helm部署gitlab。chart最新版本:4.4.3
- namespace:
public-service-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
name: public-service
kubectl apply -f public-service-ns.yaml
- nfs存储:
yum install -y nfs-utils rpcbind
mkdir -p /data/gitlab/{gitaly,minio,postgresql,redis}
vim /etc/exports
/data/gitlab 192.168.30.0/24(rw,sync,no_root_squash)
chmod -R 755 /data/gitlab
exportfs -arv
systemctl enable rpcbind && systemctl start rpcbind
systemctl enable nfs && systemctl start nfs
nfs部署完毕。对于需要使用nfs的node节点,都要安装nfs:
yum install -y nfs-utils
gitlab-pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-gitaly
labels:
app: gitlab
component: gitaly
spec:
capacity:
storage: 50Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Recycle
nfs:
server: 192.168.30.129
path: /data/gitlab/gitaly
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-minio
labels:
app: gitlab
component: minio
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Recycle
nfs:
server: 192.168.30.129
path: /data/gitlab/minio
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-postgresql
labels:
app: gitlab
component: postgresql
spec:
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Recycle
nfs:
server: 192.168.30.129
path: /data/gitlab/postgresql
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-redis
labels:
app: gitlab
component: redis
spec:
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Recycle
nfs:
server: 192.168.30.129
path: /data/gitlab/redis
kubectl apply -f gitlab-pv.yaml
kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
gitlab-gitaly 50Gi RWO Recycle Available 5s
gitlab-minio 10Gi RWO Recycle Available 5s
gitlab-postgresql 8Gi RWO Recycle Available 5s
gitlab-redis 8Gi RWO Recycle Available 5s
- 配置:
helm repo add gitlab https://charts.gitlab.io/
helm repo update
helm pull gitlab/gitlab
tar xf gitlab-4.4.3.tgz
vim gitlab/values.yaml #更改
global:
hosts:
domain: lzxlinux.com
https: false
ingress:
configureCertmanager: false
enabled: true
tls:
enabled: false
certmanager:
createCustomResource: false
nameOverride: cert-manager
install: false
rbac:
create: false
nginx-ingress:
enabled: false
rbac:
create: false
serviceAccount:
create: false
prometheus:
install: false
rbac:
create: false
gitlab-runner:
install: false
rbac:
create: false
grafana:
sidecar:
dashboards:
enabled: false
label: gitlab_grafana_dashboard
datasources:
enabled: false
label: gitlab_grafana_datasource
vim gitlab/charts/certmanager-issuer/values.yaml
email: admin@admin.com
vim gitlab/charts/gitlab/charts/gitlab-exporter/values.yaml
enabled: false
vim gitlab/charts/gitlab/charts/gitaly/values.yaml
securityContext:
runAsUser: 0
fsGroup: 0
vim gitlab/charts/minio/values.yaml
securityContext:
runAsUser: 0
fsGroup: 0
vim gitlab/charts/postgresql/values.yaml
securityContext:
enabled: true
fsGroup: 0
runAsUser: 0
vim gitlab/charts/redis/values.yaml
securityContext:
enabled: true
fsGroup: 0
runAsUser: 0
vim gitlab/charts/gitlab/charts/gitaly/templates/statefulset.yml
{{- if .Values.global.gitaly.enabled -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "fullname" . }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "gitlab.immutableLabels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
serviceName: {{ template "gitlab.gitaly.serviceName" . }}
replicas: {{template "gitlab.gitaly.replicas" . }}
podManagementPolicy: Parallel
{{- if .Values.global.operator.enabled }}
updateStrategy:
rollingUpdate:
partition: {{template "gitlab.gitaly.replicas" . }}
{{- end }}
template:
metadata:
labels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
{{- include "gitlab.podLabels" . | nindent 8 }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }}
{{- range $key, $value := .Values.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.tolerations }}
tolerations:
{{- toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
terminationGracePeriodSeconds: 30
initContainers:
{{- include "gitlab.extraInitContainers" . | nindent 8 }}
{{- include "gitlab.certificates.initContainer" . | nindent 8 }}
- name: configure
command: ['sh', '/config/configure']
image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" $.Values.global.busybox) | quote }}
env:
{{- include "gitlab.extraEnv" . | nindent 10 }}
volumeMounts:
{{- include "gitlab.extraVolumeMounts" . | nindent 10 }}
- name: gitaly-config
mountPath: /config
readOnly: true
- name: init-gitaly-secrets
mountPath: /init-config
readOnly: true
- name: gitaly-secrets
mountPath: /init-secrets
readOnly: false
resources:
{{- toYaml .Values.init.resources | nindent 12 }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- include "pullsecrets" .Values.image | indent 6 }}
{{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: "kubernetes.io/hostname"
labelSelector:
matchLabels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
{{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
{{- end }}
{{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }}
serviceAccountName: {{ include "gitlab.serviceAccount.name" . }}
{{- end }}
containers:
{{- include "gitlab.extraContainers" . | nindent 8 }}
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}"
{{ template "gitlab.imagePullPolicy" . }}
ports:
- containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }}
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.metrics.metricsPort }}
{{- end }}
env:
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/etc/gitaly/templates'
- name: CONFIG_DIRECTORY
value: '/etc/gitaly'
- name: GITALY_CONFIG_FILE
value: '/etc/gitaly/config.toml'
- name: SSL_CERT_DIR
value: '/etc/ssl/certs'
{{- if .Values.metrics.enabled }}
- name: GITALY_PROMETHEUS_LISTEN_ADDR
value: ':{{ .Values.metrics.metricsPort }}'
{{- end }}
{{- include "gitlab.tracing.env" . | nindent 12 }}
{{- include "gitlab.extraEnv" . | nindent 12 }}
volumeMounts:
{{- include "gitlab.extraVolumeMounts" . | nindent 12 }}
{{- include "gitlab.certificates.volumeMount" . | nindent 12 }}
- name: gitaly-config
mountPath: '/etc/gitaly/templates'
- name: gitaly-secrets
mountPath: '/etc/gitlab-secrets'
readOnly: true
- name: repo-data
mountPath: '/home/git/repositories'
{{- if and .Values.persistence.enabled .Values.persistence.subPath }}
subPath: "{{ .Values.persistence.subPath }}"
{{- end }}
livenessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 10
readinessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
{{- include "gitlab.extraVolumes" . | nindent 6 }}
- name: gitaly-config
configMap:
name: {{ template "fullname" . }}
{{- if not .Values.persistence.enabled }}
- name: repo-data
emptyDir: {}
{{- end }}
- name: gitaly-secrets
emptyDir:
medium: "Memory"
- name: init-gitaly-secrets
projected:
defaultMode: 0440
sources:
- secret:
name: {{ template "gitlab.gitaly.authToken.secret" . }}
items:
- key: {{ template "gitlab.gitaly.authToken.key" . }}
path: "gitaly_token"
- secret:
name: {{ template "gitlab.gitlab-shell.authToken.secret" . }}
items:
- key: {{ template "gitlab.gitlab-shell.authToken.key" . }}
path: ".gitlab_shell_secret"
{{- if .Values.global.gitaly.tls.enabled }}
- secret:
name: {{ template "gitlab.gitaly.tls.secret" . }}
items:
- key: "tls.crt"
path: "gitaly.crt"
- key: "tls.key"
path: "gitaly.key"
{{- end }}
{{- include "gitlab.certificates.volumes" . | nindent 6 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{- toYaml .Values.nodeSelector | nindent 8 }}
{{- end -}}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: repo-data
labels:
app: gitlab
component: {{ template "name" . }}
annotations:
{{- range $key, $value := .Values.persistence.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end -}}
{{- end }}
selector:
matchLabels:
app: gitlab
component: {{ template "name" . }}
{{- if .Values.persistence.matchExpressions }}
matchExpressions:
{{- toYaml .Values.persistence.matchExpressions | nindent 12 }}
{{- end -}}
{{- end }}
{{- end }}
vim gitlab/charts/minio/templates/minio_pvc.yaml
{{- if and .Values.global.minio.enabled .Values.persistence.enabled }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ $.Release.Namespace }}
labels:
app: gitlab
component: {{ template "name" . }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.volumeName }}
volumeName: {{ .Values.persistence.volumeName }}
{{- end }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end -}}
{{- end }}
selector:
matchLabels:
app: gitlab
component: {{ template "name" . }}
{{- if .Values.persistence.matchExpressions }}
matchExpressions:
{{ toYaml .Values.persistence.matchExpressions | indent 6 }}
{{- end -}}
{{- end }}
vim gitlab/charts/postgresql/templates/statefulset.yaml
apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "postgresql.master.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- with .Values.master.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Values.slave.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "postgresql.fullname" . }}-headless
replicas: 1
updateStrategy:
type: {{ .Values.updateStrategy.type }}
{{- if (eq "Recreate" .Values.updateStrategy.type) }}
rollingUpdate: null
{{- end }}
selector:
matchLabels:
app: {{ template "postgresql.name" . }}
release: {{ .Release.Name | quote }}
role: master
template:
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
app: {{ template "postgresql.name" . }}
chart: {{ template "postgresql.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
role: master
{{- with .Values.master.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.master.podAnnotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}"
{{- end }}
{{- include "postgresql.imagePullSecrets" . | indent 6 }}
{{- if .Values.master.nodeSelector }}
nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.master.affinity }}
affinity: {{- toYaml .Values.master.affinity | nindent 8 }}
{{- end }}
{{- if .Values.master.tolerations }}
tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
{{- end }}
{{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
- name: init-chmod-data
image: {{ template "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -cx
- |
{{- if .Values.persistence.enabled }}
mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
xargs chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
{{- end }}
{{- end }}
{{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
securityContext:
{{- else }}
securityContext:
runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
{{- end }}
volumeMounts:
{{- if .Values.persistence.enabled }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- end }}
{{- if .Values.master.extraInitContainers }}
{{- tpl .Values.master.extraInitContainers . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.master.priorityClassName }}
priorityClassName: {{ .Values.master.priorityClassName }}
{{- end }}
containers:
- name: {{ template "postgresql.fullname" . }}
image: {{ template "postgresql.image" . }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: POSTGRESQL_PORT_NUMBER
value: "{{ template "postgresql.port" . }}"
- name: POSTGRESQL_VOLUME_DIR
value: "{{ .Values.persistence.mountPath }}"
{{- if .Values.postgresqlInitdbArgs }}
- name: POSTGRES_INITDB_ARGS
value: {{ .Values.postgresqlInitdbArgs | quote }}
{{- end }}
{{- if .Values.postgresqlInitdbWalDir }}
- name: POSTGRES_INITDB_WALDIR
value: {{ .Values.postgresqlInitdbWalDir | quote }}
{{- end }}
{{- if .Values.initdbUser }}
- name: POSTGRESQL_INITSCRIPTS_USERNAME
value: {{ .Values.initdbUser }}
{{- end }}
{{- if .Values.initdbPassword }}
- name: POSTGRESQL_INITSCRIPTS_PASSWORD
value: {{ .Values.initdbPassword }}
{{- end }}
{{- if .Values.persistence.mountPath }}
- name: PGDATA
value: {{ .Values.postgresqlDataDir | quote }}
{{- end }}
{{- if .Values.replication.enabled }}
- name: POSTGRES_REPLICATION_MODE
value: "master"
- name: POSTGRES_REPLICATION_USER
value: {{ include "postgresql.replication.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_REPLICATION_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
{{- else }}
- name: POSTGRES_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-replication-password
{{- end }}
{{- if not (eq .Values.replication.synchronousCommit "off")}}
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
value: {{ .Values.replication.synchronousCommit | quote }}
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
value: {{ .Values.replication.numSynchronousReplicas | quote }}
{{- end }}
- name: POSTGRES_CLUSTER_APP_NAME
value: {{ .Values.replication.applicationName }}
{{- end }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
{{- else }}
- name: POSTGRES_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-postgres-password
{{- end }}
{{- end }}
- name: POSTGRES_USER
value: {{ include "postgresql.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
{{- if (include "postgresql.database" .) }}
- name: POSTGRES_DB
value: {{ (include "postgresql.database" .) | quote }}
{{- end }}
{{- if .Values.extraEnv }}
{{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }}
{{- end }}
- name: POSTGRESQL_ENABLE_LDAP
value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
{{- if .Values.ldap.enabled }}
- name: POSTGRESQL_LDAP_SERVER
value: {{ .Values.ldap.server }}
- name: POSTGRESQL_LDAP_PORT
value: {{ .Values.ldap.port | quote }}
- name: POSTGRESQL_LDAP_SCHEME
value: {{ .Values.ldap.scheme }}
{{- if .Values.ldap.tls }}
- name: POSTGRESQL_LDAP_TLS
value: "1"
{{- end}}
- name: POSTGRESQL_LDAP_PREFIX
value: {{ .Values.ldap.prefix | quote }}
- name: POSTGRESQL_LDAP_SUFFIX
value: {{ .Values.ldap.suffix | quote}}
- name: POSTGRESQL_LDAP_BASE_DN
value: {{ .Values.ldap.baseDN }}
- name: POSTGRESQL_LDAP_BIND_DN
value: {{ .Values.ldap.bindDN }}
{{- if (not (empty .Values.ldap.bind_password)) }}
- name: POSTGRESQL_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-ldap-password
{{- end}}
- name: POSTGRESQL_LDAP_SEARCH_ATTR
value: {{ .Values.ldap.search_attr }}
- name: POSTGRESQL_LDAP_SEARCH_FILTER
value: {{ .Values.ldap.search_filter }}
- name: POSTGRESQL_LDAP_URL
value: {{ .Values.ldap.url }}
{{- end}}
{{- if .Values.extraEnvVarsCM }}
envFrom:
- configMapRef:
name: {{ tpl .Values.extraEnvVarsCM . }}
{{- end }}
ports:
- name: tcp-postgresql
containerPort: {{ template "postgresql.port" . }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
exec:
command:
- /bin/sh
- -c
- -e
{{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
volumeMounts:
{{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d/
{{- end }}
{{- if .Values.initdbScriptsSecret }}
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/secret
{{- end }}
{{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
- name: postgresql-extended-config
mountPath: /bitnami/postgresql/conf/conf.d/
{{- end }}
{{- if .Values.usePasswordFile }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.persistence.enabled }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
- name: postgresql-config
mountPath: /bitnami/postgresql/conf
{{- end }}
{{- if .Values.master.extraVolumeMounts }}
{{- toYaml .Values.master.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.master.sidecars }}
{{- include "postgresql.tplValue" ( dict "value" .Values.master.sidecars "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "postgresql.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.metrics.securityContext.runAsUser }}
{{- end }}
env:
{{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }}
{{- if .Values.usePasswordFile }}
- name: DATA_SOURCE_PASS_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
- name: DATA_SOURCE_USER
value: {{ template "postgresql.username" . }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /
port: http-metrics
initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /
port: http-metrics
initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.metrics.customMetrics }}
- name: custom-metrics
mountPath: /conf
readOnly: true
args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
{{- end }}
ports:
- name: http-metrics
containerPort: 9187
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- end }}
volumes:
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
- name: postgresql-config
configMap:
name: {{ template "postgresql.configurationCM" . }}
{{- end }}
{{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
- name: postgresql-extended-config
configMap:
name: {{ template "postgresql.extendedConfigurationCM" . }}
{{- end }}
{{- if .Values.usePasswordFile }}
- name: postgresql-password
secret:
secretName: {{ template "postgresql.secretName" . }}
{{- end }}
{{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
name: {{ template "postgresql.initdbScriptsCM" . }}
{{- end }}
{{- if .Values.initdbScriptsSecret }}
- name: custom-init-scripts-secret
secret:
secretName: {{ template "postgresql.initdbScriptsSecret" . }}
{{- end }}
{{- if .Values.master.extraVolumes }}
{{- toYaml .Values.master.extraVolumes | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:
name: {{ template "postgresql.metricsCM" . }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 1Gi
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
{{- with .Values.persistence.existingClaim }}
claimName: {{ tpl . $ }}
{{- end }}
{{- else if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: data
labels:
app: gitlab
component: {{ template "postgresql.name" . }}
{{- with .Values.persistence.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{ include "postgresql.storageClass" . }}
selector:
matchLabels:
app: gitlab
component: {{ template "postgresql.name" . }}
{{- end }}
vim gitlab/charts/redis/templates/redis-master-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "redis.fullname" . }}-master
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
role: master
serviceName: {{ template "redis.fullname" . }}-headless
template:
metadata:
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
role: master
{{- if .Values.master.podLabels }}
{{ toYaml .Values.master.podLabels | indent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podLabels }}
{{ toYaml .Values.metrics.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }}
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- if .Values.master.podAnnotations }}
{{ toYaml .Values.master.podAnnotations | indent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{ toYaml .Values.metrics.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- include "redis.imagePullSecrets" . | indent 6 }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.securityContext.sysctls }}
sysctls:
{{ toYaml .Values.securityContext.sysctls | indent 8 }}
{{- end }}
{{- end }}
serviceAccountName: "{{ template "redis.serviceAccountName" . }}"
{{- if .Values.master.priorityClassName }}
priorityClassName: "{{ .Values.master.priorityClassName }}"
{{- end }}
{{- with .Values.master.affinity }}
affinity:
{{ tpl (toYaml .) $ | indent 8 }}
{{- end }}
{{- if .Values.master.nodeSelector }}
nodeSelector:
{{ toYaml .Values.master.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.master.tolerations }}
tolerations:
{{ toYaml .Values.master.tolerations | indent 8 }}
{{- end }}
{{- if .Values.master.schedulerName }}
schedulerName: "{{ .Values.master.schedulerName }}"
{{- end }}
containers:
- name: {{ template "redis.fullname" . }}
image: "{{ template "redis.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- /bin/bash
- -c
- |
{{- if (eq (.Values.securityContext.runAsUser | int) 0) }}
useradd redis
chown -R redis {{ .Values.master.persistence.path }}
{{- end }}
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then
cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf
fi
if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
fi
ARGS=("--port" "${REDIS_PORT}")
{{- if .Values.usePassword }}
ARGS+=("--requirepass" "${REDIS_PASSWORD}")
ARGS+=("--masterauth" "${REDIS_PASSWORD}")
{{- else }}
ARGS+=("--protected-mode" "no")
{{- end }}
ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
{{- if .Values.master.extraFlags }}
{{- range .Values.master.extraFlags }}
ARGS+=({{ . | quote }})
{{- end }}
{{- end }}
{{- if .Values.master.command }}
{{ .Values.master.command }} ${ARGS[@]}
{{- else }}
redis-server "${ARGS[@]}"
{{- end }}
env:
- name: REDIS_REPLICATION_MODE
value: master
{{- if .Values.usePassword }}
{{- if .Values.usePasswordFile }}
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
{{- else }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- else }}
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
{{- end }}
- name: REDIS_PORT
value: {{ .Values.redisPort | quote }}
ports:
- name: redis
containerPort: {{ .Values.redisPort }}
{{- if .Values.master.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.master.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.master.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.master.readinessProbe.enabled}}
readinessProbe:
initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.master.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.master.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_readiness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }}
{{- end }}
resources:
{{ toYaml .Values.master.resources | indent 10 }}
volumeMounts:
- name: health
mountPath: /health
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
{{- end }}
- name: redis-data
mountPath: {{ .Values.master.persistence.path }}
subPath: {{ .Values.master.persistence.subPath }}
- name: config
mountPath: /opt/bitnami/redis/mounted-etc
- name: redis-tmp-conf
mountPath: /opt/bitnami/redis/etc/
{{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
- name: sentinel
image: "{{ template "sentinel.image" . }}"
imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- /bin/bash
- -c
- |
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]];then
cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- if .Values.usePassword }}
printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- if .Values.sentinel.usePassword }}
printf "\nrequirepass $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- end }}
{{- end }}
{{- if .Values.sentinel.staticID }}
printf "\nsentinel myid $(echo $HOSTNAME | openssl sha1 | awk '{ print $2 }')" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- end }}
fi
echo "Getting information about current running sentinels"
existing_sentinels=$(timeout -s 9 {{ .Values.sentinel.initialCheckTimeout }} redis-cli --raw -h {{ template "redis.fullname" . }} -a "$REDIS_PASSWORD" -p {{ .Values.sentinel.service.sentinelPort }} SENTINEL sentinels {{ .Values.sentinel.masterSet }})
echo "$existing_sentinels" | awk -f /health/parse_sentinels.awk | tee -a /opt/bitnami/redis-sentinel/etc/sentinel.conf
redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel
env:
{{- if .Values.usePassword }}
{{- if .Values.usePasswordFile }}
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
{{- else }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- else }}
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
{{- end }}
- name: REDIS_SENTINEL_PORT
value: {{ .Values.sentinel.port | quote }}
ports:
- name: redis-sentinel
containerPort: {{ .Values.sentinel.port }}
{{- if .Values.sentinel.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.sentinel.readinessProbe.enabled}}
readinessProbe:
initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
{{- end }}
resources:
{{ toYaml .Values.sentinel.resources | indent 10 }}
volumeMounts:
- name: health
mountPath: /health
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
{{- end }}
- name: redis-data
mountPath: {{ .Values.master.persistence.path }}
subPath: {{ .Values.master.persistence.subPath }}
- name: config
mountPath: /opt/bitnami/redis-sentinel/mounted-etc
- name: sentinel-tmp-conf
mountPath: /opt/bitnami/redis-sentinel/etc/
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "redis.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
command:
- /bin/bash
- -c
- |
if [[ -f '/secrets/redis-password' ]]; then
export REDIS_PASSWORD=$(cat /secrets/redis-password)
fi
redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
env:
- name: REDIS_ALIAS
value: {{ template "redis.fullname" . }}
{{- if and .Values.usePassword (not .Values.usePasswordFile) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /secrets/
{{- end }}
ports:
- name: metrics
containerPort: 9121
resources:
{{ toYaml .Values.metrics.resources | indent 10 }}
{{- end }}
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and ( and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) ) .Values.securityContext.enabled) }}
{{- if or $needsVolumePermissions .Values.sysctlImage.enabled }}
initContainers:
{{- if $needsVolumePermissions }}
- name: volume-permissions
image: "{{ template "redis.volumePermissions.image" . }}"
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.master.persistence.path }}"]
securityContext:
runAsUser: 0
resources:
{{ toYaml .Values.volumePermissions.resources | indent 10 }}
volumeMounts:
- name: redis-data
mountPath: {{ .Values.master.persistence.path }}
subPath: {{ .Values.master.persistence.subPath }}
{{- end }}
{{- if .Values.sysctlImage.enabled }}
- name: init-sysctl
image: {{ template "redis.sysctl.image" . }}
imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }}
resources:
{{ toYaml .Values.sysctlImage.resources | indent 10 }}
{{- if .Values.sysctlImage.mountHostSys }}
volumeMounts:
- name: host-sys
mountPath: /host-sys
{{- end }}
command:
{{ toYaml .Values.sysctlImage.command | indent 10 }}
securityContext:
privileged: true
runAsUser: 0
{{- end }}
{{- end }}
volumes:
- name: health
configMap:
name: {{ template "redis.fullname" . }}-health
defaultMode: 0755
{{- if .Values.usePasswordFile }}
- name: redis-password
secret:
secretName: {{ template "redis.secretName" . }}
items:
- key: {{ template "redis.secretPasswordKey" . }}
path: redis-password
{{- end }}
- name: config
configMap:
name: {{ template "redis.fullname" . }}
{{- if not .Values.master.persistence.enabled }}
- name: "redis-data"
emptyDir: {}
{{- else }}
{{- if .Values.persistence.existingClaim }}
- name: "redis-data"
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim }}
{{- end }}
{{- end }}
{{- if .Values.sysctlImage.mountHostSys }}
- name: host-sys
hostPath:
path: /sys
{{- end }}
- name: redis-tmp-conf
emptyDir: {}
{{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
- name: sentinel-tmp-conf
emptyDir: {}
{{- end }}
{{- if and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: redis-data
labels:
app: gitlab
component: {{ template "redis.name" . }}
spec:
accessModes:
{{- range .Values.master.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.master.persistence.size | quote }}
{{ include "redis.master.storageClass" . }}
selector:
matchLabels:
app: gitlab
component: {{ template "redis.name" . }}
{{- end }}
updateStrategy:
type: {{ .Values.master.statefulset.updateStrategy }}
{{- if .Values.master.statefulset.rollingUpdatePartition }}
{{- if (eq "Recreate" .Values.master.statefulset.updateStrategy) }}
rollingUpdate: null
{{- else }}
rollingUpdate:
partition: {{ .Values.master.statefulset.rollingUpdatePartition }}
{{- end }}
{{- end }}
渲染模板,查看上面修改是否存在问题:
helm template --dry-run mygitlab gitlab/ -n public-service > gitlab.yaml
渲染之后经过修改,最终得到 gitlab.yaml。
gitlab.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: mygitlab-gitaly
namespace: public-service
labels:
app: gitaly
chart: gitaly-4.4.3
release: mygitlab
heritage: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app: gitaly
release: mygitlab
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: mygitlab-gitlab-shell
namespace: public-service
labels:
app: gitlab-shell
chart: gitlab-shell-4.4.3
release: mygitlab
heritage: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app: gitlab-shell
release: mygitlab
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: mygitlab-sidekiq-all-in-1-v1
namespace: public-service
labels:
app: sidekiq
chart: sidekiq-4.4.3
release: mygitlab
heritage: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app: sidekiq
release: mygitlab
queue-pod-name: all-in-1
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: mygitlab-webservice
namespace: public-service
labels:
app: webservice
chart: webservice-4.4.3
release: mygitlab
heritage: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app: webservice
release: mygitlab
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: mygitlab-minio-v1
namespace: public-service
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app: minio
release: mygitlab
component: app
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: mygitlab-registry-v1
namespace: public-service
labels:
app: registry
chart: registry-0.5.0
release: mygitlab
heritage: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app: registry
release: mygitlab
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-gitaly
namespace: public-service
labels:
app: gitaly
chart: gitaly-4.4.3
release: mygitlab
heritage: Helm
data:
configure: |
set -e
mkdir -p /init-secrets/gitaly /init-secrets/shell
cp -v -r -L /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret
cp -v -r -L /init-config/gitaly_token /init-secrets/gitaly/gitaly_token
config.toml.erb: |
bin_dir = "/usr/local/bin"
listen_addr = "0.0.0.0:8075"
internal_socket_dir = "/home/git"
prometheus_listen_addr = "localhost:9236"
<% @storages = [ "default", ] %>
<% @index=`echo ${HOSTNAME##*-}`.to_i %>
<% if @storages.length > @index %>
[[storage]]
name = "<%= @storages[@index] %>"
path = "/home/git/repositories"
<% else %>
<% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %>
<% end %>
[logging]
format = "json"
dir = "/var/log/gitaly"
[auth]
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token').strip.dump[1..-2] %>"
[git]
[gitaly-ruby]
dir = "/srv/gitaly-ruby"
rugged_git_config_search_path = "/usr/local/etc"
[gitlab-shell]
dir = "/srv/gitlab-shell"
[gitlab]
secret_file = "/etc/gitlab-secrets/shell/.gitlab_shell_secret"
url = "http://mygitlab-webservice:8181/"
[gitlab.http-settings]
self_signed_cert = false
[hooks]
custom_hooks_dir = "/home/git/custom_hooks"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-gitlab-shell-sshd
namespace: public-service
labels:
app: gitlab-shell
chart: gitlab-shell-4.4.3
release: mygitlab
heritage: Helm
data:
sshd_config: |
Port 2222
PermitRootLogin no
UsePrivilegeSeparation no
PidFile /srv/sshd/sshd.pid
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /authorized_keys %u %k
AuthorizedKeysCommandUser git
PasswordAuthentication no
AllowUsers git
AcceptEnv GIT_PROTOCOL
DisableForwarding yes
MaxStartups 10:30:100
LoginGraceTime 120
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-gitlab-shell
namespace: public-service
labels:
app: gitlab-shell
chart: gitlab-shell-4.4.3
release: mygitlab
heritage: Helm
data:
configure: |
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in shell ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in redis minio objectstorage postgres ldap omniauth smtp kas ; do
if [ -e "${config_dir}/${secret}" ]; then
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
fi
done
mkdir -p /${secret_dir}/ssh
cp -v -r -L /${config_dir}/ssh_host_* /${secret_dir}/ssh/
chmod 0400 /${secret_dir}/ssh/ssh_host_*
config.yml.erb: |
user: git
gitlab_url: "http://mygitlab-webservice:8181/"
secret_file: /etc/gitlab-secrets/shell/.gitlab_shell_secret
http_settings:
self_signed_cert: false
auth_file: "/home/git/.ssh/authorized_keys"
log_level: INFO
audit_usernames: false
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-migrations
namespace: public-service
labels:
app: migrations
chart: migrations-4.4.3
release: mygitlab
heritage: Helm
data:
installation_type: |
gitlab-helm-chart
database.yml.erb: |
production:
adapter: postgresql
encoding: unicode
database: gitlabhq_production
username: gitlab
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: "mygitlab-postgresql"
port: 5432
pool: 1
connect_timeout:
prepared_statements: false
resque.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
cable.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
adapter: redis
gitlab.yml.erb: |
production: &base
gitlab:
host: gitlab.lzxlinux.com
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
repositories:
storages: # You must have at least a `default` storage path.
default:
path: /var/opt/gitlab/repo
gitaly_address: tcp://mygitlab-gitaly-0.mygitlab-gitaly.public-service:8075
configure: |
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in rails-secrets migrations gitaly ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in redis minio objectstorage postgres ldap omniauth smtp kas ; do
if [ -e "${config_dir}/${secret}" ]; then
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
fi
done
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-sidekiq-all-in-1
namespace: public-service
labels:
app: sidekiq
chart: sidekiq-4.4.3
release: mygitlab
heritage: Helm
queue_pod_name: all-in-1
data:
sidekiq_queues.yml.erb: |
<%=
sq = YAML.load_file('/srv/gitlab/config/sidekiq_queues.yml')
sq.to_yaml
%>
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-sidekiq
namespace: public-service
labels:
app: sidekiq
chart: sidekiq-4.4.3
release: mygitlab
heritage: Helm
data:
installation_type: |
gitlab-helm-chart
database.yml.erb: |
production:
adapter: postgresql
encoding: unicode
database: gitlabhq_production
username: gitlab
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: "mygitlab-postgresql"
port: 5432
pool: 1
connect_timeout:
prepared_statements: false
smtp_settings.rb: |
resque.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
cable.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
adapter: redis
gitlab.yml.erb: |
production: &base
gitlab:
host: gitlab.lzxlinux.com
https: false
max_request_duration_seconds: 57
impersonation_enabled:
usage_ping_enabled: true
seat_link_enabled: true
default_can_create_group: true
username_changing_enabled: true
issue_closing_pattern:
default_theme:
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
builds: true
container_registry: true
webhook_timeout:
trusted_proxies:
time_zone: "UTC"
email_from: "gitlab@lzxlinux.com"
email_display_name: "GitLab"
email_reply_to: "noreply@lzxlinux.com"
email_subject_suffix: ""
gravatar:
plain_url:
ssl_url:
extra:
object_store:
enabled: true
direct_upload: true
background_upload: false
proxy_download: true
connection:
provider: AWS
region: us-east-1
host: minio.lzxlinux.com
endpoint: http://mygitlab-minio-svc:9000
path_style: true
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
objects:
artifacts:
bucket: gitlab-artifacts
lfs:
bucket: git-lfs
uploads:
bucket: gitlab-uploads
packages:
bucket: gitlab-packages
external_diffs:
bucket: gitlab-mr-diffs
terraform_state:
bucket: gitlab-terraform-state
dependency_proxy:
bucket: gitlab-dependency-proxy
artifacts:
enabled: true
lfs:
enabled: true
uploads:
enabled: true
packages:
enabled: true
external_diffs:
enabled:
when:
terraform_state:
enabled: false
dependency_proxy:
enabled: false
pseudonymizer:
manifest: config/pseudonymizer.yml
upload:
remote_directory: gitlab-pseudo
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: minio.lzxlinux.com
endpoint: http://mygitlab-minio-svc:9000
path_style: true
sentry:
enabled: false
dsn:
clientside_dsn:
environment:
pages:
enabled: false
mattermost:
enabled: false
registry:
enabled: true
host: registry.lzxlinux.com
api_url: http://mygitlab-registry:5000
key: /etc/gitlab/registry/gitlab-registry.key
issuer: gitlab-issuer
gitlab_ci:
ldap:
enabled: false
omniauth:
enabled: false
sync_profile_from_provider: []
sync_profile_attributes: ["email"]
allow_single_sign_on: ["saml"]
block_auto_created_users: true
auto_link_ldap_user: false
auto_link_saml_user: false
external_providers: []
kerberos:
enabled: false
shared:
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
repositories:
storages: # You must have at least a `default` storage path.
default:
path: /var/opt/gitlab/repo
gitaly_address: tcp://mygitlab-gitaly-0.mygitlab-gitaly.public-service:8075
backup:
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
gitlab_shell:
path: /home/git/gitlab-shell/
hooks_path: /home/git/gitlab-shell/hooks/
upload_pack: true
receive_pack: true
workhorse:
git:
bin_path: /usr/bin/git
webpack:
monitoring:
ip_whitelist:
- 127.0.0.0/8
sidekiq_exporter:
enabled: true
address: 0.0.0.0
port: 3807
sidekiq:
log_format: default
configure: |
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in gitaly registry rails-secrets ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in redis minio objectstorage postgres ldap omniauth smtp kas ; do
if [ -e "${config_dir}/${secret}" ]; then
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
fi
done
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-task-runner
namespace: public-service
labels:
app: task-runner
chart: task-runner-4.4.3
release: mygitlab
heritage: Helm
data:
database.yml.erb: |
production:
adapter: postgresql
encoding: unicode
database: gitlabhq_production
username: gitlab
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: "mygitlab-postgresql"
port: 5432
pool: 1
connect_timeout:
prepared_statements: false
smtp_settings.rb: |
resque.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
cable.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
adapter: redis
gitlab.yml.erb: |
production: &base
gitlab:
host: gitlab.lzxlinux.com
https: false
max_request_duration_seconds: 57
impersonation_enabled:
usage_ping_enabled: true
seat_link_enabled: true
default_can_create_group: true
username_changing_enabled: true
issue_closing_pattern:
default_theme:
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
builds: true
container_registry: true
webhook_timeout:
trusted_proxies:
time_zone: "UTC"
email_from: "gitlab@lzxlinux.com"
email_display_name: "GitLab"
email_reply_to: "noreply@lzxlinux.com"
email_subject_suffix: ""
object_store:
enabled: true
direct_upload: true
background_upload: false
proxy_download: true
connection:
provider: AWS
region: us-east-1
host: minio.lzxlinux.com
endpoint: http://mygitlab-minio-svc:9000
path_style: true
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
objects:
artifacts:
bucket: gitlab-artifacts
lfs:
bucket: git-lfs
uploads:
bucket: gitlab-uploads
packages:
bucket: gitlab-packages
external_diffs:
bucket: gitlab-mr-diffs
terraform_state:
bucket: gitlab-terraform-state
dependency_proxy:
bucket: gitlab-dependency-proxy
artifacts:
enabled: true
lfs:
enabled: true
uploads:
enabled: true
packages:
enabled: true
external_diffs:
enabled:
when:
terraform_state:
enabled: false
dependency_proxy:
enabled: false
pseudonymizer:
manifest: config/pseudonymizer.yml
upload:
remote_directory: gitlab-pseudo
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: minio.lzxlinux.com
endpoint: http://mygitlab-minio-svc:9000
path_style: true
pages:
enabled: false
mattermost:
enabled: false
registry:
enabled: true
host: registry.lzxlinux.com
api_url: http://mygitlab-registry:5000
key: /etc/gitlab/registry/gitlab-registry.key
issuer: gitlab-issuer
gitlab_ci:
ldap:
enabled: false
omniauth:
enabled: false
sync_profile_from_provider: []
sync_profile_attributes: ["email"]
allow_single_sign_on: ["saml"]
block_auto_created_users: true
auto_link_ldap_user: false
auto_link_saml_user: false
external_providers: []
kerberos:
enabled: false
shared:
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
repositories:
storages: # You must have at least a `default` storage path.
default:
path: /var/opt/gitlab/repo
gitaly_address: tcp://mygitlab-gitaly-0.mygitlab-gitaly.public-service:8075
backup:
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
gitlab_shell:
path: /home/git/gitlab-shell/
hooks_path: /home/git/gitlab-shell/hooks/
upload_pack: true
receive_pack: true
secret_file: /etc/gitlab/shell/.gitlab_shell_secret
workhorse:
git:
bin_path: /usr/bin/git
webpack:
monitoring:
ip_whitelist:
- 127.0.0.0/8
sidekiq_exporter:
extra:
configure: |
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in shell gitaly registry rails-secrets ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in redis minio objectstorage postgres ldap omniauth smtp kas ; do
if [ -e "${config_dir}/${secret}" ]; then
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
fi
done
if [ ! -f "/${secret_dir}/objectstorage/.s3cfg" ]; then
cat <<EOF > "/${secret_dir}/.s3cfg"
[default]
access_key = $(cat /init-secrets/minio/accesskey)
secret_key = $(cat /init-secrets/minio/secretkey)
bucket_location = us-east-1
host_base = minio.lzxlinux.com
host_bucket = minio.lzxlinux.com/%(bucket)
default_mime_type = binary/octet-stream
enable_multipart = True
multipart_max_chunks = 10000
multipart_chunk_size_mb = 128
recursive = True
recv_chunk = 65536
send_chunk = 65536
server_side_encryption = False
signature_v2 = True
socket_timeout = 300
use_mime_magic = False
verbosity = WARNING
website_endpoint = http://minio.lzxlinux.com
EOF
else
mv "/${secret_dir}/objectstorage/.s3cfg" "/${secret_dir}/.s3cfg"
fi
configure-gsutil: |
printf "$GOOGLE_APPLICATION_CREDENTIALS\nN\n\nN\n" | gsutil config -e
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-webservice
namespace: public-service
labels:
app: webservice
chart: webservice-4.4.3
release: mygitlab
heritage: Helm
data:
installation_type: |
gitlab-helm-chart
database.yml.erb: |
production:
adapter: postgresql
encoding: unicode
database: gitlabhq_production
username: gitlab
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: "mygitlab-postgresql"
port: 5432
pool: 1
connect_timeout:
prepared_statements: false
smtp_settings.rb: |
resque.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
cable.yml.erb: |
production:
url: redis://:<%= ERB::Util::url_encode(File.read("/etc/gitlab/redis/redis-password").strip) %>@mygitlab-redis-master:6379
id:
adapter: redis
gitlab.yml.erb: |
production: &base
gitlab:
host: gitlab.lzxlinux.com
https: false
max_request_duration_seconds: 57
impersonation_enabled:
usage_ping_enabled: true
seat_link_enabled: true
default_can_create_group: true
username_changing_enabled: true
issue_closing_pattern:
default_theme:
default_projects_features:
issues: true
merge_requests: true
wiki: true
snippets: true
builds: true
container_registry: true
webhook_timeout:
trusted_proxies:
time_zone: "UTC"
email_from: "gitlab@lzxlinux.com"
email_display_name: "GitLab"
email_reply_to: "noreply@lzxlinux.com"
email_subject_suffix: ""
gravatar:
plain_url:
ssl_url:
extra:
object_store:
enabled: true
direct_upload: true
background_upload: false
proxy_download: true
connection:
provider: AWS
region: us-east-1
host: minio.lzxlinux.com
endpoint: http://mygitlab-minio-svc:9000
path_style: true
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
objects:
artifacts:
bucket: gitlab-artifacts
lfs:
bucket: git-lfs
uploads:
bucket: gitlab-uploads
packages:
bucket: gitlab-packages
external_diffs:
bucket: gitlab-mr-diffs
terraform_state:
bucket: gitlab-terraform-state
dependency_proxy:
bucket: gitlab-dependency-proxy
artifacts:
enabled: true
lfs:
enabled: true
uploads:
enabled: true
packages:
enabled: true
external_diffs:
enabled:
when:
terraform_state:
enabled: false
dependency_proxy:
enabled: false
sentry:
enabled: false
dsn:
clientside_dsn:
environment:
pages:
enabled: false
mattermost:
enabled: false
gitlab_ci:
ldap:
enabled: false
omniauth:
enabled: false
sync_profile_from_provider: []
sync_profile_attributes: ["email"]
allow_single_sign_on: ["saml"]
block_auto_created_users: true
auto_link_ldap_user: false
auto_link_saml_user: false
external_providers: []
kerberos:
enabled: false
shared:
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
repositories:
storages: # You must have at least a `default` storage path.
default:
path: /var/opt/gitlab/repo
gitaly_address: tcp://mygitlab-gitaly-0.mygitlab-gitaly.public-service:8075
backup:
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
gitlab_shell:
path: /home/git/gitlab-shell/
hooks_path: /home/git/gitlab-shell/hooks/
upload_pack: true
receive_pack: true
ssh_port: 22
secret_file: /etc/gitlab/shell/.gitlab_shell_secret
workhorse:
secret_file: /etc/gitlab/gitlab-workhorse/secret
git:
bin_path: /usr/bin/git
webpack:
monitoring:
ip_whitelist:
- 0.0.0.0/0
web_exporter:
enabled: false
address: 0.0.0.0
port: 8083
sidekiq_exporter:
shutdown:
blackout_seconds: 10
rack_attack:
git_basic_auth:
registry:
enabled: true
host: registry.lzxlinux.com
api_url: http://mygitlab-registry:5000
key: /etc/gitlab/registry/gitlab-registry.key
issuer: gitlab-issuer
smartcard:
enabled: false
ca_file: '/etc/gitlab/rails-secrets/smartcard-ca.crt'
client_certificate_required_host: smartcard.lzxlinux.com
client_certificate_required_port: 443
san_extensions: false
required_for_git_access: false
configure: |
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in shell gitaly registry rails-secrets gitlab-workhorse ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in redis minio objectstorage postgres ldap omniauth smtp kas ; do
if [ -e "${config_dir}/${secret}" ]; then
mkdir -p "${secret_dir}/${secret}"
cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
fi
done
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-workhorse-config
namespace: public-service
labels:
app: webservice
chart: webservice-4.4.3
release: mygitlab
heritage: Helm
data:
installation_type: |
gitlab-helm-chart
workhorse-config.toml.erb: |
[redis]
URL = "redis://mygitlab-redis-master:6379"
Password = "<%= File.read("/etc/gitlab/redis/redis-password").strip.dump[1..-2] %>"
<%
require 'yaml'
supported_providers = %w(AWS AzureRM)
provider = ''
aws_access_key_id = ''
aws_secret_access_key = ''
azure_storage_account_name = ''
azure_storage_access_key = ''
if File.exists? '/etc/gitlab/minio/accesskey'
provider = 'AWS'
aws_access_key_id = File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2]
aws_secret_access_key = File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2]
end
if File.exists? '/etc/gitlab/objectstorage/object_store'
connection = YAML.safe_load(File.read('/etc/gitlab/objectstorage/object_store'))
provider = connection['provider']
if connection.has_key? 'aws_access_key_id'
aws_access_key_id = connection['aws_access_key_id']
aws_secret_access_key = connection['aws_secret_access_key']
elsif connection.has_key? 'azure_storage_account_name'
azure_storage_account_name = connection['azure_storage_account_name']
azure_storage_access_key = connection['azure_storage_access_key']
end
end
if supported_providers.include? provider
%>
[object_storage]
provider = "<%= provider %>"
<% if provider.eql? 'AWS' %>
[object_storage.s3]
aws_access_key_id = "<%= aws_access_key_id %>"
aws_secret_access_key = "<%= aws_secret_access_key %>"
<% elsif provider.eql? 'AzureRM' %>
[object_storage.azurerm]
azure_storage_account_name = "<%= azure_storage_account_name %>"
azure_storage_access_key = "<%= azure_storage_access_key %>"
<%
end
end
%>
configure: |
set -e
mkdir -p /init-secrets-workhorse/gitlab-workhorse
cp -v -r -L /init-config/gitlab-workhorse/secret /init-secrets-workhorse/gitlab-workhorse/secret
mkdir -p /init-secrets-workhorse/redis
cp -v -r -L /init-config/redis/redis-password /init-secrets-workhorse/redis/
if [ -d /init-config/minio ]; then
mkdir -p /init-secrets-workhorse/minio
cp -v -r -L /init-config/minio/* /init-secrets-workhorse/minio/
fi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-minio-config-cm
namespace: public-service
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
data:
initialize: |-
set -e ; # Have script exit in the event of a failed command.
connectToMinio() {
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/accesskey) ; SECRET=$(cat /config/secretkey) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to Minio server: http://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="mc config host add myminio http://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS -eq 0 ] ;
do
sleep 1 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
checkBucketExists() {
BUCKET=$1
CMD=$(/usr/bin/mc ls myminio/$BUCKET > /dev/null 2>&1)
return $?
}
createBucket() {
BUCKET=$1
POLICY=$2
PURGE=$3
if [ $PURGE = true ]; then
if checkBucketExists $BUCKET ; then
echo "Purging bucket '$BUCKET'."
set +e ; # don't exit if this fails
/usr/bin/mc rm -r --force myminio/$BUCKET
set -e ; # reset `e` as active
else
echo "Bucket '$BUCKET' does not exist, skipping purge."
fi
fi
if ! checkBucketExists $BUCKET ; then
echo "Creating bucket '$BUCKET'"
/usr/bin/mc mb myminio/$BUCKET
else
echo "Bucket '$BUCKET' already exists."
fi
echo "Setting policy of bucket '$BUCKET' to '$POLICY'."
/usr/bin/mc policy $POLICY myminio/$BUCKET
}
connectToMinio
createBucket registry none false
createBucket git-lfs none false
createBucket runner-cache none false
createBucket gitlab-uploads none false
createBucket gitlab-artifacts none false
createBucket gitlab-backups none false
createBucket gitlab-packages none false
createBucket tmp none false
createBucket gitlab-pseudo none false
createBucket gitlab-mr-diffs none false
createBucket gitlab-terraform-state none false
createBucket gitlab-dependency-proxy none false
configure: |-
sed -e 's@ACCESS_KEY@'"$(cat /config/accesskey)"'@' -e 's@SECRET_KEY@'"$(cat /config/secretkey)"'@' /config/config.json > /minio/config.json
config.json: |-
{
"version": "20",
"credential": {
"accessKey": "ACCESS_KEY",
"secretKey": "SECRET_KEY"
},
"region": "us-east-1",
"browser": "on",
"domain": "",
"logger": {
"console": {
"enable": true
},
"file": {
"enable": false,
"fileName": ""
}
},
"notify": {
"amqp": {
"1": {
"enable": false,
"url": "",
"exchange": "",
"routingKey": "",
"exchangeType": "",
"deliveryMode": 0,
"mandatory": false,
"immediate": false,
"durable": false,
"internal": false,
"noWait": false,
"autoDeleted": false
}
},
"nats": {
"1": {
"enable": false,
"address": "",
"subject": "",
"username": "",
"password": "",
"token": "",
"secure": false,
"pingInterval": 0,
"streaming": {
"enable": false,
"clusterID": "",
"clientID": "",
"async": false,
"maxPubAcksInflight": 0
}
}
},
"elasticsearch": {
"1": {
"enable": false,
"format": "namespace",
"url": "",
"index": ""
}
},
"redis": {
"1": {
"enable": false,
"format": "namespace",
"address": "",
"password": "",
"key": ""
}
},
"postgresql": {
"1": {
"enable": false,
"format": "namespace",
"connectionString": "",
"table": "",
"host": "",
"port": "",
"user": "",
"password": "",
"database": ""
}
},
"kafka": {
"1": {
"enable": false,
"brokers": null,
"topic": ""
}
},
"webhook": {
"1": {
"enable": false,
"endpoint": ""
}
},
"mysql": {
"1": {
"enable": false,
"format": "namespace",
"dsnString": "",
"table": "",
"host": "",
"port": "",
"user": "",
"password": "",
"database": ""
}
},
"mqtt": {
"1": {
"enable": false,
"broker": "",
"topic": "",
"qos": 0,
"clientId": "",
"username": "",
"password": ""
}
}
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-redis
namespace: public-service
labels:
app: redis
chart: redis-10.3.4
heritage: Helm
release: mygitlab
data:
redis.conf: |-
appendonly yes
save ""
master.conf: |-
dir /data
rename-command FLUSHDB ""
rename-command FLUSHALL ""
replica.conf: |-
dir /data
slave-read-only yes
rename-command FLUSHDB ""
rename-command FLUSHALL ""
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-redis-health
namespace: public-service
labels:
app: redis
chart: redis-10.3.4
heritage: Helm
release: mygitlab
data:
ping_readiness_local.sh: |-
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
response=$(
timeout -s 9 $1 \
redis-cli \
-a $REDIS_PASSWORD --no-auth-warning \
-h localhost \
-p $REDIS_PORT \
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
ping_liveness_local.sh: |-
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
response=$(
timeout -s 9 $1 \
redis-cli \
-a $REDIS_PASSWORD --no-auth-warning \
-h localhost \
-p $REDIS_PORT \
ping
)
if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
echo "$response"
exit 1
fi
ping_readiness_master.sh: |-
password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
export REDIS_MASTER_PASSWORD=$password_aux
response=$(
timeout -s 9 $1 \
redis-cli \
-a $REDIS_MASTER_PASSWORD --no-auth-warning \
-h $REDIS_MASTER_HOST \
-p $REDIS_MASTER_PORT_NUMBER \
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
ping_liveness_master.sh: |-
password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
export REDIS_MASTER_PASSWORD=$password_aux
response=$(
timeout -s 9 $1 \
redis-cli \
-a $REDIS_MASTER_PASSWORD --no-auth-warning \
-h $REDIS_MASTER_HOST \
-p $REDIS_MASTER_PORT_NUMBER \
ping
)
if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
echo "$response"
exit 1
fi
ping_readiness_local_and_master.sh: |-
script_dir="$(dirname "$0")"
exit_status=0
"$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
"$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
exit $exit_status
ping_liveness_local_and_master.sh: |-
script_dir="$(dirname "$0")"
exit_status=0
"$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
"$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
exit $exit_status
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-registry
namespace: public-service
labels:
app: registry
chart: registry-0.5.0
release: mygitlab
heritage: Helm
data:
configure: |-
if [ -e /config/accesskey ] ; then
sed -e 's@ACCESS_KEY@'"$(cat /config/accesskey)"'@' -e 's@SECRET_KEY@'"$(cat /config/secretkey)"'@' /config/config.yml > /registry/config.yml
else
cp -v -r -L /config/config.yml /registry/config.yml
fi
sed -i -e 's@HTTP_SECRET@'"$(cat /config/httpSecret)"'@' /registry/config.yml
if [ -d /config/notifications ]; then
for i in /config/notifications/*; do
filename=$(basename $i);
sed -i -e 's@'"${filename}"'@'"$(cat $i)"'@' /registry/config.yml;
done
fi
if [ -d /config/storage ]; then
mkdir -p /registry/storage
cp -v -r -L /config/storage/* /registry/storage/
echo '' >> /registry/storage/config
if ! $(egrep -A1 '^delete:\s*$' /registry/storage/config | egrep -q '\s{2,4}enabled:') ; then
echo 'delete:' >> /registry/storage/config
echo ' enabled: true' >> /registry/storage/config
fi
sed -i 's/^/ /' /registry/storage/config
sed -i '/storage:/ r /registry/storage/config' /registry/config.yml
rm /registry/storage/config
fi
cat /config/certificate.crt > /registry/certificate.crt
if [ -f /config/profiling-key.json ]; then
cp /config/profiling-key.json /registry/profiling-key.json
fi
config.yml: |
version: 0.1
log:
fields:
service: registry
level: warn
http:
debug:
addr: ':5001'
prometheus:
enabled: false
path: /metrics
draintimeout: 0
headers:
X-Content-Type-Options: [nosniff]
addr: :5000
secret: "HTTP_SECRET"
relativeurls: false
health:
storagedriver:
enabled: false
interval: 10s
threshold: 3
auth:
token:
realm: http://gitlab.lzxlinux.com/jwt/auth
service: container_registry
issuer: "gitlab-issuer"
rootcertbundle: /etc/docker/registry/certificate.crt
autoredirect: false
compatibility:
schema1:
enabled: false
validation:
disabled: true
profiling:
storage:
maintenance:
readonly:
enabled: false
s3:
accesskey: "ACCESS_KEY"
secretkey: "SECRET_KEY"
region: us-east-1
regionendpoint: http://mygitlab-minio-svc:9000
bucket: registry
secure: true
v4auth: true
rootdirectory: /
cache:
blobdescriptor: 'inmemory'
delete:
enabled: true
redirect:
disable: true
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-gitlab-chart-info
namespace: public-service
labels:
app: gitlab
chart: gitlab-4.4.3
release: mygitlab
heritage: Helm
data:
gitlabVersion: "13.4.3"
gitlabChartVersion: "4.4.3"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-postgresql-init-db
namespace: public-service
labels:
app: gitlab
chart: gitlab-4.4.3
release: mygitlab
heritage: Helm
data:
init_revision.sh: |
if [[ ! -f "$POSTGRESQL_VOLUME_DIR/.gitlab_1_scripts_initialized" ]] ; then
rm -f "$POSTGRESQL_VOLUME_DIR/.user_scripts_initialized"
touch "$POSTGRESQL_VOLUME_DIR/.gitlab_1_scripts_initialized"
fi
enable_extensions.sh: |
PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d gitlabhq_production -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;'
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-shared-secrets
namespace: public-service
labels:
app: shared-secrets
chart: shared-secrets-0.1.0
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
data:
generate-secrets: |
namespace=public-service
release=mygitlab
env=production
pushd $(mktemp -d)
function gen_random(){
head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2
}
function fetch_rails_value(){
local value=$(yq read $1 "${2}")
if [ "${value}" != "null" ]; then echo "${value}"; fi
}
function label_secret(){
local secret_name=$1
kubectl --namespace=$namespace label \
secret $secret_name $(echo 'app.kubernetes.io/name=mygitlab' | sed -E 's/=[^ ]*/-/g')
kubectl --namespace=$namespace label \
--overwrite \
secret $secret_name app=shared-secrets chart=shared-secrets-0.1.0 release=mygitlab heritage=Helm
}
function generate_secret_if_needed(){
local secret_args=( "${@:2}")
local secret_name=$1
if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then
kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}
else
echo "secret \"$secret_name\" already exists"
fi;
label_secret $secret_name
}
generate_secret_if_needed "mygitlab-gitlab-initial-root-password" --from-literal="password"=$(gen_random 'a-zA-Z0-9' 64)
generate_secret_if_needed "mygitlab-redis-secret" --from-literal="secret"=$(gen_random 'a-zA-Z0-9' 64)
generate_secret_if_needed "mygitlab-postgresql-password" --from-literal=postgresql-password=$(gen_random 'a-zA-Z0-9' 64) --from-literal=postgresql-postgres-password=$(gen_random 'a-zA-Z0-9' 64)
generate_secret_if_needed "mygitlab-gitlab-shell-secret" --from-literal="secret"=$(gen_random 'a-zA-Z0-9' 64)
generate_secret_if_needed "mygitlab-gitaly-secret" --from-literal="token"=$(gen_random 'a-zA-Z0-9' 64)
generate_secret_if_needed "mygitlab-minio-secret" --from-literal=accesskey=$(gen_random 'a-zA-Z0-9' 64) --from-literal=secretkey=$(gen_random 'a-zA-Z0-9' 64)
generate_secret_if_needed "mygitlab-gitlab-runner-secret" --from-literal=runner-registration-token=$(gen_random 'a-zA-Z0-9' 64) --from-literal=runner-token=""
mkdir -p certs
openssl req -new -newkey rsa:4096 -subj "/CN=gitlab-issuer" -nodes -x509 -keyout certs/registry-example-com.key -out certs/registry-example-com.crt -days 3650
generate_secret_if_needed "mygitlab-registry-secret" --from-file=registry-auth.key=certs/registry-example-com.key --from-file=registry-auth.crt=certs/registry-example-com.crt
if [ -n "$env" ]; then
rails_secret="mygitlab-rails-secret"
if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then
kubectl --namespace=$namespace get secret $rails_secret -o jsonpath="{.data.secrets\.yml}" | base64 --decode > secrets.yml
secret_key_base=$(fetch_rails_value secrets.yml "${env}.secret_key_base")
otp_key_base=$(fetch_rails_value secrets.yml "${env}.otp_key_base")
db_key_base=$(fetch_rails_value secrets.yml "${env}.db_key_base")
openid_connect_signing_key=$(fetch_rails_value secrets.yml "${env}.openid_connect_signing_key")
ci_jwt_signing_key=$(fetch_rails_value secrets.yml "${env}.ci_jwt_signing_key")
fi;
secret_key_base="${secret_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
otp_key_base="${otp_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
db_key_base="${db_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
openid_connect_signing_key="${openid_connect_signing_key:-$(openssl genrsa 2048)}"
ci_jwt_signing_key="${ci_jwt_signing_key:-$(openssl genrsa 2048)}"
cat << EOF > rails-secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: $rails_secret
type: Opaque
stringData:
secrets.yml: |-
$env:
secret_key_base: $secret_key_base
otp_key_base: $otp_key_base
db_key_base: $db_key_base
openid_connect_signing_key: |
$(echo "${openid_connect_signing_key}" | awk '{print " " $0}')
ci_jwt_signing_key: |
$(echo "${ci_jwt_signing_key}" | awk '{print " " $0}')
EOF
kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml
label_secret $rails_secret
fi
ssh-keygen -A
mkdir -p host_keys
cp /etc/ssh/ssh_host_* host_keys/
generate_secret_if_needed "mygitlab-gitlab-shell-host-keys" --from-file host_keys
generate_secret_if_needed "mygitlab-gitlab-workhorse-secret" --from-literal="shared_secret"=$(gen_random 'a-zA-Z0-9' 32 | base64)
generate_secret_if_needed "mygitlab-registry-httpsecret" --from-literal="secret"=$(gen_random 'a-z0-9' 128 | base64 -w 0)
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mygitlab-gitlab-upgrade-check
namespace: public-service
labels:
app: gitlab
chart: gitlab-4.4.3
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-11"
"helm.sh/hook-delete-policy": before-hook-creation
data:
runcheck: |
set -e
notify() {
echo "$1"
echo -n "$1 " >> /dev/termination-log
}
greater_version()
{
test "$(printf '%s\n' "$@" | sort -V | tail -n 1)" = "$1";
}
secrets_dir="/etc/secrets/postgresql"
if [ -d "${secrets_dir}" ]; then
if [ ! "$(ls -A ${secrets_dir}/..data/)" = "" ]; then
if [ ! -f "${secrets_dir}/postgresql-postgres-password" ] || [ ! -f "${secrets_dir}/postgresql-password" ]; then
notify "You seem to be upgrading from a previous version of GitLab using the bundled PostgreSQL chart"
notify "There are some manual steps which need to be performed in order to upgrade the database"
notify "Please see the upgrade documentation for instructions on how to proceed:"
notify "https://docs.gitlab.com/charts/installation/upgrade.html"
exit 1
fi
fi
fi
MIN_VERSION=13.0
CHART_MIN_VERSION=4.0
if ! awk 'BEGIN{exit(!(ARGV[1] ~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/))}' "$GITLAB_VERSION"; then
exit 0
fi
NEW_MAJOR_VERSION=$(echo $GITLAB_VERSION | awk -F "." '{print $1}')
NEW_MINOR_VERSION=$(echo $GITLAB_VERSION | awk -F "." '{print $1"."$2}')
NEW_CHART_MAJOR_VERSION=$(echo $CHART_VERSION | awk -F "." '{print $1}')
NEW_CHART_MINOR_VERSION=$(echo $CHART_VERSION | awk -F "." '{print $1"."$2}')
if [ ! -f /chart-info/gitlabVersion ]; then
notify "It seems you are attempting an unsupported upgrade path."
notify "Please follow the upgrade documentation at https://docs.gitlab.com/ee/policy/maintenance.html#upgrade-recommendations"
exit 1
fi
OLD_VERSION_STRING=$(cat /chart-info/gitlabVersion)
OLD_CHART_VERSION_STRING=$(cat /chart-info/gitlabChartVersion)
if ! awk 'BEGIN{exit(!(ARGV[1] ~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/))}' "$OLD_VERSION_STRING"; then
exit 0
fi
OLD_MAJOR_VERSION=$(echo $OLD_VERSION_STRING | awk -F "." '{print $1}')
OLD_MINOR_VERSION=$(echo $OLD_VERSION_STRING | awk -F "." '{print $1"."$2}')
OLD_CHART_MAJOR_VERSION=$(echo $OLD_CHART_VERSION_STRING | awk -F "." '{print $1}')
OLD_CHART_MINOR_VERSION=$(echo $OLD_CHART_VERSION_STRING | awk -F "." '{print $1"."$2}')
if [ ${OLD_MAJOR_VERSION} -lt ${NEW_MAJOR_VERSION} ] || [ ${OLD_CHART_MAJOR_VERSION} -lt ${NEW_CHART_MAJOR_VERSION} ]; then
if ( ! greater_version $OLD_MINOR_VERSION $MIN_VERSION ) || ( ! greater_version $OLD_CHART_MINOR_VERSION $CHART_MIN_VERSION ); then
notify "It seems you are upgrading the GitLab Helm Chart from ${OLD_CHART_VERSION_STRING} (GitLab ${OLD_VERSION_STRING}) to ${CHART_VERSION} (GitLab ${GITLAB_VERSION})."
notify "It is required to upgrade to the latest ${CHART_MIN_VERSION}.x version first before proceeding."
notify "Please follow the upgrade documentation at https://docs.gitlab.com/charts/releases/4_0.html"
notify "and upgrade to GitLab Helm Chart version ${CHART_MIN_VERSION}.x before upgrading to ${CHART_VERSION}."
exit 1
fi
fi
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mygitlab-shared-secrets
namespace: public-service
labels:
app: shared-secrets
chart: shared-secrets-0.1.0
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: mygitlab-shared-secrets
namespace: public-service
labels:
app: shared-secrets
chart: shared-secrets-0.1.0
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: mygitlab-shared-secrets
namespace: public-service
labels:
app: shared-secrets
chart: shared-secrets-0.1.0
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mygitlab-shared-secrets
subjects:
- kind: ServiceAccount
name: mygitlab-shared-secrets
namespace: public-service
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mygitlab-minio
namespace: public-service
labels:
app: gitlab
component: minio
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "10Gi"
selector:
matchLabels:
app: gitlab
component: minio
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-gitaly
namespace: public-service
labels:
app: gitaly
chart: gitaly-4.4.3
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
clusterIP: None
ports:
- port: 8075
name: gitaly
targetPort: 8075
- port: 9236
name: gitaly-metrics
selector:
app: gitaly
release: mygitlab
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-gitlab-shell
namespace: public-service
labels:
app: gitlab-shell
chart: gitlab-shell-4.4.3
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
ports:
- port: 22
targetPort: 2222
protocol: TCP
name: ssh
selector:
app: gitlab-shell
release: mygitlab
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-webservice
namespace: public-service
labels:
app: webservice
chart: webservice-4.4.3
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: 8080
protocol: TCP
name: http-webservice
- port: 8181
targetPort: 8181
protocol: TCP
name: http-workhorse
selector:
app: webservice
release: mygitlab
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-minio-svc
namespace: public-service
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
selector:
app: minio
release: mygitlab
component: app
ports:
- name: service
port: 9000
targetPort: 9000
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-postgresql-headless
namespace: public-service
labels:
app: postgresql
chart: postgresql-8.9.4
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
clusterIP: None
ports:
- name: tcp-postgresql
port: 5432
targetPort: tcp-postgresql
selector:
app: postgresql
release: mygitlab
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-postgresql
namespace: public-service
labels:
app: postgresql
chart: postgresql-8.9.4
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
ports:
- name: tcp-postgresql
port: 5432
targetPort: tcp-postgresql
selector:
app: postgresql
release: mygitlab
role: master
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-redis-headless
namespace: public-service
labels:
app: redis
chart: redis-10.3.4
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
clusterIP: None
ports:
- name: redis
port: 6379
targetPort: redis
selector:
app: redis
release: mygitlab
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-redis-master
namespace: public-service
labels:
app: redis
chart: redis-10.3.4
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
ports:
- name: redis
port: 6379
targetPort: redis
selector:
app: redis
release: mygitlab
role: master
---
apiVersion: v1
kind: Service
metadata:
name: mygitlab-registry
namespace: public-service
labels:
app: registry
chart: registry-0.5.0
release: mygitlab
heritage: Helm
spec:
type: ClusterIP
ports:
- port: 5000
targetPort: 5000
protocol: TCP
name: registry
selector:
app: registry
release: mygitlab
---
apiVersion: batch/v1
kind: Job
metadata:
name: mygitlab-migrations-1
namespace: public-service
labels:
app: migrations
chart: migrations-4.4.3
release: mygitlab
heritage: Helm
spec:
activeDeadlineSeconds: 3600
backoffLimit: 6
template:
metadata:
labels:
app: migrations
release: mygitlab
spec:
initContainers:
- name: configure
image: busybox:latest
command: ['sh', '/config/configure']
resources:
requests:
cpu: 50m
volumeMounts:
- name: migrations-config
mountPath: /config
readOnly: true
- name: init-migrations-secrets
mountPath: /init-config
readOnly: true
- name: migrations-secrets
mountPath: /init-secrets
readOnly: false
containers:
- name: migrations
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ee:v13.4.3
imagePullPolicy: IfNotPresent
args:
- /scripts/wait-for-deps
- /scripts/db-migrate
env:
- name: GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "mygitlab-gitlab-runner-secret"
key: runner-registration-token
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
- name: BYPASS_SCHEMA_VERSION
value: 'true'
- name: ENABLE_BOOTSNAP
value: '1'
resources:
requests:
cpu: 250m
memory: 200Mi
volumeMounts:
- name: migrations-config
mountPath: '/var/opt/gitlab/templates'
- name: migrations-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: migrations-secrets
mountPath: /srv/gitlab/config/secrets.yml
subPath: rails-secrets/secrets.yml
- name: migrations-secrets
mountPath: /srv/gitlab/config/initial_root_password
subPath: migrations/initial_root_password
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
securityContext:
runAsUser: 1000
fsGroup: 1000
restartPolicy: OnFailure
volumes:
- name: migrations-config
configMap:
name: mygitlab-migrations
- name: init-migrations-secrets
projected:
defaultMode: 0400
sources:
- secret:
name: "mygitlab-rails-secret"
items:
- key: secrets.yml
path: rails-secrets/secrets.yml
- secret:
name: "mygitlab-gitaly-secret"
items:
- key: "token"
path: gitaly/gitaly_token
- secret:
name: "mygitlab-redis-secret"
items:
- key: "secret"
path: redis/redis-password
- secret:
name: "mygitlab-postgresql-password"
items:
- key: "postgresql-password"
path: postgres/psql-password
- secret:
name: "mygitlab-gitlab-initial-root-password"
items:
- key: "password"
path: migrations/initial_root_password
- name: migrations-secrets
emptyDir:
medium: "Memory"
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
---
apiVersion: batch/v1
kind: Job
metadata:
name: mygitlab-minio-create-buckets-1
namespace: public-service
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
spec:
activeDeadlineSeconds: 600
template:
metadata:
labels:
app: minio
release: mygitlab
component: create-buckets
spec:
restartPolicy: OnFailure
volumes:
- name: minio-configuration
projected:
sources:
- configMap:
name: mygitlab-minio-config-cm
- secret:
name: "mygitlab-minio-secret"
containers:
- name: minio-mc
image: minio/mc:RELEASE.2018-07-13T00-53-22Z
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "/config/initialize"]
env:
- name: MINIO_ENDPOINT
value: mygitlab-minio-svc
- name: MINIO_PORT
value: "9000"
resources:
requests:
cpu: 50m
volumeMounts:
- name: minio-configuration
mountPath: /config
---
apiVersion: batch/v1
kind: Job
metadata:
name: mygitlab-shared-secrets-1-7d3
namespace: public-service
labels:
app: shared-secrets
chart: shared-secrets-0.1.0
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
labels:
app: shared-secrets
release: mygitlab
spec:
containers:
- name: shared-secrets
image: registry.gitlab.com/gitlab-org/build/cng/kubectl:1.13.12
imagePullPolicy: IfNotPresent
command: ['/bin/bash', '/scripts/generate-secrets']
resources:
requests:
cpu: 50m
volumeMounts:
- name: scripts
mountPath: /scripts
- name: ssh
mountPath: /etc/ssh
securityContext:
runAsUser: 65534
fsGroup: 65534
serviceAccountName: mygitlab-shared-secrets
restartPolicy: Never
volumes:
- name: scripts
configMap:
name: mygitlab-shared-secrets
- name: ssh
emptyDir: {}
---
apiVersion: batch/v1
kind: Job
metadata:
name: mygitlab-gitlab-upgrade-check
namespace: public-service
labels:
app: gitlab
chart: gitlab-4.4.3
release: mygitlab
heritage: Helm
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
backoffLimit: 2
template:
metadata:
labels:
app: gitlab
release: mygitlab
spec:
containers:
- name: run-check
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ['/bin/sh', '/scripts/runcheck']
env:
- name: GITLAB_VERSION
value: '13.4.3'
- name: CHART_VERSION
value: '4.4.3'
resources:
requests:
cpu: 50m
volumeMounts:
- name: chart-info
mountPath: /chart-info
- name: scripts
mountPath: /scripts
- name: postgresql-secret
mountPath: /etc/secrets/postgresql
securityContext:
runAsUser: 65534
fsGroup: 65534
restartPolicy: Never
volumes:
- name: chart-info
configMap:
name: mygitlab-gitlab-chart-info
optional: true
- name: scripts
configMap:
name: mygitlab-gitlab-upgrade-check
- name: postgresql-secret
secret:
secretName: "mygitlab-postgresql-password"
optional: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mygitlab-gitlab-shell
namespace: public-service
labels:
app: gitlab-shell
chart: gitlab-shell-4.4.3
release: mygitlab
heritage: Helm
spec:
selector:
matchLabels:
app: gitlab-shell
release: mygitlab
template:
metadata:
labels:
app: gitlab-shell
release: mygitlab
annotations:
checksum/config: 46ab9b5d3fe8a8f0cc1e5ea72cf845665194a324cefeba0a20f0e8fc5d6fd5a6
checksum/config-sshd: 21b394f58ef0726c064cf79d081badea49333e086db091e7b997c7fb1bd3244a
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ['sh', '/config/configure']
env:
resources:
requests:
cpu: 50m
volumeMounts:
- name: shell-config
mountPath: /config
readOnly: true
- name: shell-init-secrets
mountPath: /init-config
readOnly: true
- name: shell-secrets
mountPath: /init-secrets
readOnly: false
containers:
- name: gitlab-shell
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v13.7.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 2222
name: ssh
env:
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/etc/gitlab-shell'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab-shell'
- name: KEYS_DIRECTORY
value: '/etc/gitlab-secrets/ssh'
resources:
requests:
cpu: 0
memory: 6M
livenessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
successThreshold: 1
failureThreshold: 3
volumeMounts:
- name: shell-config
mountPath: '/etc/gitlab-shell'
- name: shell-secrets
mountPath: '/etc/gitlab-secrets'
readOnly: true
- name: sshd-config
mountPath: /etc/ssh/sshd_config
subPath: sshd_config
readOnly: true
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
securityContext:
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: gitlab-shell
release: mygitlab
volumes:
- name: shell-config
configMap:
name: mygitlab-gitlab-shell
- name: sshd-config
configMap:
name: mygitlab-gitlab-shell-sshd
- name: shell-init-secrets
projected:
defaultMode: 0440
sources:
- secret:
name: "mygitlab-gitlab-shell-host-keys"
- secret:
name: "mygitlab-gitlab-shell-secret"
items:
- key: "secret"
path: shell/.gitlab_shell_secret
- name: shell-secrets
emptyDir:
medium: "Memory"
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mygitlab-sidekiq-all-in-1-v1
namespace: public-service
labels:
app: sidekiq
chart: sidekiq-4.4.3
release: mygitlab
heritage: Helm
queue-pod-name: all-in-1
annotations:
spec:
selector:
matchLabels:
app: sidekiq
release: mygitlab
queue-pod-name: all-in-1
template:
metadata:
labels:
app: sidekiq
release: mygitlab
queue-pod-name: all-in-1
annotations:
checksum/configmap: 921fb38b031a078a15f3f3fb1cfde53f57505932286ece4c659eddf6ac605eaa
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
checksum/configmap-pod: 011e0bfb9573e059c114bcaf0f841300a4b3c63bad09b1fe76b4192e7801a320
spec:
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ['sh', '/config/configure']
env:
resources:
requests:
cpu: 50m
volumeMounts:
- name: sidekiq-config
mountPath: /config
readOnly: true
- name: init-sidekiq-secrets
mountPath: /init-config
readOnly: true
- name: sidekiq-secrets
mountPath: /init-secrets
readOnly: false
- name: dependencies
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v13.4.3
imagePullPolicy: IfNotPresent
args:
- /scripts/wait-for-deps
env:
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
- name: SIDEKIQ_CONCURRENCY
value: "25"
- name: SIDEKIQ_TIMEOUT
value: "5"
- name: ENABLE_BOOTSNAP
value: "1"
resources:
requests:
cpu: 50m
volumeMounts:
- name: sidekiq-config
mountPath: '/var/opt/gitlab/templates'
readOnly: true
- name: sidekiq-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: sidekiq-secrets
mountPath: /srv/gitlab/config/secrets.yml
subPath: rails-secrets/secrets.yml
readOnly: true
containers:
- name: sidekiq
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v13.4.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3807
name: metrics
env:
- name: prometheus_multiproc_dir
value: /metrics
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
- name: SIDEKIQ_CLUSTER
value: "true"
- name: SIDEKIQ_EXPERIMENTAL_QUEUE_SELECTOR
value: ""
- name: SIDEKIQ_CONCURRENCY
value: "25"
- name: SIDEKIQ_TIMEOUT
value: "5"
- name: SIDEKIQ_QUEUES
value:
- name: SIDEKIQ_NEGATE_QUEUES
value:
- name: SIDEKIQ_DAEMON_MEMORY_KILLER
value: "1"
- name: SIDEKIQ_MEMORY_KILLER_CHECK_INTERVAL
value: "3"
- name: SIDEKIQ_MEMORY_KILLER_MAX_RSS
value: "2000000"
- name: SIDEKIQ_MEMORY_KILLER_GRACE_TIME
value: "900"
- name: SIDEKIQ_MEMORY_KILLER_SHUTDOWN_WAIT
value: "30"
- name: ENABLE_BOOTSNAP
value: "1"
resources:
requests:
cpu: 50m
memory: 650M
livenessProbe:
httpGet:
path: /liveness
port: 3807
initialDelaySeconds: 20
periodSeconds: 60
timeoutSeconds: 30
successThreshold: 1
failureThreshold: 3
lifecycle:
preStop:
exec:
command: ["/bin/bash", "-c", "pkill -f 'sidekiq'"]
volumeMounts:
- name: sidekiq-metrics
mountPath: '/metrics'
- name: sidekiq-config
mountPath: '/var/opt/gitlab/templates'
readOnly: true
- name: sidekiq-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: sidekiq-secrets
mountPath: /srv/gitlab/config/secrets.yml
subPath: rails-secrets/secrets.yml
- name: sidekiq-config
mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb'
subPath: smtp_settings.rb
- name: sidekiq-config
mountPath: '/srv/gitlab/INSTALLATION_TYPE'
subPath: installation_type
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
securityContext:
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: sidekiq
release: mygitlab
volumes:
- name: sidekiq-metrics
emptyDir:
medium: "Memory"
- name: sidekiq-config
projected:
sources:
- configMap:
name: mygitlab-sidekiq
- configMap:
name: mygitlab-sidekiq-all-in-1
- name: init-sidekiq-secrets
projected:
defaultMode: 0400
sources:
- secret:
name: "mygitlab-rails-secret"
items:
- key: secrets.yml
path: rails-secrets/secrets.yml
- secret:
name: "mygitlab-gitaly-secret"
items:
- key: "token"
path: gitaly/gitaly_token
- secret:
name: "mygitlab-redis-secret"
items:
- key: "secret"
path: redis/redis-password
- secret:
name: "mygitlab-postgresql-password"
items:
- key: "postgresql-password"
path: postgres/psql-password
- secret:
name: "mygitlab-registry-secret"
items:
- key: registry-auth.key
path: registry/gitlab-registry.key
- secret:
name: "mygitlab-minio-secret"
items:
- key: accesskey
path: minio/accesskey
- key: secretkey
path: minio/secretkey
- name: sidekiq-secrets
emptyDir:
medium: "Memory"
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mygitlab-task-runner
namespace: public-service
labels:
app: task-runner
chart: task-runner-4.4.3
release: mygitlab
heritage: Helm
spec:
replicas: 1
strategy:
rollingUpdate: null
type: Recreate
selector:
matchLabels:
app: task-runner
release: mygitlab
template:
metadata:
labels:
app: task-runner
release: mygitlab
annotations:
checksum/config: c41ae826b096c5687245010fb995ab86ed87009d6288081a114073ae755e8d0b
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ['sh', '/config/configure']
resources:
requests:
cpu: 50m
volumeMounts:
- name: task-runner-config
mountPath: /config
readOnly: true
- name: init-task-runner-secrets
mountPath: /init-config
readOnly: true
- name: task-runner-secrets
mountPath: /init-secrets
readOnly: false
containers:
- name: task-runner
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ee:v13.4.3
imagePullPolicy: IfNotPresent
args:
- /bin/bash
- -c
- cp -v -r -L /etc/gitlab/.s3cfg $HOME/.s3cfg && while sleep 3600; do :; done # alpine sleep has no infinity
env:
- name: ARTIFACTS_BUCKET_NAME
value: gitlab-artifacts
- name: REGISTRY_BUCKET_NAME
value: registry
- name: LFS_BUCKET_NAME
value: git-lfs
- name: UPLOADS_BUCKET_NAME
value: gitlab-uploads
- name: PACKAGES_BUCKET_NAME
value: gitlab-packages
- name: EXTERNAL_DIFFS_BUCKET_NAME
value: gitlab-mr-diffs
- name: TERRAFORM_STATE_BUCKET_NAME
value: gitlab-terraform-state
- name: BACKUP_BUCKET_NAME
value: gitlab-backups
- name: BACKUP_BACKEND
value: s3
- name: TMP_BUCKET_NAME
value: tmp
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: ENABLE_BOOTSNAP
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
resources:
requests:
cpu: 50m
memory: 350M
volumeMounts:
- name: task-runner-config
mountPath: '/var/opt/gitlab/templates'
- name: task-runner-config
mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb'
subPath: smtp_settings.rb
- name: task-runner-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: task-runner-secrets
mountPath: /srv/gitlab/config/secrets.yml
subPath: rails-secrets/secrets.yml
- name: task-runner-tmp
mountPath: '/srv/gitlab/tmp'
readOnly: false
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
securityContext:
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: gitaly
release: mygitlab
volumes:
- name: task-runner-config
projected:
sources:
- configMap:
name: mygitlab-task-runner
- name: task-runner-tmp
emptyDir: {}
- name: init-task-runner-secrets
projected:
defaultMode: 0400
sources:
- secret:
name: "mygitlab-rails-secret"
items:
- key: secrets.yml
path: rails-secrets/secrets.yml
- secret:
name: "mygitlab-gitlab-shell-secret"
items:
- key: "secret"
path: shell/.gitlab_shell_secret
- secret:
name: "mygitlab-gitaly-secret"
items:
- key: "token"
path: gitaly/gitaly_token
- secret:
name: "mygitlab-redis-secret"
items:
- key: "secret"
path: redis/redis-password
- secret:
name: "mygitlab-postgresql-password"
items:
- key: "postgresql-password"
path: postgres/psql-password
- secret:
name: "mygitlab-registry-secret"
items:
- key: registry-auth.key
path: registry/gitlab-registry.key
- secret:
name: "mygitlab-minio-secret"
items:
- key: accesskey
path: minio/accesskey
- key: secretkey
path: minio/secretkey
- name: task-runner-secrets
emptyDir:
medium: "Memory"
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mygitlab-webservice
namespace: public-service
labels:
app: webservice
chart: webservice-4.4.3
release: mygitlab
heritage: Helm
spec:
replicas: 1
selector:
matchLabels:
app: webservice
release: mygitlab
template:
metadata:
labels:
app: webservice
release: mygitlab
annotations:
checksum/config: 802a297cd7611bf25bf5c44318a5859659dc86fe3ec578ec4605fbb8a408aa81
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ['sh']
args: [ '-c', 'sh -x /config-webservice/configure ; sh -x /config-workhorse/configure ; mkdir -p -m 3770 /tmp/gitlab']
resources:
requests:
cpu: 50m
volumeMounts:
- name: webservice-config
mountPath: /config-webservice
readOnly: true
- name: workhorse-config
mountPath: /config-workhorse
readOnly: true
- name: init-webservice-secrets
mountPath: /init-config
readOnly: true
- name: webservice-secrets
mountPath: /init-secrets
readOnly: false
- name: workhorse-secrets
mountPath: /init-secrets-workhorse
readOnly: false
- name: shared-tmp
mountPath: /tmp
readOnly: false
- name: dependencies
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v13.4.3
imagePullPolicy: IfNotPresent
args:
- /scripts/wait-for-deps
env:
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
- name: WORKHORSE_ARCHIVE_CACHE_DISABLED
value: "1"
- name: ENABLE_BOOTSNAP
value: "1"
resources:
requests:
cpu: 50m
volumeMounts:
- name: webservice-config
mountPath: '/var/opt/gitlab/templates'
- name: webservice-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: webservice-secrets
mountPath: /srv/gitlab/config/secrets.yml
subPath: rails-secrets/secrets.yml
readOnly: true
containers:
- name: webservice
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v13.4.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
name: webservice
env:
- name: GITLAB_WEBSERVER
value: puma
- name: TMPDIR
value: "/tmp/gitlab"
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
- name: prometheus_multiproc_dir
value: /metrics
- name: ENABLE_BOOTSNAP
value: "1"
- name: WORKER_PROCESSES
value: "2"
- name: WORKER_TIMEOUT
value: "60"
- name: INTERNAL_PORT
value: "8080"
- name: PUMA_THREADS_MIN
value: "4"
- name: PUMA_THREADS_MAX
value: "4"
- name: PUMA_WORKER_MAX_MEMORY
value: "1024"
- name: DISABLE_PUMA_WORKER_KILLER
value: "false"
- name: GITLAB_TRACING_URL
value: ""
- name: WORKHORSE_ARCHIVE_CACHE_DISABLED
value: "true"
resources:
limits:
cpu: 300m
memory: 2.0G
requests:
cpu: 300m
memory: 1.5G
lifecycle:
preStop:
exec:
command: ["/bin/bash", "-c", "pkill -SIGINT -o ruby"]
volumeMounts:
- name: webservice-metrics
mountPath: '/metrics'
- name: webservice-config
mountPath: '/var/opt/gitlab/templates'
- name: webservice-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: webservice-secrets
mountPath: /srv/gitlab/config/secrets.yml
subPath: rails-secrets/secrets.yml
- name: webservice-config
mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb'
subPath: smtp_settings.rb
- name: webservice-config
mountPath: '/srv/gitlab/INSTALLATION_TYPE'
subPath: installation_type
- name: shared-upload-directory
mountPath: /srv/gitlab/public/uploads/tmp
readOnly: false
- name: shared-tmp
mountPath: '/tmp'
readOnly: false
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
- name: gitlab-workhorse
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v13.4.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8181
name: workhorse
env:
- name: TMPDIR
value: "/tmp/gitlab"
- name: GITLAB_WORKHORSE_EXTRA_ARGS
value: ""
- name: GITLAB_WORKHORSE_LISTEN_PORT
value: "8181"
- name: GITLAB_WORKHORSE_LOG_FORMAT
value: "json"
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
resources:
requests:
cpu: 100m
memory: 100M
livenessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 20
periodSeconds: 60
timeoutSeconds: 30
successThreshold: 1
failureThreshold: 3
readinessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 2
successThreshold: 1
failureThreshold: 3
volumeMounts:
- name: workhorse-config
mountPath: '/var/opt/gitlab/templates'
- name: workhorse-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: shared-upload-directory
mountPath: /srv/gitlab/public/uploads/tmp
readOnly: false
- name: shared-tmp
mountPath: '/tmp'
readOnly: false
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
securityContext:
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: webservice
release: mygitlab
volumes:
- name: shared-tmp
emptyDir: {}
- name: webservice-metrics
emptyDir:
medium: "Memory"
- name: webservice-config
configMap:
name: mygitlab-webservice
- name: workhorse-config
configMap:
name: mygitlab-workhorse-config
- name: init-webservice-secrets
projected:
defaultMode: 0400
sources:
- secret:
name: "mygitlab-rails-secret"
items:
- key: secrets.yml
path: rails-secrets/secrets.yml
- secret:
name: "mygitlab-gitlab-shell-secret"
items:
- key: "secret"
path: shell/.gitlab_shell_secret
- secret:
name: "mygitlab-gitaly-secret"
items:
- key: "token"
path: gitaly/gitaly_token
- secret:
name: "mygitlab-redis-secret"
items:
- key: "secret"
path: redis/redis-password
- secret:
name: "mygitlab-postgresql-password"
items:
- key: "postgresql-password"
path: postgres/psql-password
- secret:
name: "mygitlab-registry-secret"
items:
- key: registry-auth.key
path: registry/gitlab-registry.key
- secret:
name: "mygitlab-gitlab-workhorse-secret"
items:
- key: "shared_secret"
path: gitlab-workhorse/secret
- secret:
name: "mygitlab-minio-secret"
items:
- key: accesskey
path: minio/accesskey
- key: secretkey
path: minio/secretkey
- name: webservice-secrets
emptyDir:
medium: "Memory"
- name: workhorse-secrets
emptyDir:
medium: "Memory"
- name: shared-upload-directory
emptyDir: {}
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mygitlab-minio
namespace: public-service
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
spec:
strategy:
type: Recreate
rollingUpdate: null
selector:
matchLabels:
app: minio
release: mygitlab
component: app
template:
metadata:
name: mygitlab-minio
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
component: app
spec:
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ["sh", "/config/configure"]
resources:
requests:
cpu: 50m
volumeMounts:
- name: minio-configuration
mountPath: /config
- name: minio-server-config
mountPath: /minio
containers:
- name: minio
image: minio/minio:RELEASE.2017-12-28T01-21-00Z
imagePullPolicy: IfNotPresent
args: ["-C", "/tmp/.minio", "--quiet", "server", "/export"]
ports:
- name: service
containerPort: 9000
resources:
requests:
cpu: 100m
memory: 128Mi
livenessProbe:
tcpSocket:
port: 9000
timeoutSeconds: 1
volumeMounts:
- name: export
mountPath: /export
- name: minio-server-config
mountPath: "/tmp/.minio"
- name: podinfo
mountPath: /podinfo
readOnly: false
securityContext:
runAsUser: 0
fsGroup: 0
volumes:
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- name: export
persistentVolumeClaim:
claimName: mygitlab-minio
- name: minio-configuration
projected:
sources:
- configMap:
name: mygitlab-minio-config-cm
- secret:
name: "mygitlab-minio-secret"
- name: minio-server-config
emptyDir:
medium: "Memory"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mygitlab-registry
namespace: public-service
labels:
app: registry
chart: registry-0.5.0
release: mygitlab
heritage: Helm
spec:
replicas: 2
selector:
matchLabels:
app: registry
release: mygitlab
template:
metadata:
labels:
app: registry
release: mygitlab
annotations:
checksum/configmap: 69bd8469e87e8e40463ee1f66fe73900ad3d77f5017f79a4277e6afe23d47814
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ["sh", "/config/configure"]
resources:
requests:
cpu: 50m
volumeMounts:
- name: registry-secrets
mountPath: /config
- name: registry-server-config
mountPath: /registry
containers:
- name: registry
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v2.11.0-gitlab
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 32Mi
livenessProbe:
httpGet:
path: /debug/health
port: 5001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /debug/health
port: 5001
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
volumeMounts:
- name: registry-server-config
mountPath: /etc/docker/registry/
readOnly: true
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
securityContext:
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: registry
release: mygitlab
terminationGracePeriodSeconds: 30
volumes:
- name: registry-server-config
emptyDir:
medium: "Memory"
- name: registry-secrets
projected:
sources:
- configMap:
name: mygitlab-registry
- secret:
name: "mygitlab-registry-secret"
items:
- key: registry-auth.crt
path: certificate.crt
- secret:
name: "mygitlab-registry-httpsecret"
items:
- key: "secret"
path: httpSecret
- secret:
name: "mygitlab-minio-secret"
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mygitlab-gitaly
namespace: public-service
labels:
app: gitaly
chart: gitaly
release: mygitlab
heritage: Helm
spec:
serviceName: mygitlab-gitaly
replicas: 1
podManagementPolicy: Parallel
selector:
matchLabels:
app: gitaly
release: mygitlab
template:
metadata:
labels:
app: gitaly
release: mygitlab
annotations:
checksum/config: 5931700e79c4a679dcdf02f2de56911130da8ff68385fc51f9f00bfc4004dc26
spec:
terminationGracePeriodSeconds: 30
initContainers:
- name: configure
image: busybox:latest
imagePullPolicy: IfNotPresent
command: ['sh', '/config/configure']
resources:
requests:
cpu: 50m
volumeMounts:
- name: gitaly-config
mountPath: /config
readOnly: true
- name: init-gitaly-secrets
mountPath: /init-config
readOnly: true
- name: gitaly-secrets
mountPath: /init-secrets
readOnly: false
containers:
- name: gitaly
image: registry.gitlab.com/gitlab-org/build/cng/gitaly:v13.4.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8075
- containerPort: 9236
env:
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/etc/gitaly/templates'
- name: CONFIG_DIRECTORY
value: '/etc/gitaly'
- name: GITALY_CONFIG_FILE
value: '/etc/gitaly/config.toml'
- name: SSL_CERT_DIR
value: '/etc/ssl/certs'
- name: GITALY_PROMETHEUS_LISTEN_ADDR
value: ':9236'
resources:
requests:
cpu: 100m
memory: 200Mi
livenessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 10
readinessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
readOnly: true
- name: gitaly-config
mountPath: '/etc/gitaly/templates'
- name: gitaly-secrets
mountPath: '/etc/gitlab-secrets'
readOnly: true
- name: repo-data
mountPath: '/home/git/repositories'
securityContext:
runAsUser: 0
fsGroup: 0
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: gitaly
release: mygitlab
volumes:
- name: gitaly-config
configMap:
name: mygitlab-gitaly
- name: gitaly-secrets
emptyDir:
medium: "Memory"
- name: init-gitaly-secrets
projected:
defaultMode: 0440
sources:
- secret:
name: "mygitlab-gitaly-secret"
items:
- key: "token"
path: "gitaly_token"
- secret:
name: "mygitlab-gitlab-shell-secret"
items:
- key: "secret"
path: ".gitlab_shell_secret"
- name: etc-ssl-certs
emptyDir:
medium: "Memory"
volumeClaimTemplates:
- metadata:
name: repo-data
labels:
app: gitlab
component: gitaly
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "50Gi"
selector:
matchLabels:
app: gitlab
component: gitaly
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mygitlab-postgresql
namespace: public-service
labels:
app: postgresql
chart: postgresql-8.9.4
release: mygitlab
heritage: Helm
spec:
serviceName: mygitlab-postgresql-headless
replicas: 1
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app: postgresql
release: mygitlab
role: master
template:
metadata:
name: mygitlab-postgresql
labels:
app: postgresql
chart: postgresql-8.9.4
release: mygitlab
heritage: Helm
role: master
annotations:
postgresql.gitlab/init-revision: "1"
spec:
containers:
- name: mygitlab-postgresql
image: docker.io/bitnami/postgresql:11.9.0
imagePullPolicy: IfNotPresent
ports:
- name: tcp-postgresql
containerPort: 5432
env:
- name: BITNAMI_DEBUG
value: "false"
- name: POSTGRESQL_PORT_NUMBER
value: "5432"
- name: POSTGRESQL_VOLUME_DIR
value: "/bitnami/postgresql"
- name: PGDATA
value: "/bitnami/postgresql/data"
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
- name: POSTGRES_USER
value: "gitlab"
- name: POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
- name: POSTGRES_DB
value: "gitlabhq_production"
- name: POSTGRESQL_ENABLE_LDAP
value: "no"
resources:
requests:
cpu: 250m
memory: 256Mi
livenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "gitlab" -d "gitlabhq_production" -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
readinessProbe:
exec:
command:
- /bin/sh
- -c
- -e
- |
exec pg_isready -U "gitlab" -d "gitlabhq_production" -h 127.0.0.1 -p 5432
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
securityContext:
runAsUser: 0
volumeMounts:
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d/
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
- name: dshm
mountPath: /dev/shm
- name: data
mountPath: /bitnami/postgresql
subPath:
- mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh
name: custom-init-scripts
subPath: init_revision.sh
securityContext:
fsGroup: 0
volumes:
- name: postgresql-password
secret:
secretName: "mygitlab-postgresql-password"
- name: custom-init-scripts
configMap:
name: mygitlab-postgresql-init-db
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 1Gi
volumeClaimTemplates:
- metadata:
name: data
labels:
app: gitlab
component: postgresql
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "8Gi"
selector:
matchLabels:
app: gitlab
component: postgresql
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mygitlab-redis-master
namespace: public-service
labels:
app: redis
chart: redis-10.3.4
release: mygitlab
heritage: Helm
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app: redis
release: mygitlab
role: master
serviceName: mygitlab-redis-headless
template:
metadata:
labels:
app: redis
chart: redis-10.3.4
release: mygitlab
role: master
annotations:
checksum/health: 5365a9d25a22feb97b472b68f1d573c712def2a8b62488808f8ab2da882775d6
checksum/configmap: d27cfcc9b5348bb41605aaee762aa5d7f177f8ef50ea1e3e219ac5c227ec3222
checksum/secret: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
spec:
containers:
- name: mygitlab-redis
image: docker.io/bitnami/redis:5.0.7-debian-9-r50
imagePullPolicy: IfNotPresent
ports:
- name: redis
containerPort: 6379
command:
- /bin/bash
- -c
- |
useradd redis
chown -R redis /data
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then
cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf
fi
if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
fi
ARGS=("--port" "${REDIS_PORT}")
ARGS+=("--requirepass" "${REDIS_PASSWORD}")
ARGS+=("--masterauth" "${REDIS_PASSWORD}")
ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
/run.sh ${ARGS[@]}
env:
- name: REDIS_REPLICATION_MODE
value: master
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
- name: REDIS_PORT
value: "6379"
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/ping_liveness_local.sh 5
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/ping_readiness_local.sh 5
securityContext:
runAsUser: 0
volumeMounts:
- name: health
mountPath: /health
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
- name: redis-data
mountPath: /data
subPath:
- name: config
mountPath: /opt/bitnami/redis/mounted-etc
- name: redis-tmp-conf
mountPath: /opt/bitnami/redis/etc/
securityContext:
fsGroup: 0
serviceAccountName: "default"
volumes:
- name: health
configMap:
name: mygitlab-redis-health
defaultMode: 0755
- name: redis-password
secret:
secretName: "mygitlab-redis-secret"
items:
- key: "secret"
path: redis-password
- name: config
configMap:
name: mygitlab-redis
- name: redis-tmp-conf
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: redis-data
labels:
app: gitlab
component: redis
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "8Gi"
selector:
matchLabels:
app: gitlab
component: redis
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: mygitlab-webservice
namespace: public-service
labels:
app: webservice
chart: webservice-4.4.3
release: mygitlab
heritage: Helm
spec:
rules:
- host: gitlab.lzxlinux.com
http:
paths:
- path: /
backend:
serviceName: mygitlab-webservice
servicePort: 8181
- path: /admin/sidekiq
backend:
serviceName: mygitlab-webservice
servicePort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: mygitlab-minio
namespace: public-service
labels:
app: minio
chart: minio-0.4.3
release: mygitlab
heritage: Helm
spec:
rules:
- host: minio.lzxlinux.com
http:
paths:
- path: /
backend:
serviceName: mygitlab-minio-svc
servicePort: 9000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: mygitlab-registry
namespace: public-service
labels:
app: registry
chart: registry-0.5.0
release: mygitlab
heritage: Helm
spec:
rules:
- host: registry.lzxlinux.com
http:
paths:
- path: /
backend:
serviceName: mygitlab-registry
servicePort: 5000
- 部署:
kubectl apply -f gitlab.yaml
kubectl get pvc -n public-service
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
data-mygitlab-postgresql-0 Bound gitlab-postgresql 8Gi RWO 20s
mygitlab-minio Bound gitlab-minio 10Gi RWO 25s
redis-data-mygitlab-redis-master-0 Bound gitlab-redis 8Gi RWO 20s
repo-data-mygitlab-gitaly-0 Bound gitlab-gitaly 50Gi RWO 21s
kubectl get svc -n public-service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
mygitlab-gitaly ClusterIP None <none> 8075/TCP,9236/TCP 57s
mygitlab-gitlab-shell ClusterIP 10.111.199.214 <none> 22/TCP 57s
mygitlab-minio-svc ClusterIP 10.109.13.155 <none> 9000/TCP 57s
mygitlab-postgresql ClusterIP 10.98.45.20 <none> 5432/TCP 57s
mygitlab-postgresql-headless ClusterIP None <none> 5432/TCP 57s
mygitlab-redis-headless ClusterIP None <none> 6379/TCP 57s
mygitlab-redis-master ClusterIP 10.97.147.208 <none> 6379/TCP 56s
mygitlab-registry ClusterIP 10.98.35.216 <none> 5000/TCP 56s
mygitlab-webservice ClusterIP 10.105.65.185 <none> 8080/TCP,8181/TCP 57s
kubectl get pod -n public-service
NAME READY STATUS RESTARTS AGE
mygitlab-gitaly-0 1/1 Running 0 3m28s
mygitlab-gitlab-shell-75d9f5bbcb-w6r8v 1/1 Running 0 3m30s
mygitlab-gitlab-upgrade-check-4v69n 0/1 Completed 0 3m31s
mygitlab-migrations-1-sgcw6 1/1 Running 0 3m31s
mygitlab-minio-5d6769976b-9sgxb 1/1 Running 0 3m29s
mygitlab-minio-create-buckets-1-bgpzc 0/1 Completed 0 3m31s
mygitlab-postgresql-0 1/1 Running 0 3m27s
mygitlab-redis-master-0 1/1 Running 0 3m27s
mygitlab-registry-79bc9b5449-996z7 1/1 Running 0 3m28s
mygitlab-registry-79bc9b5449-whjxz 1/1 Running 0 3m28s
mygitlab-shared-secrets-1-7d3-n48pg 0/1 Completed 0 3m31s
mygitlab-sidekiq-all-in-1-v1-6c9f9977b6-2xdrt 1/1 Running 0 3m30s
mygitlab-task-runner-795fc84cd5-rmnm2 1/1 Running 0 3m29s
mygitlab-webservice-64f7dd6968-8t7bd 2/2 Running 0 3m29s
- 访问:
kubectl get secrets -n public-service mygitlab-gitlab-initial-root-password -o yaml
apiVersion: v1
data:
password: WXh4VjhScmt1M0FRb3hRd2I5WjFteHVmZlVIV0V3clU0QWY5Y0FXTXFnMUx3Tk9ITm1NUEc4WlJ6YTdkMjhRNQ==
kind: Secret
metadata:
creationTimestamp: "2020-10-14T10:39:28Z"
labels:
app: shared-secrets
chart: shared-secrets-0.1.0
heritage: Helm
release: mygitlab
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:password: {}
f:metadata:
f:labels:
.: {}
f:app: {}
f:chart: {}
f:heritage: {}
f:release: {}
f:type: {}
manager: kubectl
operation: Update
time: "2020-10-14T10:39:29Z"
name: mygitlab-gitlab-initial-root-password
namespace: public-service
resourceVersion: "333718"
selfLink: /api/v1/namespaces/public-service/secrets/mygitlab-gitlab-initial-root-password
uid: 578e667a-eeda-458f-809f-b4bf52f5f50c
type: Opaque
echo 'WXh4VjhScmt1M0FRb3hRd2I5WjFteHVmZlVIV0V3clU0QWY5Y0FXTXFnMUx3Tk9ITm1NUEc4WlJ6YTdkMjhRNQ==' | base64 -d
YxxV8Rrku3AQoxQwb9Z1mxuffUHWEwrU4Af9cAWMqg1LwNOHNmMPG8ZRza7d28Q5
添加hosts:gitlab.lzxlinux.com,默认账号:root,密码:YxxV8Rrku3AQoxQwb9Z1mxuffUHWEwrU4Af9cAWMqg1LwNOHNmMPG8ZRza7d28Q5。
默认生成的密码比较难记,可以修改:
helm部署gitlab完成。已存放至个人github:kubernetes
扫一扫
839
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
