K8s node group network interface subnet IDs" - nullable = false -} - -variable "k8s_node_group_security_group_ids" { - type = list - description = "K8s node group security group IDs" -} - -variable "k8s_node_group_username" { - type = string - description = "K8s node group username" - nullable = false -} - -variable "k8s_node_group_ssh_public_key" { - type = string - description = "K8s node ssh public key" - nullable = false -} diff --git a/kubernetes/modules/k8s-node-group/versions.tf b/kubernetes/modules/k8s-node-group/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/k8s-node-group/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/sa/main.tf b/kubernetes/modules/sa/main.tf deleted file mode 100644 index 8149017..0000000 --- a/kubernetes/modules/sa/main.tf +++ /dev/null @@ -1,18 +0,0 @@ -data "yandex_iam_service_account" "service_account" { - name = var.sa_name - - depends_on = [yandex_iam_service_account.service_account] -} - -resource "yandex_iam_service_account" "service_account" { - name = var.sa_name - description = var.sa_description -} - -resource "yandex_resourcemanager_folder_iam_member" "folder_iam_member" { - folder_id = var.sa_folder_id - role = var.sa_role - member = "serviceAccount:${yandex_iam_service_account.service_account.id}" - - depends_on = [yandex_iam_service_account.service_account] -} diff --git a/kubernetes/modules/sa/outputs.tf b/kubernetes/modules/sa/outputs.tf deleted file mode 100644 index e9ed564..0000000 --- a/kubernetes/modules/sa/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "name" { - value = yandex_iam_service_account.service_account.name -} - -output "id" { - value = data.yandex_iam_service_account.service_account.service_account_id -} diff --git a/kubernetes/modules/sa/variables.tf b/kubernetes/modules/sa/variables.tf deleted file mode 100644 index 7b69cd4..0000000 --- a/kubernetes/modules/sa/variables.tf +++ /dev/null @@ -1,19 +0,0 @@ -variable "sa_name" { - type = string - description = "Service account name" -} - -variable "sa_description" { - type = string - description = "Service account description" -} - -variable "sa_folder_id" { - type = string - description = "Service account folder ID" -} - -variable "sa_role" { - type = string - description = "Service account role" -} diff --git a/kubernetes/modules/sa/versions.tf b/kubernetes/modules/sa/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/sa/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/modules/subnet/main.tf b/kubernetes/modules/subnet/main.tf deleted file mode 100644 index 4dbf8d3..0000000 --- a/kubernetes/modules/subnet/main.tf +++ /dev/null @@ -1,13 +0,0 @@ -data "yandex_vpc_subnet" "subnet" { - name = var.subnet_name - - depends_on = [yandex_vpc_subnet.subnet] -} - - -resource "yandex_vpc_subnet" "subnet" { - name = var.subnet_name - zone = var.subnet_zone - network_id = var.subnet_network_id - v4_cidr_blocks = var.subnet_v4_cidr_blocks -} diff --git a/kubernetes/modules/subnet/outputs.tf b/kubernetes/modules/subnet/outputs.tf deleted file mode 100644 index 901b86f..0000000 --- a/kubernetes/modules/subnet/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "VPC subnet ID" - value = data.yandex_vpc_subnet.subnet.subnet_id -} diff --git a/kubernetes/modules/subnet/variables.tf b/kubernetes/modules/subnet/variables.tf deleted file mode 100644 index 083b336..0000000 --- a/kubernetes/modules/subnet/variables.tf +++ /dev/null @@ -1,20 +0,0 @@ -variable "subnet_name" { - type = string - description = "Subnet name" -} - -variable "subnet_zone" { - type = string - description = "Subnet availability zone" - default = "ru-central1-a" -} - -variable "subnet_network_id" { - type = string - description = "Subnet network ID" -} - -variable "subnet_v4_cidr_blocks" { - type = list - description = "Subnet v4 CIDR blocks" -} diff --git a/kubernetes/modules/subnet/versions.tf b/kubernetes/modules/subnet/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/kubernetes/modules/subnet/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/kubernetes/templates/ubuntu-default.yml.tftpl b/kubernetes/templates/ubuntu-default.yml.tftpl deleted file mode 100755 index dc1d294..0000000 --- a/kubernetes/templates/ubuntu-default.yml.tftpl +++ /dev/null @@ -1,12 +0,0 @@ -#cloud-config -package_update: true -package_upgrade: true -users: - - default - - name: ${username} - primary_group: ${username} - sudo: ALL=(ALL) NOPASSWD:ALL - groups: sudo - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_public_key} diff --git a/kubernetes/templates/ubuntu-devops.yml.tftpl b/kubernetes/templates/ubuntu-devops.yml.tftpl deleted file mode 100755 index af4373c..0000000 --- a/kubernetes/templates/ubuntu-devops.yml.tftpl +++ /dev/null @@ -1,50 +0,0 @@ -#cloud-config -package_update: true -package_upgrade: true -packages: - - apt-transport-https - - ca-certificates - - curl - - fish - - gnupg - - lsb-release - - mc - - net-tools - -# create the docker group -groups: - - docker -users: - - default - - name: ${username} - primary_group: ${username} - sudo: ALL=(ALL) NOPASSWD:ALL - groups: sudo, docker - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_public_key} - -runcmd: - - curl https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg # Add Docker’s official GPG key - - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg # Download the Google Cloud public signing key: - - curl https://baltocdn.com/helm/signing.asc | sudo gpg --dearmor -o /usr/share/keyrings/helm.gpg # Add Helm public GPG key - - echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null # set up the stable repository - - echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list # Add the Kubernetes apt repository - - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list - - curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash - - sudo apt-get update -y - - sudo apt-get install -y kubectl helm gitlab-runner - - sudo apt-get install -y docker-ce docker-ce-cli containerd.io -# - curl https://storage.yandexcloud.net/yandexcloud-yc/install.sh | bash -s -- -a -# - curl -fsSLo go1.20.2.linux-amd64.tar.gz https://go.dev/dl/go1.20.2.linux-amd64.tar.gz -# - sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.20.2.linux-amd64.tar.gz -# - echo 'export PATH=/usr/local/go/bin:$PATH' >> ~/.bashrc -# - echo 'export GOPATH=~/go' >> ~/.bashrc -# - echo 'export PATH=$GOPATH/bin:$PATH' >> ~/.bashrc -# - echo 'export GOPROXY=https://proxy.golang.org' >> ~/.bashrc -# - echo 'export HELM_EXPERIMENTAL_OCI=1' >> ~/.bashrc -# - source ~/.bashrc -# - mkdir $GOPATH -# - go install go.mozilla.org/sops/v3/cmd/sops@latest -# - go install filippo.io/age/cmd/...@latest -# - helm plugin install https://github.com/jkroepke/helm-secrets --version v3.12.0 diff --git a/kubernetes/templates/ubuntu-k8s-bootstrap.yml.tftpl b/kubernetes/templates/ubuntu-k8s-bootstrap.yml.tftpl deleted file mode 100755 index b01373d..0000000 --- a/kubernetes/templates/ubuntu-k8s-bootstrap.yml.tftpl +++ /dev/null @@ -1,39 +0,0 @@ -#cloud-config -package_update: true -package_upgrade: true -packages: - - apt-transport-https - - ca-certificates - - curl - - fish - - gnupg - - lsb-release - - mc - - net-tools - - python3.10-venv - -users: - - default - - name: ansible - primary_group: ansible - sudo: ALL=(ALL) NOPASSWD:ALL - groups: sudo - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_public_key} - -runcmd: - - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg # Download the Google Cloud public signing key: - - curl https://baltocdn.com/helm/signing.asc | sudo gpg --dearmor -o /usr/share/keyrings/helm.gpg # Add Helm public GPG key - - echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list # Add the Kubernetes apt repository - - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list - - sudo apt-get update -y - - sudo apt-get install -y kubectl helm - - git clone https://github.com/kubernetes-sigs/kubespray.git - - VENVDIR=kubespray-venv - - KUBESPRAYDIR=kubespray - - python3 -m venv $VENVDIR - - source $VENVDIR/bin/activate - - cd $KUBESPRAYDIR - - pip install -U -r requirements.txt - - cp -rfp inventory/sample inventory/mycluster diff --git a/kubernetes/templates/ubuntu-k8s-kubespray.yml.tftpl b/kubernetes/templates/ubuntu-k8s-kubespray.yml.tftpl deleted file mode 100755 index ebf0bea..0000000 --- a/kubernetes/templates/ubuntu-k8s-kubespray.yml.tftpl +++ /dev/null @@ -1,41 +0,0 @@ -#cloud-config -package_update: true -package_upgrade: true -users: - - default - - name: ansible - primary_group: ansible - sudo: ALL=(ALL) NOPASSWD:ALL - groups: sudo - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_public_key} -runcmd: - - sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab - - sudo swapoff -a - - sudo cat < /etc/sysctl.d/99-kubernetes-cri.conf - - net.bridge.bridge-nf-calliptables = 1 - - net.ipv4.ip_forward = 1 - - net.bridge.bridge-nf-call-ip6tables = 1 - - EOF - - sudo sysctl --system - - sudo cat < /etc/sysctl.d/99-kubernetes-cri.conf - - net.bridge.bridge-nf-calliptables = 1 - - net.ipv4.ip_forward = 1 - - net.bridge.bridge-nf-call-ip6tables = 1 - - EOF - - sudo sysctl --system - - sudo cat < /dev/null - - sudo apt-get update - - sudo apt-get install -y containerd.io - - sudo mkdir -p /etc/containerd - - containerd config default | sudo tee /etc/containerd/config.toml -# Start containerd - - sudo systemctl restart containerd - - sudo systemctl enable containerd -# Kubernetes utils - - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg # Download the Google Cloud public signing key - - echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list # Add the Kubernetes apt repository - - sudo apt-get update -y - - sudo apt-get -y install kubelet=1.28.0-00 kubeadm=1.28.0-00 kubectl=1.28.0-00 - - sudo apt-mark hold kubelet kubeadm kubectl - - sudo kubeadm config images pull --kubernetes-version v1.28.0 diff --git a/monitoring/modules/bucket/main.tf b/monitoring/modules/bucket/main.tf deleted file mode 100644 index 1f2e414..0000000 --- a/monitoring/modules/bucket/main.tf +++ /dev/null @@ -1,16 +0,0 @@ -locals { - bucket = "s3-${var.bucket_project}-${var.bucket_environment}-${var.bucket_name}" -} - -resource "yandex_storage_bucket" "bucket" { - folder_id = var.bucket_folder_id - bucket = local.bucket - access_key = var.bucket_access_key - secret_key = var.bucket_secret_key - - anonymous_access_flags { - read = true - list = false - config_read = false - } -} diff --git a/monitoring/modules/bucket/outputs.tf b/monitoring/modules/bucket/outputs.tf deleted file mode 100644 index 6cc6cd5..0000000 --- a/monitoring/modules/bucket/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "name" { - value = yandex_storage_bucket.bucket.bucket -} diff --git a/monitoring/modules/bucket/variables.tf b/monitoring/modules/bucket/variables.tf deleted file mode 100644 index f5de558..0000000 --- a/monitoring/modules/bucket/variables.tf +++ /dev/null @@ -1,33 +0,0 @@ -variable "bucket_folder_id" { - type = string - description = "Bucket folder ID" - nullable = false -} - -variable "bucket_project" { - type = string - description = "Bucket project (cloud)" - nullable = false -} - -variable "bucket_environment" { - type = string - description = "Bucket environment" - nullable = false -} - -variable "bucket_name" { - type = string - description = "Bucket name" - nullable = false -} - -variable "bucket_access_key" { - description = "Bucket static access key" - type = string -} - -variable "bucket_secret_key" { - description = "Bucket secret for static access key" - type = string -} diff --git a/monitoring/modules/bucket/versions.tf b/monitoring/modules/bucket/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/bucket/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/cloud/main.tf b/monitoring/modules/cloud/main.tf deleted file mode 100644 index 5832f3b..0000000 --- a/monitoring/modules/cloud/main.tf +++ /dev/null @@ -1,66 +0,0 @@ -locals { - cloud_id = yandex_resourcemanager_cloud.cloud.id - folder_id = yandex_resourcemanager_folder.folder.id - folder_name = "adm-folder" - folder_description = "Folder for S3 backend for ${var.cloud_project} cloud Terraform state and administrative entities" - sa_tfstate_name = "sa-${var.cloud_project}-adm-tfstate" - sa_tfstate_description = "Service account for S3 backend for ${var.cloud_project} cloud Terraform state" - sa_tfstate_static_key_description = "Static access key for S3 backend for ${var.cloud_project} cloud Terraform state" - s3_tfstate_bucket = "s3-${var.cloud_project}-adm-tfstate" -} - -resource "yandex_resourcemanager_cloud" "cloud" { - name = var.cloud_project - organization_id = var.cloud_organization_id -} - -resource "yandex_billing_cloud_binding" "cloud_binding" { - billing_account_id = var.cloud_billing_account_id - cloud_id = local.cloud_id - - depends_on = [yandex_resourcemanager_cloud.cloud] -} - -resource "yandex_resourcemanager_folder" "folder" { - cloud_id = local.cloud_id - name = local.folder_name - description = local.folder_description - - depends_on = [yandex_billing_cloud_binding.cloud_binding] -} - -resource "yandex_iam_service_account" "sa-tfstate" { - folder_id = local.folder_id - name = local.sa_tfstate_name - description = local.sa_tfstate_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_member" "sa-tfstate-storage-admin" { - folder_id = local.folder_id - role = "storage.admin" # admin role is need for bucket versioning - member = "serviceAccount:${yandex_iam_service_account.sa-tfstate.id}" - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_iam_service_account_static_access_key" "sa-tfstate-static-key" { - service_account_id = yandex_iam_service_account.sa-tfstate.id - description = local.sa_tfstate_static_key_description - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_storage_bucket" "s3-tfstate" { - folder_id = local.folder_id - bucket = local.s3_tfstate_bucket - access_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - secret_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - - versioning { - enabled = true - } - - depends_on = [yandex_iam_service_account_static_access_key.sa-tfstate-static-key] -} diff --git a/monitoring/modules/cloud/otputs.tf b/monitoring/modules/cloud/otputs.tf deleted file mode 100644 index 13cd3ab..0000000 --- a/monitoring/modules/cloud/otputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "tfstate_access_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - sensitive = true -} - -output "tfstate_secret_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - sensitive = true -} diff --git a/monitoring/modules/cloud/variables.tf b/monitoring/modules/cloud/variables.tf deleted file mode 100644 index 6538f22..0000000 --- a/monitoring/modules/cloud/variables.tf +++ /dev/null @@ -1,14 +0,0 @@ -variable "cloud_project" { - type = string - description = "Name of project (cloud)" -} - -variable "cloud_organization_id" { - type = string - description = "YC Organization ID" -} - -variable "cloud_billing_account_id" { - type = string - description = "YC billing account ID" -} diff --git a/monitoring/modules/cloud/versions.tf b/monitoring/modules/cloud/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/cloud/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/folder/main.tf b/monitoring/modules/folder/main.tf deleted file mode 100644 index 1484a2e..0000000 --- a/monitoring/modules/folder/main.tf +++ /dev/null @@ -1,79 +0,0 @@ -locals { - project_environment = "${var.folder_project} ${var.folder_environment}" - cloud_id = "${data.yandex_resourcemanager_cloud.cloud.cloud_id}" - cloud_name = var.folder_project - folder_id = "${yandex_resourcemanager_folder.folder.id}" - folder_name = "${var.folder_environment}-folder" - folder_description = "Folder for ${local.project_environment} environment" - sa_tf_name = "sa-${var.folder_project}-${var.folder_environment}-tf" - sa_tf_description = "Service account for Terraform deploy in ${local.project_environment} environment" - sa_tfstate_name = "sa-${var.folder_project}-${var.folder_environment}-tfstate" - sa_tfstate_description = "Service account for S3 backend for Terraform state in ${local.project_environment} environment" - sa_tfstate_static_key_description = "Static access key for S3 backend for Terraform state in ${local.project_environment} environment" - s3_tfstate_bucket = "s3-${var.folder_project}-${var.folder_environment}-tfstate" -} - -data "yandex_resourcemanager_cloud" "cloud" { - name = local.cloud_name -} - -resource "yandex_resourcemanager_folder" "folder" { - cloud_id = local.cloud_id - name = local.folder_name - description = local.folder_description -} - -resource "yandex_iam_service_account" "sa-tf" { - folder_id = local.folder_id - name = local.sa_tf_name - description = local.sa_tf_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_binding" "folder-admin" { - folder_id = local.folder_id - role = "admin" - members = [ - "serviceAccount:${yandex_iam_service_account.sa-tf.id}" - ] - - depends_on = [yandex_iam_service_account.sa-tf] -} - -resource "yandex_iam_service_account" "sa-tfstate" { - folder_id = local.folder_id - name = local.sa_tfstate_name - description = local.sa_tfstate_description - - depends_on = [yandex_resourcemanager_folder.folder] -} - -resource "yandex_resourcemanager_folder_iam_member" "sa-tfstate-storage-admin" { - folder_id = local.folder_id - role = "storage.admin" # admin role is need for bucket versioning - member = "serviceAccount:${yandex_iam_service_account.sa-tfstate.id}" - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_iam_service_account_static_access_key" "sa-tfstate-static-key" { - service_account_id = yandex_iam_service_account.sa-tfstate.id - description = local.sa_tfstate_static_key_description - - depends_on = [yandex_iam_service_account.sa-tfstate] -} - -resource "yandex_storage_bucket" "s3-tfstate" { - folder_id = local.folder_id - bucket = local.s3_tfstate_bucket - access_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - secret_key = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - - versioning { - enabled = true - } - - depends_on = [ - yandex_iam_service_account_static_access_key.sa-tfstate-static-key] -} diff --git a/monitoring/modules/folder/otputs.tf b/monitoring/modules/folder/otputs.tf deleted file mode 100644 index 13cd3ab..0000000 --- a/monitoring/modules/folder/otputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "tfstate_access_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.access_key - sensitive = true -} - -output "tfstate_secret_key" { - value = yandex_iam_service_account_static_access_key.sa-tfstate-static-key.secret_key - sensitive = true -} diff --git a/monitoring/modules/folder/variables.tf b/monitoring/modules/folder/variables.tf deleted file mode 100644 index 7e41198..0000000 --- a/monitoring/modules/folder/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "folder_project" { - type = string - description = "Name of project (cloud) folder belongs to" -} - -variable "folder_environment" { - type = string - description = "Name of environment related to folder" -} diff --git a/monitoring/modules/folder/versions.tf b/monitoring/modules/folder/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/folder/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/instance/main.tf b/monitoring/modules/instance/main.tf deleted file mode 100644 index d2b39e9..0000000 --- a/monitoring/modules/instance/main.tf +++ /dev/null @@ -1,61 +0,0 @@ -locals { - instance_name = "vm-${var.instance_project}-${var.instance_environment}-${var.instance_name}" - instance_description = "DevOps workstation No. ${var.instance_no} in ${var.instance_project} ${var.instance_environment} environment" - instance_ssh_public_key = file("./.secrets/${var.instance_name}/${var.instance_public_key}") -} - -data "yandex_iam_service_account" "service_account" { - name = var.instance_service_account_name -} - -data "template_file" "user_data" { - template = file("../templates/${var.instance_user_data_file}.yml.tftpl") - - vars = { - username = var.instance_name - ssh_public_key = local.instance_ssh_public_key - } -} - -resource "yandex_compute_instance" "instance" { - allow_stopping_for_update = true - name = local.instance_name - description = local.instance_description - hostname = var.instance_name - zone = var.instance_zone - platform_id = var.instance_platform_id - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - - labels = { - tags = var.instance_name - } - - scheduling_policy { - preemptible = var.instance_preemptible - } - - resources { - cores = var.instance_cores - core_fraction = var.instance_core_fraction - memory = var.instance_memory - } - - boot_disk { - initialize_params { - image_id = var.instance_image_id - size = var.instance_disk_size - } - } - - network_interface { - subnet_id = var.instance_subnet_id - nat = var.instance_nat - security_group_ids = var.instance_security_group_ids - nat_ip_address = var.instance_nat_ip_address - } - - metadata = { - user-data = data.template_file.user_data.rendered - serial-port-enable = var.instance_serial_port_enable - } -} diff --git a/monitoring/modules/instance/outputs.tf b/monitoring/modules/instance/outputs.tf deleted file mode 100644 index e7db1f1..0000000 --- a/monitoring/modules/instance/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "internal_ip_address" { - value = yandex_compute_instance.instance.network_interface.0.ip_address -} - -output "external_ip_address" { - value = yandex_compute_instance.instance.network_interface.0.nat_ip_address -} diff --git a/monitoring/modules/instance/variables.tf b/monitoring/modules/instance/variables.tf deleted file mode 100644 index 88c92fa..0000000 --- a/monitoring/modules/instance/variables.tf +++ /dev/null @@ -1,129 +0,0 @@ -variable "instance_project" { - type = string - description = "Instance project (cloud)" - nullable = false -} - -variable "instance_environment" { - type = string - description = "Instance environment" - nullable = false -} - -variable "instance_no" { - type = number - default = 1 - description = "Instance No." - nullable = false -} - -variable "instance_name" { - type = string - description = "Instance name" - nullable = false -} - -variable "instance_user_data_file" { - type = string - description = "Instance user data file" - nullable = false -} - -variable "instance_public_key" { - type = string - description = "Instance public key" - default = "id_rsa.pub" - nullable = false -} - -variable "instance_zone" { - type = string - description = "Yandex Cloud compute default zone" - default = "ru-central1-a" -} - -variable "instance_platform_id" { - default = "standard-v3" - type = string - description = "Platform ID for instance" - nullable = false -} - -variable "instance_service_account_name" { - type = string - description = "Instance service account name" - nullable = false -} - -variable "instance_preemptible" { - default = false - type = bool - description = "Instance scheduling policy" - nullable = false -} - -variable "instance_cores" { - default = 2 - type = number - description = "Instance cores quantity" - nullable = false -} - -variable "instance_core_fraction" { - default = 100 - type = number - description = "Instance core fraction" - nullable = false -} - -variable "instance_memory" { - default = 2 - type = number - description = "Instance memory amount" - nullable = false -} - -variable "instance_image_id" { - type = string - default = "fd8emvfmfoaordspe1jr" # ubuntu-22-04-lts-v20230130 - description = "Image ID for boot disk" -} - -variable "instance_disk_size" { - default = 30 - type = number - description = "Instance disk size" - nullable = false -} - -variable "instance_subnet_id" { - type = string - description = "Instance network interface subnet" - nullable = false -} - -variable "instance_nat" { - default = false - type = bool - description = "Instance NAT enable/disable" - nullable = false -} - -variable "instance_security_group_ids" { - type = list - description = "Instance security group IDs" -} - -variable "instance_nat_ip_address" { - type = string - description = "Instance public ip address" - nullable = false - default = "" -} - -variable "instance_serial_port_enable" { - default = 0 - type = number - description = "Instance serial port enable/disable" - nullable = false -} diff --git a/monitoring/modules/instance/versions.tf b/monitoring/modules/instance/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/instance/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/k8s-cluster/main.tf b/monitoring/modules/k8s-cluster/main.tf deleted file mode 100644 index 96ffd55..0000000 --- a/monitoring/modules/k8s-cluster/main.tf +++ /dev/null @@ -1,38 +0,0 @@ -locals { - k8s_cluster_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_description = "Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" - k8s_cluster_node_group_name = "k8s-${var.k8s_cluster_project}-${var.k8s_cluster_environment}-${var.k8s_cluster_name}" - k8s_cluster_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_cluster_project} ${var.k8s_cluster_environment} environment (${var.k8s_cluster_name})" -} - -data "yandex_iam_service_account" "service_account" { - name = var.k8s_cluster_service_account_name -} - -data "yandex_iam_service_account" "node_service_account" { - name = var.k8s_cluster_node_service_account_name -} - -resource "yandex_kubernetes_cluster" "k8s-cluster" { - name = local.k8s_cluster_name - description = local.k8s_cluster_description - network_id = var.k8s_cluster_network_id - - master { - version = var.k8s_cluster_version - - zonal { - zone = var.k8s_cluster_zone - subnet_id = var.k8s_cluster_subnet_id - } - - public_ip = var.k8s_cluster_public_ip - security_group_ids = var.k8s_cluster_security_group_ids - } - - service_account_id = data.yandex_iam_service_account.service_account.service_account_id - node_service_account_id = data.yandex_iam_service_account.node_service_account.service_account_id - cluster_ipv4_range = var.k8s_cluster_cluster_ipv4_range - service_ipv4_range = var.k8s_cluster_service_ipv4_range - -} diff --git a/monitoring/modules/k8s-cluster/outputs.tf b/monitoring/modules/k8s-cluster/outputs.tf deleted file mode 100644 index 35f5f30..0000000 --- a/monitoring/modules/k8s-cluster/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "K8s cluster ID" - value = yandex_kubernetes_cluster.k8s-cluster.id -} diff --git a/monitoring/modules/k8s-cluster/variables.tf b/monitoring/modules/k8s-cluster/variables.tf deleted file mode 100644 index 33d3fbc..0000000 --- a/monitoring/modules/k8s-cluster/variables.tf +++ /dev/null @@ -1,84 +0,0 @@ -variable "k8s_cluster_project" { - type = string - description = "K8s cluster project (cloud)" - nullable = false -} - -variable "k8s_cluster_environment" { - type = string - description = "K8s cluster environment" - nullable = false -} - -variable "k8s_cluster_name" { - type = string - description = "K8s cluster name" - nullable = false -} - -variable "k8s_cluster_network_id" { - type = string - description = "K8s_cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_version" { - type = string - description = "K8s cluster version" -} - -variable "k8s_cluster_release_channel" { - type = string - description = "K8s cluster release channel" - default = "STABLE" -} - -variable "k8s_cluster_zone" { - type = string - description = "K8s cluster zone" - default = "ru-central1-a" -} - -variable "k8s_cluster_subnet_id" { - type = string - description = "K8s cluster network interface subnet" - nullable = false -} - -variable "k8s_cluster_public_ip" { - type = bool - description = "K8s cluster public IP" - default = false - nullable = false -} - -variable "k8s_cluster_security_group_ids" { - type = list - description = "K8s cluster security group IDs" -} - -variable "k8s_cluster_service_account_name" { - type = string - description = "K8s cluster service account name" - nullable = false -} - -variable "k8s_cluster_node_service_account_name" { - type = string - description = "K8s cluster node service account name" - nullable = false -} - -variable "k8s_cluster_cluster_ipv4_range" { - default = "10.96.0.0/16" - type = string - description = "K8s cluster ipv4 CIDR" - nullable = false -} - -variable "k8s_cluster_service_ipv4_range" { - default = "10.112.0.0/16" - type = string - description = "K8s service ipv4 CIDR" - nullable = false -} diff --git a/monitoring/modules/k8s-cluster/versions.tf b/monitoring/modules/k8s-cluster/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/k8s-cluster/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/k8s-node-group/main.tf b/monitoring/modules/k8s-node-group/main.tf deleted file mode 100644 index 85930bd..0000000 --- a/monitoring/modules/k8s-node-group/main.tf +++ /dev/null @@ -1,60 +0,0 @@ -locals { - k8s_node_group_name = "k8s-${var.k8s_node_group_project}-${var.k8s_node_group_environment}-${var.k8s_node_group_cluster}-${var.k8s_node_group_name}" - k8s_node_group_description = "Node group for Managed Service for Kubernetes cluster in ${var.k8s_node_group_project} ${var.k8s_node_group_environment} environment (${var.k8s_node_group_cluster}/${var.k8s_node_group_name})" - k8s_node_group_ssh_keys = "${var.k8s_node_group_username}:${var.k8s_node_group_ssh_public_key}" -} - -resource "yandex_kubernetes_node_group" "k8s-node-group" { - name = local.k8s_node_group_name - description = local.k8s_node_group_description - cluster_id = var.k8s_node_group_cluster_id - version = var.k8s_node_group_version - - node_labels = { - "node-group" = var.k8s_node_group_name - } - - node_taints = var.k8s_node_group_node_taints - - scale_policy { - auto_scale { - initial = var.k8s_node_group_auto_scale_initial - min = var.k8s_node_group_auto_scale_min - max = var.k8s_node_group_auto_scale_max - } - } - - allocation_policy { - location { - zone = var.k8s_node_group_zone - } - } - - instance_template { - platform_id = var.k8s_node_group_platform_id - - scheduling_policy { - preemptible = var.k8s_node_group_preemptible - } - - resources { - memory = var.k8s_node_group_memory - cores = var.k8s_node_group_cores - } - - boot_disk { - type = var.k8s_node_group_disk_type - size = var.k8s_node_group_disk_size - } - - network_interface { - nat = var.k8s_node_group_nat - subnet_ids = var.k8s_node_group_subnet_ids - security_group_ids = var.k8s_node_group_security_group_ids - } - - metadata = { - ssh-keys = local.k8s_node_group_ssh_keys - } - } -} diff --git a/monitoring/modules/k8s-node-group/outputs.tf b/monitoring/modules/k8s-node-group/outputs.tf deleted file mode 100644 index e69de29..0000000 diff --git a/monitoring/modules/k8s-node-group/variables.tf b/monitoring/modules/k8s-node-group/variables.tf deleted file mode 100644 index ab51b20..0000000 --- a/monitoring/modules/k8s-node-group/variables.tf +++ /dev/null @@ -1,137 +0,0 @@ -variable "k8s_node_group_project" { - type = string - description = "K8s node group project (cloud)" - nullable = false -} - -variable "k8s_node_group_environment" { - type = string - description = "K8s node group environment" - nullable = false -} - -variable "k8s_node_group_name" { - type = string - description = "K8s node group name" - nullable = false -} - -variable "k8s_node_group_cluster" { - type = string - description = "K8s node group cluster name" - nullable = false -} - -variable "k8s_node_group_cluster_id" { - type = string - description = "K8s node group cluster ID" - nullable = false -} - -variable "k8s_node_group_version" { - type = string - description = "K8s node group version" -} - -variable "k8s_node_group_auto_scale_initial" { - type = number - description = "K8s node auto scale initial number of instances" - default = 0 -} - -variable "k8s_node_group_auto_scale_min" { - type = number - description = "K8s node auto scale minimum number of instances" - default = 0 -} - -variable "k8s_node_group_auto_scale_max" { - type = number - description = "K8s node auto scale maximum number of instances" - default = 1 -} - -variable "k8s_node_group_zone" { - type = string - description = "K8s node group zone" - default = "ru-central1-a" -} - -variable "k8s_node_group_platform_id" { - default = "standard-v3" - type = string - description = "Platform ID for node group" - nullable = false -} - -variable "k8s_node_group_node_taints" { - default = [] - type = list - description = "K8s node group node taints" - nullable = false -} - -variable "k8s_node_group_preemptible" { - default = false - type = bool - description = "K8s node group scheduling policy" - nullable = false -} - -variable "k8s_node_group_cores" { - default = 2 - type = number - description = "K8s node group cores quantity" - nullable = false -} - -variable "k8s_node_group_memory" { - default = 4 - type = number - description = "K8s node group memory amount" - nullable = false -} - -variable "k8s_node_group_disk_type" { - default = "network-hdd" - type = string - description = "K8s node group disk type" - nullable = false -} - -variable "k8s_node_group_disk_size" { - default = 64 - type = number - description = "K8s node group disk size" - nullable = false -} - -variable "k8s_node_group_nat" { - type = bool - description = "K8s_node_group NAT" - default = false - nullable = false -} - -variable "k8s_node_group_subnet_ids" { - type = list - description = "K8s node group network interface subnet IDs" - nullable = false -} - -variable "k8s_node_group_security_group_ids" { - type = list - description = "K8s node group security group IDs" -} - -variable "k8s_node_group_username" { - type = string - description = "K8s node group username" - nullable = false -} - -variable "k8s_node_group_ssh_public_key" { - type = string - description = "K8s node ssh public key" - nullable = false -} diff --git a/monitoring/modules/k8s-node-group/versions.tf b/monitoring/modules/k8s-node-group/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/k8s-node-group/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/sa/main.tf b/monitoring/modules/sa/main.tf deleted file mode 100644 index 8149017..0000000 --- a/monitoring/modules/sa/main.tf +++ /dev/null @@ -1,18 +0,0 @@ -data "yandex_iam_service_account" "service_account" { - name = var.sa_name - - depends_on = [yandex_iam_service_account.service_account] -} - -resource "yandex_iam_service_account" "service_account" { - name = var.sa_name - description = var.sa_description -} - -resource "yandex_resourcemanager_folder_iam_member" "folder_iam_member" { - folder_id = var.sa_folder_id - role = var.sa_role - member = "serviceAccount:${yandex_iam_service_account.service_account.id}" - - depends_on = [yandex_iam_service_account.service_account] -} diff --git a/monitoring/modules/sa/outputs.tf b/monitoring/modules/sa/outputs.tf deleted file mode 100644 index e9ed564..0000000 --- a/monitoring/modules/sa/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "name" { - value = yandex_iam_service_account.service_account.name -} - -output "id" { - value = data.yandex_iam_service_account.service_account.service_account_id -} diff --git a/monitoring/modules/sa/variables.tf b/monitoring/modules/sa/variables.tf deleted file mode 100644 index 7b69cd4..0000000 --- a/monitoring/modules/sa/variables.tf +++ /dev/null @@ -1,19 +0,0 @@ -variable "sa_name" { - type = string - description = "Service account name" -} - -variable "sa_description" { - type = string - description = "Service account description" -} - -variable "sa_folder_id" { - type = string - description = "Service account folder ID" -} - -variable "sa_role" { - type = string - description = "Service account role" -} diff --git a/monitoring/modules/sa/versions.tf b/monitoring/modules/sa/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/sa/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/monitoring/modules/subnet/main.tf b/monitoring/modules/subnet/main.tf deleted file mode 100644 index 4dbf8d3..0000000 --- a/monitoring/modules/subnet/main.tf +++ /dev/null @@ -1,13 +0,0 @@ -data "yandex_vpc_subnet" "subnet" { - name = var.subnet_name - - depends_on = [yandex_vpc_subnet.subnet] -} - - -resource "yandex_vpc_subnet" "subnet" { - name = var.subnet_name - zone = var.subnet_zone - network_id = var.subnet_network_id - v4_cidr_blocks = var.subnet_v4_cidr_blocks -} diff --git a/monitoring/modules/subnet/outputs.tf b/monitoring/modules/subnet/outputs.tf deleted file mode 100644 index 901b86f..0000000 --- a/monitoring/modules/subnet/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "id" { - description = "VPC subnet ID" - value = data.yandex_vpc_subnet.subnet.subnet_id -} diff --git a/monitoring/modules/subnet/variables.tf b/monitoring/modules/subnet/variables.tf deleted file mode 100644 index 083b336..0000000 --- a/monitoring/modules/subnet/variables.tf +++ /dev/null @@ -1,20 +0,0 @@ -variable "subnet_name" { - type = string - description = "Subnet name" -} - -variable "subnet_zone" { - type = string - description = "Subnet availability zone" - default = "ru-central1-a" -} - -variable "subnet_network_id" { - type = string - description = "Subnet network ID" -} - -variable "subnet_v4_cidr_blocks" { - type = list - description = "Subnet v4 CIDR blocks" -} diff --git a/monitoring/modules/subnet/versions.tf b/monitoring/modules/subnet/versions.tf deleted file mode 100644 index 09479df..0000000 --- a/monitoring/modules/subnet/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.1.6" - required_providers { - yandex = { - source = "yandex-cloud/yandex" - version = ">= 0.87.0" - } - } -} diff --git a/reddit/Dockerfile b/reddit/Dockerfile deleted file mode 100644 index 66674bc..0000000 --- a/reddit/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM ubuntu:18.04 - -RUN apt-get update -y -RUN apt-get install -y mongodb-server ruby-full ruby-dev build-essential git telnet iputils-ping iputils-tracepath apt-file -RUN gem install bundler -v 2.3.26 -RUN git clone -b monolith https://github.com/express42/reddit.git - -COPY mongod.conf /etc/mongod.conf -COPY db_config /reddit/db_config -COPY start.sh /start.sh - -RUN cd /reddit && rm Gemfile.lock && bundle install -RUN chmod 0777 /start.sh -CMD [ "/start.sh" ] diff --git a/reddit/start.sh b/reddit/start.sh deleted file mode 100644 index 3ff20a8..0000000 --- a/reddit/start.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -/usr/bin/mongod --fork --logpath /var/log/mongod.log --config /etc/mongodb.conf -source /reddit/db_config -cd /reddit && puma || exit diff --git a/src/.env.example b/src/.env.example deleted file mode 100644 index e9e97f4..0000000 --- a/src/.env.example +++ /dev/null @@ -1,6 +0,0 @@ -REDDIT_PORT=9292 -MONGO_VERSION='3.2' -UI_VERSION='3.0' -POST_VERSION='1.0' -COMMENT_VERSION='1.0' -USERNAME='TEST' diff --git a/src/.gitignore b/src/.gitignore deleted file mode 100644 index 85c3039..0000000 --- a/src/.gitignore +++ /dev/null @@ -1,7 +0,0 @@ -# docker-compose.yml -build_info.txt -prometheus/ -.env - -## python specific -*.pyc diff --git a/src/README.md b/src/README.md deleted file mode 100644 index b675662..0000000 --- a/src/README.md +++ /dev/null @@ -1 +0,0 @@ -# Micorservices diff --git a/src/comment/.gitlab-ci.yml b/src/comment/.gitlab-ci.yml new file mode 100644 index 0000000..26ab6a8 --- /dev/null +++ b/src/comment/.gitlab-ci.yml @@ -0,0 +1,130 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main diff --git a/src/comment/Dockerfile b/src/comment/Dockerfile index bbd61f2..d71cc15 100644 --- a/src/comment/Dockerfile +++ b/src/comment/Dockerfile @@ -6,7 +6,7 @@ ENV APP_HOME /app WORKDIR $APP_HOME COPY . $APP_HOME RUN bundle install -ENV COMMENT_DATABASE_HOST comment_db +ENV COMMENT_DATABASE_HOST mongo_db ENV COMMENT_DATABASE comments CMD ["puma"] diff --git a/src/comment/build_info.txt b/src/comment/build_info.txt new file mode 100644 index 0000000..e23b7a6 --- /dev/null +++ b/src/comment/build_info.txt @@ -0,0 +1,2 @@ +5397f2e +kubernetes-4 diff --git a/src/comment/docker_build.sh b/src/comment/docker_build.sh index a4c8e82..d935a50 100644 --- a/src/comment/docker_build.sh +++ b/src/comment/docker_build.sh @@ -3,4 +3,4 @@ echo `git show --format="%h" HEAD | head -1` > build_info.txt echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt -docker build -t $USER_NAME/comment . +docker build -t $USER_NAME/comment:logging . diff --git a/src/docker-compose.override.yml b/src/docker-compose.override.yml deleted file mode 100644 index 92596b0..0000000 --- a/src/docker-compose.override.yml +++ /dev/null @@ -1,3 +0,0 @@ -services: - ui: - command: "puma --debug -w 2" diff --git a/src/docker-compose.yml b/src/docker-compose.yml deleted file mode 100644 index 1c9df16..0000000 --- a/src/docker-compose.yml +++ /dev/null @@ -1,43 +0,0 @@ -version: '3.3' -services: - post_db: - image: mongo:${MONGO_VERSION} - volumes: - - post_db:/data/db - networks: - - back_net - ui: - build: ./ui - image: ${USERNAME}/ui:${UI_VERSION} - ports: - - ${REDDIT_PORT}:9292/tcp - networks: - - front_net - depends_on: - - post - - comment - post: - build: ./post-py - image: ${USERNAME}/post:${POST_VERSION} - networks: - - front_net - - back_net - depends_on: - - post_db - comment: - build: ./comment - image: ${USERNAME}/comment:${COMMENT_VERSION} - networks: - - front_net - - back_net - depends_on: - - post_db - -volumes: - post_db: - -networks: - back_net: -# name: back_net - front_net: -# name: front_net diff --git a/src/post/.gitlab-ci.yml b/src/post/.gitlab-ci.yml new file mode 100644 index 0000000..26ab6a8 --- /dev/null +++ b/src/post/.gitlab-ci.yml @@ -0,0 +1,130 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main diff --git a/src/post-py/Dockerfile b/src/post/Dockerfile similarity index 70% rename from src/post-py/Dockerfile rename to src/post/Dockerfile index 57db968..e58535f 100644 --- a/src/post-py/Dockerfile +++ b/src/post/Dockerfile @@ -3,12 +3,12 @@ FROM python:3.6.0-alpine WORKDIR /app COPY . /app/ -RUN apk --no-cache --update add build-base \ +RUN apk --no-cache --update add build-base gcc musl-dev \ && pip install --upgrade pip \ && pip install -r /app/requirements.txt \ && apk del build-base -ENV POST_DATABASE_HOST post_db +ENV POST_DATABASE_HOST mongo_db ENV POST_DATABASE posts CMD ["python3", "post_app.py"] diff --git a/src/post-py/VERSION b/src/post/VERSION similarity index 100% rename from src/post-py/VERSION rename to src/post/VERSION diff --git a/src/post/build_info.txt b/src/post/build_info.txt new file mode 100644 index 0000000..e23b7a6 --- /dev/null +++ b/src/post/build_info.txt @@ -0,0 +1,2 @@ +5397f2e +kubernetes-4 diff --git a/src/post-py/docker_build.sh b/src/post/docker_build.sh similarity index 100% rename from src/post-py/docker_build.sh rename to src/post/docker_build.sh diff --git a/src/post-py/helpers.py b/src/post/helpers.py similarity index 100% rename from src/post-py/helpers.py rename to src/post/helpers.py diff --git a/src/post-py/post_app.py b/src/post/post_app.py similarity index 100% rename from src/post-py/post_app.py rename to src/post/post_app.py diff --git a/src/post-py/requirements.txt b/src/post/requirements.txt similarity index 100% rename from src/post-py/requirements.txt rename to src/post/requirements.txt diff --git a/src/ui/.gitignore b/src/ui/.gitignore new file mode 100644 index 0000000..d31f3ca --- /dev/null +++ b/src/ui/.gitignore @@ -0,0 +1 @@ +*log diff --git a/src/ui/.gitlab-ci.yml b/src/ui/.gitlab-ci.yml new file mode 100644 index 0000000..26ab6a8 --- /dev/null +++ b/src/ui/.gitlab-ci.yml @@ -0,0 +1,130 @@ +image: alpine:latest + +stages: + - build + - test + - review + - release + - cleanup + +.extended_build: + image: docker:git + services: + - docker:18.09.7-dind + variables: + DOCKER_DRIVER: overlay2 + CI_APPLICATION_REPOSITORY: $CI_REGISTRY/$CI_PROJECT_PATH + CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG + CI_CONTAINER_NAME: ci_job_build_${CI_JOB_ID} + GITLAB_URL: "https://gitlab.reddit.voytenkov.ru/voitenkov" + before_script: + - > + if ! docker info &>/dev/null; then + if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then + export DOCKER_HOST='tcp://localhost:2375' + fi + fi + +.extended_deploy: + image: dtzar/helm-kubectl:3.13 + variables: + GIT_STRATEGY: none + KUBE_NAMESPACE: review + KUBE_CONTEXT: voitenkov/reddit-deploy:yc-k8s + host: $CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + name: $CI_ENVIRONMENT_SLUG + before_script: + # installing dependencies + - apk add -U openssl curl tar gzip bash ca-certificates git + - wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub + - curl https://storage.googleapis.com/pub/gsutil.tar.gz | tar -xz -C $HOME + - export PATH=${PATH}:$HOME/gsutil + - curl -o /usr/bin/sync-repo.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/sync-repo.sh + - chmod a+x /usr/bin/sync-repo.sh + # ensuring namespace + - kubectl config use-context $KUBE_CONTEXT + - kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE" + +build: + stage: build + extends: .extended_build + script: + # Building + - echo "Building and pushing Dockerfile-based application..." + - echo `git show --format="%h" HEAD | head -1` > build_info.txt + - echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt + - docker buildx build -t $CI_REGISTRY_IMAGE:$CI_APPLICATION_TAG --push . + - echo "" + only: + - branches + +test: + stage: test + script: + - exit 0 + only: + - branches + +release: + stage: release + extends: .extended_build + script: + # Releasing + - echo "Updating docker images ..." + - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:$(cat VERSION)" + - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)" + # latest is needed for feature flags + - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest" + - docker push "$CI_REGISTRY_IMAGE:latest" + only: + - main + +review: + stage: review + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + url: http://$CI_PROJECT_PATH_SLUG-$CI_COMMIT_REF_SLUG + on_stop: stop_review + script: + - export track="${1-stable}" + - > + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + - echo "Clone deploy repository..." + - git clone https://gitlab.reddit.voytenkov.ru/voitenkov/reddit-deploy.git + - echo "Download helm dependencies..." + - helm dep update reddit-deploy/reddit + - echo "Deploy helm release $name to $KUBE_NAMESPACE" + - echo "Upgrading existing release..." + - > + helm upgrade --install \ + --wait \ + --atomic \ + --set ui.ingress.host="$host" \ + --set $CI_PROJECT_NAME.image.repository=$CI_REGISTRY_IMAGE \ + --set $CI_PROJECT_NAME.image.tag=$CI_APPLICATION_TAG \ + --namespace="$KUBE_NAMESPACE" \ + --version="$CI_PIPELINE_ID-$CI_JOB_ID" \ + "$name" \ + reddit-deploy/reddit/ + except: + - main + +stop_review: + stage: cleanup + extends: .extended_deploy + environment: + name: review/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME + action: stop + script: + - export track="${1-stable}" + - helm delete "$name" --namespace="$KUBE_NAMESPACE" || true + when: manual + allow_failure: true + only: + - branches + except: + - main diff --git a/src/ui/Capfile b/src/ui/Capfile new file mode 100644 index 0000000..c85aa52 --- /dev/null +++ b/src/ui/Capfile @@ -0,0 +1,15 @@ +# Load DSL and set up stages +require "capistrano/setup" + +# Include default deployment tasks +require "capistrano/deploy" +require "capistrano/scm/git" +install_plugin Capistrano::SCM::Git + +require 'capistrano/bundler' +require 'capistrano/rvm' +require 'capistrano/puma' +install_plugin Capistrano::Puma + +# Load custom tasks from `lib/capistrano/tasks` if you have any defined +Dir.glob("lib/capistrano/tasks/*.rake").each { |r| import r } diff --git a/src/ui/Dockerfile b/src/ui/Dockerfile index 7ff5103..ec27f97 100644 --- a/src/ui/Dockerfile +++ b/src/ui/Dockerfile @@ -1,11 +1,12 @@ -FROM ubuntu:16.04 -RUN apt-get update \ - && apt-get install -y ruby-full ruby-dev build-essential \ - && gem install bundler -v 2.3.26 --no-ri --no-rdoc +FROM ruby:2.2.10-alpine +RUN apk update --no-cache \ + && apk add --no-cache build-base \ + && rm -rf /var/cache/apk/* ENV APP_HOME /app WORKDIR $APP_HOME COPY . $APP_HOME -RUN bundle install +RUN bundle install \ + && apk del build-base ENV POST_SERVICE_HOST post ENV POST_SERVICE_PORT 5000 ENV COMMENT_SERVICE_HOST comment diff --git a/src/ui/Dockerfile.1 b/src/ui/Dockerfile.1 deleted file mode 100644 index ec27f97..0000000 --- a/src/ui/Dockerfile.1 +++ /dev/null @@ -1,14 +0,0 @@ -FROM ruby:2.2.10-alpine -RUN apk update --no-cache \ - && apk add --no-cache build-base \ - && rm -rf /var/cache/apk/* -ENV APP_HOME /app -WORKDIR $APP_HOME -COPY . $APP_HOME -RUN bundle install \ - && apk del build-base -ENV POST_SERVICE_HOST post -ENV POST_SERVICE_PORT 5000 -ENV COMMENT_SERVICE_HOST comment -ENV COMMENT_SERVICE_PORT 9292 -CMD ["puma"] diff --git a/src/ui/Gemfile b/src/ui/Gemfile index dfc92d5..3ce71c0 100644 --- a/src/ui/Gemfile +++ b/src/ui/Gemfile @@ -1,13 +1,16 @@ source 'https://rubygems.org' -gem 'sinatra', '~> 2.0.2' -gem 'sinatra-contrib' +gem 'sinatra', '~> 2.0.1' gem 'haml' gem 'bson_ext' -gem 'faraday' +gem 'bcrypt' gem 'puma' -gem 'prometheus-client' -gem "rack", '>= 2.0.6' -gem 'rufus-scheduler' -gem 'tzinfo-data' -gem 'zipkin-tracer' +gem 'mongo' +gem 'json' + +group :development do + gem 'capistrano', require: false + gem 'capistrano-rvm', require: false + gem 'capistrano-bundler', require: false + gem 'capistrano3-puma', require: false +end diff --git a/src/ui/Gemfile.lock b/src/ui/Gemfile.lock index d5d5400..f62baeb 100644 --- a/src/ui/Gemfile.lock +++ b/src/ui/Gemfile.lock @@ -1,88 +1,68 @@ GEM remote: https://rubygems.org/ specs: - activesupport (5.2.2) - concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (>= 0.7, < 2) - minitest (~> 5.1) - tzinfo (~> 1.1) - backports (3.11.4) - bson (1.12.5) - bson_ext (1.12.5) - bson (~> 1.12.5) - concurrent-ruby (1.1.4) - et-orbi (1.1.6) - tzinfo - faraday (0.15.4) - multipart-post (>= 1.2, < 3) - finagle-thrift (1.4.2) - thrift (~> 0.9.3) - fugit (1.1.6) - et-orbi (~> 1.1, >= 1.1.6) - raabro (~> 1.1) - haml (5.0.4) + airbrussh (1.3.0) + sshkit (>= 1.6.1, != 1.7.0) + bcrypt (3.1.11) + bson (4.2.2) + bson_ext (1.5.1) + capistrano (3.9.0) + airbrussh (>= 1.0.0) + i18n + rake (>= 10.0.0) + sshkit (>= 1.9.0) + capistrano-bundler (1.2.0) + capistrano (~> 3.1) + sshkit (~> 1.2) + capistrano-rvm (0.1.2) + capistrano (~> 3.0) + sshkit (~> 1.2) + capistrano3-puma (3.1.1) + capistrano (~> 3.7) + capistrano-bundler + puma (~> 3.4) + haml (5.0.2) temple (>= 0.8.0) tilt - i18n (1.3.0) - concurrent-ruby (~> 1.0) - minitest (5.11.3) - multi_json (1.13.1) - multipart-post (2.0.0) - mustermann (1.0.3) - prometheus-client (0.8.0) - quantile (~> 0.2.1) - puma (3.12.0) - quantile (0.2.1) - raabro (1.1.6) - rack (2.0.6) - rack-protection (2.0.4) + i18n (0.8.6) + json (2.1.0) + mongo (2.4.3) + bson (>= 4.2.1, < 5.0.0) + mustermann (1.0.2) + net-scp (1.2.1) + net-ssh (>= 2.6.5) + net-ssh (4.1.0) + puma (3.10.0) + rack (2.0.5) + rack-protection (2.0.2) rack - rufus-scheduler (3.5.2) - fugit (~> 1.1, >= 1.1.5) - sinatra (2.0.4) + rake (12.0.0) + sinatra (2.0.2) mustermann (~> 1.0) rack (~> 2.0) - rack-protection (= 2.0.4) + rack-protection (= 2.0.2) tilt (~> 2.0) - sinatra-contrib (2.0.4) - activesupport (>= 4.0.0) - backports (>= 2.8.2) - multi_json - mustermann (~> 1.0) - rack-protection (= 2.0.4) - sinatra (= 2.0.4) - tilt (>= 1.3, < 3) - sucker_punch (2.1.1) - concurrent-ruby (~> 1.0) + sshkit (1.14.0) + net-scp (>= 1.1.2) + net-ssh (>= 2.8.0) temple (0.8.0) - thread_safe (0.3.6) - thrift (0.9.3.0) - tilt (2.0.9) - tzinfo (1.2.5) - thread_safe (~> 0.1) - tzinfo-data (1.2018.7) - tzinfo (>= 1.0.0) - zipkin-tracer (0.30.0) - faraday (~> 0.8) - finagle-thrift (~> 1.4.2) - rack (>= 1.0) - sucker_punch (~> 2.0) + tilt (2.0.8) PLATFORMS ruby DEPENDENCIES + bcrypt bson_ext - faraday + capistrano + capistrano-bundler + capistrano-rvm + capistrano3-puma haml - prometheus-client + json + mongo puma - rack (>= 2.0.6) - rufus-scheduler - sinatra (~> 2.0.2) - sinatra-contrib - tzinfo-data - zipkin-tracer + sinatra (~> 2.0.1) BUNDLED WITH - 1.17.2 + 1.16.1 diff --git a/src/ui/README.md b/src/ui/README.md new file mode 100644 index 0000000..8d173ce --- /dev/null +++ b/src/ui/README.md @@ -0,0 +1,22 @@ +# Monolith application + +## Deploy using Capistrano + +#### Requirements for the target host: +* Ruby (>2.2.0) installed via `rvm` +* MongDB +* ports `22` and `9292` should be reachable by you + +#### Steps: +1. Install required gems: +`bundle install` +2. Set env vars: +```bash +export SERVER_IP= # public IP address of the target host +export REPO_NAME= # repo name to fetch the code from, e.g. Artemmkin/reddit +export DEPLOY_USER=deploy # username used to connect via SSH +``` +3. Deploy using capistrano: +```bash +bundle exec cap production deploy:initial +``` diff --git a/src/ui/VERSION b/src/ui/VERSION deleted file mode 100644 index 8acdd82..0000000 --- a/src/ui/VERSION +++ /dev/null @@ -1 +0,0 @@ -0.0.1 diff --git a/src/ui/app.rb b/src/ui/app.rb new file mode 100644 index 0000000..c28efc2 --- /dev/null +++ b/src/ui/app.rb @@ -0,0 +1,160 @@ +require 'sinatra' +require 'json/ext' # for .to_json +require 'haml' +require 'uri' +require 'mongo' +require 'bcrypt' +require './helpers' + + +configure do + db = Mongo::Client.new([ ENV['DATABASE_URL'] || '127.0.0.1:27017' ], database: 'user_posts', heartbeat_frequency: 2) + set :mongo_db, db[:posts] + set :comments_db, db[:comments] + set :users_db, db[:users] + set :bind, '0.0.0.0' + enable :sessions +end + +before do + session[:flashes] = [] if session[:flashes].class != Array +end + + +get '/' do + @title = 'All posts' + begin + @posts = JSON.parse(settings.mongo_db.find.sort(timestamp: -1).to_a.to_json) + rescue + session[:flashes] << { type: 'alert-danger', message: 'Can\'t show blog posts, some problems with database. Refresh?' } + end + @flashes = session[:flashes] + session[:flashes] = nil + haml :index +end + + +get '/new' do + @title = 'New post' + @flashes = session[:flashes] + session[:flashes] = nil + haml :create +end + +post '/new' do + db = settings.mongo_db + if params['link'] =~ URI::regexp + begin + result = db.insert_one title: params['title'], created_at: Time.now.to_i, link: params['link'], votes: 0 + db.find(_id: result.inserted_id).to_a.first.to_json + rescue + session[:flashes] << { type: 'alert-danger', message: 'Can\'t save your post, some problems with the post service' } + else + session[:flashes] << { type: 'alert-success', message: 'Post successuly published' } + end + redirect '/' + else + session[:flashes] << { type: 'alert-danger', message: 'Invalid URL' } + redirect back + end +end + + +get '/signup' do + @title = 'Signup' + @flashes = session[:flashes] + session[:flashes] = nil + haml :signup +end + + +get '/login' do + @title = 'Login' + @flashes = session[:flashes] + session[:flashes] = nil + haml :login +end + + +post '/signup' do + db = settings.users_db + password_salt = BCrypt::Engine.generate_salt + password_hash = BCrypt::Engine.hash_secret(params[:password], password_salt) + u = db.find(_id: params[:username]).to_a.first.to_json + if u == "null" + result = db.insert_one _id: params[:username], salt: password_salt, passwordhash: password_hash + session[:username] = params[:username] + session[:flashes] << { type: 'alert-success', message: 'User created' } + redirect '/' + else + session[:flashes] << { type: 'alert-danger', message: 'User already exists' } + redirect back + end +end + + +post '/login' do + db = settings.users_db + u = db.find(_id: params[:username]).to_a.first.to_json + if u != "null" + user = JSON.parse(u) + if user["passwordhash"] == BCrypt::Engine.hash_secret(params[:password], user["salt"]) + session[:username] = params[:username] + redirect '/' + else + session[:flashes] << { type: 'alert-danger', message: 'Wrong username or password' } + redirect back + end + else + session[:flashes] << { type: 'alert-danger', message: 'Wrong username or password' } + redirect back + end +end + + +get '/logout' do + session[:username] = nil + redirect back +end + + +put '/post/:id/vote/:type' do + if logged_in? + id = object_id(params[:id]) + post = JSON.parse(document_by_id(params[:id])) + post['votes'] += params[:type].to_i + + settings.mongo_db.find(:_id => id). + find_one_and_update('$set' => {:votes => post['votes']}) + document_by_id(id) + else + session[:flashes] << { type: 'alert-danger', message: 'You need to log in before you can vote' } + end + redirect back +end + + +get '/post/:id' do + @title = 'Post' + @post = JSON.parse(document_by_id(params[:id])) + id = object_id(params[:id]) + @comments = JSON.parse(settings.comments_db.find(post_id: "#{id}").to_a.to_json) + @flashes = session[:flashes] + session[:flashes] = nil + haml :show +end + + +post '/post/:id/comment' do + content_type :json + db = settings.comments_db + begin + result = db.insert_one post_id: params[:id], name: session[:username], body: params['body'], created_at: Time.now.to_i + db.find(_id: result.inserted_id).to_a.first.to_json + rescue + session[:flashes] << { type: 'alert-danger', message: 'Can\'t save your comment, some problems with the comment service' } + else + session[:flashes] << { type: 'alert-success', message: 'Comment successuly published' } + end + redirect back +end diff --git a/src/ui/build_info.txt b/src/ui/build_info.txt new file mode 100644 index 0000000..e23b7a6 --- /dev/null +++ b/src/ui/build_info.txt @@ -0,0 +1,2 @@ +5397f2e +kubernetes-4 diff --git a/src/ui/config.ru b/src/ui/config.ru index 92cb1ee..76a6edf 100644 --- a/src/ui/config.ru +++ b/src/ui/config.ru @@ -1,14 +1,2 @@ -require 'bundler/setup' -require 'rack' -require 'prometheus/middleware/collector' -require 'prometheus/middleware/exporter' -require_relative 'ui_app' -require_relative 'middleware' -require 'zipkin-tracer' - -use Metrics -use Rack::Deflater, if: ->(_, _, _, body) { body.any? && body[0].length > 512 } -use Prometheus::Middleware::Collector -use Prometheus::Middleware::Exporter - +require './app' run Sinatra::Application diff --git a/src/ui/config/deploy.rb b/src/ui/config/deploy.rb new file mode 100644 index 0000000..0e535ec --- /dev/null +++ b/src/ui/config/deploy.rb @@ -0,0 +1,69 @@ +server ENV['SERVER_IP'], port: 22, user: ENV['DEPLOY_USER'], roles: [:web, :app, :db], primary: true +set :repo_name, ENV['REPO_NAME'] + +set :application, 'reddit' +set :repo_url, "git@github.com:#{fetch(:repo_name)}.git" +set :branch, 'monolith' +set :user, ENV['DEPLOY_USER'] +set :puma_threads, [4, 16] +set :puma_workers, 0 + +set :pty, true +set :use_sudo, false +set :stage, :production +set :deploy_via, :remote_cache +set :deploy_to, "/home/#{fetch(:user)}/#{fetch(:application)}" +set :puma_bind, "tcp://0.0.0.0:9292" +set :puma_state, "#{shared_path}/tmp/pids/puma.state" +set :puma_pid, "#{shared_path}/tmp/pids/puma.pid" +set :puma_access_log, "#{release_path}/log/puma.error.log" +set :puma_error_log, "#{release_path}/log/puma.access.log" +set :ssh_options, { forward_agent: true } +set :puma_preload_app, true +set :puma_worker_timeout, nil +set :puma_init_active_record, false # Change to false when not using ActiveRecord +set :linked_dirs, %w(tmp/pids tmp/sockets log) + +namespace :puma do + desc 'Create Directories for Puma Pids and Socket' + task :make_dirs do + on roles(:app) do + execute "mkdir #{shared_path}/tmp/sockets -p" + execute "mkdir #{shared_path}/tmp/pids -p" + end + end + + before :start, :make_dirs +end + +namespace :deploy do + desc "Make sure local git is in sync with remote." + task :check_revision do + on roles(:app) do + unless `git rev-parse HEAD` == `git rev-parse origin/monolith` + puts "WARNING: HEAD is not the same as origin/monolith" + puts "Run `git push` to sync changes." + exit + end + end + end + + desc 'Initial Deploy' + task :initial do + on roles(:app) do + before 'deploy:restart', 'puma:start' + invoke 'deploy' + end + end + + desc 'Restart application' + task :restart do + on roles(:app), in: :sequence, wait: 5 do + invoke 'puma:restart' + end + end + + before :starting, :check_revision + after :finishing, :cleanup + after :finishing, :restart +end diff --git a/src/ui/config/deploy/production.rb b/src/ui/config/deploy/production.rb new file mode 100644 index 0000000..4bb7a71 --- /dev/null +++ b/src/ui/config/deploy/production.rb @@ -0,0 +1,61 @@ +# server-based syntax +# ====================== +# Defines a single server with a list of roles and multiple properties. +# You can define all roles on a single server, or split them: + +# server "example.com", user: "deploy", roles: %w{app db web}, my_property: :my_value +# server "example.com", user: "deploy", roles: %w{app web}, other_property: :other_value +# server "db.example.com", user: "deploy", roles: %w{db} + + + +# role-based syntax +# ================== + +# Defines a role with one or multiple servers. The primary server in each +# group is considered to be the first unless any hosts have the primary +# property set. Specify the username and a domain or IP for the server. +# Don't use `:all`, it's a meta role. + +# role :app, %w{deploy@example.com}, my_property: :my_value +# role :web, %w{user1@primary.com user2@additional.com}, other_property: :other_value +# role :db, %w{deploy@example.com} + + + +# Configuration +# ============= +# You can set any configuration variable like in config/deploy.rb +# These variables are then only loaded and set in this stage. +# For available Capistrano configuration variables see the documentation page. +# http://capistranorb.com/documentation/getting-started/configuration/ +# Feel free to add new variables to customise your setup. + + + +# Custom SSH Options +# ================== +# You may pass any option but keep in mind that net/ssh understands a +# limited set of options, consult the Net::SSH documentation. +# http://net-ssh.github.io/net-ssh/classes/Net/SSH.html#method-c-start +# +# Global options +# -------------- +# set :ssh_options, { +# keys: %w(/home/rlisowski/.ssh/id_rsa), +# forward_agent: false, +# auth_methods: %w(password) +# } +# +# The server-based syntax can be used to override options: +# ------------------------------------ +# server "example.com", +# user: "user_name", +# roles: %w{web app}, +# ssh_options: { +# user: "user_name", # overrides user setting above +# keys: %w(/home/user_name/.ssh/id_rsa), +# forward_agent: false, +# auth_methods: %w(publickey password) +# # password: "please use keys" +# } diff --git a/src/ui/config/deploy/staging.rb b/src/ui/config/deploy/staging.rb new file mode 100644 index 0000000..4bb7a71 --- /dev/null +++ b/src/ui/config/deploy/staging.rb @@ -0,0 +1,61 @@ +# server-based syntax +# ====================== +# Defines a single server with a list of roles and multiple properties. +# You can define all roles on a single server, or split them: + +# server "example.com", user: "deploy", roles: %w{app db web}, my_property: :my_value +# server "example.com", user: "deploy", roles: %w{app web}, other_property: :other_value +# server "db.example.com", user: "deploy", roles: %w{db} + + + +# role-based syntax +# ================== + +# Defines a role with one or multiple servers. The primary server in each +# group is considered to be the first unless any hosts have the primary +# property set. Specify the username and a domain or IP for the server. +# Don't use `:all`, it's a meta role. + +# role :app, %w{deploy@example.com}, my_property: :my_value +# role :web, %w{user1@primary.com user2@additional.com}, other_property: :other_value +# role :db, %w{deploy@example.com} + + + +# Configuration +# ============= +# You can set any configuration variable like in config/deploy.rb +# These variables are then only loaded and set in this stage. +# For available Capistrano configuration variables see the documentation page. +# http://capistranorb.com/documentation/getting-started/configuration/ +# Feel free to add new variables to customise your setup. + + + +# Custom SSH Options +# ================== +# You may pass any option but keep in mind that net/ssh understands a +# limited set of options, consult the Net::SSH documentation. +# http://net-ssh.github.io/net-ssh/classes/Net/SSH.html#method-c-start +# +# Global options +# -------------- +# set :ssh_options, { +# keys: %w(/home/rlisowski/.ssh/id_rsa), +# forward_agent: false, +# auth_methods: %w(password) +# } +# +# The server-based syntax can be used to override options: +# ------------------------------------ +# server "example.com", +# user: "user_name", +# roles: %w{web app}, +# ssh_options: { +# user: "user_name", # overrides user setting above +# keys: %w(/home/user_name/.ssh/id_rsa), +# forward_agent: false, +# auth_methods: %w(publickey password) +# # password: "please use keys" +# } diff --git a/src/ui/docker_build.sh b/src/ui/docker_build.sh index 5dd1c0e..0153412 100644 --- a/src/ui/docker_build.sh +++ b/src/ui/docker_build.sh @@ -3,4 +3,4 @@ echo `git show --format="%h" HEAD | head -1` > build_info.txt echo `git rev-parse --abbrev-ref HEAD` >> build_info.txt -docker build -t $USER_NAME/ui . +docker build -t $USER_NAME/ui:logging . diff --git a/src/ui/helpers.rb b/src/ui/helpers.rb index dc94d0a..2e5fade 100644 --- a/src/ui/helpers.rb +++ b/src/ui/helpers.rb @@ -1,82 +1,29 @@ -def flash_danger(message) - session[:flashes] << { type: 'alert-danger', message: message } -end - -def flash_success(message) - session[:flashes] << { type: 'alert-success', message: message } -end - -def log_event(type, name, message, params = '{}') - case type - when 'error' - logger.error('service=ui | ' \ - "event=#{name} | " \ - "request_id=#{request.env['REQUEST_ID']} | " \ - "message=\'#{message}\' | " \ - "params: #{params.to_json}") - when 'info' - logger.info('service=ui | ' \ - "event=#{name} | " \ - "request_id=#{request.env['REQUEST_ID']} | " \ - "message=\'#{message}\' | " \ - "params: #{params.to_json}") - when 'warning' - logger.warn('service=ui | ' \ - "event=#{name} | " \ - "request_id=#{request.env['REQUEST_ID']} | " \ - "message=\'#{message}\' | " \ - "params: #{params.to_json}") +helpers do + # a helper method to turn a string ID + # representation into a BSON::ObjectId + def object_id val + begin + BSON::ObjectId.from_string(val) + rescue BSON::ObjectId::Invalid + nil + end end -end -def http_request(method, url, params = {}) - unless defined?(request).nil? - settings.http_client.headers[:request_id] = request.env['REQUEST_ID'].to_s + def document_by_id id + id = object_id(id) if String === id + if id.nil? + {}.to_json + else + document = settings.mongo_db.find(:_id => id).to_a.first + (document || {}).to_json + end end - case method - when 'get' - response = settings.http_client.get url - JSON.parse(response.body) - when 'post' - settings.http_client.post url, params + def logged_in? + if session[:username].nil? + return false + else + return true + end end end - -def http_healthcheck_handler(post_url, comment_url, version) - post_status = check_service_health(post_url) - comment_status = check_service_health(comment_url) - - status = if comment_status == 1 && post_status == 1 - 1 - else - 0 - end - - healthcheck = { status: status, - dependent_services: { - comment: comment_status, - post: post_status - }, - version: version } - healthcheck.to_json -end - -def check_service_health(url) - name = http_request('get', "#{url}/healthcheck") -rescue StandardError - 0 -else - name['status'] -end - -def set_health_gauge(metric, value) - metric.set( - { - version: VERSION, - commit_hash: BUILD_INFO[0].strip, - branch: BUILD_INFO[1].strip - }, - value - ) -end diff --git a/src/ui/middleware.rb b/src/ui/middleware.rb deleted file mode 100644 index 8f70cca..0000000 --- a/src/ui/middleware.rb +++ /dev/null @@ -1,32 +0,0 @@ -require 'prometheus/client' - -class Metrics - def initialize(app) - @app = app - prometheus = Prometheus::Client.registry - @request_count = Prometheus::Client::Counter.new( - :ui_request_count, - 'App Request Count' - ) - @request_response_time = Prometheus::Client::Histogram.new( - :ui_request_response_time, - 'Request response time' - ) - prometheus.register(@request_response_time) - prometheus.register(@request_count) - end - - def call(env) - request_started_on = Time.now - env['REQUEST_ID'] = SecureRandom.uuid # add unique ID to each request - @status, @headers, @response = @app.call(env) - request_ended_on = Time.now - # prometheus metrics - @request_response_time.observe({ path: env['REQUEST_PATH'] }, - request_ended_on - request_started_on) - @request_count.increment(method: env['REQUEST_METHOD'], - path: env['REQUEST_PATH'], - http_status: @status) - [@status, @headers, @response] - end -end diff --git a/src/ui/ui_app.rb b/src/ui/ui_app.rb deleted file mode 100644 index 85befd6..0000000 --- a/src/ui/ui_app.rb +++ /dev/null @@ -1,232 +0,0 @@ -require 'sinatra' -require 'sinatra/reloader' -require 'json/ext' -require 'haml' -require 'uri' -require 'prometheus/client' -require 'rufus-scheduler' -require 'logger' -require 'faraday' -require 'zipkin-tracer' -require_relative 'helpers' - -# Dependent services -POST_SERVICE_HOST ||= ENV['POST_SERVICE_HOST'] || '127.0.0.1' -POST_SERVICE_PORT ||= ENV['POST_SERVICE_PORT'] || '4567' -COMMENT_SERVICE_HOST ||= ENV['COMMENT_SERVICE_HOST'] || '127.0.0.1' -COMMENT_SERVICE_PORT ||= ENV['COMMENT_SERVICE_PORT'] || '4567' -ZIPKIN_ENABLED ||= ENV['ZIPKIN_ENABLED'] || false -POST_URL ||= "http://#{POST_SERVICE_HOST}:#{POST_SERVICE_PORT}" -COMMENT_URL ||= "http://#{COMMENT_SERVICE_HOST}:#{COMMENT_SERVICE_PORT}" - -# App version and build info -if File.exist?('VERSION') - VERSION ||= File.read('VERSION').strip -else - VERSION ||= "version_missing" -end - -if File.exist?('build_info.txt') - BUILD_INFO = File.readlines('build_info.txt') -else - BUILD_INFO = Array.new(2, "build_info_missing") -end - -@@host_info=ENV['HOSTNAME'] -@@env_info=ENV['ENV'] - -# Zipkin opts -set :zipkin_enabled, ZIPKIN_ENABLED -zipkin_config = { - service_name: 'ui_app', - service_port: 9292, - sample_rate: 1, - sampled_as_boolean: false, - log_tracing: true, - json_api_host: 'http://zipkin:9411/api/v1/spans' - } - -configure do - # https://github.com/openzipkin/zipkin-ruby#sending-traces-on-incoming-requests - http_client = Faraday.new do |faraday| - faraday.use ZipkinTracer::FaradayHandler - faraday.request :url_encoded # form-encode POST params - # faraday.response :logger - faraday.adapter Faraday.default_adapter # make requests with Net::HTTP - end - set :http_client, http_client - set :bind, '0.0.0.0' - set :server, :puma - set :logging, false - set :mylogger, Logger.new(STDOUT) - enable :sessions -end - -if settings.zipkin_enabled? - use ZipkinTracer::RackHandler, zipkin_config -end - -# create and register metrics -prometheus = Prometheus::Client.registry -ui_health_gauge = Prometheus::Client::Gauge.new( - :ui_health, - 'Health status of UI service' -) -ui_health_post_gauge = Prometheus::Client::Gauge.new( - :ui_health_post_availability, - 'Check if Post service is available to UI' -) -ui_health_comment_gauge = Prometheus::Client::Gauge.new( - :ui_health_comment_availability, - 'Check if Comment service is available to UI' -) -prometheus.register(ui_health_gauge) -prometheus.register(ui_health_post_gauge) -prometheus.register(ui_health_comment_gauge) - -# Schedule health check function -scheduler = Rufus::Scheduler.new -scheduler.every '5s' do - check = JSON.parse(http_healthcheck_handler(POST_URL, COMMENT_URL, VERSION)) - set_health_gauge(ui_health_gauge, check['status']) - set_health_gauge(ui_health_post_gauge, check['dependent_services']['post']) - set_health_gauge(ui_health_comment_gauge, check['dependent_services']['comment']) -end - -# before each request -before do - session[:flashes] = [] if session[:flashes].class != Array - env['rack.logger'] = settings.mylogger # set custom logger -end - -# after each request -after do - request_id = env['REQUEST_ID'] || 'null' - logger.info("service=ui | event=request | path=#{env['REQUEST_PATH']} | " \ - "request_id=#{request_id} | " \ - "remote_addr=#{env['REMOTE_ADDR']} | " \ - "method= #{env['REQUEST_METHOD']} | " \ - "response_status=#{response.status}") -end - -# show all posts -get '/' do - @title = 'All posts' - begin - @posts = http_request('get', "#{POST_URL}/posts") - rescue StandardError => e - flash_danger('Can\'t show blog posts, some problems with the post ' \ - 'service. Refresh?') - log_event('error', 'show_all_posts', - "Failed to read from Post service. Reason: #{e.message}") - else - log_event('info', 'show_all_posts', - 'Successfully showed the home page with posts') - end - @flashes = session[:flashes] - session[:flashes] = nil - haml :index -end - -# show a form for creating a new post -get '/new' do - @title = 'New post' - @flashes = session[:flashes] - session[:flashes] = nil - haml :create -end - -# talk to Post service in order to creat a new post -post '/new/?' do - if params['link'] =~ URI::DEFAULT_PARSER.regexp[:ABS_URI] - begin - http_request('post', "#{POST_URL}/add_post", title: params['title'], - link: params['link'], - created_at: Time.now.to_i) - rescue StandardError => e - flash_danger("Can't save your post, some problems with the post service") - log_event('error', 'post_create', - "Failed to create a post. Reason: #{e.message}", params) - else - flash_success('Post successuly published') - log_event('info', 'post_create', 'Successfully created a post', params) - end - redirect '/' - else - flash_danger('Invalid URL') - log_event('warning', 'post_create', 'Invalid URL', params) - redirect back - end -end - -# talk to Post service in order to vote on a post -post '/post/:id/vote/:type' do - begin - http_request('post', "#{POST_URL}/vote", id: params[:id], - type: params[:type]) - rescue StandardError => e - flash_danger('Can\'t vote, some problems with the post service') - log_event('error', 'vote', - "Failed to vote. Reason: #{e.message}", params) - else - log_event('info', 'vote', 'Successful vote', params) - end - redirect back -end - -# show a specific post -get '/post/:id' do - begin - @post = http_request('get', "#{POST_URL}/post/#{params[:id]}") - rescue StandardError => e - log_event('error', 'show_post', - "Counldn't show the post. Reason: #{e.message}", params) - halt 404, 'Not found' - end - - begin - @comments = http_request('get', "#{COMMENT_URL}/#{params[:id]}/comments") - rescue StandardError => e - log_event('error', 'show_post', - "Counldn't show the comments. Reason: #{e.message}", params) - flash_danger("Can't show comments, some problems with the comment service") - else - log_event('info', 'show_post', - 'Successfully showed the post', params) - end - @flashes = session[:flashes] - session[:flashes] = nil - haml :show -end - -# talk to Comment service in order to comment on a post -post '/post/:id/comment' do - begin - http_request('post', "#{COMMENT_URL}/add_comment", - post_id: params[:id], - name: params[:name], - email: params[:email], - created_at: Time.now.to_i, - body: params[:body]) - rescue StandardError => e - log_event('error', 'create_comment', - "Counldn't create a comment. Reason: #{e.message}", params) - flash_danger("Can\'t save the comment, - some problems with the comment service") - else - log_event('info', 'create_comment', - 'Successfully created a new post', params) - - flash_success('Comment successuly published') - end - redirect back -end - -# health check endpoint -get '/healthcheck' do - http_healthcheck_handler(POST_URL, COMMENT_URL, VERSION) -end - -get '/*' do - halt 404, 'Page not found' -end diff --git a/src/ui/views/create.haml b/src/ui/views/create.haml index 172e3da..68bde5c 100644 --- a/src/ui/views/create.haml +++ b/src/ui/views/create.haml @@ -1,10 +1,14 @@ -%h2 Add blog post -%form{ action: '/new', method: 'post', role: 'form'} - .form-group - %label{for: 'title'} Title: - %input{name:'title', placeholder: 'cool title', class: 'form-control', id: 'title'} - .form-group - %label{for: 'link'} Link: - %input{name:'link', placeholder: 'awesome link', class: 'form-control', id: 'link'} - .form-group - %input{class: 'btn btn-primary', type: 'submit', value:'Post it!'} +%h2 Add a new post +- if logged_in? + %form{ action: '/new', method: 'post', role: 'form'} + .form-group + %label{for: 'title'} Title: + %input{name:'title', placeholder: 'cool title', class: 'form-control', id: 'title'} + .form-group + %label{for: 'link'} Link: + %input{name:'link', placeholder: 'awesome link', class: 'form-control', id: 'link'} + .form-group + %input{class: 'btn btn-primary', type: 'submit', value:'Post it!'} +- else + .alert{class: "alert-danger"} + %strong You need to sign in before adding a new post :( diff --git a/src/ui/views/index.haml b/src/ui/views/index.haml index 96b7e76..bb65bbf 100644 --- a/src/ui/views/index.haml +++ b/src/ui/views/index.haml @@ -7,12 +7,12 @@ %div{class: 'row'} .col-sm-1 %form{:action => "/post/#{post['_id']['$oid']}/vote/1", :method => "post", id: "form-upvote" } - %input{:type => "hidden", :name => "_method", :value => "post"} + %input{:type => "hidden", :name => "_method", :value => "put"} %button{type: "submit", class: "btn btn-default btn-sm"} %span{ class: "glyphicon glyphicon-menu-up" } %h4{class: 'pull-center'} #{post['votes']} %form{:action => "/post/#{post['_id']['$oid']}/vote/-1", :method => "post", id: "form-downvote"} - %input{:type => "hidden", :name => "_method", :value=> "post"} + %input{:type => "hidden", :name => "_method", :value=> "put"} %button{type: "submit", class: "btn btn-default btn-sm"} %span{ class: "glyphicon glyphicon-menu-down" } .col-sm-8 diff --git a/src/ui/views/layout.haml b/src/ui/views/layout.haml index 3072b09..48b881d 100644 --- a/src/ui/views/layout.haml +++ b/src/ui/views/layout.haml @@ -4,19 +4,30 @@ %meta(charset="utf-8") %meta(http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1") %meta(name="viewport" content="width=device-width, initial-scale=1.0") - %title="Microservices Reddit :: #{@title}" + %title="Monolith Reddit :: #{@title}" %link{ href: 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css', integrity: "sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7", type: 'text/css', rel: 'stylesheet', crossorigin: 'anonymous' } %link{ href: 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap-theme.min.css', integrity: 'sha384-fLW2N01lMqjakBkx3l/M9EahuwpSfeNvV63J5ezn3uZzapT0u7EYsXMjQV+0En5r', type: 'text/css', rel: 'stylesheet', crossorigin: 'anonymous' } %script{ href: 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js', integrity: 'sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS', crossorigin: 'anonymous'} + %script{ src: 'https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js' } %body .navbar.navbar-default.navbar-static-top .container - %button.navbar-toggle(type="button" data-toggle="collapse" data-target=".navbar-responsive-collapse") - %span.icon-bar - %span.icon-bar - %span.icon-bar - %a.navbar-brand(href="/") Microservices Reddit in #{@@env_info} #{@@host_info} container - .navbar-collapse.collapse.navbar-responsive-collapse + .navbar-header + %button.navbar-toggle(type="button" data-toggle="collapse" data-target=".navbar-responsive-collapse") + %span.icon-bar + %span.icon-bar + %span.icon-bar + %a.navbar-brand(href="/") Monolith Reddit + .navbar-collapse.collapse + %ul.nav.navbar-nav.navbar-right + - if logged_in? + %li + %a.nav-link(href="/logout") Logout + - else + %li + %a(href="/signup") Sign up + %li + %a(href="/login") Login .container .row .col-lg-9 diff --git a/src/ui/views/login.haml b/src/ui/views/login.haml new file mode 100644 index 0000000..017fe7b --- /dev/null +++ b/src/ui/views/login.haml @@ -0,0 +1,10 @@ +%h2 Log In +%form{ action: '/login', method: 'post', role: 'form'} + .form-group + %label{for: 'username'} Username: + %input{name:'username', placeholder: 'Your username', class: 'form-control', id: 'username'} + .form-group + %label{for: 'password'} Password: + %input{name:'password', placeholder: 'Your password', class: 'form-control', id: 'password'} + .form-group + %input{class: 'btn btn-primary', type: 'submit', value:'Log in'} diff --git a/src/ui/views/show.haml b/src/ui/views/show.haml index 07f160f..ee3de56 100644 --- a/src/ui/views/show.haml +++ b/src/ui/views/show.haml @@ -5,12 +5,12 @@ %div{class: 'row'} .col-sm-1 %form{action: "#{@post['_id']['$oid']}/vote/1", method: "post"} - %input{:type => "hidden", :name => "_method", :value => "post"} + %input{:type => "hidden", :name => "_method", :value => "put"} %button{type: "submit", class: "btn btn-default btn-sm"} %span{ class: "glyphicon glyphicon-menu-up" } %h4{class: 'pull-center'} #{@post['votes']} %form{:action => "#{@post['_id']['$oid']}/vote/-1", :method => "post"} - %input{:type => "hidden", :name => "_method", :value=> "post"} + %input{:type => "hidden", :name => "_method", :value=> "put"} %button{type: "submit", class: "btn btn-default btn-sm"} %span{ class: "glyphicon glyphicon-menu-down" } .col-sm-8 @@ -31,19 +31,15 @@ .panel.panel-default .panel-heading %strong #{comment['name']} - - unless comment['email'].empty? - (#{comment['email']}) %span{class: "text-muted pull-right"} %em #{Time.at(comment['created_at'].to_i).strftime('%H:%M')} #{Time.at(comment['created_at'].to_i).strftime('%d-%m-%Y')} .panel-body #{comment['body']} -%form{action: "/post/#{@post['_id']['$oid']}/comment", method: 'post', role: 'form'} - .col-sm-4 - .form-group - %input{name: 'name', type: 'text', class: 'form-control', placeholder: 'name'} - .col-sm-4 - .form-group - %input{name: 'email', type: 'email', class: 'form-control', placeholder: 'email'} - .col-sm-8 - .form-group - %textarea{name: 'body', class: 'form-control', placeholder: 'put a nice comment :)'} - %button{class: 'btn btn-block btn-primary'} Post my comment +- if logged_in? + %form{action: "/post/#{@post['_id']['$oid']}/comment", method: 'post', role: 'form'} + .col-sm-8 + .form-group + %textarea{name: 'body', class: 'form-control', placeholder: 'put a nice comment :)'} + %button{class: 'btn btn-block btn-primary'} Post my comment +- else + .alert{class: "alert-info"} + %strong Log in or sign up to add a new comment! :) diff --git a/src/ui/views/signup.haml b/src/ui/views/signup.haml new file mode 100644 index 0000000..44e18b5 --- /dev/null +++ b/src/ui/views/signup.haml @@ -0,0 +1,10 @@ +%h2 Sign Up +%form{ action: '/signup', method: 'post', role: 'form'} + .form-group + %label{for: 'username'} Username: + %input{name:'username', placeholder: 'Your username', class: 'form-control', id: 'username'} + .form-group + %label{for: 'password'} Password: + %input{name:'password', placeholder: 'Your password', class: 'form-control', id: 'password'} + .form-group + %input{class: 'btn btn-primary', type: 'submit', value:'Sign up!'}