From 1f79acf2199aa2962a35c4bb77250d718a1d3d0b Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 11 Aug 2020 18:13:39 -0500 Subject: [PATCH 01/54] Very preliminary support for praefect chart --- charts/gitlab/charts/praefect/Chart.yaml | 19 +++ .../charts/praefect/templates/configmap.yaml | 60 ++++++++ .../charts/praefect/templates/service.yaml | 34 +++++ .../praefect/templates/statefulset.yaml | 134 ++++++++++++++++++ charts/gitlab/charts/praefect/values.yaml | 14 ++ templates/_praefect.tpl | 3 + values.yaml | 1 + 7 files changed, 265 insertions(+) create mode 100644 charts/gitlab/charts/praefect/Chart.yaml create mode 100644 charts/gitlab/charts/praefect/templates/configmap.yaml create mode 100644 charts/gitlab/charts/praefect/templates/service.yaml create mode 100644 charts/gitlab/charts/praefect/templates/statefulset.yaml create mode 100644 charts/gitlab/charts/praefect/values.yaml create mode 100644 templates/_praefect.tpl diff --git a/charts/gitlab/charts/praefect/Chart.yaml b/charts/gitlab/charts/praefect/Chart.yaml new file mode 100644 index 0000000000..eda0ce9c1b --- /dev/null +++ b/charts/gitlab/charts/praefect/Chart.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +name: praefect +version: 4.1.4 +appVersion: master +description: A manager aiming to maintain replicas for each repository. +keywords: +- gitlab +- gitaly +- praefect +home: https://about.gitlab.com/ +icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg +sources: +- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/praefect +- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitaly +- https://gitlab.com/gitlab-org/gitaly/-/tree/master/cmd/praefect +maintainers: +- name: GitLab Inc. + email: support@gitlab.com diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml new file mode 100644 index 0000000000..863972cb54 --- /dev/null 
+++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -0,0 +1,60 @@ +{{- if .Values.global.praefect.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} +data: + configure: | + set -e + mkdir -p /init-secrets/praefect /init-secrets/shell + cp -v -r -L /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret + cp -v -r -L /init-config/gitaly_token /init-secrets/praefect/gitaly_token + config.toml: | + # TCP address to listen on + listen_addr = '0.0.0.0:2305' + + # Optional: export metrics via Prometheus + prometheus_listen_addr = '0.0.0.0:9652' + + [failover] + enabled = true + election_strategy = 'sql' + read_only_after_failover = false + + [auth] + token = 'foo' + transitioning = false + + [logging] + level = 'debug' + format = 'json' + + [[virtual_storage]] + name = 'default' + [[virtual_storage.node]] + storage = 'foo' + address = 'tcp://foo:8075' + token = 'foo' + primary = true + [[virtual_storage.node]] + storage = 'foo' + address = 'tcp://foo:8075' + token = 'foo' + primary = false + [[virtual_storage.node]] + storage = 'foo' + address = 'tcp://foo:8075' + token = 'foo' + primary = false + + [database] + host = 'foo' + port = 5432 + user = 'praefect' + password = 'foo' + dbname = 'praefect' + sslmode = 'disable' +{{- end -}} diff --git a/charts/gitlab/charts/praefect/templates/service.yaml b/charts/gitlab/charts/praefect/templates/service.yaml new file mode 100644 index 0000000000..e79e589a0a --- /dev/null +++ b/charts/gitlab/charts/praefect/templates/service.yaml 
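Review bot: The rendered config.toml carries placeholder credentials as plain literals — `token = 'foo'` under `[auth]` and in every `[[virtual_storage.node]]`, `password = 'foo'` under `[database]` — together with `sslmode = 'disable'` and `level = 'debug'`, and all of it lands in a ConfigMap rather than a Secret. A later patch on this page replaces the tokens with a file read from the mounted secret, but the database password and `sslmode = 'disable'` are still literal in the last version shown, and `debug` is not a sensible shipped default; the password should be sourced the same way as the token and `sslmode` should default to a verifying mode such as `verify-full`. Within this same patch the addresses also disagree: here `prometheus_listen_addr = '0.0.0.0:9652'` while the StatefulSet env and Service annotation use 9236, and `listen_addr = '0.0.0.0:2305'` while the Service's `targetPort` is 8075.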
@@ -0,0 +1,34 @@ +{{- if .Values.global.praefect.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9236" + prometheus.io/scrape: "true" + labels: + app: praefect + chart: gitaly-4.0.1 + heritage: Tiller + release: ibaum-gitlab + name: ibaum-gitlab-praefect + namespace: foo +spec: + clusterIP: None + ports: + - name: praefect + port: 8075 + protocol: TCP + targetPort: 8075 + - name: praefect-metrics + port: 9236 + protocol: TCP + targetPort: 9236 + selector: + app: praefect + release: ibaum-gitlab + sessionAffinity: None + type: ClusterIP +status: + loadBalancer: {} +{{- end -}} diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml new file mode 100644 index 0000000000..e11351030a --- /dev/null +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml 
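Review bot: The Service metadata is a captured render rather than a template — `name: ibaum-gitlab-praefect`, `namespace: foo`, `release: ibaum-gitlab`, `chart: gitaly-4.0.1`, `heritage: Tiller` — so its selector will not match the StatefulSet's `app`/`release` labels in any other release, and `heritage: Tiller` is wrong for a Helm 3 chart. It should use `{{ template "fullname" . }}`, `{{ $.Release.Namespace }}` and the `gitlab.standardLabels` include, as the ConfigMap in this same patch does. `targetPort: 8075` also does not match the `service.internalPort: 2305` / `listen_addr = '0.0.0.0:2305'` the chart configures.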
@@ -0,0 +1,134 @@ +{{- if .Values.global.praefect.enabled -}} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ $.Release.Name }} + serviceName: {{ template "gitlab.praefect.serviceName" . }} + replicas: {{ template "gitlab.gitaly.replicas" . }} + podManagementPolicy: Parallel + template: + metadata: + labels: + app: {{ template "name" . }} + release: {{ $.Release.Name }} + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: {{ template "name" . }} + release: {{ $.Release.Name }} + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: /etc/gitaly/templates + - name: CONFIG_DIRECTORY + value: /etc/praefect + - name: PRAEFECT_CONFIG_FILE + value: /etc/praefect/config.toml + - name: SSL_CERT_DIR + value: /etc/ssl/certs + - name: PRAEFECT_PROMETHEUS_LISTEN_ADDR + value: :9236 + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + name: {{ $.Chart.Name }} + image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}" + {{ template "gitlab.imagePullPolicy" $ }} + command: + - /usr/local/bin/praefect + - -config + - /etc/praefect/config.toml + ports: + - containerPort: {{ $.Values.service.internalPort }} + protocol: TCP + resources: + requests: + cpu: 100m + memory: 200Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/ssl/certs/ + name: etc-ssl-certs + readOnly: true + - mountPath: /etc/gitlab-secrets + name: praefect-secrets + readOnly: true + - mountPath: /etc/praefect + name: 
praefect-config + readOnly: true + dnsPolicy: ClusterFirst + initContainers: + {{- include "gitlab.extraInitContainers" $ | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + - name: configure + command: ['sh', '-x', '/config/configure'] + image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} + env: + {{- include "gitlab.extraEnv" $ | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + - name: praefect-config + mountPath: /config + readOnly: true + - name: praefect-secrets + mountPath: /init-secrets + readOnly: false + - name: init-praefect-secrets + mountPath: /init-config + readOnly: true + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + restartPolicy: Always + schedulerName: default-scheduler + securityContext: + fsGroup: 1000 + runAsUser: 1000 + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + defaultMode: 420 + name: {{ template "fullname" . }} + name: praefect-config + - emptyDir: + medium: Memory + name: praefect-secrets + - name: init-praefect-secrets + projected: + defaultMode: 288 + sources: + - secret: + items: + - key: {{ template "gitlab.gitaly.authToken.key" . }} + path: gitaly_token + name: {{ template "gitlab.gitaly.authToken.secret" . }} + - secret: + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" }} + path: .gitlab_shell_secret + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + - emptyDir: + medium: Memory + name: etc-ssl-certs + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate +{{- end -}} diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml new file mode 100644 index 0000000000..5add0e0462 --- /dev/null +++ b/charts/gitlab/charts/praefect/values.yaml 
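Review bot: `key: {{ template "gitlab.gitlab-shell.authToken.key" }}` in the projected `init-praefect-secrets` volume is called without the `.` context, unlike the sibling `gitlab.gitaly.authToken.key` call one item above and the `.secret` helper on the next line; if that helper reads `.Values` it will fail to render or yield an empty key, so it should be `key: {{ template "gitlab.gitlab-shell.authToken.key" . }}`. The pod-level `securityContext` sets `runAsUser: 1000` and `fsGroup: 1000` but not `runAsNonRoot: true`, which is what makes the kubelet refuse an image that unexpectedly runs as root; adding it next to the two existing keys costs nothing. The secrets staging (`/init-secrets` writable on an in-memory `emptyDir`, `/etc/gitlab-secrets` read-only in the main container) is a reasonable pattern and deserves a one-line comment on the `praefect-secrets` volume explaining why it is `medium: Memory`.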
@@ -0,0 +1,14 @@ +# Default values for praefect. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +praefect: {} + +image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitaly +service: + internalPort: 2305 + +init: + resources: {} + image: {} diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl new file mode 100644 index 0000000000..f2940b824d --- /dev/null +++ b/templates/_praefect.tpl @@ -0,0 +1,3 @@ +{{- define "gitlab.praefect.serviceName" -}} +{{- coalesce ( .Values.praefect.serviceName ) .Values.global.praefect.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "praefect" )) -}} +{{- end -}} diff --git a/values.yaml b/values.yaml index adb74219b9..a1288a0248 100644 --- a/values.yaml +++ b/values.yaml @@ -118,6 +118,7 @@ global: enabled: false # secretName: + praefect: {} ## doc/charts/globals.md#configure-minio-settings minio: enabled: true -- GitLab From bcc53bd2639c6510a1e53c4c3c96669b581ed146 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Wed, 12 Aug 2020 20:48:05 -0500 Subject: [PATCH 02/54] Switch to use multiple gitaly pods inside a StateFulset for praefect * Change replicas in the gitaly statefulset to the desired number of instances. --- charts/gitlab/charts/gitaly/requirements.yaml | 7 ++++++ .../gitlab/charts/praefect/requirements.yaml | 3 +++ .../charts/praefect/templates/configmap.yaml | 25 ++++++------------- .../charts/praefect/templates/service.yaml | 2 -- .../praefect/templates/statefulset.yaml | 4 +-- charts/gitlab/requirements.yaml | 5 ++++ charts/gitlab/templates/_gitaly.tpl | 2 +- templates/_praefect.tpl | 4 +++ values.yaml | 3 ++- 9 files changed, 31 insertions(+), 24 deletions(-) create mode 100644 charts/gitlab/charts/gitaly/requirements.yaml create mode 100644 charts/gitlab/charts/praefect/requirements.yaml create mode 100644 charts/gitlab/requirements.yaml 
diff --git a/charts/gitlab/charts/gitaly/requirements.yaml b/charts/gitlab/charts/gitaly/requirements.yaml new file mode 100644 index 0000000000..b5ed570712 --- /dev/null +++ b/charts/gitlab/charts/gitaly/requirements.yaml @@ -0,0 +1,7 @@ +dependencies: + - name: praefect + version: 4.1.4 + condition: global.praefect.enabled + import-values: + - child: gitaly + parent: myimports diff --git a/charts/gitlab/charts/praefect/requirements.yaml b/charts/gitlab/charts/praefect/requirements.yaml new file mode 100644 index 0000000000..297b11a6ab --- /dev/null +++ b/charts/gitlab/charts/praefect/requirements.yaml @@ -0,0 +1,3 @@ +dependencies: + - name: gitaly + version: 4.1.4 diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 863972cb54..145a737eac 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -1,4 +1,3 @@ -{{- if .Values.global.praefect.enabled -}} apiVersion: v1 kind: ConfigMap metadata: @@ -34,27 +33,19 @@ data: [[virtual_storage]] name = 'default' + {{- range $i, $storage := .Values.global.gitaly.internal.names }} [[virtual_storage.node]] - storage = 'foo' - address = 'tcp://foo:8075' + storage = 'ibaum-gitlab-gitaly-{{ $i }}' + address = 'tcp://ibaum-gitlab-gitaly-{{ $i }}:8075' token = 'foo' - primary = true - [[virtual_storage.node]] - storage = 'foo' - address = 'tcp://foo:8075' - token = 'foo' - primary = false - [[virtual_storage.node]] - storage = 'foo' - address = 'tcp://foo:8075' - token = 'foo' - primary = false + + {{- end }} [database] - host = 'foo' - port = 5432 + host = '{{ template "gitlab.psql.host" . }}' + port = {{ template "gitlab.psql.port" . }} user = 'praefect' password = 'foo' dbname = 'praefect' sslmode = 'disable' -{{- end -}} + # EOF 
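Review bot: `charts/gitlab/charts/gitaly/requirements.yaml` declares `praefect` as a dependency while the new `charts/gitlab/charts/praefect/requirements.yaml` in the same patch declares `gitaly` as a dependency, so the two subcharts depend on each other; Helm's dependency resolution is unlikely to handle that cycle, and one of the two edges should go. The `import-values` pairing `child: gitaly` / `parent: myimports` reads like a placeholder — unless something consumes `.Values.myimports`, drop it. The `version: 4.1.4` pin is now repeated across three requirements files, so a chart version bump has to touch all of them.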
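Review bot: `storage = 'ibaum-gitlab-gitaly-{{ $i }}'` and the matching `address = 'tcp://ibaum-gitlab-gitaly-{{ $i }}:8075'` bake a developer's release name into the template; inside the `range` this should be `{{ $.Release.Name }}-gitaly-{{ $i }}` (`$` is required there because `.` is rebound to the element). The loop binds `$storage` but never uses it, so either the node's `storage` name should come from it or the variable should be dropped. With `password = 'foo'` and `sslmode = 'disable'` left in place under `[database]`, this hunk still commits a credential into a ConfigMap.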
diff --git a/charts/gitlab/charts/praefect/templates/service.yaml b/charts/gitlab/charts/praefect/templates/service.yaml index e79e589a0a..dfec914bbb 100644 --- a/charts/gitlab/charts/praefect/templates/service.yaml +++ b/charts/gitlab/charts/praefect/templates/service.yaml @@ -1,4 +1,3 @@ -{{- if .Values.global.praefect.enabled -}} --- apiVersion: v1 kind: Service @@ -31,4 +30,3 @@ spec: type: ClusterIP status: loadBalancer: {} -{{- end -}} diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index e11351030a..438be6e14c 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -1,4 +1,3 @@ -{{- if .Values.global.praefect.enabled -}} --- apiVersion: apps/v1 kind: StatefulSet @@ -13,7 +12,7 @@ spec: app: {{ template "name" . }} release: {{ $.Release.Name }} serviceName: {{ template "gitlab.praefect.serviceName" . }} - replicas: {{ template "gitlab.gitaly.replicas" . }} + replicas: {{ template "gitlab.praefect.replicas" . }} podManagementPolicy: Parallel template: metadata: @@ -131,4 +130,3 @@ spec: rollingUpdate: partition: 0 type: RollingUpdate -{{- end -}} diff --git a/charts/gitlab/requirements.yaml b/charts/gitlab/requirements.yaml new file mode 100644 index 0000000000..afa07481cd --- /dev/null +++ b/charts/gitlab/requirements.yaml @@ -0,0 +1,5 @@ +dependencies: +- name: praefect + version: 4.1.4 + repository: http://localhost:10191 + condition: global.praefect.enabled diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index 4a74a5a6c3..dad5ccc283 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl 
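Review bot: `repository: http://localhost:10191` commits a developer's local, plain-HTTP chart repository into `charts/gitlab/requirements.yaml`; anyone running `helm dependency update` will either fetch `praefect` from an unauthenticated endpoint on their own machine or fail because nothing listens there. Since the chart already lives in-tree at `charts/gitlab/charts/praefect`, the `repository` line should be removed so the dependency resolves locally. Note that with this patch the subchart templates no longer carry their own `if .Values.global.praefect.enabled` guard, so `condition: global.praefect.enabled` here is now the only thing gating those resources.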
@@ -64,5 +64,5 @@ default: Return the number of replicas set for Gitaly statefulset */}} {{- define "gitlab.gitaly.replicas" -}} -{{- if .Values.global.gitaly.host }} 0 {{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} +{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.gitaly.replicas }}{{ .Values.global.gitaly.replicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} {{- end -}} diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl index f2940b824d..dcc5ac5c07 100644 --- a/templates/_praefect.tpl +++ b/templates/_praefect.tpl @@ -1,3 +1,7 @@ {{- define "gitlab.praefect.serviceName" -}} {{- coalesce ( .Values.praefect.serviceName ) .Values.global.praefect.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "praefect" )) -}} {{- end -}} + +{{- define "gitlab.praefect.replicas" -}} +1 +{{- end -}} diff --git a/values.yaml b/values.yaml index a1288a0248..e52ddf7e48 100644 --- a/values.yaml +++ b/values.yaml @@ -118,7 +118,8 @@ global: enabled: false # secretName: - praefect: {} + praefect: + enabled: false ## doc/charts/globals.md#configure-minio-settings minio: enabled: true -- GitLab From 02efd37d24e952e432ab408eb582e49aa21b299a Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 13 Aug 2020 17:06:10 -0500 Subject: [PATCH 03/54] Modularize and clean up praefect deploy --- .../charts/praefect/templates/configmap.yaml | 43 +++++--- .../praefect/templates/statefulset.yaml | 104 +++++++++--------- 2 files changed, 85 insertions(+), 62 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 145a737eac..9294700d67 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
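Review bot: With `global.gitaly.replicas` now able to override the count, the number of Gitaly pods can differ from `len .Values.global.gitaly.internal.names`, yet the praefect ConfigMap in this same patch still builds its `[[virtual_storage.node]]` list by ranging over `internal.names`; a larger replica count leaves pods praefect never routes to, and a smaller one makes praefect address pods that do not exist. Whichever value is authoritative should drive both places. The new branch also emits `{{ .Values.global.gitaly.replicas }}` without the surrounding spaces the other two branches produce, which is harmless for the `replicas:` scalar but inconsistent.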
@@ -11,33 +11,50 @@ data: mkdir -p /init-secrets/praefect /init-secrets/shell cp -v -r -L /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret cp -v -r -L /init-config/gitaly_token /init-secrets/praefect/gitaly_token - config.toml: | + config.toml.erb: | # TCP address to listen on - listen_addr = '0.0.0.0:2305' + listen_addr = '0.0.0.0:{{ .Values.service.internalPort }}' - # Optional: export metrics via Prometheus - prometheus_listen_addr = '0.0.0.0:9652' + {{- if .Values.metrics.enabled }} + prometheus_listen_addr = 'localhost:{{ .Values.metrics.port }}' + {{- end }} [failover] - enabled = true - election_strategy = 'sql' - read_only_after_failover = false + enabled = {{ .Values.failover.enabled }} + election_strategy = '{{ .Values.electionStrategy }}' + read_only_after_failover = {{ .Values.failover.readonlyAfter }} [auth] - token = 'foo' + token = "<%= File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %>" transitioning = false [logging] - level = 'debug' - format = 'json' + {{- with .Values.logging }} + {{- if .level }} + level = "{{ .level }}" + {{- end }} + {{- if .format }} + format = "{{ .format }}" + {{- end }} + {{- if .sentryDsn }} + sentry_dsn = "{{ .sentryDsn }}" + {{- end }} + {{- if .rubySentryDsn }} + ruby_sentry_dsn = "{{ .rubySentryDsn }}" + {{- end }} + dir = "/var/log/gitaly" + {{- if .sentryEnvironment }} + sentry_environment = "{{ .sentryEnvironment }}" + {{- end }} + {{- end }} [[virtual_storage]] name = 'default' {{- range $i, $storage := .Values.global.gitaly.internal.names }} [[virtual_storage.node]] - storage = 'ibaum-gitlab-gitaly-{{ $i }}' - address = 'tcp://ibaum-gitlab-gitaly-{{ $i }}:8075' - token = 'foo' + storage = '{{ $.Release.Name }}-gitaly-{{ $i }}' + address = 'tcp://{{ $.Release.Name }}-gitaly-{{ $i }}.{{ $.Release.Name }}-gitaly:8075' + token = "<%= File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %>" {{- end }} 
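Review bot: `prometheus_listen_addr = 'localhost:{{ .Values.metrics.port }}'` binds the metrics endpoint to loopback, yet the StatefulSet in this patch exposes `containerPort: {{ .Values.metrics.port }}` and the Service annotates `prometheus.io/scrape: "true"`; if this file value takes precedence over the `PRAEFECT_PROMETHEUS_LISTEN_ADDR` env var (set to `:{{ .Values.metrics.port }}`), scrapes from outside the pod will be refused. Use `prometheus_listen_addr = '0.0.0.0:{{ .Values.metrics.port }}'` or drop the TOML line and rely on the env var, but not two different values. Reading the token with `File.read('/etc/gitlab-secrets/praefect/gitaly_token')` at render time is the right move; the `[database] password` a few lines below this hunk is still a literal and could use the same pattern.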
diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 438be6e14c..dbec39a25b 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -19,6 +19,12 @@ spec: labels: app: {{ template "name" . }} release: {{ $.Release.Name }} + {{- include "gitlab.podLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} spec: affinity: podAntiAffinity: 
@@ -30,33 +36,63 @@ spec: release: {{ $.Release.Name }} topologyKey: kubernetes.io/hostname weight: 1 + initContainers: + {{- include "gitlab.extraInitContainers" $ | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + - name: configure + command: ['sh', '-x', '/config/configure'] + image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} + env: + {{- include "gitlab.extraEnv" $ | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + - name: praefect-config + mountPath: /config + readOnly: true + - name: init-praefect-secrets + mountPath: /init-config + readOnly: true + - name: praefect-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml $.Values.init.resources | nindent 12 }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} +{{- include "pullsecrets" .Values.image | indent 6 }} containers: - - env: + {{- include "gitlab.extraContainers" . | nindent 6 }} + - name: {{ $.Chart.Name }} + image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}" + {{ template "gitlab.imagePullPolicy" . 
}} + ports: + - containerPort: {{ $.Values.service.internalPort }} + {{- if .Values.metrics.enabled }} + - containerPort: {{ .Values.metrics.port }} + {{- end }} + env: - name: CONFIG_TEMPLATE_DIRECTORY - value: /etc/gitaly/templates + value: '/etc/gitaly/templates' - name: CONFIG_DIRECTORY - value: /etc/praefect + value: '/etc/gitaly' - name: PRAEFECT_CONFIG_FILE - value: /etc/praefect/config.toml + value: '/etc/gitaly/config.toml' - name: SSL_CERT_DIR - value: /etc/ssl/certs + value: '/etc/ssl/certs' - name: PRAEFECT_PROMETHEUS_LISTEN_ADDR - value: :9236 + value: ':{{ .Values.metrics.port }}' - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: {{ $.Chart.Name }} - image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}" - {{ template "gitlab.imagePullPolicy" $ }} + {{- include "gitlab.tracing.env" . | nindent 8 }} + {{- include "gitlab.extraEnv" . | nindent 8 }} command: - /usr/local/bin/praefect - -config - - /etc/praefect/config.toml - ports: - - containerPort: {{ $.Values.service.internalPort }} - protocol: TCP + - /etc/gitaly/config.toml resources: requests: cpu: 100m 
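Review bot: The pod `securityContext` added here takes `runAsUser` and `fsGroup` from values but does not set `runAsNonRoot: true`, so a values override of `runAsUser: 0` or an image whose USER is root is accepted silently; adding `runAsNonRoot: true` alongside the two existing keys lets the kubelet reject that. `CONFIG_DIRECTORY` now points at `/etc/gitaly` while the ConfigMap is mounted at `/etc/gitaly/templates` and the command reads `/etc/gitaly/config.toml`, which presumably relies on the image rendering `config.toml.erb` into `CONFIG_DIRECTORY`; since `command:` bypasses the image entrypoint, nothing in this hunk performs that step, and a comment stating the dependency would help the next reader. The container section continues into the following hunk.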
@@ -64,42 +100,16 @@ spec: terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - - mountPath: /etc/ssl/certs/ - name: etc-ssl-certs - readOnly: true - - mountPath: /etc/gitlab-secrets - name: praefect-secrets - readOnly: true - - mountPath: /etc/praefect - name: praefect-config - readOnly: true - dnsPolicy: ClusterFirst - initContainers: - {{- include "gitlab.extraInitContainers" $ | nindent 8 }} - {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} - - name: configure - command: ['sh', '-x', '/config/configure'] - image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} - env: - {{- include "gitlab.extraEnv" $ | nindent 10 }} - volumeMounts: - {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} - - name: praefect-config - mountPath: /config - readOnly: true + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 10 }} - name: praefect-secrets - mountPath: /init-secrets - readOnly: false - - name: init-praefect-secrets - mountPath: /init-config + mountPath: /etc/gitlab-secrets readOnly: true - resources: - {{- toYaml $.Values.init.resources | nindent 12 }} + - name: praefect-config + mountPath: /etc/gitaly/templates + dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - securityContext: - fsGroup: 1000 - runAsUser: 1000 terminationGracePeriodSeconds: 30 volumes: - configMap: @@ -126,7 +136,3 @@ spec: - emptyDir: medium: Memory name: etc-ssl-certs - updateStrategy: - rollingUpdate: - partition: 0 - type: RollingUpdate -- GitLab From e9b2e5934b07176b4fbd8664f62c1eb5bafb6ada Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 13 Aug 2020 17:43:14 -0500 Subject: [PATCH 04/54] Update praefect defaults --- charts/gitlab/charts/praefect/values.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index 5add0e0462..d5f08fc90d 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -4,11 +4,21 @@ praefect: {} +failover: + enabled: true + readonlyAfter: false + +electionStrategy: sql + image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly service: - internalPort: 2305 + internalPort: 8075 init: resources: {} image: {} + +metrics: + enabled: true + port: 9236 -- GitLab From 24e3c6b8decb66bb276d3f074d211bb1c352906d Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 13 Aug 2020 18:11:01 -0500 Subject: [PATCH 05/54] Add security context info --- charts/gitlab/charts/praefect/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index d5f08fc90d..ce2616da4e 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -22,3 +22,8 @@ init: metrics: enabled: true port: 9236 + +## Allow to overwrite under which User and Group we're running. +securityContext: + runAsUser: 1000 + fsGroup: 1000 -- GitLab From b09d71f64c9eb9e4c72a78ca647547c5bf1f0bdf Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 13 Aug 2020 18:41:51 -0500 Subject: [PATCH 06/54] Start getting a working gitlab.yml entry for praefect --- charts/gitlab/templates/_gitlab.yaml.tpl | 4 ++++ charts/gitlab/templates/_praefect.tpl | 16 ++++++++++++++++ templates/_praefect.tpl | 4 ---- 3 files changed, 20 insertions(+), 4 deletions(-) create mode 100644 charts/gitlab/templates/_praefect.tpl diff --git a/charts/gitlab/templates/_gitlab.yaml.tpl b/charts/gitlab/templates/_gitlab.yaml.tpl index 9c93b019e3..b5dd615e65 100644 --- a/charts/gitlab/templates/_gitlab.yaml.tpl +++ b/charts/gitlab/templates/_gitlab.yaml.tpl 
@@ -7,7 +7,11 @@ gitaly: {{- define "gitlab.appConfig.repositories" -}} repositories: storages: # You must have at least a `default` storage path. + {{- if $.Values.global.praefect.enabled }} + {{- include "gitlab.praefect.storages" . | nindent 4 }} + {{- else }} {{- include "gitlab.gitaly.storages" . | nindent 4 }} + {{- end }} {{- end -}} diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl new file mode 100644 index 0000000000..f03b69c92a --- /dev/null +++ b/charts/gitlab/templates/_praefect.tpl @@ -0,0 +1,16 @@ +{{/* +Return the default praefect storage line for gitlab.yml +*/}} +{{- define "gitlab.praefect.storages" -}} +default: + path: /var/opt/gitlab/repo + gitaly_address: {{ template "gitlab.praefect.serviceName" . }}:8075 +{{- end -}} + + +{{/* +Return the resolvable name of the praefect service +*/}} +{{- define "gitlab.praefect.serviceName" -}} +{{ $.Release.Name }}-praefect +{{- end -}} diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl index dcc5ac5c07..9dc82a65ed 100644 --- a/templates/_praefect.tpl +++ b/templates/_praefect.tpl @@ -1,7 +1,3 @@ -{{- define "gitlab.praefect.serviceName" -}} -{{- coalesce ( .Values.praefect.serviceName ) .Values.global.praefect.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "praefect" )) -}} -{{- end -}} - {{- define "gitlab.praefect.replicas" -}} 1 {{- end -}} -- GitLab From 38953ea9fd3b2a1974ec127d720de3b168c43f6f Mon Sep 17 00:00:00 2001 
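Review bot: `gitaly_address: {{ template "gitlab.praefect.serviceName" . }}:8075` has no scheme, while every Gitaly address in this series is written `tcp://host:port`; it should read `gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:8075`, and the later patch on this page that changes it to `tcp:` still lacks the `//`. Redefining `gitlab.praefect.serviceName` as a fixed `{{ $.Release.Name }}-praefect` removes the `coalesce` override that the deleted root-chart helper offered, so the name can no longer be set from values. The port `8075` is hard-coded here although the praefect chart exposes it via `service.internalPort`.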
From: Ian Baum Date: Mon, 17 Aug 2020 11:51:30 -0500 Subject: [PATCH 07/54] More updates for praefect * Add a startup script to the configmap. Runs entrypoint.sh and migrations before starting the daemon * Fix repositories entry for gitlab.yml to specify protocol. * Rough out creating the database --- charts/gitlab/charts/praefect/templates/configmap.yaml | 10 ++++++++++ .../gitlab/charts/praefect/templates/statefulset.yaml | 7 ++----- charts/gitlab/templates/_praefect.tpl | 2 +- templates/initdb-configmap.yaml | 4 ++++ 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 9294700d67..fe4d55b747 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -6,6 +6,16 @@ metadata: labels: {{- include "gitlab.standardLabels" . | nindent 4 }} data: + praefect-start: | + set -e + # create the config files + /scripts/entrypoint.sh + + # Run the migrations + /usr/local/bin/praefect -config /etc/gitaly/config.toml sql-migrate + + # Start praefect + /usr/local/bin/praefect -config /etc/gitaly/config.toml configure: | set -e mkdir -p /init-secrets/praefect /init-secrets/shell diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index dbec39a25b..0bd0fefe74 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -40,7 +40,7 @@ spec: {{- include "gitlab.extraInitContainers" $ | nindent 8 }} {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} - name: configure - command: ['sh', '-x', '/config/configure'] + command: ['sh', '/config/configure'] image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} env: {{- include "gitlab.extraEnv" $ | nindent 10 }} 
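Review bot: `praefect-start` launches the daemon with a plain `/usr/local/bin/praefect -config /etc/gitaly/config.toml`, so `sh` remains PID 1 and the kubelet's SIGTERM on pod deletion is delivered to the shell rather than to praefect, which is then killed after `terminationGracePeriodSeconds`; the last line should be `exec /usr/local/bin/praefect -config /etc/gitaly/config.toml`. Running `sql-migrate` unconditionally in every pod's startup also means that with more than one replica (the StatefulSet uses `podManagementPolicy: Parallel`) concurrent migrations race each other; a one-shot migration job, or migrating only from one designated pod, would be safer. Dropping `-x` from the `configure` invocation in the statefulset hunk is a good call, since it stops the secret copy paths from being echoed to the init container log.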
@@ -89,10 +89,7 @@ spec: fieldPath: metadata.name {{- include "gitlab.tracing.env" . | nindent 8 }} {{- include "gitlab.extraEnv" . | nindent 8 }} - command: - - /usr/local/bin/praefect - - -config - - /etc/gitaly/config.toml + command: [ "sh", "/etc/gitaly/templates/praefect-start" ] resources: requests: cpu: 100m diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index f03b69c92a..860cfd7048 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -4,7 +4,7 @@ Return the default praefect storage line for gitlab.yml {{- define "gitlab.praefect.storages" -}} default: path: /var/opt/gitlab/repo - gitaly_address: {{ template "gitlab.praefect.serviceName" . }}:8075 + gitaly_address: tcp:{{ template "gitlab.praefect.serviceName" . }}:8075 {{- end -}} diff --git a/templates/initdb-configmap.yaml b/templates/initdb-configmap.yaml index 032f68ec41..f0f069b720 100644 --- a/templates/initdb-configmap.yaml +++ b/templates/initdb-configmap.yaml @@ -15,5 +15,9 @@ data: fi enable_extensions.sh: | PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d {{ template "gitlab.psql.database" .}} -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;' + {{- if .Values.praefect.enabled }} + create_praefect_db.sh: | + PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d template1 -U postgres -c "CREATE ROLE praefect WITH PASSWORD foo; CREATE DATABASE praefect WITH OWNER praefect;" + {{- end }} # Leave this here - This line denotes end of block to the parser. {{- end -}} -- GitLab From e2ac553f93c6d14d952ee4f5df267d84b7172c26 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 17 Aug 2020 12:00:28 -0500 Subject: [PATCH 08/54] Update praefect service entry to be properly modular --- .../charts/praefect/templates/service.yaml | 29 +++++++++---------- charts/gitlab/charts/praefect/values.yaml | 3 ++ 2 files changed, 17 insertions(+), 15 deletions(-) 
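Review bot: `create_praefect_db.sh` in `templates/initdb-configmap.yaml` embeds a fixed database password (`CREATE ROLE praefect WITH PASSWORD foo`) into a ConfigMap, and the literal is unquoted, which PostgreSQL rejects as a syntax error; the accepted form is `CREATE ROLE praefect WITH LOGIN PASSWORD '…'` (without `LOGIN` the role cannot authenticate). A ConfigMap is not a secret store — the value should come from a generated Secret mounted into the init container, with the hard-coded literal removed. The guard `.Values.praefect.enabled` also differs from the `global.praefect.enabled` key used by the other templates in this series, so the block likely never renders as written.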
diff --git a/charts/gitlab/charts/praefect/templates/service.yaml b/charts/gitlab/charts/praefect/templates/service.yaml index dfec914bbb..19dde73625 100644 --- a/charts/gitlab/charts/praefect/templates/service.yaml +++ b/charts/gitlab/charts/praefect/templates/service.yaml @@ -2,31 +2,30 @@ apiVersion: v1 kind: Service metadata: + name: {{ include "gitlab.praefect.serviceName" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} annotations: - prometheus.io/port: "9236" + {{- if .Values.metrics.enabled }} prometheus.io/scrape: "true" - labels: - app: praefect - chart: gitaly-4.0.1 - heritage: Tiller - release: ibaum-gitlab - name: ibaum-gitlab-praefect - namespace: foo + prometheus.io/port: "{{ .Values.metrics.metricsPort }}" + {{- end }} + {{- include "gitlab.serviceAnnotations" . | nindent 4 }} spec: + type: {{ .Values.service.type }} clusterIP: None ports: - - name: praefect - port: 8075 + - name: {{ include "gitlab.praefect.serviceName" . }} + port: {{ .Values.service.externalPort }} protocol: TCP - targetPort: 8075 + targetPort: {{ .Values.service.internalPort }} - name: praefect-metrics port: 9236 protocol: TCP targetPort: 9236 selector: - app: praefect - release: ibaum-gitlab - sessionAffinity: None - type: ClusterIP + app: {{ template "name" . }} + release: {{ .Release.Name }} status: loadBalancer: {} diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index ce2616da4e..6e26804a23 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -13,7 +13,10 @@ electionStrategy: sql image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly service: + name: praefect + type: ClusterIP internalPort: 8075 + externalPort: 8075 init: resources: {} -- GitLab From 80648e2dc140b8233738212daab28f39fbe648f8 Mon Sep 17 00:00:00 2001 
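Review bot: `- name: {{ include "gitlab.praefect.serviceName" . }}` uses the full service name as a port name, but Kubernetes limits port names to 15 lowercase alphanumeric/`-` characters, so any realistic release name (the removed hard-coded lines show `ibaum-gitlab-praefect`, 21 characters) makes the Service fail API validation; use a fixed short name such as `- name: praefect`. The annotation reads `.Values.metrics.metricsPort`, a key that does not appear anywhere else in this series (the rest reads `.Values.metrics.port`), so the scrape port presumably renders empty — confirm with a render. The trailing `status: loadBalancer: {}` is kubectl-dump residue and should be dropped from the template.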
From: Ian Baum Date: Mon, 17 Aug 2020 12:51:38 -0500 Subject: [PATCH 09/54] Fix praefect variable reference --- templates/initdb-configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/initdb-configmap.yaml b/templates/initdb-configmap.yaml index f0f069b720..20d1020b9a 100644 --- a/templates/initdb-configmap.yaml +++ b/templates/initdb-configmap.yaml @@ -15,7 +15,7 @@ data: fi enable_extensions.sh: | PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d {{ template "gitlab.psql.database" .}} -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;' - {{- if .Values.praefect.enabled }} + {{- if $.Values.global.praefect.enabled }} create_praefect_db.sh: | PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d template1 -U postgres -c "CREATE ROLE praefect WITH PASSWORD foo; CREATE DATABASE praefect WITH OWNER praefect;" {{- end }} -- GitLab From d8baf681d2b131b1636ac25c25a88c3addf2f8b4 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 17 Aug 2020 15:25:40 -0500 Subject: [PATCH 10/54] Tweaks based on errors * Quickfix idempotency for praefect db steps * Fix tcp url for gitlab.yml --- charts/gitlab/templates/_praefect.tpl | 2 +- templates/initdb-configmap.yaml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index 860cfd7048..77429199d3 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -4,7 +4,7 @@ Return the default praefect storage line for gitlab.yml {{- define "gitlab.praefect.storages" -}} default: path: /var/opt/gitlab/repo - gitaly_address: tcp:{{ template "gitlab.praefect.serviceName" . }}:8075 + gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:8075 {{- end -}} diff --git a/templates/initdb-configmap.yaml b/templates/initdb-configmap.yaml index 20d1020b9a..5421dde089 100644 
--- a/templates/initdb-configmap.yaml +++ b/templates/initdb-configmap.yaml @@ -17,7 +17,9 @@ data: PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d {{ template "gitlab.psql.database" .}} -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;' {{- if $.Values.global.praefect.enabled }} create_praefect_db.sh: | - PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d template1 -U postgres -c "CREATE ROLE praefect WITH PASSWORD foo; CREATE DATABASE praefect WITH OWNER praefect;" + export PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) + psql -d template1 -U postgres -c "CREATE ROLE praefect WITH LOGIN PASSWORD 'foo' ;" || true + psql -d template1 -U postgres -c "CREATE DATABASE praefect WITH owner praefect;" || true {{- end }} # Leave this here - This line denotes end of block to the parser. {{- end -}} -- GitLab From c9e8bfe4fc6fffe056eb2acd2693525301f90d74 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 18 Aug 2020 15:04:49 -0500 Subject: [PATCH 11/54] Use shared-secrets for praefect db user * Move init steps to a Job * Use erb template to populate password --- .../charts/praefect/templates/configmap.yaml | 18 ++++++- .../charts/praefect/templates/jobspec.yaml | 52 +++++++++++++++++++ .../praefect/templates/statefulset.yaml | 7 ++- .../templates/_generate_secrets.sh | 4 ++ templates/_praefect.tpl | 14 +++++ templates/initdb-configmap.yaml | 6 --- values.yaml | 1 + 7 files changed, 93 insertions(+), 9 deletions(-) create mode 100644 charts/gitlab/charts/praefect/templates/jobspec.yaml diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index fe4d55b747..b172b292aa 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
@@ -21,6 +21,7 @@ data: mkdir -p /init-secrets/praefect /init-secrets/shell cp -v -r -L /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret cp -v -r -L /init-config/gitaly_token /init-secrets/praefect/gitaly_token + cp -v -r -L /init-config/db_password /init-secrets/praefect/db_password config.toml.erb: | # TCP address to listen on listen_addr = '0.0.0.0:{{ .Values.service.internalPort }}' @@ -72,7 +73,20 @@ data: host = '{{ template "gitlab.psql.host" . }}' port = {{ template "gitlab.psql.port" . }} user = 'praefect' - password = 'foo' + password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>' dbname = 'praefect' sslmode = 'disable' - # EOF + create_praefect_db.sh: | + set -ex + export PGPASSWORD=$(cat /secrets/postgresql_db_secret) + export PGHOST={{ template "gitlab.psql.host" . }} + export PGUSER=postgres + export PRAEFECT_PASSWORD=$(echo -n $(cat /secrets/praefect_db_secret)praefect | md5sum | awk '{print $1}') + while ! pg_isready + do + echo "Waiting for ${PGHOST} to be ready" + sleep 1 + done + psql -c "CREATE ROLE praefect WITH LOGIN PASSWORD 'md5${PRAEFECT_PASSWORD}' ;" + psql -c "CREATE DATABASE praefect WITH owner praefect;" + # EOF diff --git a/charts/gitlab/charts/praefect/templates/jobspec.yaml b/charts/gitlab/charts/praefect/templates/jobspec.yaml new file mode 100644 index 0000000000..60b6613053 --- /dev/null +++ b/charts/gitlab/charts/praefect/templates/jobspec.yaml 
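Review bot: `export PRAEFECT_PASSWORD=$(echo -n $(cat /secrets/praefect_db_secret)praefect | md5sum | awk '{print $1}')` leaves the secret unquoted, so a value containing whitespace or glob characters is word-split and expanded before hashing and the stored md5 no longer matches what Praefect presents; use `printf '%s' "$(cat /secrets/praefect_db_secret)praefect" | md5sum | awk '{print $1}'`. The ERB side, `password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>'`, keeps any trailing newline and does no quoting while `$(cat …)` strips the newline, so the two sides can disagree on the same Secret — mirror the `.strip.dump[1..-2]` treatment the `gitaly_token` line in this file uses (visible as context in a later hunk). With `set -ex` the expanded `PGPASSWORD` and the role hash are echoed into the Job log; drop `-x`. `sslmode = 'disable'` together with the legacy md5 scheme means the Praefect↔PostgreSQL session is plaintext; at minimum add a comment stating that TLS to the database is not yet supported.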
@@ -0,0 +1,52 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "fullname" . }}-job + namespace: {{ .Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} +spec: + template: + metadata: + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- include "gitlab.podLabels" . | nindent 8 }} + spec: + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} + restartPolicy: OnFailure + containers: + - name: {{ .Chart.Name }} + image: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ee:latest + command: ['sh', '/scripts/create_praefect_db.sh'] + {{ template "gitlab.imagePullPolicy" . }} + volumeMounts: + - name: scripts + mountPath: /scripts + - name: secrets + mountPath: /secrets + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: scripts + configMap: + name: {{ template "fullname" . }} + - name: secrets + projected: + sources: + - secret: + name: {{ template "gitlab.praefect.dbSecret.secret" . }} + items: + - key: {{ template "gitlab.praefect.dbSecret.key" . }} + path: praefect_db_secret + - secret: + name: {{ template "gitlab.psql.password.secret" . }} + items: + - key: postgresql-postgres-password + path: postgresql_db_secret diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 0bd0fefe74..0b6483abdd 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml 
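Review bot: The Job is named `{{ template "fullname" . }}-job` with no per-revision suffix, and Job specs are immutable, so the first `helm upgrade` that changes anything in the pod template (the `:latest` image tag here will also drift between runs) fails with a field-is-immutable error; suffix the name with `{{ .Release.Revision }}` or make it a Helm hook with a delete policy, and pin the image to the chart's version tag. With `restartPolicy: OnFailure` and a script that runs `CREATE ROLE` / `CREATE DATABASE` unconditionally, a pod that dies after the role exists restarts into a permanent failure loop. The pod also mounts the PostgreSQL superuser password (`postgresql-postgres-password`), yet the file carries no `{{- if .Values.global.praefect.enabled }}` guard, so it renders whenever the subchart is rendered; whether the parent's dependency `condition:` gates that is not visible here — confirm.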
@@ -127,9 +127,14 @@ spec: name: {{ template "gitlab.gitaly.authToken.secret" . }} - secret: items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" }} + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: .gitlab_shell_secret name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + - secret: + items: + - key: {{ template "gitlab.praefect.dbSecret.key" . }} + path: db_password + name: {{ template "gitlab.praefect.dbSecret.secret" . }} - emptyDir: medium: Memory name: etc-ssl-certs diff --git a/charts/shared-secrets/templates/_generate_secrets.sh b/charts/shared-secrets/templates/_generate_secrets.sh index 35725ac650..0c0ef48c03 100644 --- a/charts/shared-secrets/templates/_generate_secrets.sh +++ b/charts/shared-secrets/templates/_generate_secrets.sh @@ -133,3 +133,7 @@ generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} - generate_secret_if_needed "gitlab-grafana-initial-password" --from-literal=password=$(gen_random 'a-zA-Z0-9' 64) {{ end }} +# Praefect DB password +{{ if .Values.global.praefect.enabled }} +generate_secret_if_needed {{ template "gitlab.praefect.dbSecret.secret" . }} --from-literal={{ template "gitlab.praefect.dbSecret.key" . }}=$(gen_random 'a-zA-Z0-9', 32) +{{ end }} diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl index 9dc82a65ed..08bf330cb3 100644 --- a/templates/_praefect.tpl +++ b/templates/_praefect.tpl @@ -1,3 +1,17 @@ {{- define "gitlab.praefect.replicas" -}} 1 {{- end -}} + +{{/* +Return Praefect's dbSecert secret name +*/}} +{{- define "gitlab.praefect.dbSecret.secret" -}} +{{- default (printf "%s-praefect-dbsecret" .Release.Name) .Values.global.praefect.dbSecret.secret | quote -}} +{{- end -}} + +{{/* +Return Praefect's dbSecert secret key +*/}} +{{- define "gitlab.praefect.dbSecret.key" -}} +{{- default "secret" .Values.global.praefect.dbSecret.key | quote -}} +{{- end -}} 
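Review bot: `$(gen_random 'a-zA-Z0-9', 32)` has a stray comma, so the first argument becomes `a-zA-Z0-9,` rather than the character class the line directly above uses (`gen_random 'a-zA-Z0-9' 64`). If `gen_random` builds its alphabet from that argument (not visible here — confirm), generated Praefect database passwords may contain `,`. Change it to `$(gen_random 'a-zA-Z0-9' 32)`.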
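Review bot: Both new template comments in `templates/_praefect.tpl` misspell the value name: `Return Praefect's dbSecert secret name` and `Return Praefect's dbSecert secret key` should read `dbSecret`, matching the `.Values.global.praefect.dbSecret.*` keys the helpers read. The comments should also note that both helpers return an already-quoted string (each pipes through `quote`), since a caller that adds its own quotes would emit a double-quoted name.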
diff --git a/templates/initdb-configmap.yaml b/templates/initdb-configmap.yaml index 5421dde089..032f68ec41 100644 --- a/templates/initdb-configmap.yaml +++ b/templates/initdb-configmap.yaml @@ -15,11 +15,5 @@ data: fi enable_extensions.sh: | PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) psql -d {{ template "gitlab.psql.database" .}} -U postgres -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;' - {{- if $.Values.global.praefect.enabled }} - create_praefect_db.sh: | - export PGPASSWORD=$(cat ${POSTGRES_POSTGRES_PASSWORD_FILE}) - psql -d template1 -U postgres -c "CREATE ROLE praefect WITH LOGIN PASSWORD 'foo' ;" || true - psql -d template1 -U postgres -c "CREATE DATABASE praefect WITH owner praefect;" || true - {{- end }} # Leave this here - This line denotes end of block to the parser. {{- end -}} diff --git a/values.yaml b/values.yaml index e52ddf7e48..e78c2870de 100644 --- a/values.yaml +++ b/values.yaml @@ -120,6 +120,7 @@ global: praefect: enabled: false + dbSecret: {} ## doc/charts/globals.md#configure-minio-settings minio: enabled: true -- GitLab From e6d1df11eb62c216cba1afb33e1d0d70887505fa Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Wed, 19 Aug 2020 11:25:11 -0500 Subject: [PATCH 12/54] Create storage names when praefect is enabled --- charts/gitlab/charts/gitaly/templates/configmap.yml | 2 +- charts/gitlab/templates/_gitaly.tpl | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/configmap.yml b/charts/gitlab/charts/gitaly/templates/configmap.yml index 0d02a3212a..f6a566c0f7 100644 --- a/charts/gitlab/charts/gitaly/templates/configmap.yml +++ b/charts/gitlab/charts/gitaly/templates/configmap.yml 
@@ -41,7 +41,7 @@ data: key_path = '/etc/gitlab-secrets/gitaly/gitaly.key' {{- end }} - <% @storages = [ {{- range (coalesce .Values.internal.names .Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} ] %> + <% @storages = [ {{ include "gitlab.gitaly.storageNames" . }} ] %> <% @index=`echo ${HOSTNAME##*-}`.to_i %> <% if @storages.length > @index %> [[storage]] diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index dad5ccc283..51f45005ea 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl @@ -64,5 +64,14 @@ default: Return the number of replicas set for Gitaly statefulset */}} {{- define "gitlab.gitaly.replicas" -}} -{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.gitaly.replicas }}{{ .Values.global.gitaly.replicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} +{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.praefect.replicas }}{{ .Values.global.praefect.replicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} +{{- end -}} + + +{{- define "gitlab.gitaly.storageNames" -}} +{{- if $.Values.global.praefect.enabled -}} +{{ range until ($.Values.global.praefect.replicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }} {{- end }} +{{- else -}} +{{- range (coalesce .Values.internal.names .Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} +{{- end -}} {{- end -}} -- GitLab From 0a7062c8cd4c1f1aa134a09b9cfd9d12cf2819ce Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Wed, 19 Aug 2020 15:35:37 -0500 Subject: [PATCH 13/54] Fix bug where praefect wasn't setting up virtual_storage correctly --- charts/gitlab/charts/praefect/templates/configmap.yaml | 6 +++--- charts/gitlab/templates/_gitaly.tpl | 4 ++-- charts/gitlab/templates/_praefect.tpl | 8 ++++++++ values.yaml | 1 + 4 files changed, 14 insertions(+), 5 deletions(-) 
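Review bot: In `gitlab.gitaly.storageNames`, the Praefect branch emits `"rel-gitaly-0" "rel-gitaly-1" …` with no separator, while the existing branch emits each name followed by `,`; inside the Ruby array literal `<% @storages = [ … ] %>` that the Gitaly ConfigMap builds, adjacent string literals are concatenated, so every replica collapses into one storage name. Add the comma: `{{ printf "%s-gitaly-%d" $.Release.Name . | quote }}, {{- end }}`. `gitlab.gitaly.replicas` now branches on `.Values.global.praefect.replicas` rather than `.Values.global.praefect.enabled`, so a praefect replica count left in values overrides the Gitaly count even when Praefect is disabled.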
diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index b172b292aa..d4919f370d 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -61,10 +61,10 @@ data: [[virtual_storage]] name = 'default' - {{- range $i, $storage := .Values.global.gitaly.internal.names }} + {{- range compact (include "gitlab.praefect.podNames" . | splitList "," ) }} [[virtual_storage.node]] - storage = '{{ $.Release.Name }}-gitaly-{{ $i }}' - address = 'tcp://{{ $.Release.Name }}-gitaly-{{ $i }}.{{ $.Release.Name }}-gitaly:8075' + storage = '{{ . }}' + address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:8075' token = "<%= File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %>" {{- end }} diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index 51f45005ea..0d1b800988 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl 
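Review bot: `address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:8075'` hard-codes the scheme, the Gitaly headless-service suffix and the port, so it ignores the Gitaly chart's TLS setting (the Gitaly ConfigMap hunk earlier in this series shows a `key_path` TLS block) and any service or port override. When Gitaly serves TLS the Praefect→Gitaly leg of an otherwise TLS-enabled cluster stays plaintext; the scheme should switch to `tls://` and the port should be derived from the same values Gitaly reads, or a comment should record that only plain TCP on 8075 is supported for now. The `token` line is correctly escaped via `.strip.dump[1..-2]`; `storage = '{{ . }}'` relies on `gitlab.praefect.podNames` never producing a single quote, which holds for release names.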
@@ -64,13 +64,13 @@ default: Return the number of replicas set for Gitaly statefulset */}} {{- define "gitlab.gitaly.replicas" -}} -{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.praefect.replicas }}{{ .Values.global.praefect.replicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} +{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.praefect.enabled }}{{ .Values.global.praefect.replicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} {{- end -}} {{- define "gitlab.gitaly.storageNames" -}} {{- if $.Values.global.praefect.enabled -}} -{{ range until ($.Values.global.praefect.replicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }} {{- end }} +{{ range until ($.Values.global.praefect.replicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }}, {{- end }} {{- else -}} {{- range (coalesce .Values.internal.names .Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} {{- end -}} diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index 77429199d3..111ed2e68a 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -14,3 +14,11 @@ Return the resolvable name of the praefect service {{- define "gitlab.praefect.serviceName" -}} {{ $.Release.Name }}-praefect {{- end -}} + + +{{/* +Return a list of Gitaly pod names +*/}} +{{- define "gitlab.praefect.podNames" -}} +{{ range until ($.Values.global.praefect.replicas | int) }}{{ printf "%s-gitaly-%d" $.Release.Name . }},{{- end}} +{{- end -}} diff --git a/values.yaml b/values.yaml index e78c2870de..b372842219 100644 --- a/values.yaml +++ b/values.yaml @@ -120,6 +120,7 @@ global: praefect: enabled: false + replicas: 3 dbSecret: {} ## doc/charts/globals.md#configure-minio-settings minio: -- GitLab From 8dc7e5dcfc4f28e79cf1394651a4d2d35a46923a Mon Sep 17 00:00:00 2001 
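Review bot: `gitlab.praefect.podNames` and `gitlab.gitaly.storageNames` now both hard-code the `%s-gitaly-%d` pod-name pattern; if one is changed (a fullname override, a renamed StatefulSet) Praefect's `virtual_storage` nodes and Gitaly's storage names silently diverge, and Gitaly selects its storage by `HOSTNAME` index (see the `@index` line in the Gitaly ConfigMap hunk of the previous commit), so the mismatch is only noticed at request time. Have `storageNames` iterate over `gitlab.praefect.podNames` so the naming lives in one place, and extend the comment to `Return a list of Gitaly pod names; these must equal the Gitaly StatefulSet pod names, which are also used as storage names`.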
From: Ian Baum Date: Thu, 20 Aug 2020 15:27:32 -0500 Subject: [PATCH 14/54] Updates based on testing * Update naming of template to be more chart specific * Add CHANGELOG * Make create_prafect_db.sh properly idempotent --- changelogs/unreleased/praefect-chart.yml | 5 +++++ charts/gitlab/charts/gitaly/requirements.yaml | 7 ------- .../charts/praefect/templates/configmap.yaml | 20 +++++++++++++++---- charts/gitlab/templates/_praefect.tpl | 2 +- 4 files changed, 22 insertions(+), 12 deletions(-) create mode 100644 changelogs/unreleased/praefect-chart.yml delete mode 100644 charts/gitlab/charts/gitaly/requirements.yaml diff --git a/changelogs/unreleased/praefect-chart.yml b/changelogs/unreleased/praefect-chart.yml new file mode 100644 index 0000000000..7986726f55 --- /dev/null +++ b/changelogs/unreleased/praefect-chart.yml @@ -0,0 +1,5 @@ +--- +title: Add support for Praefect +merge_request: 1493 +author: +type: added diff --git a/charts/gitlab/charts/gitaly/requirements.yaml b/charts/gitlab/charts/gitaly/requirements.yaml deleted file mode 100644 index b5ed570712..0000000000 --- a/charts/gitlab/charts/gitaly/requirements.yaml +++ /dev/null @@ -1,7 +0,0 @@ -dependencies: - - name: praefect - version: 4.1.4 - condition: global.praefect.enabled - import-values: - - child: gitaly - parent: myimports diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index d4919f370d..0b977051f4 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -61,7 +61,7 @@ data: [[virtual_storage]] name = 'default' - {{- range compact (include "gitlab.praefect.podNames" . | splitList "," ) }} + {{- range compact (include "gitlab.praefect.gitalyPodNames" . | splitList "," ) }} [[virtual_storage.node]] storage = '{{ . }}' address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:8075' 
@@ -77,16 +77,28 @@ data: dbname = 'praefect' sslmode = 'disable' create_praefect_db.sh: | - set -ex + set -e + export PGPASSWORD=$(cat /secrets/postgresql_db_secret) export PGHOST={{ template "gitlab.psql.host" . }} export PGUSER=postgres export PRAEFECT_PASSWORD=$(echo -n $(cat /secrets/praefect_db_secret)praefect | md5sum | awk '{print $1}') + while ! pg_isready do echo "Waiting for ${PGHOST} to be ready" sleep 1 done - psql -c "CREATE ROLE praefect WITH LOGIN PASSWORD 'md5${PRAEFECT_PASSWORD}' ;" - psql -c "CREATE DATABASE praefect WITH owner praefect;" + + # Check if the role already exists, and if not, create it + if [ -z $(psql -tqc "select 1 from pg_roles where rolname='praefect'") ] + then + psql -c "CREATE ROLE praefect WITH LOGIN PASSWORD 'md5${PRAEFECT_PASSWORD}' ;" + fi + + # Check if the database already exists, and if not, create it + if [ -z $(psql -tqc "select 1 from pg_database where datname='praefect'") ] + then + psql -c "CREATE DATABASE praefect WITH owner praefect;" + fi # EOF diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index 111ed2e68a..ebd9bb0a9d 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -19,6 +19,6 @@ Return the resolvable name of the praefect service {{/* Return a list of Gitaly pod names */}} -{{- define "gitlab.praefect.podNames" -}} +{{- define "gitlab.praefect.gitalyPodNames" -}} {{ range until ($.Values.global.praefect.replicas | int) }}{{ printf "%s-gitaly-%d" $.Release.Name . }},{{- end}} {{- end -}} -- GitLab From 76c31a9b07640c2c6ee3c4156597e3206c9e3afa Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Fri, 21 Aug 2020 12:12:35 -0500 Subject: [PATCH 15/54] Make the Prafect job use variables for the container it is going to use --- charts/gitlab/charts/praefect/Chart.yaml | 2 +- charts/gitlab/charts/praefect/templates/jobspec.yaml | 2 +- charts/gitlab/values.yaml | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) 
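Review bot: The role branch only creates `praefect` when it is absent, so a rotated `dbSecret` never reaches PostgreSQL: `config.toml.erb` reads the new password while the role keeps the old hash, and Praefect fails to authenticate until someone intervenes. Make the password step unconditional, e.g. keep the `if` for creation and add `psql -c "ALTER ROLE praefect WITH LOGIN PASSWORD 'md5${PRAEFECT_PASSWORD}';"` after it. Both tests use an unquoted substitution, `[ -z $(psql -tqc …) ]`; with empty output this degenerates to `[ -z ]`, which happens to be true, but it is equally true when `psql` itself fails (connection refused, wrong superuser password), so a transient error drives the script into `CREATE …` instead of aborting. Quote the substitution, `[ -z "$(psql -tqc …)" ]`, and check psql's exit status separately so `set -e` can act on it.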
diff --git a/charts/gitlab/charts/praefect/Chart.yaml b/charts/gitlab/charts/praefect/Chart.yaml index eda0ce9c1b..95cb0a36a6 100644 --- a/charts/gitlab/charts/praefect/Chart.yaml +++ b/charts/gitlab/charts/praefect/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v1 name: praefect version: 4.1.4 appVersion: master -description: A manager aiming to maintain replicas for each repository. +description: Praefect is a router and transaction manager for Gitaly, and a required component for running a Gitaly Cluster. keywords: - gitlab - gitaly diff --git a/charts/gitlab/charts/praefect/templates/jobspec.yaml b/charts/gitlab/charts/praefect/templates/jobspec.yaml index 60b6613053..020bcb1006 100644 --- a/charts/gitlab/charts/praefect/templates/jobspec.yaml +++ b/charts/gitlab/charts/praefect/templates/jobspec.yaml @@ -23,7 +23,7 @@ spec: restartPolicy: OnFailure containers: - name: {{ .Chart.Name }} - image: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ee:latest + image: "{{ include "image.repository" . }}:{{ include "gitlab.versionTag" . }}" command: ['sh', '/scripts/create_praefect_db.sh'] {{ template "gitlab.imagePullPolicy" . }} volumeMounts: diff --git a/charts/gitlab/values.yaml b/charts/gitlab/values.yaml index f44cff103c..ca35e531fd 100644 --- a/charts/gitlab/values.yaml +++ b/charts/gitlab/values.yaml @@ -21,6 +21,8 @@ global: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee geo-logcursor: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-geo-logcursor + praefect: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ee communityImages: # Default repositories used to pull Gitlab Community Edition images. # See the image.repository and workhorse.repository template helpers. 
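Review bot: The new `praefect:` image entries under `enterpriseImages` (this hunk) and `communityImages` (the hunk that follows) point at `gitlab-task-runner-*`, not at an image containing Praefect, because they feed the database-setup Job while the StatefulSet keeps using the Gitaly image; that is easy to misread when someone later looks for "the praefect image". Add a comment above each entry, such as `# Image for the Praefect database-setup Job (needs psql); the Praefect daemon ships in the Gitaly image`. Whether `include "image.repository"` in the Job resolves to these keys or to the subchart's own `image.repository` (the Gitaly image) is not visible here — confirm with a `helm template` render.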
@@ -34,6 +36,8 @@ global: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce workhorse: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce + praefect: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ce gitlab-runner: enabled: false -- GitLab From 01c0f4d5b557a0c1b6683196ed8b0ae59223f802 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Fri, 21 Aug 2020 12:13:47 -0500 Subject: [PATCH 16/54] Use values for the metrics port --- charts/gitlab/charts/praefect/templates/service.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/service.yaml b/charts/gitlab/charts/praefect/templates/service.yaml index 19dde73625..f9f2b158e3 100644 --- a/charts/gitlab/charts/praefect/templates/service.yaml +++ b/charts/gitlab/charts/praefect/templates/service.yaml @@ -21,9 +21,9 @@ spec: protocol: TCP targetPort: {{ .Values.service.internalPort }} - name: praefect-metrics - port: 9236 + port: {{ .Values.metrics.port }} protocol: TCP - targetPort: 9236 + targetPort: {{ .Values.metrics.port }} selector: app: {{ template "name" . }} release: {{ .Release.Name }} -- GitLab From 67cce72b014f9e1bf34cc8344804aada6b2389c2 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 25 Aug 2020 16:47:43 -0500 Subject: [PATCH 17/54] Rough draft on praefect documentation --- doc/charts/gitlab/praefect/index.md | 46 +++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 doc/charts/gitlab/praefect/index.md diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md new file mode 100644 index 0000000000..423e54a2ab --- /dev/null +++ b/doc/charts/gitlab/praefect/index.md 
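Review bot: The metrics port now comes from `.Values.metrics.port`, but the scrape annotation at the top of `service.yaml`, added earlier in this series, still reads `.Values.metrics.metricsPort`, so Prometheus is told a different (presumably empty) port than the one the Service exposes. Change the annotation to `prometheus.io/port: "{{ .Values.metrics.port }}"`. The enclosing Service definition starts outside this hunk.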
@@ -0,0 +1,46 @@ +--- +stage: Enablement +group: Distribution +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +--- + +# Using the Praefect chart + +The praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) inside a GitLab installment deployed with the helm charts. + +## Requirements + +This chart depends on the resources in the Gitaly chart. By default, it will spin up 3 Gitaly Replicas. + +## Configuration + +The chart is disabled by default. To enable it as part of a chart deploy set `global.praefect.enabled=true`. + +The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.replicas` to the desired number of replicas. + +### Installation command line options + +The table below contains all the possible charts configurations that can be supplied to +the `helm install` command using the `--set` flags. + +| Parameter | Default | Description | +| ------------------------------ | ------------------------------------------ | ---------------------------------------- | +| failover.enabled | true | Whether Praefect should perform failover on node failure | +| failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | +| electionStrategy | sql | https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election | +| image.repository | registry.gitlab.com/gitlab-org/build/cng/gitaly | The default image repository to use. 
Praefect is bundled as part of the Gitaly image | +| service.name | praefect | The name of the service to create | +| service.type | ClusterIP | The type of service to create | +| service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | +| service.externalPort | 8075 | The port number the praefect service should expose in the cluster | +| init.resources | | | +| init.image | | | +| logging.level | | Log level | +| logging.format | json | Log format | +| logging.sentryDsn | | Sentry DSN URL - Exceptions from Go server | +| logging.rubySentryDsn | | Sentry DSN URL - Exceptions from `gitaly-ruby` | +| logging.sentryEnvironment | | Sentry environment to be used for logging | +| metrics.enabled | true | | +| metrics.port | 9236 | | +| securityContext.runAsUser | 1000 | | +| securityContext.fsGroup | 1000 | | -- GitLab From 6dd7b7bc4d9426b5f647d82abed810160f4380f0 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 25 Aug 2020 17:04:46 -0500 Subject: [PATCH 18/54] Clear up doc lint errors --- doc/charts/gitlab/praefect/index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 423e54a2ab..3505fec7a4 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Using the Praefect chart -The praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) inside a GitLab installment deployed with the helm charts. +The praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) inside a GitLab installment deployed with the Helm charts. ## Requirements 
@@ -27,16 +27,16 @@ the `helm install` command using the `--set` flags. | ------------------------------ | ------------------------------------------ | ---------------------------------------- | | failover.enabled | true | Whether Praefect should perform failover on node failure | | failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | -| electionStrategy | sql | https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election | -| image.repository | registry.gitlab.com/gitlab-org/build/cng/gitaly | The default image repository to use. Praefect is bundled as part of the Gitaly image | -| service.name | praefect | The name of the service to create | +| electionStrategy | sql | `https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election` | +| image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | +| service.name | `praefect `| The name of the service to create | | service.type | ClusterIP | The type of service to create | | service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | -| service.externalPort | 8075 | The port number the praefect service should expose in the cluster | +| service.externalPort | 8075 | The port number the Praefect service should expose in the cluster | | init.resources | | | | init.image | | | | logging.level | | Log level | -| logging.format | json | Log format | +| logging.format | `json` | Log format | | logging.sentryDsn | | Sentry DSN URL - Exceptions from Go server | | logging.rubySentryDsn | | Sentry DSN URL - Exceptions from `gitaly-ruby` | | logging.sentryEnvironment | | Sentry environment to be used for logging | -- GitLab From fe4abaa3be53ed5a0c8c0c9aebef63d39dae8d09 Mon Sep 17 00:00:00 2001 
From: Ian Baum Date: Tue, 25 Aug 2020 17:06:36 -0500 Subject: [PATCH 19/54] Round 2 of doc lint clearing --- doc/charts/gitlab/praefect/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 3505fec7a4..7aaab488ab 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Using the Praefect chart -The praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) inside a GitLab installment deployed with the Helm charts. +The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) inside a GitLab installment deployed with the Helm charts. ## Requirements @@ -29,7 +29,7 @@ the `helm install` command using the `--set` flags. | failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | | electionStrategy | sql | `https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election` | | image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | -| service.name | `praefect `| The name of the service to create | +| service.name | `praefect` | The name of the service to create | | service.type | ClusterIP | The type of service to create | | service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | | service.externalPort | 8075 | The port number the Praefect service should expose in the cluster | -- GitLab From 7efbd701e4a717866b870e1b327510d9b7b45375 Mon Sep 17 00:00:00 2001 
From: Ian Baum Date: Thu, 27 Aug 2020 15:59:16 -0500 Subject: [PATCH 20/54] Rename global.praefect.replicas to globa.praefect.gitalyReplicas * Be clearer on the purpose of the value --- charts/gitlab/templates/_gitaly.tpl | 4 ++-- charts/gitlab/templates/_praefect.tpl | 2 +- doc/charts/gitlab/praefect/index.md | 2 +- values.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index 0d1b800988..cb666ed6af 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl @@ -64,13 +64,13 @@ default: Return the number of replicas set for Gitaly statefulset */}} {{- define "gitlab.gitaly.replicas" -}} -{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.praefect.enabled }}{{ .Values.global.praefect.replicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} +{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.praefect.enabled }}{{ .Values.global.praefect.gitalyReplicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} {{- end -}} {{- define "gitlab.gitaly.storageNames" -}} {{- if $.Values.global.praefect.enabled -}} -{{ range until ($.Values.global.praefect.replicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }}, {{- end }} +{{ range until ($.Values.global.praefect.gitalyReplicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }}, {{- end }} {{- else -}} {{- range (coalesce .Values.internal.names .Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} {{- end -}} diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index ebd9bb0a9d..f68f2c7928 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl 
@@ -20,5 +20,5 @@ Return the resolvable name of the praefect service Return a list of Gitaly pod names */}} {{- define "gitlab.praefect.gitalyPodNames" -}} -{{ range until ($.Values.global.praefect.replicas | int) }}{{ printf "%s-gitaly-%d" $.Release.Name . }},{{- end}} +{{ range until ($.Values.global.praefect.gitalyReplicas | int) }}{{ printf "%s-gitaly-%d" $.Release.Name . }},{{- end}} {{- end -}} diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 7aaab488ab..37a8cd8db2 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -16,7 +16,7 @@ This chart depends on the resources in the Gitaly chart. By default, it will spi The chart is disabled by default. To enable it as part of a chart deploy set `global.praefect.enabled=true`. -The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.replicas` to the desired number of replicas. +The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.gitalyReplicas` to the desired number of replicas. ### Installation command line options diff --git a/values.yaml b/values.yaml index b372842219..9ba2f66fab 100644 --- a/values.yaml +++ b/values.yaml @@ -120,7 +120,7 @@ global: praefect: enabled: false - replicas: 3 + gitalyReplicas: 3 dbSecret: {} ## doc/charts/globals.md#configure-minio-settings minio: -- GitLab From ce4eff9ca90423fd5e5df73aba900e2230ed30a7 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 27 Aug 2020 15:59:54 -0500 Subject: [PATCH 21/54] Switch readonlyAfter to derfault to false * Match the upstream default behavior --- charts/gitlab/charts/praefect/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index 6e26804a23..9f4642ce3b 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml 
@@ -6,7 +6,7 @@ praefect: {} failover: enabled: true - readonlyAfter: false + readonlyAfter: true electionStrategy: sql -- GitLab From 970f67844613cc708328981974930b0f6e5c757c Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 27 Aug 2020 16:14:18 -0500 Subject: [PATCH 22/54] Make praefect db configurable * Allow users to specify host, port, db, user name * Allow to disable DB create job --- .../charts/praefect/templates/configmap.yaml | 8 ++++---- .../charts/praefect/templates/jobspec.yaml | 2 ++ templates/_praefect.tpl | 16 ++++++++++++++++ values.yaml | 3 +++ 4 files changed, 25 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 0b977051f4..33ef811cf5 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -70,11 +70,11 @@ data: {{- end }} [database] - host = '{{ template "gitlab.psql.host" . }}' - port = {{ template "gitlab.psql.port" . }} - user = 'praefect' + host = '{{ template "gitlab.praefect.psql.host" . }}' + port = {{ template "gitlab.praefect.psql.port" . }} + user = '{{ template "gitlab.praefect.psql.user" . }}' password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>' - dbname = 'praefect' + dbname = '{{ template "gitlab.praefect.psql.dbName" }}' sslmode = 'disable' create_praefect_db.sh: | set -e diff --git a/charts/gitlab/charts/praefect/templates/jobspec.yaml b/charts/gitlab/charts/praefect/templates/jobspec.yaml index 020bcb1006..823643304a 100644 --- a/charts/gitlab/charts/praefect/templates/jobspec.yaml +++ b/charts/gitlab/charts/praefect/templates/jobspec.yaml @@ -1,3 +1,4 @@ +{{- if .Values.global.praefect.createDb -}} apiVersion: batch/v1 kind: Job metadata: @@ -50,3 +51,4 @@ spec: items: - key: postgresql-postgres-password path: postgresql_db_secret +{{- end -}} 
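Review bot: The new line `readonlyAfter: true` contradicts the commit subject, which says the default is being switched to false to match upstream, and the chart documentation table elsewhere in this series still lists `failover.readonlyAfter` as `false`. One of the two is wrong: if the intended default is `true`, the subject and the doc table should say so; if it is `false`, the hunk should leave `readonlyAfter: false` as the removed line had it. This value is rendered into `read_only_after_failover` in the Praefect config, so a silent mismatch between docs and defaults decides whether the cluster stays writable after a failover.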
diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl index 08bf330cb3..4c78a55803 100644 --- a/templates/_praefect.tpl +++ b/templates/_praefect.tpl @@ -15,3 +15,19 @@ Return Praefect's dbSecert secret key {{- define "gitlab.praefect.dbSecret.key" -}} {{- default "secret" .Values.global.praefect.dbSecret.key | quote -}} {{- end -}} + +{{- define "gitlab.praefect.psql.host" -}} +{{- coalesce .Values.global.praefect.psql.host (include "gitlab.psql.host" .) }} +{{- end -}} + +{{- define "gitlab.praefect.psql.port" -}} +{{- coalesce .Values.global.praefect.psql.port (include "gitlab.psql.port" .) }} +{{- end -}} + +{{- define "gitlab.praefect.psql.user" -}} +{{- default "praefect" .Values.global.praefect.psql.user }} +{{- end -}} + +{{- define "gitlab.praefect.psql.dbName" -}} +{{- default "praefect" .Values.global.praefect.psql.dbName }} +{{- end -}} diff --git a/values.yaml b/values.yaml index 9ba2f66fab..ecf16a7f6b 100644 --- a/values.yaml +++ b/values.yaml @@ -120,8 +120,11 @@ global: praefect: enabled: false + createDb: true gitalyReplicas: 3 dbSecret: {} + psql: {} + ## doc/charts/globals.md#configure-minio-settings minio: enabled: true -- GitLab From 48ac5cebfa834bc4976e4f6f90f7a8ea5757b3af Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 31 Aug 2020 11:27:44 -0500 Subject: [PATCH 23/54] Update configmap to use praefect.psql settings instead of psql --- charts/gitlab/charts/praefect/templates/configmap.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 33ef811cf5..34d6afb349 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
@@ -74,13 +74,13 @@ data: port = {{ template "gitlab.praefect.psql.port" . }} user = '{{ template "gitlab.praefect.psql.user" . }}' password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>' - dbname = '{{ template "gitlab.praefect.psql.dbName" }}' + dbname = '{{ template "gitlab.praefect.psql.dbName" . }}' sslmode = 'disable' create_praefect_db.sh: | set -e export PGPASSWORD=$(cat /secrets/postgresql_db_secret) - export PGHOST={{ template "gitlab.psql.host" . }} + export PGHOST={{ template "gitlab.praefect.psql.host" . }} export PGUSER=postgres export PRAEFECT_PASSWORD=$(echo -n $(cat /secrets/praefect_db_secret)praefect | md5sum | awk '{print $1}') @@ -97,8 +97,8 @@ data: fi # Check if the database already exists, and if not, create it - if [ -z $(psql -tqc "select 1 from pg_database where datname='praefect'") ] + if [ -z $(psql -tqc "select 1 from pg_database where datname='{{ template "gitlab.praefect.psql.dbName" . }}'") ] then - psql -c "CREATE DATABASE praefect WITH owner praefect;" + psql -c "CREATE DATABASE {{ template "gitlab.praefect.psql.dbName" . }} WITH owner {{ template "gitlab.praefect.psql.user" . }};" fi # EOF -- GitLab From 37d09a26939e6871e87c3cf3c67b325b37473d2d Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 31 Aug 2020 11:28:12 -0500 Subject: [PATCH 24/54] Switch to local replica value for praefect statefulset --- charts/gitlab/charts/praefect/templates/statefulset.yaml | 2 +- charts/gitlab/charts/praefect/values.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 0b6483abdd..57a113e900 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml 
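Review bot: The context line `export PRAEFECT_PASSWORD=$(echo -n $(cat /secrets/praefect_db_secret)praefect | md5sum | awk '{print $1}')` still hard-codes the `praefect` suffix, while the second hunk (`@@ -97,8 +97,8 @@`) now creates the database with owner `{{ template "gitlab.praefect.psql.user" . }}`. A PostgreSQL md5 password hash is md5(password || role name), so if this hash is used for the role created further down the script (between the two hunks, not visible here), anyone who overrides `global.praefect.psql.user` gets a hash bound to the wrong role name and authentication fails. The suffix should come from the same template, and the secret should be quoted to avoid word splitting: `export PRAEFECT_PASSWORD=$(echo -n "$(cat /secrets/praefect_db_secret){{ template "gitlab.praefect.psql.user" . }}" | md5sum | awk '{print $1}')`. The database and owner names are also interpolated into the SQL as bare identifiers, so a `dbName` with unusual characters breaks the statement; the values are operator-supplied, but documenting the allowed form would help.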
@@ -12,7 +12,7 @@ spec: app: {{ template "name" . }} release: {{ $.Release.Name }} serviceName: {{ template "gitlab.praefect.serviceName" . }} - replicas: {{ template "gitlab.praefect.replicas" . }} + replicas: {{ $.Values.replicas }} podManagementPolicy: Parallel template: metadata: diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index 9f4642ce3b..34daf88c73 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -30,3 +30,5 @@ metrics: securityContext: runAsUser: 1000 fsGroup: 1000 + +replicas: 1 -- GitLab From 7d2f38515a5ee57c22f28bec1fd7ad375f56fcea Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 31 Aug 2020 11:28:33 -0500 Subject: [PATCH 25/54] Start adding globals section --- doc/charts/globals.md | 29 +++++++++++++++++++++++++++++ templates/_praefect.tpl | 16 ++++++++++++---- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 1f107a5a15..a7b55ff805 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -20,6 +20,7 @@ for more information on how the global variables work. - [Grafana](#configure-grafana-integration) - [Registry](#configure-registry-settings) - [Gitaly](#configure-gitaly-settings) +- [Praefect](#configure-praefect-settings) - [MinIO](#configure-minio-settings) - [appConfig](#configure-appconfig-settings) - [Rails](#configure-rails-settings) 
@@ -626,6 +627,34 @@ All Gitaly nodes **must** share the same authentication token. Configuring Gitaly to serve via TLS is detailed [in the Gitaly chart's documentation](gitlab/gitaly#running-gitaly-over-tls). +## Configure Praefect settings + +The global Praefect settings are located under the `glbal.praefect` key. + +Praefect is enabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default Postgresql instance. + +```yaml +global: + praefect: + enabled: false + createDb: true + gitalyReplicas: 3 + dbSecret: {} + psql: {} +``` + +| Name | Type | Default | Description | +| ---- | ---- | ------- | ----------- | +| enabled | Bool | false | Whether or not to enable Praefect | +| createDB | Bool | true | Whether the chart should create the database and the database user | +| gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be create | +| dbSecret.secret | String | | The name of the secret to use for authenticating with the database | +| dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | +| psql.host | String | | The hostname of the database server to use | +| psql.port | String | | The port number of the database server | +| psql.user | String | praefect | The database user to use | +| psql.dbName | String | praefect | The name of the database to use + ## Configure MinIO settings The GitLab global MinIO settings are located under the `global.minio` key. For more diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl index 4c78a55803..9144403a19 100644 --- a/templates/_praefect.tpl +++ b/templates/_praefect.tpl @@ -1,7 +1,3 @@ -{{- define "gitlab.praefect.replicas" -}} -1 -{{- end -}} - {{/* Return Praefect's dbSecert secret name */}} 
@@ -16,18 +12,30 @@ Return Praefect's dbSecert secret key {{- default "secret" .Values.global.praefect.dbSecret.key | quote -}} {{- end -}} +{{/* +Return Praefect's database hostname +*/}} {{- define "gitlab.praefect.psql.host" -}} {{- coalesce .Values.global.praefect.psql.host (include "gitlab.psql.host" .) }} {{- end -}} +{{/* +Return Praefect's database port +*/}} {{- define "gitlab.praefect.psql.port" -}} {{- coalesce .Values.global.praefect.psql.port (include "gitlab.psql.port" .) }} {{- end -}} +{{/* +Return Praefect's database username +*/}} {{- define "gitlab.praefect.psql.user" -}} {{- default "praefect" .Values.global.praefect.psql.user }} {{- end -}} +{{/* +Return Praefect's database name +*/}} {{- define "gitlab.praefect.psql.dbName" -}} {{- default "praefect" .Values.global.praefect.psql.dbName }} {{- end -}} -- GitLab From 0156c9504c1a2263dfb62e504c10eae2ab7bfc2d Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 31 Aug 2020 11:46:20 -0500 Subject: [PATCH 26/54] Use proper names when appropriate, backtick out when not --- doc/charts/globals.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index a7b55ff805..bf1dc67e45 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -631,7 +631,7 @@ Configuring Gitaly to serve via TLS is detailed [in the Gitaly chart's documenta The global Praefect settings are located under the `glbal.praefect` key. -Praefect is enabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default Postgresql instance. +Praefect is enabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default PostgreSQL instance. ```yaml global: 
@@ -643,17 +643,17 @@ global: psql: {} ``` -| Name | Type | Default | Description | -| ---- | ---- | ------- | ----------- | -| enabled | Bool | false | Whether or not to enable Praefect | -| createDB | Bool | true | Whether the chart should create the database and the database user | -| gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be create | -| dbSecret.secret | String | | The name of the secret to use for authenticating with the database | -| dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | -| psql.host | String | | The hostname of the database server to use | -| psql.port | String | | The port number of the database server | -| psql.user | String | praefect | The database user to use | -| psql.dbName | String | praefect | The name of the database to use +| Name | Type | Default | Description | +| ---- | ---- | ------- | ----------- | +| enabled | Bool | false | Whether or not to enable Praefect | +| createDB | Bool | true | Whether the chart should create the database and the database user | +| gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be create | +| dbSecret.secret | String | | The name of the secret to use for authenticating with the database | +| dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | +| psql.host | String | | The hostname of the database server to use | +| psql.port | String | | The port number of the database server | +| psql.user | String | `praefect ` | The database user to use | +| psql.dbName | String | `praefect ` | The name of the database to use ## Configure MinIO settings -- GitLab From 32c48c59c84a646139d7fb87cbd47cec09d559be Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 31 Aug 2020 11:50:26 -0500 Subject: [PATCH 27/54] Remove extraneous spaces --- doc/charts/globals.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index bf1dc67e45..3d3a72d13c 100644 
--- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -652,8 +652,8 @@ global: | dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | | psql.host | String | | The hostname of the database server to use | | psql.port | String | | The port number of the database server | -| psql.user | String | `praefect ` | The database user to use | -| psql.dbName | String | `praefect ` | The name of the database to use +| psql.user | String | `praefect` | The database user to use | +| psql.dbName | String | `praefect` | The name of the database to use ## Configure MinIO settings -- GitLab From 857c76c84c975c5c2ab8f26d607fac7431b393ad Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 1 Sep 2020 11:15:33 -0500 Subject: [PATCH 28/54] Updates for globals documentation --- doc/charts/globals.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 3d3a72d13c..9e97e89888 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -629,9 +629,17 @@ Configuring Gitaly to serve via TLS is detailed [in the Gitaly chart's documenta ## Configure Praefect settings -The global Praefect settings are located under the `glbal.praefect` key. +The global Praefect settings are located under the `global.praefect` key. -Praefect is enabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default PostgreSQL instance. +Praefect is disabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default PostgreSQL instance. + +### Enabling + +To enable Praefect with default settings, set `global.praefect.enabled=true`. + +See the [Praefect documentation](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) for details on how to operate a Gitaly cluster using Praefect. + +### Global Settings ```yaml global: 
@@ -647,7 +655,7 @@ global: | ---- | ---- | ------- | ----------- | | enabled | Bool | false | Whether or not to enable Praefect | | createDB | Bool | true | Whether the chart should create the database and the database user | -| gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be create | +| gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be created | | dbSecret.secret | String | | The name of the secret to use for authenticating with the database | | dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | | psql.host | String | | The hostname of the database server to use | -- GitLab From 365439facd01b5dbbe5d32646585a0f63f5cbbd9 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 1 Sep 2020 15:59:27 -0500 Subject: [PATCH 29/54] Add known limitations to the chart doc --- doc/charts/gitlab/praefect/index.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 37a8cd8db2..faa7307869 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -44,3 +44,8 @@ the `helm install` command using the `--set` flags. | metrics.port | 9236 | | | securityContext.runAsUser | 1000 | | | securityContext.fsGroup | 1000 | | + +### Known Limitations + +1. Currently only supports a managed, `default` virtual storage setup +1. One auth token is shared between all Gitaly, and Praefect nodes. -- GitLab From 7a48d2efc65a505d823f5967e79bcb4aa4448696 Mon Sep 17 00:00:00 2001 
From: Ian Baum Date: Fri, 11 Sep 2020 12:40:19 -0500 Subject: [PATCH 30/54] Address some of the feedback from review * Add gitaly servicePort * Split out startup script from configmap * add autoMigrate value * Make some more options configurable --- .../charts/praefect/templates/configmap.yaml | 43 ++++++++++++------- .../praefect/templates/statefulset.yaml | 7 ++- charts/gitlab/requirements.yaml | 1 - doc/charts/gitlab/praefect/index.md | 43 ++++++++++--------- templates/_gitaly.tpl | 7 +++ values.yaml | 6 ++- 6 files changed, 68 insertions(+), 39 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 34d6afb349..7955153a19 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -6,16 +6,6 @@ metadata: labels: {{- include "gitlab.standardLabels" . | nindent 4 }} data: - praefect-start: | - set -e - # create the config files - /scripts/entrypoint.sh - - # Run the migrations - /usr/local/bin/praefect -config /etc/gitaly/config.toml sql-migrate - - # Start praefect - /usr/local/bin/praefect -config /etc/gitaly/config.toml configure: | set -e mkdir -p /init-secrets/praefect /init-secrets/shell @@ -23,6 +13,7 @@ data: cp -v -r -L /init-config/gitaly_token /init-secrets/praefect/gitaly_token cp -v -r -L /init-config/db_password /init-secrets/praefect/db_password config.toml.erb: | + <% token = File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %> # TCP address to listen on listen_addr = '0.0.0.0:{{ .Values.service.internalPort }}' @@ -36,7 +27,7 @@ data: read_only_after_failover = {{ .Values.failover.readonlyAfter }} [auth] - token = "<%= File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %>" + token = "<%= token %>" transitioning = false [logging] 
@@ -60,12 +51,12 @@ data: {{- end }} [[virtual_storage]] - name = 'default' + name = 'default2' {{- range compact (include "gitlab.praefect.gitalyPodNames" . | splitList "," ) }} [[virtual_storage.node]] storage = '{{ . }}' - address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:8075' - token = "<%= File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %>" + address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:{{ template "gitlab.gitaly.servicePort" $ }}' + token = "<%= token %>" {{- end }} @@ -75,7 +66,7 @@ data: user = '{{ template "gitlab.praefect.psql.user" . }}' password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>' dbname = '{{ template "gitlab.praefect.psql.dbName" . }}' - sslmode = 'disable' + sslmode = '{{ $.Values.global.praefect.psql.sslMode }}' create_praefect_db.sh: | set -e @@ -102,3 +93,25 @@ data: psql -c "CREATE DATABASE {{ template "gitlab.praefect.psql.dbName" . }} WITH owner {{ template "gitlab.praefect.psql.user" . }};" fi # EOF +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }}-scripts + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} +data: + praefect-start: | + set -e + # create the config files + /scripts/entrypoint.sh + + {{- if .Values.global.praefect.autoMigrate }} + # Run the migrations + /usr/local/bin/praefect -config /etc/gitaly/config.toml sql-migrate + {{- end }} + + # Start praefect + /usr/local/bin/praefect -config /etc/gitaly/config.toml + diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 57a113e900..759263a272 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml 
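Review bot: The change of the virtual storage name from `'default'` to `'default2'` in this hunk is not mentioned in the commit message and looks like a leftover from local testing. The chart documentation in this series states that only a managed `default` virtual storage is supported, and the rest of the release presumably still refers to the `default` storage, so a renamed virtual storage would make repositories unreachable through Praefect. Unless the rename is deliberate, the line should stay `name = 'default'`.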
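Review bot: In this hunk the database password is still interpolated as `password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>'`, without the `.strip.dump[1..-2]` treatment the same commit introduces for the Gitaly token. A secret mounted from a file commonly ends with a newline, and a password containing `'` breaks the TOML string, so the password should be handled the same way: `password = "<%= File.read('/etc/gitlab-secrets/praefect/db_password').strip.dump[1..-2] %>"`. The new `sslmode = '{{ $.Values.global.praefect.psql.sslMode }}'` renders an empty string if `sslMode` is nulled in an override, so a `default "disable"` in the template would be safer, and `psql.sslMode` is not yet listed in the globals table in this series. Since the shipped default is `disable`, the Praefect-to-PostgreSQL connection is unencrypted unless the operator changes it, which is worth stating in the docs.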
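Review bot: The new `praefect-start` script in the third hunk (`@@ -102,3 +93,25 @@`) gates migrations on `.Values.global.praefect.autoMigrate`, but the documentation table updated in the same commit lists `autoMigrate` among the chart-level parameters next to `failover.enabled`, while the value is defined under `global.praefect` in `values.yaml`. Either move the row to the globals table or read a chart-level value in the template. A comment above the condition, such as `{{/* global.praefect.autoMigrate: run sql-migrate before starting praefect */}}`, would make the source of the flag obvious. Because the script runs on every pod start and the statefulset uses `podManagementPolicy: Parallel` with configurable `replicas`, several pods may run `sql-migrate` at once; whether praefect serialises concurrent migrations is not visible here and should be confirmed.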
@@ -89,7 +89,7 @@ spec: fieldPath: metadata.name {{- include "gitlab.tracing.env" . | nindent 8 }} {{- include "gitlab.extraEnv" . | nindent 8 }} - command: [ "sh", "/etc/gitaly/templates/praefect-start" ] + command: [ "sh", "/scripts/praefect/praefect-start" ] resources: requests: cpu: 100m @@ -104,6 +104,8 @@ spec: readOnly: true - name: praefect-config mountPath: /etc/gitaly/templates + - name: praefect-scripts + mountPath: /scripts/praefect dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler @@ -113,6 +115,9 @@ spec: defaultMode: 420 name: {{ template "fullname" . }} name: praefect-config + - configMap: + defaultMode: 420 + name: {{ template "fullname" . }}-scripts - emptyDir: medium: Memory name: praefect-secrets diff --git a/charts/gitlab/requirements.yaml b/charts/gitlab/requirements.yaml index afa07481cd..39d8a9363e 100644 --- a/charts/gitlab/requirements.yaml +++ b/charts/gitlab/requirements.yaml @@ -1,5 +1,4 @@ dependencies: - name: praefect version: 4.1.4 - repository: http://localhost:10191 condition: global.praefect.enabled diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index faa7307869..81aa87906e 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
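Review bot: The volume added in the third hunk (`@@ -113,6 +115,9 @@`) has no `name:` entry, while the mount added in the second hunk references `name: praefect-scripts`; a volume without a name fails API validation, and even if it passed, the mount would point at a volume that does not exist. Following the pattern of the existing `praefect-config` entry directly above it, add `name: praefect-scripts` after the `configMap:` block. Since the container runs the script via `command: [ "sh", "/scripts/praefect/praefect-start" ]`, the same `defaultMode: 420` as the config volume is sufficient and no execute bit is needed.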
@@ -23,27 +23,28 @@ The default number of replicas to deploy is 3. This can be changed by setting `g The table below contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags. -| Parameter | Default | Description | -| ------------------------------ | ------------------------------------------ | ---------------------------------------- | -| failover.enabled | true | Whether Praefect should perform failover on node failure | -| failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | -| electionStrategy | sql | `https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election` | -| image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | -| service.name | `praefect` | The name of the service to create | -| service.type | ClusterIP | The type of service to create | -| service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | -| service.externalPort | 8075 | The port number the Praefect service should expose in the cluster | -| init.resources | | | -| init.image | | | -| logging.level | | Log level | -| logging.format | `json` | Log format | -| logging.sentryDsn | | Sentry DSN URL - Exceptions from Go server | -| logging.rubySentryDsn | | Sentry DSN URL - Exceptions from `gitaly-ruby` | -| logging.sentryEnvironment | | Sentry environment to be used for logging | -| metrics.enabled | true | | -| metrics.port | 9236 | | -| securityContext.runAsUser | 1000 | | -| securityContext.fsGroup | 1000 | | +| Parameter | Default | Description | +| ------------------------------ | ------------------------------------------ | ---------------------------------------- | +| failover.enabled | true | Whether Praefect should perform failover on node failure | +| failover.readonlyAfter | false | Whether the 
nodes should be in read-only mode after failover | +| autoMigrate | true | Automatically run migrations on startup | +| electionStrategy | sql | `https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election` | +| image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | +| service.name | `praefect` | The name of the service to create | +| service.type | ClusterIP | The type of service to create | +| service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | +| service.externalPort | 8075 | The port number the Praefect service should expose in the cluster | +| init.resources | | | +| init.image | | | +| logging.level | | Log level | +| logging.format | `json` | Log format | +| logging.sentryDsn | | Sentry DSN URL - Exceptions from Go server | +| logging.rubySentryDsn | | Sentry DSN URL - Exceptions from `gitaly-ruby` | +| logging.sentryEnvironment | | Sentry environment to be used for logging | +| metrics.enabled | true | | +| metrics.port | 9236 | | +| securityContext.runAsUser | 1000 | | +| securityContext.fsGroup | 1000 | | ### Known Limitations diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 826b1f5288..bd4ae3e25c 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -35,6 +35,13 @@ Order of operations: {{- coalesce ( .Values.gitaly.serviceName ) .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} {{- end -}} +{{/* +Return the external port of the Gitaly service +*/}} +{{- define "gitlab.gitaly.servicePort" -}} +{{- coalesce .Values.global.gitaly.service.externalPort -}} +{{- end -}} + {{/* Return a qualified gitaly service name, for direct access to the gitaly headless service endpoint of a pod. diff --git a/values.yaml b/values.yaml index ecf16a7f6b..8044f6633f 100644 --- a/values.yaml 
+++ b/values.yaml @@ -114,16 +114,20 @@ global: internal: names: ['default'] external: [] + service: + externalPort: 8075 tls: enabled: false # secretName: praefect: enabled: false + autoMigrate: true createDb: true gitalyReplicas: 3 dbSecret: {} - psql: {} + psql: + sslMode: 'disable' ## doc/charts/globals.md#configure-minio-settings minio: -- GitLab From 8bde397736998cb2c472e08fb094578e438d16c6 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Fri, 11 Sep 2020 17:41:36 +0000 Subject: [PATCH 31/54] Apply 1 suggestion(s) to 1 file(s) --- doc/charts/globals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 9e97e89888..0468e3ecc7 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -658,7 +658,7 @@ global: | gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be created | | dbSecret.secret | String | | The name of the secret to use for authenticating with the database | | dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | -| psql.host | String | | The hostname of the database server to use | +| psql.host | String | | The hostname of the database server to use (when using an external database) | | psql.port | String | | The port number of the database server | | psql.user | String | `praefect` | The database user to use | | psql.dbName | String | `praefect` | The name of the database to use -- GitLab From 4fe31d1a987c069eeca8e12eaadd19d367f21d49 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Fri, 11 Sep 2020 17:41:48 +0000 Subject: [PATCH 32/54] Apply 1 suggestion(s) to 1 file(s) --- doc/charts/globals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 0468e3ecc7..2ec6c9b7b7 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -659,7 +659,7 @@ global: | dbSecret.secret | String | | The name of the secret to use for authenticating with the database | | dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | | psql.host | String | | The hostname of the database server to use (when using an external database) | -| psql.port | String | | The port number of the database server | +| psql.port | String | | The port number of the database server (when using an external database) | | psql.user | String | `praefect` | The database user to use | | psql.dbName | String | `praefect` | The name of the database to use -- GitLab From 40ad6440638a74ecbf59c77aec21da88afb6536d Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Sun, 13 Sep 2020 09:42:31 -0500 Subject: [PATCH 33/54] Address feedback in MR * Don't hardcode gitaly service port * Specifically use the task-runner image --- .../gitlab/charts/gitaly/templates/configmap.yml | 4 ++-- .../gitlab/charts/gitaly/templates/service.yaml | 16 ++++++++-------- .../charts/gitaly/templates/statefulset.yml | 2 +- charts/gitlab/charts/gitaly/values.yaml | 9 +-------- .../charts/praefect/templates/configmap.yaml | 5 ++--- .../charts/praefect/templates/jobspec.yaml | 2 +- .../charts/praefect/templates/statefulset.yaml | 6 +----- charts/gitlab/templates/_praefect.tpl | 2 +- charts/gitlab/values.yaml | 4 ---- templates/_gitaly.tpl | 7 ------- templates/_helpers.tpl | 11 +++++++++++ values.yaml | 6 ++++++ 12 files changed, 34 insertions(+), 40 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/configmap.yml b/charts/gitlab/charts/gitaly/templates/configmap.yml index f6a566c0f7..f360b1797c 100644 --- a/charts/gitlab/charts/gitaly/templates/configmap.yml +++ b/charts/gitlab/charts/gitaly/templates/configmap.yml 
@@ -21,13 +21,13 @@ data: bin_dir = "/usr/local/bin" # listen on a TCP socket. This is insecure (no authentication) - listen_addr = "0.0.0.0:{{ .Values.service.internalPort }}" + listen_addr = "0.0.0.0:{{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }}" # Directory where internal sockets reside internal_socket_dir = "/home/git" {{- if $.Values.global.gitaly.tls.enabled }} - tls_listen_addr = "0.0.0.0:{{ .Values.service.tls.internalPort }}" + tls_listen_addr = "0.0.0.0:{{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.internalPort }}" {{- end }} # If metrics collection is enabled, inform gitaly about that diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index 69c1cfaeb8..0e155755bc 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml 
@@ -13,20 +13,20 @@ metadata: {{- end }} {{- include "gitlab.serviceAnnotations" . | nindent 4 }} spec: - type: {{ .Values.service.type }} + type: {{ coalesce .Values.service.type .Values.global.gitaly.service.type }} clusterIP: "None" ports: - - port: {{ .Values.service.externalPort }} - name: {{ .Values.service.name }} - targetPort: {{ .Values.service.internalPort }} + - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }} + name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }} + targetPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} {{- if .Values.metrics.enabled }} - port: {{ .Values.metrics.metricsPort }} - name: {{ .Values.service.name }}-metrics + name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}-metrics {{- end }} {{- if $.Values.global.gitaly.tls.enabled }} - - port: {{ .Values.service.tls.externalPort }} - name: {{ .Values.service.name }}-tls - targetPort: {{ .Values.service.tls.internalPort }} + - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }} + name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls + targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }} {{- end }} selector: app: {{ template "name" . }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 98b7a67103..588ddc2ecb 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml 
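Review bot: The TLS port entry in the service.yaml hunk writes `name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls` without the space after `{{` that every other expression in the file has; Go templates accept it, but it reads as a typo and defeats a grep for `{{ coalesce`. The same `coalesce .Values.service.X .Values.global.gitaly.service.X` pair is now repeated for every field across this file, the configmap hunk and the statefulset hunk in this commit, so a small named template per field (for example one returning the service name) would keep the local-over-global precedence rule in one place. The precedence change itself is what the MR feedback asked for; this is style only.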
@@ -94,7 +94,7 @@ spec: image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}" {{ template "gitlab.imagePullPolicy" . }} ports: - - containerPort: {{ .Values.service.internalPort }} + - containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} {{- if .Values.metrics.enabled }} - containerPort: {{ .Values.metrics.metricsPort }} {{- end }} diff --git a/charts/gitlab/charts/gitaly/values.yaml b/charts/gitlab/charts/gitaly/values.yaml index 3339700068..b8b793a8f2 100644 --- a/charts/gitlab/charts/gitaly/values.yaml +++ b/charts/gitlab/charts/gitaly/values.yaml @@ -23,14 +23,7 @@ image: pullSecrets: [] # pullPolicy: IfNotPresent # tag: latest -service: - name: gitaly - type: ClusterIP - externalPort: 8075 - internalPort: 8075 - tls: - externalPort: 8076 - internalPort: 8076 +service: {} annotations: {} podLabels: {} diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 7955153a19..f72bc52853 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -8,8 +8,7 @@ metadata: data: configure: | set -e - mkdir -p /init-secrets/praefect /init-secrets/shell - cp -v -r -L /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret + mkdir -p /init-secrets/praefect cp -v -r -L /init-config/gitaly_token /init-secrets/praefect/gitaly_token cp -v -r -L /init-config/db_password /init-secrets/praefect/db_password config.toml.erb: | 
@@ -55,7 +54,7 @@ data: {{- range compact (include "gitlab.praefect.gitalyPodNames" . | splitList "," ) }} [[virtual_storage.node]] storage = '{{ . }}' - address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:{{ template "gitlab.gitaly.servicePort" $ }}' + address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:{{ $.Values.global.gitaly.service.externalPort }}' token = "<%= token %>" {{- end }} diff --git a/charts/gitlab/charts/praefect/templates/jobspec.yaml b/charts/gitlab/charts/praefect/templates/jobspec.yaml index 823643304a..78d48692e9 100644 --- a/charts/gitlab/charts/praefect/templates/jobspec.yaml +++ b/charts/gitlab/charts/praefect/templates/jobspec.yaml @@ -24,7 +24,7 @@ spec: restartPolicy: OnFailure containers: - name: {{ .Chart.Name }} - image: "{{ include "image.repository" . }}:{{ include "gitlab.versionTag" . }}" + image: {{ include "gitlab.task-runner.image" . }}:{{ include "gitlab.versionTag" . }} command: ['sh', '/scripts/create_praefect_db.sh'] {{ template "gitlab.imagePullPolicy" . }} volumeMounts: diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 759263a272..a3bece50b3 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -118,6 +118,7 @@ spec: - configMap: defaultMode: 420 name: {{ template "fullname" . }}-scripts + name: praefect-scripts - emptyDir: medium: Memory name: praefect-secrets @@ -130,11 +131,6 @@ spec: - key: {{ template "gitlab.gitaly.authToken.key" . }} path: gitaly_token name: {{ template "gitlab.gitaly.authToken.secret" . }} - - secret: - items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} - path: .gitlab_shell_secret - name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} - secret: items: - key: {{ template "gitlab.praefect.dbSecret.key" . }} 
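Review bot: The rewritten `image:` line in the jobspec hunk drops the double quotes the removed line had, so the container image is now a plain YAML scalar assembled from two template outputs, while the gitaly statefulset hunk in this same commit keeps its image quoted; the two should match. Quoting also guarantees the value stays a string even if a future `gitlab.versionTag` output starts with a character YAML treats as an indicator: `image: "{{ include "gitlab.task-runner.image" . }}:{{ include "gitlab.versionTag" . }}"`.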
diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index f68f2c7928..44395b3524 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -4,7 +4,7 @@ Return the default praefect storage line for gitlab.yml {{- define "gitlab.praefect.storages" -}} default: path: /var/opt/gitlab/repo - gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:8075 + gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ .Values.global.gitaly.service.externalPort }} {{- end -}} diff --git a/charts/gitlab/values.yaml b/charts/gitlab/values.yaml index ca35e531fd..f44cff103c 100644 --- a/charts/gitlab/values.yaml +++ b/charts/gitlab/values.yaml @@ -21,8 +21,6 @@ global: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee geo-logcursor: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-geo-logcursor - praefect: - repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ee communityImages: # Default repositories used to pull Gitlab Community Edition images. # See the image.repository and workhorse.repository template helpers. @@ -36,8 +34,6 @@ global: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce workhorse: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce - praefect: - repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-task-runner-ce gitlab-runner: enabled: false diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index bd4ae3e25c..826b1f5288 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl 
@@ -35,13 +35,6 @@ Order of operations: {{- coalesce ( .Values.gitaly.serviceName ) .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} {{- end -}} -{{/* -Return the external port of the Gitaly service -*/}} -{{- define "gitlab.gitaly.servicePort" -}} -{{- coalesce .Values.global.gitaly.service.externalPort -}} -{{- end -}} - {{/* Return a qualified gitaly service name, for direct access to the gitaly headless service endpoint of a pod. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 520c59e10c..6007d2cb76 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -418,6 +418,17 @@ Constructs busybox image name. {{- end -}} {{- end -}} +{{/* +Constructs the task-runner image name. +*/}} +{{- define "gitlab.task-runner.image" -}} +{{- if eq "ce" .Values.global.edition -}} +{{ index .Values "global" "communityImages" "task-runner" "repository" }} +{{- else -}} +{{ index .Values "global" "enterpriseImages" "task-runner" "repository" }} +{{- end -}} +{{- end -}} + {{/* Override upstream redis chart naming */}} diff --git a/values.yaml b/values.yaml index 8044f6633f..17e6b1100e 100644 --- a/values.yaml +++ b/values.yaml @@ -115,7 +115,13 @@ global: names: ['default'] external: [] service: + name: gitaly + type: ClusterIP externalPort: 8075 + internalPort: 8075 + tls: + externalPort: 8076 + internalPort: 8076 tls: enabled: false # secretName: -- GitLab From 9a5a869c508f3db4a0fe587088816405ed266202 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Sun, 13 Sep 2020 19:41:03 -0500 Subject: [PATCH 34/54] Specify empty tls group to clear spec error --- charts/gitlab/charts/gitaly/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/values.yaml b/charts/gitlab/charts/gitaly/values.yaml index b8b793a8f2..37c5c94458 100644 --- a/charts/gitlab/charts/gitaly/values.yaml +++ b/charts/gitlab/charts/gitaly/values.yaml 
@@ -23,7 +23,8 @@ image: pullSecrets: [] # pullPolicy: IfNotPresent # tag: latest -service: {} +service: + tls: {} annotations: {} podLabels: {} -- GitLab From 94cfa4598ffcb0b70b81baaae4bc87733165cd9e Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Mon, 14 Sep 2020 08:23:26 -0500 Subject: [PATCH 35/54] Revert accidentally commit --- charts/gitlab/charts/praefect/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index f72bc52853..065ba11a8d 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -50,7 +50,7 @@ data: {{- end }} [[virtual_storage]] - name = 'default2' + name = 'default' {{- range compact (include "gitlab.praefect.gitalyPodNames" . | splitList "," ) }} [[virtual_storage.node]] storage = '{{ . }}' -- GitLab From 1c0e7ca27e610453d719d95ed836bf63171fddbe Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 11:42:34 -0500 Subject: [PATCH 36/54] Fixes per MR * Remove unnecessary praefect value * Change chart dep to use >= * Remove praefect requirements --- charts/gitlab/charts/praefect/requirements.yaml | 3 --- charts/gitlab/charts/praefect/values.yaml | 2 -- charts/gitlab/requirements.yaml | 2 +- 3 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 charts/gitlab/charts/praefect/requirements.yaml diff --git a/charts/gitlab/charts/praefect/requirements.yaml b/charts/gitlab/charts/praefect/requirements.yaml deleted file mode 100644 index 297b11a6ab..0000000000 --- a/charts/gitlab/charts/praefect/requirements.yaml +++ /dev/null @@ -1,3 +0,0 @@ -dependencies: - - name: gitaly - version: 4.1.4 diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index 34daf88c73..fceb083981 100644 --- a/charts/gitlab/charts/praefect/values.yaml 
+++ b/charts/gitlab/charts/praefect/values.yaml @@ -2,8 +2,6 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -praefect: {} - failover: enabled: true readonlyAfter: true diff --git a/charts/gitlab/requirements.yaml b/charts/gitlab/requirements.yaml index 39d8a9363e..1415e33696 100644 --- a/charts/gitlab/requirements.yaml +++ b/charts/gitlab/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: praefect - version: 4.1.4 + version: >= 4.1.4 condition: global.praefect.enabled -- GitLab From a3c2c56f21cb284fc46f2021384a876aa98b2d50 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 13:33:14 -0500 Subject: [PATCH 37/54] Pass at some MR feedback * Make praefect pod resources configurable * Add PodDisruptionBudget for praefect * Prafect is now HA by default * Use consistent scoping in gitaly function --- charts/gitlab/charts/praefect/templates/pdb.yaml | 13 +++++++++++++ .../gitlab/charts/praefect/templates/service.yaml | 2 ++ .../charts/praefect/templates/statefulset.yaml | 4 +--- charts/gitlab/charts/praefect/values.yaml | 10 +++++++++- charts/gitlab/templates/_gitaly.tpl | 2 +- 5 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 charts/gitlab/charts/praefect/templates/pdb.yaml diff --git a/charts/gitlab/charts/praefect/templates/pdb.yaml b/charts/gitlab/charts/praefect/templates/pdb.yaml new file mode 100644 index 0000000000..13a115a70e --- /dev/null +++ b/charts/gitlab/charts/praefect/templates/pdb.yaml @@ -0,0 +1,13 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} 
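Review bot: `version: >= 4.1.4` in the requirements.yaml hunk is not a plain scalar: a block value that begins with `>` is the folded block-scalar indicator, and `=` is not a valid block header character, so go-yaml (which Helm uses) is likely to reject the file rather than read a semver range. Quote the constraint so it reaches Helm's range parser as a string: `version: '>= 4.1.4'`. Any other range constraints added to chart metadata later should be quoted the same way.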
diff --git a/charts/gitlab/charts/praefect/templates/service.yaml b/charts/gitlab/charts/praefect/templates/service.yaml index f9f2b158e3..33fdaf03b9 100644 --- a/charts/gitlab/charts/praefect/templates/service.yaml +++ b/charts/gitlab/charts/praefect/templates/service.yaml @@ -20,10 +20,12 @@ spec: port: {{ .Values.service.externalPort }} protocol: TCP targetPort: {{ .Values.service.internalPort }} + {{- if .Values.metrics.enabled }} - name: praefect-metrics port: {{ .Values.metrics.port }} protocol: TCP targetPort: {{ .Values.metrics.port }} + {{- end }} selector: app: {{ template "name" . }} release: {{ .Release.Name }} diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index a3bece50b3..28e0aceb7d 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -91,9 +91,7 @@ spec: {{- include "gitlab.extraEnv" . | nindent 8 }} command: [ "sh", "/scripts/praefect/praefect-start" ] resources: - requests: - cpu: 100m - memory: 200Mi + {{- toYaml .Values.resources | nindent 10 }} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index fceb083981..c2066ceb52 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -29,4 +29,12 @@ securityContext: runAsUser: 1000 fsGroup: 1000 -replicas: 1 +replicas: 2 + +resources: + requests: + cpu: 100m + memory: 200Mi + +## For PodDisruptionBudget, how many pods can be unavailable at one time +maxUnavailable: 1 diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index cb666ed6af..dc48270d7c 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl 
@@ -72,6 +72,6 @@ Return the number of replicas set for Gitaly statefulset {{- if $.Values.global.praefect.enabled -}} {{ range until ($.Values.global.praefect.gitalyReplicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }}, {{- end }} {{- else -}} -{{- range (coalesce .Values.internal.names .Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} +{{- range (coalesce $.Values.internal.names $.Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} {{- end -}} {{- end -}} -- GitLab From ed7b095163283c6a4334834b457a873f10f0a5f9 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 14:39:23 -0500 Subject: [PATCH 38/54] Add serviceAccountName support to praefect statefulset --- charts/gitlab/charts/praefect/templates/statefulset.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 28e0aceb7d..6efd18ab8a 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -61,6 +61,9 @@ spec: runAsUser: {{ .Values.securityContext.runAsUser }} fsGroup: {{ .Values.securityContext.fsGroup }} {{- include "pullsecrets" .Values.image | indent 6 }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- end }} containers: {{- include "gitlab.extraContainers" . | nindent 6 }} - name: {{ $.Chart.Name }} -- GitLab From 404346cc3f9d32a033f7ce1423b7821271e3112f Mon Sep 17 00:00:00 2001 
From: Ian Baum Date: Tue, 15 Sep 2020 16:00:18 -0500 Subject: [PATCH 39/54] Use separate tokens for praefect and gitaly --- .../charts/migrations/templates/_jobspec.yaml | 4 +--- .../charts/praefect/templates/configmap.yaml | 13 ++++++++----- .../charts/praefect/templates/statefulset.yaml | 5 +++++ charts/gitlab/charts/praefect/values.yaml | 5 +++++ .../charts/sidekiq/templates/deployment.yaml | 4 ++++ .../charts/task-runner/templates/backup-job.yaml | 4 +--- .../charts/task-runner/templates/deployment.yaml | 4 +--- .../charts/webservice/templates/deployment.yaml | 4 +--- charts/gitlab/templates/_gitaly.tpl | 16 ++++++++++++++++ .../templates/_generate_secrets.sh | 5 ++++- templates/_praefect.tpl | 16 ++++++++++++++++ values.yaml | 1 + 12 files changed, 63 insertions(+), 18 deletions(-) diff --git a/charts/gitlab/charts/migrations/templates/_jobspec.yaml b/charts/gitlab/charts/migrations/templates/_jobspec.yaml index 2c808c8c79..0c3340b97f 100644 --- a/charts/gitlab/charts/migrations/templates/_jobspec.yaml +++ b/charts/gitlab/charts/migrations/templates/_jobspec.yaml @@ -128,9 +128,7 @@ spec: - key: secrets.yml path: rails-secrets/secrets.yml - secret: - name: {{ template "gitlab.gitaly.authToken.secret" . }} - items: - - key: {{ template "gitlab.gitaly.authToken.key" . }} + {{ include "gitlab.gitaly.clientSecret" . | nindent 14 }} path: gitaly/gitaly_token {{- include "gitlab.redis.secrets" . | nindent 10 }} {{- include "gitlab.psql.secret" . | nindent 10 }} diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 065ba11a8d..b2eae7e362 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
@@ -9,10 +9,13 @@ data: configure: | set -e mkdir -p /init-secrets/praefect - cp -v -r -L /init-config/gitaly_token /init-secrets/praefect/gitaly_token - cp -v -r -L /init-config/db_password /init-secrets/praefect/db_password + for f in gitaly_token praefect_token db_password + do + cp -v -r -L /init-config/${f} /init-secrets/praefect/${f} + done config.toml.erb: | - <% token = File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %> + <% gitaly_token = File.read('/etc/gitlab-secrets/praefect/gitaly_token').strip.dump[1..-2] %> + <% praefect_token = File.read('/etc/gitlab-secrets/praefect/praefect_token').strip.dump[1..-2] %> # TCP address to listen on listen_addr = '0.0.0.0:{{ .Values.service.internalPort }}' @@ -26,7 +29,7 @@ data: read_only_after_failover = {{ .Values.failover.readonlyAfter }} [auth] - token = "<%= token %>" + token = "<%= praefect_token %>" transitioning = false [logging] @@ -55,7 +58,7 @@ data: [[virtual_storage.node]] storage = '{{ . }}' address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:{{ $.Values.global.gitaly.service.externalPort }}' - token = "<%= token %>" + token = "<%= gitaly_token %>" {{- end }} diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index 6efd18ab8a..dc854c43d9 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -132,6 +132,11 @@ spec: - key: {{ template "gitlab.gitaly.authToken.key" . }} path: gitaly_token name: {{ template "gitlab.gitaly.authToken.secret" . }} + - secret: + items: + - key: {{ template "gitlab.praefect.authToken.key" . }} + path: praefect_token + name: {{ template "gitlab.praefect.authToken.secret" . }} - secret: items: - key: {{ template "gitlab.praefect.dbSecret.key" . }} diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index c2066ceb52..c821d7d3b0 100644 
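Review bot: The two `<% ... = File.read(...).strip.dump[1..-2] %>` lines in the first configmap hunk rely on Ruby's `String#dump` producing only escapes that a TOML basic string accepts; that is true for the generated `a-zA-Z0-9` tokens, but an operator-supplied secret referenced through `global.praefect.authToken.secret` containing a `#{` sequence or a control character such as ESC would be dumped as `\#` or `\e`, neither of which TOML allows, and Praefect would fail to start on an unparseable `token = "..."` line. Either document on the `authToken` value that the token must be alphanumeric, or switch the interpolation to an escaping scheme that is a subset of TOML's (JSON-style string encoding is one option, if the ERB environment provides it). The configure loop above is fine; the `config.toml.erb` block it belongs to continues outside the hunk.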
--- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -38,3 +38,8 @@ resources: ## For PodDisruptionBudget, how many pods can be unavailable at one time maxUnavailable: 1 + +serviceAccount: + enabled: false + create: false + annotations: {} diff --git a/charts/gitlab/charts/sidekiq/templates/deployment.yaml b/charts/gitlab/charts/sidekiq/templates/deployment.yaml index d728882004..570b0a1a94 100644 --- a/charts/gitlab/charts/sidekiq/templates/deployment.yaml +++ b/charts/gitlab/charts/sidekiq/templates/deployment.yaml @@ -13,6 +13,10 @@ {{- $minioSecret := include "gitlab.minio.credentials.secret" . -}} {{- $gitalySecret := include "gitlab.gitaly.authToken.secret" . -}} {{- $gitalyKey := include "gitlab.gitaly.authToken.key" . -}} +{{- if $.Values.global.praefect.enabled -}} +{{- $gitalySecret = include "gitlab.praefect.authToken.secret" . -}} +{{- $gitalyKey = include "gitlab.praefect.authToken.key" . -}} +{{- end -}} {{- $railsSecretName := include "gitlab.rails-secrets.secret" . -}} {{- $metricsEnabled := .Values.metrics.enabled -}} {{- $metricsPort := .Values.metrics.port -}} diff --git a/charts/gitlab/charts/task-runner/templates/backup-job.yaml b/charts/gitlab/charts/task-runner/templates/backup-job.yaml index 85d26a2a82..3c9c40feda 100644 --- a/charts/gitlab/charts/task-runner/templates/backup-job.yaml +++ b/charts/gitlab/charts/task-runner/templates/backup-job.yaml @@ -154,9 +154,7 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: shell/.gitlab_shell_secret - secret: - name: {{ template "gitlab.gitaly.authToken.secret" . }} - items: - - key: {{ template "gitlab.gitaly.authToken.key" . }} + {{ include "gitlab.gitaly.clientSecret" . | nindent 20 }} path: gitaly/gitaly_token {{- include "gitlab.redis.secrets" . | nindent 16 }} {{- include "gitlab.psql.secret" . | nindent 16 }} 
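Review bot: The `{{- if $.Values.global.praefect.enabled -}}` block added at the top of the sidekiq deployment duplicates the secret-and-key selection that this same commit centralises in `gitlab.gitaly.clientSecret` (the migrations, task-runner and webservice hunks all switch to that helper). Two copies of the rule will drift the next time the token lookup changes; either add sibling helpers that return just the secret name and the key and call those here, or leave a comment on the block explaining why sidekiq keeps its own `$gitalySecret`/`$gitalyKey` variables, e.g. `{{/* sidekiq reuses these names below; keep in sync with gitlab.gitaly.clientSecret */}}`.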
diff --git a/charts/gitlab/charts/task-runner/templates/deployment.yaml b/charts/gitlab/charts/task-runner/templates/deployment.yaml index 0eecd89276..6ec83f258e 100644 --- a/charts/gitlab/charts/task-runner/templates/deployment.yaml +++ b/charts/gitlab/charts/task-runner/templates/deployment.yaml @@ -198,9 +198,7 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: shell/.gitlab_shell_secret - secret: - name: {{ template "gitlab.gitaly.authToken.secret" . }} - items: - - key: {{ template "gitlab.gitaly.authToken.key" . }} + {{ include "gitlab.gitaly.clientSecret" . | nindent 14 }} path: gitaly/gitaly_token {{- include "gitlab.redis.secrets" . | nindent 10 }} {{- include "gitlab.psql.secret" . | nindent 10 }} diff --git a/charts/gitlab/charts/webservice/templates/deployment.yaml b/charts/gitlab/charts/webservice/templates/deployment.yaml index a56b224717..30754cd8a2 100644 --- a/charts/gitlab/charts/webservice/templates/deployment.yaml +++ b/charts/gitlab/charts/webservice/templates/deployment.yaml @@ -350,9 +350,7 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: shell/.gitlab_shell_secret - secret: - name: {{ template "gitlab.gitaly.authToken.secret" . }} - items: - - key: {{ template "gitlab.gitaly.authToken.key" . }} + {{ include "gitlab.gitaly.clientSecret" . | nindent 14 }} path: gitaly/gitaly_token {{- include "gitlab.redis.secrets" . | nindent 10 }} {{- include "gitlab.psql.secret" . | nindent 10 }} diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index dc48270d7c..23e2f6283a 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl 
@@ -75,3 +75,19 @@ Return the number of replicas set for Gitaly statefulset {{- range (coalesce $.Values.internal.names $.Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} {{- end -}} {{- end -}} + +{{/* +Return the appropriate block for the Gitaly client secret. +This differs depending on whether or not Praefect is enabled +*/}} +{{- define "gitlab.gitaly.clientSecret" -}} +{{- $secret := include "gitlab.gitaly.authToken.secret" . }} +{{- $key := include "gitlab.gitaly.authToken.key" . }} +{{- if $.Values.global.praefect.enabled -}} +{{- $secret = include "gitlab.praefect.authToken.secret" . }} +{{- $key = include "gitlab.praefect.authToken.key" . }} +{{- end -}} +name: {{ $secret }} +items: + - key: {{ $key }} +{{- end -}} diff --git a/charts/shared-secrets/templates/_generate_secrets.sh b/charts/shared-secrets/templates/_generate_secrets.sh index a70a86b3db..e8bacf46d8 100644 --- a/charts/shared-secrets/templates/_generate_secrets.sh +++ b/charts/shared-secrets/templates/_generate_secrets.sh @@ -138,7 +138,10 @@ generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} - generate_secret_if_needed "gitlab-grafana-initial-password" --from-literal=password=$(gen_random 'a-zA-Z0-9' 64) {{ end }} -# Praefect DB password {{ if .Values.global.praefect.enabled }} +# Praefect DB password generate_secret_if_needed {{ template "gitlab.praefect.dbSecret.secret" . }} --from-literal={{ template "gitlab.praefect.dbSecret.key" . }}=$(gen_random 'a-zA-Z0-9', 32) + +# Gitaly secret +generate_secret_if_needed {{ template "gitlab.praefect.authToken.secret" . }} --from-literal={{ template "gitlab.praefect.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 64) {{ end }} diff --git a/templates/_praefect.tpl b/templates/_praefect.tpl index 9144403a19..139329f174 100644 --- a/templates/_praefect.tpl +++ b/templates/_praefect.tpl 
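Review bot: The comment above the new `generate_secret_if_needed {{ template "gitlab.praefect.authToken.secret" . }}` line in the _generate_secrets.sh hunk reads `# Gitaly secret`, but the line creates the Praefect auth token, which this commit deliberately separates from the Gitaly token; rename it `# Praefect auth token` so the two secrets are not confused during rotation. Separately, the neighbouring context line for the DB password calls `gen_random 'a-zA-Z0-9', 32` with a stray comma, which looks like it passes `'a-zA-Z0-9',` as the character set rather than the intended alphabet and length; `gen_random` is not visible here so I cannot confirm the effect, but it predates this commit and is worth correcting while the block is being touched.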
@@ -39,3 +39,19 @@ Return Praefect's database name {{- define "gitlab.praefect.psql.dbName" -}} {{- default "praefect" .Values.global.praefect.psql.dbName }} {{- end -}} + +{{/* +Return the praefect secret name +Preference is local, global, default (`praefect-secret`) +*/}} +{{- define "gitlab.praefect.authToken.secret" -}} +{{- coalesce .Values.global.praefect.authToken.secret (printf "%s-praefect-secret" .Release.Name) | quote -}} +{{- end -}} + +{{/* +Return the praefect secret key +Preference is local, global, default (`token`) +*/}} +{{- define "gitlab.praefect.authToken.key" -}} +{{- coalesce .Values.global.praefect.authToken.key "token" | quote -}} +{{- end -}} diff --git a/values.yaml b/values.yaml index ab97144244..6cae441214 100644 --- a/values.yaml +++ b/values.yaml @@ -129,6 +129,7 @@ global: praefect: enabled: false + authToken: {} autoMigrate: true createDb: true gitalyReplicas: 3 -- GitLab From b24ba19d6287fa13c8779e04ae1252b66d205812 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 16:37:03 -0500 Subject: [PATCH 40/54] Move known limitations to the top, and add issue links --- doc/charts/gitlab/praefect/index.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 81aa87906e..250f364573 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -8,6 +8,11 @@ info: To determine the technical writer assigned to the Stage/Group associated w The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) inside a GitLab installment deployed with the Helm charts. +## Known Limitations + +1. Currently only supports a managed, `default` virtual storage setup.[^virtual_storage] +1. Currently TLS is not supported.[^tls] + ## Requirements This chart depends on the resources in the Gitaly chart. By default, it will spin up 3 Gitaly Replicas. 
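Review bot: The doc comments on the new `gitlab.praefect.authToken.secret` and `gitlab.praefect.authToken.key` templates say `Preference is local, global, default`, but both bodies only consult `.Values.global.praefect.authToken.*` before falling back to the default; there is no local `.Values.praefect.authToken` lookup. Either drop `local` from both comments, e.g. `Preference is global, then default (`<release>-praefect-secret`)`, or add the local value as the first `coalesce` argument if that precedence is intended.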
@@ -46,7 +51,5 @@ the `helm install` command using the `--set` flags. | securityContext.runAsUser | 1000 | | | securityContext.fsGroup | 1000 | | -### Known Limitations - -1. Currently only supports a managed, `default` virtual storage setup -1. One auth token is shared between all Gitaly, and Praefect nodes. +[^virtual_storage]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307 +[^tls]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306 -- GitLab From 8e1e6aeafccd399df65c3f07c4aa60ee635e3d22 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 16:40:45 -0500 Subject: [PATCH 41/54] Don't use _ in footnote names --- doc/charts/gitlab/praefect/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 250f364573..825d2b8a1c 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -10,7 +10,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ ## Known Limitations -1. Currently only supports a managed, `default` virtual storage setup.[^virtual_storage] +1. Currently only supports a managed, `default` virtual storage setup.[^virtualStorage] 1. Currently TLS is not supported.[^tls] ## Requirements @@ -51,5 +51,5 @@ the `helm install` command using the `--set` flags. | securityContext.runAsUser | 1000 | | | securityContext.fsGroup | 1000 | | -[^virtual_storage]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307 +[^virtualStorage]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307 [^tls]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306 -- GitLab From 2dcd71d44266a39d4edb15faad73ada679561644 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 16:50:15 -0500 Subject: [PATCH 42/54] Use proper links --- doc/charts/gitlab/praefect/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 825d2b8a1c..d625495f87 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -10,7 +10,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ ## Known Limitations -1. Currently only supports a managed, `default` virtual storage setup.[^virtualStorage] +1. Currently only supports a managed, `default` virtual storage setup.[^virtualStorage] 1. Currently TLS is not supported.[^tls] ## Requirements @@ -51,5 +51,5 @@ the `helm install` command using the `--set` flags. | securityContext.runAsUser | 1000 | | | securityContext.fsGroup | 1000 | | -[^virtualStorage]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307 -[^tls]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306 +[^virtualStorage]: [Virtual Storage Issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) +[^tls]: [TLS issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) -- GitLab From 97f8630a0a2e59b74ea8f0d706ea9213dc0b93c3 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 16:59:49 -0500 Subject: [PATCH 43/54] Stop using footnote links --- doc/charts/gitlab/praefect/index.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index d625495f87..8cdf3e5d3f 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -10,8 +10,8 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ ## Known Limitations -1. Currently only supports a managed, `default` virtual storage setup.[^virtualStorage] -1. Currently TLS is not supported.[^tls] +1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) +1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported ## Requirements @@ -50,6 +50,3 @@ the `helm install` command using the `--set` flags. | metrics.port | 9236 | | | securityContext.runAsUser | 1000 | | | securityContext.fsGroup | 1000 | | - -[^virtualStorage]: [Virtual Storage Issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) -[^tls]: [TLS issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) -- GitLab From 28f417f98a0b248c4e53d011d5fd70b3343e69f2 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Tue, 15 Sep 2020 18:01:34 -0500 Subject: [PATCH 44/54] Restore to version specific dependency Using >= was breaking the condition, so praefect was always getting enabled --- charts/gitlab/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/requirements.yaml b/charts/gitlab/requirements.yaml index 1415e33696..39d8a9363e 100644 --- a/charts/gitlab/requirements.yaml +++ b/charts/gitlab/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: praefect - version: >= 4.1.4 + version: 4.1.4 condition: global.praefect.enabled -- GitLab From 8a22babc6ff9a9d6c742ed1e847bdeaa703fb823 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Wed, 16 Sep 2020 09:12:18 -0500 Subject: [PATCH 45/54] Don't specify praefect chart version for dependency --- charts/gitlab/requirements.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/gitlab/requirements.yaml b/charts/gitlab/requirements.yaml index 39d8a9363e..14a338c7ac 100644 --- a/charts/gitlab/requirements.yaml +++ b/charts/gitlab/requirements.yaml 
@@ -1,4 +1,3 @@ dependencies: - name: praefect - version: 4.1.4 condition: global.praefect.enabled -- GitLab From 286f956bd7ee9940ccc35975157531f69460a9c8 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Wed, 16 Sep 2020 09:29:57 -0500 Subject: [PATCH 46/54] Stop auto-creating the Praefect db --- .../charts/praefect/templates/configmap.yaml | 26 --------- .../charts/praefect/templates/jobspec.yaml | 54 ------------------- doc/charts/gitlab/praefect/index.md | 33 ++++++++++++ 3 files changed, 33 insertions(+), 80 deletions(-) delete mode 100644 charts/gitlab/charts/praefect/templates/jobspec.yaml diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index b2eae7e362..b3acb9e181 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
@@ -69,32 +69,6 @@ data: password = '<%= File.read("/etc/gitlab-secrets/praefect/db_password") %>' dbname = '{{ template "gitlab.praefect.psql.dbName" . }}' sslmode = '{{ $.Values.global.praefect.psql.sslMode }}' - create_praefect_db.sh: | - set -e - - export PGPASSWORD=$(cat /secrets/postgresql_db_secret) - export PGHOST={{ template "gitlab.praefect.psql.host" . }} - export PGUSER=postgres - export PRAEFECT_PASSWORD=$(echo -n $(cat /secrets/praefect_db_secret)praefect | md5sum | awk '{print $1}') - - while ! pg_isready - do - echo "Waiting for ${PGHOST} to be ready" - sleep 1 - done - - # Check if the role already exists, and if not, create it - if [ -z $(psql -tqc "select 1 from pg_roles where rolname='praefect'") ] - then - psql -c "CREATE ROLE praefect WITH LOGIN PASSWORD 'md5${PRAEFECT_PASSWORD}' ;" - fi - - # Check if the database already exists, and if not, create it - if [ -z $(psql -tqc "select 1 from pg_database where datname='{{ template "gitlab.praefect.psql.dbName" . }}'") ] - then - psql -c "CREATE DATABASE {{ template "gitlab.praefect.psql.dbName" . }} WITH owner {{ template "gitlab.praefect.psql.user" . }};" - fi - # EOF --- apiVersion: v1 kind: ConfigMap diff --git a/charts/gitlab/charts/praefect/templates/jobspec.yaml b/charts/gitlab/charts/praefect/templates/jobspec.yaml deleted file mode 100644 index 78d48692e9..0000000000 --- a/charts/gitlab/charts/praefect/templates/jobspec.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{- if .Values.global.praefect.createDb -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "fullname" . }}-job - namespace: {{ .Release.Namespace }} - labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} -spec: - template: - metadata: - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - {{- include "gitlab.podLabels" . | nindent 8 }} - spec: - {{- if .Values.tolerations }} - tolerations: - {{- toYaml .Values.tolerations | nindent 8 }} - {{- end }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - fsGroup: {{ .Values.securityContext.fsGroup }} - restartPolicy: OnFailure - containers: - - name: {{ .Chart.Name }} - image: {{ include "gitlab.task-runner.image" . }}:{{ include "gitlab.versionTag" . }} - command: ['sh', '/scripts/create_praefect_db.sh'] - {{ template "gitlab.imagePullPolicy" . }} - volumeMounts: - - name: scripts - mountPath: /scripts - - name: secrets - mountPath: /secrets - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumes: - - name: scripts - configMap: - name: {{ template "fullname" . }} - - name: secrets - projected: - sources: - - secret: - name: {{ template "gitlab.praefect.dbSecret.secret" . }} - items: - - key: {{ template "gitlab.praefect.dbSecret.key" . }} - path: praefect_db_secret - - secret: - name: {{ template "gitlab.psql.password.secret" . }} - items: - - key: postgresql-postgres-password - path: postgresql_db_secret -{{- end -}} diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 8cdf3e5d3f..377618e920 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -12,6 +12,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ 1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) 1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported +1. The database has to be [manually created]() ## Requirements @@ -23,6 +24,38 @@ The chart is disabled by default. To enable it as part of a chart deploy set `gl The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.gitalyReplicas` to the desired number of replicas. +### Creating the database + +Praefect uses its own database to track its state. This has to be manually created in order for Praefect to be functional. + +NOTE: **Note**: These instructions assume you are using the bundled PostgreSQL server. If you are using your own server, +there will be some variation in how you connect. + +1. Log into your database instance. + + ```shell + kubectl exec -it $(kubectl get pods -l app=postgresql -o custom-columns=NAME:.metadata.name --no-headers) -- bash + PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1 + ``` + +1. Create the database user + + ```sql + template1=# CREATE ROLE praefect WITH LOGIN; + ``` + +1. Set the database user password + + ```sql + template1=# \password praefect + Enter new password: + Enter it again: + +1. Create the database + ```sql + CREATE DATABASE praefect WITH OWNER praefect; + ``` + ### Installation command line options The table below contains all the possible charts configurations that can be supplied to -- GitLab From 8928e1e41dbd7e5005c47f4a6664d7dd2dcf132d Mon Sep 17 00:00:00 2001 
From: Ian Baum Date: Wed, 16 Sep 2020 10:51:25 -0500 Subject: [PATCH 47/54] Update praefect documention Link to automated db creation No more trailing spaces fix linting errors --- doc/charts/gitlab/praefect/index.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 377618e920..8953298e25 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -12,7 +12,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ 1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) 1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported -1. The database has to be [manually created]() +1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310) ## Requirements 
@@ -24,18 +24,19 @@ The chart is disabled by default. To enable it as part of a chart deploy set `gl The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.gitalyReplicas` to the desired number of replicas. -### Creating the database +### Creating the database -Praefect uses its own database to track its state. This has to be manually created in order for Praefect to be functional. +Praefect uses its own database to track its state. This has to be manually created in order for Praefect to be functional. -NOTE: **Note**: These instructions assume you are using the bundled PostgreSQL server. If you are using your own server, +NOTE: **Note:** +These instructions assume you are using the bundled PostgreSQL server. If you are using your own server, there will be some variation in how you connect. -1. Log into your database instance. +1. Log into your database instance. ```shell kubectl exec -it $(kubectl get pods -l app=postgresql -o custom-columns=NAME:.metadata.name --no-headers) -- bash - PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1 + PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1 ``` 1. Create the database user @@ -50,8 +51,10 @@ there will be some variation in how you connect. template1=# \password praefect Enter new password: Enter it again: + ``` + +1. Create the database -1. Create the database ```sql CREATE DATABASE praefect WITH OWNER praefect; ``` -- GitLab From 8bb94546b14d4121166af991406462fc5c8a2536 Mon Sep 17 00:00:00 2001 
From: Ian Baum Date: Wed, 16 Sep 2020 18:25:22 -0500 Subject: [PATCH 48/54] Add recommended changes from MR * Remove unused values, definitions, etc * Document secret usage for manual db creation * Add missing components to component definitions --- .../charts/gitaly/templates/statefulset.yml | 4 --- .../charts/praefect/templates/configmap.yaml | 2 -- .../charts/praefect/templates/service.yaml | 2 -- .../praefect/templates/statefulset.yaml | 36 ++++++++++++------- charts/gitlab/charts/praefect/values.yaml | 6 ++++ doc/charts/gitlab/praefect/index.md | 22 ++++++++---- doc/charts/globals.md | 2 -- doc/installation/secrets.md | 25 +++++++++++++ templates/_helpers.tpl | 11 ------ values.yaml | 1 - 10 files changed, 71 insertions(+), 40 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 588ddc2ecb..3728c76cdc 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -111,10 +111,6 @@ spec: - name: GITALY_PROMETHEUS_LISTEN_ADDR value: ':{{ .Values.metrics.metricsPort }}' {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name {{- include "gitlab.tracing.env" . | nindent 12 }} {{- include "gitlab.extraEnv" . | nindent 12 }} volumeMounts: diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index b3acb9e181..b9b59b2cf1 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -80,8 +80,6 @@ metadata: data: praefect-start: | set -e - # create the config files - /scripts/entrypoint.sh {{- if .Values.global.praefect.autoMigrate }} # Run the migrations diff --git a/charts/gitlab/charts/praefect/templates/service.yaml b/charts/gitlab/charts/praefect/templates/service.yaml index 33fdaf03b9..73b2241c26 100644 
--- a/charts/gitlab/charts/praefect/templates/service.yaml +++ b/charts/gitlab/charts/praefect/templates/service.yaml @@ -29,5 +29,3 @@ spec: selector: app: {{ template "name" . }} release: {{ .Release.Name }} -status: - loadBalancer: {} diff --git a/charts/gitlab/charts/praefect/templates/statefulset.yaml b/charts/gitlab/charts/praefect/templates/statefulset.yaml index dc854c43d9..58b672574c 100644 --- a/charts/gitlab/charts/praefect/templates/statefulset.yaml +++ b/charts/gitlab/charts/praefect/templates/statefulset.yaml @@ -26,16 +26,34 @@ spec: {{ $key }}: {{ $value | quote }} {{- end }} spec: + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} affinity: podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: "kubernetes.io/hostname" labelSelector: matchLabels: - app: {{ template "name" . }} - release: {{ $.Release.Name }} + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: topologyKey: kubernetes.io/hostname - weight: 1 + labelSelector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} initContainers: {{- include "gitlab.extraInitContainers" $ | nindent 8 }} {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} 
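Review bot: `topologyKey` is quoted in the hard branch (`"kubernetes.io/hostname"`) but plain in the soft branch directly below it, and `(default .Values.global.antiAffinity .Values.antiAffinity)` is evaluated twice; bind it once with `{{- $antiAffinity := default .Values.global.antiAffinity .Values.antiAffinity }}`, compare with `{{- if eq $antiAffinity "hard" }}` / `{{- else if eq $antiAffinity "soft" }}`, and use one quoting style for the key. `.Values.antiAffinity` is not listed in the Praefect `values.yaml` hunk in this same commit, so the chart-local override is undocumented; presumably `global.antiAffinity` is set in the parent values, but I cannot confirm that from here. The pod spec continues past the end of the hunk.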
@@ -85,14 +103,9 @@ spec: value: '/etc/ssl/certs' - name: PRAEFECT_PROMETHEUS_LISTEN_ADDR value: ':{{ .Values.metrics.port }}' - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name {{- include "gitlab.tracing.env" . | nindent 8 }} {{- include "gitlab.extraEnv" . | nindent 8 }} - command: [ "sh", "/scripts/praefect/praefect-start" ] + args: [ "sh", "/scripts/praefect/praefect-start" ] resources: {{- toYaml .Values.resources | nindent 10 }} terminationMessagePath: /dev/termination-log @@ -109,7 +122,6 @@ spec: mountPath: /scripts/praefect dnsPolicy: ClusterFirst restartPolicy: Always - schedulerName: default-scheduler terminationGracePeriodSeconds: 30 volumes: - configMap: diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index c821d7d3b0..6314b26ad2 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -43,3 +43,9 @@ serviceAccount: enabled: false create: false annotations: {} + +## Support for tolerations for pod scheduling +tolerations: [] + +## The Gitaly StatefulSet's priorityClassName +# priorityClassName: diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 8953298e25..72b2a79a37 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
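Review bot: Switching `command:` to `args:` means the image's entrypoint now runs before `sh /scripts/praefect/praefect-start`, and this commit also drops the explicit `/scripts/entrypoint.sh` call from the `praefect-start` script in the configmap, so startup now depends on the entrypoint passing `"$@"` through; add a comment above the line, `# args, not command: the image entrypoint runs first and must exec the arguments`, so the next reader does not restore `command:` and skip whatever the entrypoint does. I am inferring the entrypoint contract from the two hunks together; the container definition starts above this hunk.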
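Review bot: The new comment `## The Gitaly StatefulSet's priorityClassName` looks copied from the Gitaly chart; this is the Praefect chart's values file, so it should read `## The Praefect StatefulSet's priorityClassName`. The statefulset template in this commit also reads `.Values.antiAffinity` via `default .Values.global.antiAffinity .Values.antiAffinity`, which has no entry here; add a commented `# antiAffinity: soft` (the template accepts `hard` or `soft`) alongside these so the override is discoverable.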
@@ -45,13 +45,23 @@ there will be some variation in how you connect. template1=# CREATE ROLE praefect WITH LOGIN; ``` -1. Set the database user password +1. Set the database user password. - ```sql - template1=# \password praefect - Enter new password: - Enter it again: - ``` + By default, the `shared-secrets` chart will generate a secret for you. + + 1. Fetch the password with + + ```shell + kubectl get secret RELEASE_NAME-praefect-dbsecret -o json | jq -r '.["data"]["secret"]' | base64 --decode + ``` + + 1. Set the password in the psql prompt with: + + ```sql + template1=# \password praefect + Enter new password: + Enter it again: + ``` 1. Create the database diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 3c65d3075e..0aa464e227 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -650,7 +650,6 @@ See the [Praefect documentation](https://docs.gitlab.com/ee/administration/gital global: praefect: enabled: false - createDb: true gitalyReplicas: 3 dbSecret: {} psql: {} @@ -659,7 +658,6 @@ global: | Name | Type | Default | Description | | ---- | ---- | ------- | ----------- | | enabled | Bool | false | Whether or not to enable Praefect | -| createDB | Bool | true | Whether the chart should create the database and the database user | | gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be created | | dbSecret.secret | String | | The name of the secret to use for authenticating with the database | | dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | diff --git a/doc/installation/secrets.md b/doc/installation/secrets.md index d60b947c8a..1d9057a4d1 100644 --- a/doc/installation/secrets.md +++ b/doc/installation/secrets.md 
@@ -44,10 +44,12 @@ documentation. - [Redis password](#redis-password) - [GitLab Shell secret](#gitlab-shell-secret) - [Gitaly secret](#gitaly-secret) + - [Praefect secret](#praefect-secret) - [GitLab Rails secret](#gitlab-rails-secret) - [GitLab Workhorse secret](#gitlab-workhorse-secret) - [GitLab Runner secret](#gitlab-runner-secret) - [PostgreSQL password](#postgresql-password) + - [Praefect DB password](#praefect-db-password) - [MinIO secret](#minio-secret) - [Registry HTTP secret](#registry-http-secret) - [Grafana password](#grafana-password) @@ -186,6 +188,17 @@ kubectl create secret generic -gitaly-secret --from-literal=token=$(head - This secret is referenced by the `global.gitaly.authToken.secret` setting. +### Praefect secret + +Generate a random 64 character alpha-numeric token for Praefect. Replace `` +with the name of the release. + +```shell +kubectl create secret generic -praefect-secret --from-literal=token=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64) +``` + +This secret is referenced by the `global.praefect.authToken.secret` setting. + ### GitLab Rails secret Replace `` with the name of the release. @@ -275,6 +288,18 @@ Replace `` with the name of the release. kubectl create secret generic -registry-httpsecret --from-literal=secret=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64 | base64) ``` +### Praefect DB password + +Generate a random 64 character alpha-numeric password. Replace `` with +the name of the release. + +```shell +kubectl create secret generic -praefect-dbsecret \ + --from-literal=secret=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64) \ +``` + +This secret is referenced by the `global.praefect.dbSecret` setting. + ## External services Some charts have further secrets to enable functionality that can not be automatically generated. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 06c20d741a..8fbc14011a 100644 --- a/templates/_helpers.tpl 
+++ b/templates/_helpers.tpl @@ -440,17 +440,6 @@ Constructs busybox image name. {{- end -}} {{- end -}} -{{/* -Constructs the task-runner image name. -*/}} -{{- define "gitlab.task-runner.image" -}} -{{- if eq "ce" .Values.global.edition -}} -{{ index .Values "global" "communityImages" "task-runner" "repository" }} -{{- else -}} -{{ index .Values "global" "enterpriseImages" "task-runner" "repository" }} -{{- end -}} -{{- end -}} - {{/* Override upstream redis chart naming */}} diff --git a/values.yaml b/values.yaml index 6d931cd328..2eb26f4e26 100644 --- a/values.yaml +++ b/values.yaml @@ -132,7 +132,6 @@ global: enabled: false authToken: {} autoMigrate: true - createDb: true gitalyReplicas: 3 dbSecret: {} psql: -- GitLab From a2e1d61a63486325e8092a243e16c7302ebc098d Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Thu, 17 Sep 2020 00:07:43 +0000 Subject: [PATCH 49/54] Apply 2 suggestion(s) to 1 file(s) --- doc/charts/gitlab/praefect/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 72b2a79a37..9fdc1e466c 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -13,6 +13,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ 1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) 1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported 1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310) +1. [Migrating from an existing gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to praefect is not supported ## Requirements 
@@ -52,7 +53,7 @@ there will be some variation in how you connect. 1. Fetch the password with ```shell - kubectl get secret RELEASE_NAME-praefect-dbsecret -o json | jq -r '.["data"]["secret"]' | base64 --decode + kubectl get secret RELEASE_NAME-praefect-dbsecret -o jsonpath="{.data.secret}" | base64 --decode ``` 1. Set the password in the psql prompt with: -- GitLab From 508d1b05c385dfcfa1660742d455e5356954d5d2 Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Thu, 17 Sep 2020 00:09:53 +0000 Subject: [PATCH 50/54] Apply 1 suggestion(s) to 1 file(s) --- doc/charts/gitlab/praefect/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 9fdc1e466c..4602019526 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -13,7 +13,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ 1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) 1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported 1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310) -1. [Migrating from an existing gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to praefect is not supported +1. [Migrating from an existing Gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to praefect is not supported ## Requirements -- GitLab From 771eabb455663555ba03de7ffae302290b1f2a81 Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Thu, 17 Sep 2020 00:13:06 +0000 Subject: [PATCH 51/54] Apply 1 suggestion(s) to 1 file(s) --- doc/charts/gitlab/praefect/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 4602019526..aec13c8814 100644 
--- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -13,7 +13,7 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ 1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) 1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported 1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310) -1. [Migrating from an existing Gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to praefect is not supported +1. [Migrating from an existing Gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to Praefect is not supported ## Requirements -- GitLab From cc57b9edf0c48c57563065f322c48d05e22fb516 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 17 Sep 2020 14:04:57 +0000 Subject: [PATCH 52/54] Apply 1 suggestion(s) to 1 file(s) --- doc/charts/gitlab/praefect/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index aec13c8814..3ef4935c8b 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -10,10 +10,10 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ ## Known Limitations -1. Currently only supports a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) -1. Currently [TLS](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306) is not supported -1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310) -1. [Migrating from an existing Gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to Praefect is not supported +1. Only a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) is supported. +1. [TLS is not supported](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306). +1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310). +1. [Migrating from an existing Gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to Praefect is not supported. ## Requirements -- GitLab From c2e38e995d66b83afd05a417c6b9716b8409bfa5 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 17 Sep 2020 14:05:04 +0000 Subject: [PATCH 53/54] Apply 1 suggestion(s) to 1 file(s) --- doc/charts/gitlab/praefect/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 3ef4935c8b..aae90dd51d 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -33,7 +33,7 @@ NOTE: **Note:** These instructions assume you are using the bundled PostgreSQL server. If you are using your own server, there will be some variation in how you connect. -1. Log into your database instance. +1. Log into your database instance: ```shell kubectl exec -it $(kubectl get pods -l app=postgresql -o custom-columns=NAME:.metadata.name --no-headers) -- bash -- GitLab 
From 391069e8d1615dc29934f5bf301ee29a3c5e7fb6 Mon Sep 17 00:00:00 2001 From: Ian Baum Date: Thu, 17 Sep 2020 14:05:52 +0000 Subject: [PATCH 54/54] Apply 9 suggestion(s) to 3 file(s) --- doc/charts/gitlab/praefect/index.md | 10 +++++----- doc/charts/globals.md | 4 ++-- doc/installation/secrets.md | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index aae90dd51d..ef4257d748 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -40,7 +40,7 @@ there will be some variation in how you connect. PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1 ``` -1. Create the database user +1. Create the database user: ```sql template1=# CREATE ROLE praefect WITH LOGIN; @@ -50,13 +50,13 @@ there will be some variation in how you connect. By default, the `shared-secrets` chart will generate a secret for you. - 1. Fetch the password with + 1. Fetch the password: ```shell kubectl get secret RELEASE_NAME-praefect-dbsecret -o jsonpath="{.data.secret}" | base64 --decode ``` - 1. Set the password in the psql prompt with: + 1. Set the password in the `psql` prompt: ```sql template1=# \password praefect @@ -64,7 +64,7 @@ there will be some variation in how you connect. Enter it again: ``` -1. Create the database +1. Create the database: ```sql CREATE DATABASE praefect WITH OWNER praefect; 
@@ -80,7 +80,7 @@ the `helm install` command using the `--set` flags. | failover.enabled | true | Whether Praefect should perform failover on node failure | | failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | | autoMigrate | true | Automatically run migrations on startup | -| electionStrategy | sql | `https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election` | +| electionStrategy | sql | See [election strategy](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#automatic-failover-and-leader-election) | | image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | | service.name | `praefect` | The name of the service to create | | service.type | ClusterIP | The type of service to create | diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 0aa464e227..c76a77e7e8 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -638,13 +638,13 @@ The global Praefect settings are located under the `global.praefect` key. Praefect is disabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default PostgreSQL instance. -### Enabling +### Enable Praefect To enable Praefect with default settings, set `global.praefect.enabled=true`. See the [Praefect documentation](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) for details on how to operate a Gitaly cluster using Praefect. -### Global Settings +### Global settings for Praefect ```yaml global: diff --git a/doc/installation/secrets.md b/doc/installation/secrets.md index 1d9057a4d1..b005dd361e 100644 --- a/doc/installation/secrets.md +++ b/doc/installation/secrets.md 
@@ -191,7 +191,7 @@ This secret is referenced by the `global.gitaly.authToken.secret` setting. ### Praefect secret Generate a random 64 character alpha-numeric token for Praefect. Replace `` -with the name of the release. +with the name of the release: ```shell kubectl create secret generic -praefect-secret --from-literal=token=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64) @@ -291,7 +291,7 @@ kubectl create secret generic -registry-httpsecret --from-literal=secret=$ ### Praefect DB password Generate a random 64 character alpha-numeric password. Replace `` with -the name of the release. +the name of the release: ```shell kubectl create secret generic -praefect-dbsecret \ -- GitLab