diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 07cf909e51a3a8e12d486f8fc2131c3317bded69..3f13ebe5d3840c128f960e5acc4eb4308dfadeae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -254,14 +254,23 @@ production:
 --set registry.registry.tokenIssuer="omnibus-gitlab-issuer" \
 --set registry.registry.certBundle.secretName="gitlab-registry" \
 --set registry.registry.certBundle.bundleName="registry-auth.crt" \
+ --set gitlab.unicorn.enabled=true \
+ --set gitlab.unicorn.redis.password.secret=gitlab-redis \
+ --set gitlab.unicorn.redis.password.key=redis-password \
+ --set gitlab.unicorn.psql.serviceName=omnibus \
+ --set gitlab.unicorn.psql.password=d3adb33f \
 --set gitlab.omnibus.enabled=true \
 --set gitlab.omnibus.service.type=NodePort \
 --set gitlab.omnibus.external_url="https://gitlab$DOMAIN" \
 --set gitlab.omnibus.initial_root_password="$ROOT_PASSWORD" \
+ --set gitlab.omnibus.unicorn.enabled=false \
+ --set gitlab.omnibus.workhorse.auth_backend.serviceName=unicorn \
 --set gitlab.omnibus.redis.enabled=true \
 --set gitlab.omnibus.redis.password.secret=gitlab-redis \
 --set gitlab.omnibus.redis.password.key=redis-password \
 --set gitlab.omnibus.psql.enabled=true \
+ --set gitlab.omnibus.psql.password=d3adb33f \
+ --set gitlab.omnibus.psql.sql_user_password=bb4564b590a56552ada62d8bb338f554 \
 --set gitlab.omnibus.registry.host="registry$DOMAIN" \
 --set gitlab.omnibus.registry.port=443 \
 --set gitlab.omnibus.registry.secret=gitlab-registry \
diff --git a/charts/gitlab/charts/omnibus/templates/_helpers.tpl b/charts/gitlab/charts/omnibus/templates/_helpers.tpl
index f0d83d2edba6594091e5fcfa35125296669e8e9a..0e8c8b88881c89588c2ff0678448b82ddfd395e9 100644
--- a/charts/gitlab/charts/omnibus/templates/_helpers.tpl
+++ b/charts/gitlab/charts/omnibus/templates/_helpers.tpl
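Review bot: The added `--set gitlab.unicorn.psql.password=d3adb33f`, `--set gitlab.omnibus.psql.password=d3adb33f` and `--set gitlab.omnibus.psql.sql_user_password=bb4564b590a56552ada62d8bb338f554` lines commit the production database credentials in clear text to a versioned CI file, whereas the neighbouring root and redis credentials in the same hunk already come from `$ROOT_PASSWORD` and the `gitlab-redis` secret. Anyone who can read the repository, and anyone who can read the job log if helm's arguments are echoed unmasked, gets the production postgres password. Source them from masked CI variables the same way, e.g. `--set gitlab.omnibus.psql.password="$PSQL_PASSWORD"` and `--set gitlab.unicorn.psql.password="$PSQL_PASSWORD"`, with `sql_user_password` derived from the same variable. Treat the committed values as burned and rotate them on any cluster this job has deployed to; removing the string in a later commit does not remove it from history.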
@@ -14,3 +14,18 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Return the workhorse auth backend
+If the postgresql host is provided, it will use that, otherwise it will fallback
+to the service name
+*/}}
+{{- define "workhorse.auth_backend" -}}
+{{- $port := coalesce .Values.workhorse.auth_backend.port .Values.service.ports.unicorn 8080 | toString -}}
+{{- if .Values.workhorse.auth_backend.host -}}
+{{- printf "%s:%s" .Values.workhorse.auth_backend.host $port -}}
+{{- else -}}
+{{- $name := default "omnibus" .Values.workhorse.auth_backend.serviceName -}}
+{{- printf "http://%s-%s:%s" .Release.Name $name $port -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/omnibus/templates/configmap.yaml b/charts/gitlab/charts/omnibus/templates/configmap.yaml
index 1e7a7b395d3f26d6dd1c86db58525bc94afc9bd9..acf5a18d98a772e66fefbed6b3b0b2e495cb97d0 100644
--- a/charts/gitlab/charts/omnibus/templates/configmap.yaml
+++ b/charts/gitlab/charts/omnibus/templates/configmap.yaml
@@ -54,9 +54,10 @@ data:
 gitlab_workhorse['enable'] = {{ .Values.workhorse.enabled }}
 gitlab_workhorse['listen_network'] = 'tcp'
 gitlab_workhorse['listen_addr'] = '0.0.0.0:{{ .Values.service.ports.workhorse }}'
- gitlab_workhorse['auth_backend'] = {{ .Values.workhorse.auth_backend | quote }}
+ gitlab_workhorse['auth_backend'] = '{{ template "workhorse.auth_backend" . }}'
 ###################
 # unicorn
+ unicorn['enable'] = {{ .Values.unicorn.enabled }}
 unicorn['listen'] = '*'
 unicorn['port'] = {{ .Values.service.ports.unicorn }}
 unicorn['worker_timeout'] = {{ .Values.unicorn.worker.timeout }}
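Review bot: In `workhorse.auth_backend` the two branches do not yield the same kind of value: the `host` branch emits `host:port` verbatim, while the `serviceName` branch prepends `http://`, so a caller who sets `auth_backend.host` must include the scheme themselves (the values.yaml example in this commit indeed shows `host: "http://0.0.0.0"`) and a bare hostname renders as `gitlab_workhorse['auth_backend'] = 'myhost:8080'`, which workhorse would presumably reject as a URL. Either normalise the host branch so both paths return a URL, or state the contract in the header comment. The comment as written is copy-pasted from a database helper ("If the postgresql host is provided"); it should read `If workhorse.auth_backend.host is set it is used as-is (scheme included) with :port appended, otherwise http://<release>-<auth_backend.serviceName>:<port> is built; port falls back to service.ports.unicorn, then 8080`.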
@@ -71,14 +72,21 @@ data:
 postgresql['listen_address'] = '0.0.0.0'
 postgresql['port'] = {{ .Values.service.ports.psql }}
 postgresql['shared_buffers'] = {{ .Values.psql.shared_buffers | quote }}
- #postgresql['md5_auth_cidr_addresses'] = %w{{ .Values.trusted_proxies }}
+ postgresql['md5_auth_cidr_addresses'] = %w{{ .Values.trusted_proxies }}
 postgresql['trust_auth_cidr_addresses'] = ['127.0.0.1/24', '172.16.0.0/12']
+ {{- if .Values.psql.sql_user_password }}
+ postgresql['sql_user_password'] = {{ .Values.psql.sql_user_password | quote }}
+ {{- end }}
 ###################
 # Redis
 redis['enable'] = {{ .Values.redis.enabled }}
 redis['bind'] = '0.0.0.0'
 redis['port'] = {{ .Values.service.ports.redis }}
 redis['password'] = File.read("/etc/gitlab-redis/password")
+ redis_exporter['flags'] = {
+ 'redis.addr' => "redis://{{ default "127.0.0.1" .Values.redis.host }}:{{ default .Values.service.ports.redis .Values.redis.port }}",
+ 'redis.password' => File.read("/etc/gitlab-redis/password")
+ }
 ###################
 # DISABLED SERVICES
 # registry, pages, mattermost, prometheus
diff --git a/charts/gitlab/charts/omnibus/values.yaml b/charts/gitlab/charts/omnibus/values.yaml
index fc962fcbf6287d1a569403105b49dc97d09fab36..aee3c43cfdbf5820d29e73a80b701e3132d63e24 100644
--- a/charts/gitlab/charts/omnibus/values.yaml
+++ b/charts/gitlab/charts/omnibus/values.yaml
@@ -12,7 +12,7 @@ service:
 clusterIP: '0.0.0.0'
 ports:
 nginx: 80
- redis: 6397
+ redis: 6379
 psql: 5432
 shell: 22
 unicorn: 8080
@@ -43,11 +43,12 @@ redis:
 psql:
 enabled: false
 shared_buffers: "1MB"
- # host: '127.0.0.1'
+ # host: '0.0.0.0'
 # port: '5432'
 # database: 'gitlabhq_production'
 # username: 'gitlab'
 # password: nil
+ # sql_user_password: nil
 shell:
 enabled: false
 unicorn:
@@ -58,7 +59,11 @@ unicorn:
 workhorse:
 enabled: false
 # point to Unicorn
- auth_backend: "http://0.0.0.0:8080"
+ auth_backend: {}
+ # host: "http://0.0.0.0"
+ # serviceName: "unicorn"
+ # port: 8080
+
 gitaly:
 enabled: false
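Review bot: Enabling `postgresql['md5_auth_cidr_addresses'] = %w{{ .Values.trusted_proxies }}` does not actually make in-cluster clients authenticate, because the unchanged line right below keeps `postgresql['trust_auth_cidr_addresses'] = ['127.0.0.1/24', '172.16.0.0/12']` on a server that listens on `0.0.0.0`; 172.16.0.0/12 typically overlaps the cluster pod network, so any pod in that range connects with no password and the new `sql_user_password` is moot for it. Now that unicorn runs in its own pod and carries a password, the trust range can shrink to loopback, e.g. `postgresql['trust_auth_cidr_addresses'] = ['127.0.0.1/32']`, with the pod CIDR listed in `trusted_proxies` instead. Separately, `%w{{ .Values.trusted_proxies }}` only yields valid Ruby when Go renders the value as a bracketed, whitespace-separated list, and an unset value may render as `%w<no value>`; guard it with `{{- if .Values.trusted_proxies }}` or `required`. The new `redis_exporter` block passes `File.read("/etc/gitlab-redis/password")` unstripped, so a Secret value stored with a trailing newline becomes a password with a newline — worth confirming against how `gitlab-redis` is created.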
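Review bot: The replacement example `# host: '0.0.0.0'` under `psql:` is misleading for a client-side setting: `0.0.0.0` is a bind address, not something unicorn can connect to, and this commit's `unicorn.psql.host` helper copies the value straight into `database.yml`, so the old `'127.0.0.1'` or a service DNS name was the better illustration. The new `# sql_user_password: nil` also needs a line saying what goes there; the value this commit sets in CI is a 32-hex-character string, which looks like omnibus's md5 form rather than the clear-text password, but that should be confirmed and documented, e.g. `# sql_user_password: nil  # md5 form expected by omnibus (not the clear-text password); see gitlab-ctl pg-password-md5`.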
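Review bot: `auth_backend: {}` with the examples `# host: "http://0.0.0.0"` and `# port: 8080` needs to say that `host` is used verbatim, scheme included, and that `:port` is appended, because the `workhorse.auth_backend` helper in this commit only adds `http://` on the `serviceName` path; a reader who follows the example with a bare hostname ends up with a scheme-less auth backend. `0.0.0.0` is also a listen address rather than a destination, so the example should name a reachable host. I would replace the three comment lines with `# host: "http://unicorn.internal"  # full URL incl. scheme; :port is appended`, `# serviceName: "unicorn"  # used as http://<release>-<serviceName>:<port> when host is unset`, `# port: 8080  # defaults to service.ports.unicorn`.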
diff --git a/charts/gitlab/charts/unicorn/templates/_helpers.tpl b/charts/gitlab/charts/unicorn/templates/_helpers.tpl
index f0d83d2edba6594091e5fcfa35125296669e8e9a..904b57205a88454f8a4f572bc8e9f25fee06a894 100644
--- a/charts/gitlab/charts/unicorn/templates/_helpers.tpl
+++ b/charts/gitlab/charts/unicorn/templates/_helpers.tpl
@@ -14,3 +14,31 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Return the db hostname
+If the postgresql host is provided, it will use that, otherwise it will fallback
+to the service name
+*/}}
+{{- define "unicorn.psql.host" -}}
+{{- if .Values.psql.host -}}
+{{- .Values.psql.host | quote -}}
+{{- else -}}
+{{- $name := default "omnibus" .Values.psql.serviceName -}}
+{{- printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the redis hostname
+If the postgresql host is provided, it will use that, otherwise it will fallback
+to the service name
+*/}}
+{{- define "unicorn.redis.host" -}}
+{{- if .Values.redis.host -}}
+{{- .Values.redis.host | quote -}}
+{{- else -}}
+{{- $name := default "omnibus" .Values.redis.serviceName -}}
+{{- printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/unicorn/templates/configmap.yml b/charts/gitlab/charts/unicorn/templates/configmap.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cace5e0fe0ff0fab3bc289552decc2b391d0883a
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/configmap.yml
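Review bot: Both helpers apply `| quote` only on the explicit-host branch (`{{- .Values.psql.host | quote -}}`, `{{- .Values.redis.host | quote -}}`) and leave the service-name fallback unquoted, yet the new configmap.yml interpolates them inside larger strings — `redis://:<pw>@{{ template "unicorn.redis.host" . }}:<port>` in resque.yml.erb and `URL = "tcp://{{ template "unicorn.redis.host" . }}:<port>"` in workhorse-config.toml.erb — so setting `redis.host` renders `redis://:pw@"myhost":6379` and a TOML string broken by embedded quotes, while the default path happens to work. Drop the quoting inside the helpers, `{{- .Values.psql.host -}}` and `{{- .Values.redis.host -}}`, and quote at the one YAML call site that needs it (`host: {{ template "unicorn.psql.host" . | quote }}`). The comment on `unicorn.redis.host` also says "If the postgresql host is provided"; it should say `If redis.host is set it is returned as-is, otherwise <release>-<redis.serviceName> (default omnibus) is used`.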
@@ -0,0 +1,32 @@
+{{- if .Values.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "fullname" . }}
+data:
+ database.yml.erb: |
+ production:
+ adapter: postgresql
+ encoding: unicode
+ database: {{ default "gitlabhq_production" .Values.psql.database | quote }}
+ pool: 10
+ username: {{ default "gitlab" .Values.psql.username | quote }}
+ password: {{ .Values.psql.password | quote }}
+ host: {{ template "unicorn.psql.host" . }}
+ port: {{ default 5432 .Values.psql.port }}
+ # load_balancing:
+ # hosts:
+ # - host1.example.com
+ # - host2.example.com
+ resque.yml.erb: |
+ production:
+ # Redis (single instance)
+ url: redis://:<%= File.read("/etc/gitlab-redis/password") %>@{{ template "unicorn.redis.host" . }}:{{ default 6379 .Values.redis.port }}
+ workhorse-config.toml.erb: |
+ [redis]
+ URL = "tcp://{{ template "unicorn.redis.host" . }}:{{ default 6379 .Values.redis.port }}"
+ Password = "<%= File.read("/etc/gitlab-redis/password") %>"
+# Leave this here - This line denotes end of block to the parser.
+{{- end }}
diff --git a/charts/gitlab/charts/unicorn/templates/deployment.yaml b/charts/gitlab/charts/unicorn/templates/deployment.yaml
index 45af87995d7a5305a01efcd9cb2f775c05baa40c..faaca8dc2095691986ee72a0a00bc895a27be232 100644
--- a/charts/gitlab/charts/unicorn/templates/deployment.yaml
+++ b/charts/gitlab/charts/unicorn/templates/deployment.yaml
@@ -15,6 +15,8 @@ spec:
 labels:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
+ annotations:
+ checksum/config: {{ .Files.Get "configmap.yml" | sha256sum }}
 spec:
 containers:
 - name: {{ .Chart.Name }}
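Review bot: `password: {{ .Values.psql.password | quote }}` writes the database password into a ConfigMap, which any principal with `get configmaps` in the namespace (and every tool that dumps ConfigMaps for debugging) can read, while the redis password a few stanzas down is handled correctly by reading it at render time from a mounted Secret with `<%= File.read("/etc/gitlab-redis/password") %>`. Do the same for postgres: mount a `gitlab-psql` Secret into the pod and write `password: <%= File.read("/etc/gitlab-psql/password") %>`, so the ConfigMap carries no credential. Two smaller points on the same file: `File.read` keeps a trailing newline if the Secret value has one, so `.strip` is worth adding to all three reads, and the resque `url:` embeds the password raw in the URL userinfo part, where characters such as `@`, `/` or `#` would need percent-encoding — I have not checked how this Redis client parses it, so test with a generated password.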
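Review bot: `checksum/config: {{ .Files.Get "configmap.yml" | sha256sum }}` hashes the wrong thing: `.Files.Get` resolves relative to the chart root and, per Helm's documentation, cannot read anything under `templates/`, so this is the hash of an empty string and the annotation never changes — a ConfigMap edit will not roll the pods, which is the only reason to add the annotation. Hash the rendered template instead: `checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }}`. The Deployment template continues outside this hunk.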
@@ -22,16 +24,41 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - containerPort: {{ .Values.service.internalPort }}
- livenessProbe:
- httpGet:
- path: /
- port: {{ .Values.service.internalPort }}
- readinessProbe:
- httpGet:
- path: /
- port: {{ .Values.service.internalPort }}
+ - containerPort: {{ .Values.service.workhorseInternalPort }}
+ env:
+ - name: CONFIG_TEMPLATE_DIRECTORY
+ value: '/var/opt/gitlab/templates'
+ - name: CONFIG_DIRECTORY
+ value: '/var/opt/gitlab/config/gitlab/'
+ - name: GITLAB_HOST
+ value: {{ .Values.gitlab_host }}
+ volumeMounts:
+ - name: unicorn-config
+ mountPath: '/var/opt/gitlab/templates'
+ - name: unicorn-redis
+ mountPath: '/etc/gitlab-redis'
+ readOnly: true
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: {{ .Values.service.internalPort }}
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: {{ .Values.service.internalPort }}
 resources:
 {{ toYaml .Values.resources | indent 12 }}
+ volumes:
+ - name: unicorn-config
+ configMap:
+ name: {{ template "fullname" . }}
+ - name: unicorn-redis
+ secret:
+ secretName: {{ .Values.redis.password.secret }}
+ items:
+ - key: {{ .Values.redis.password.key }}
+ path: password
+ defaultMode: 0400
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
diff --git a/charts/gitlab/charts/unicorn/templates/service.yaml b/charts/gitlab/charts/unicorn/templates/service.yaml
index 05d087a57c59be689ae8c6408a44e99466feaeee..2162fa48fef85ade796f323e8ff829010c89de5a 100644
--- a/charts/gitlab/charts/unicorn/templates/service.yaml
+++ b/charts/gitlab/charts/unicorn/templates/service.yaml
@@ -15,6 +15,10 @@ spec:
 targetPort: {{ .Values.service.internalPort }}
 protocol: TCP
 name: {{ .Values.service.name }}
+ - port: {{ .Values.service.workhorseExternalPort }}
+ targetPort: {{ .Values.service.workhorseInternalPort }}
+ protocol: TCP
+ name: workhorse
 selector:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
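Review bot: The liveness and readiness probes are commented out rather than replaced, and the Service hunk in this same commit now fronts both 8080 and 8181, so pods receive traffic from the moment the container starts and are never restarted when unicorn wedges; at minimum restore a readiness probe such as `readinessProbe: {tcpSocket: {port: {{ .Values.service.internalPort }}}}` until an HTTP health path is settled (if this GitLab version exposes `/-/readiness`, prefer that). `value: {{ .Values.gitlab_host }}` should be `value: {{ .Values.gitlab_host | quote }}`, since a numeric-looking host would otherwise be emitted as a non-string env value and rejected by the API server. The Secret volume's `defaultMode: 0400` yields a root-owned file; if the gitlab-unicorn image runs as a non-root user that file is unreadable, so confirm the container UID or use `0440` together with a matching `fsGroup`.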
diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml
index d8a1b4cef377d65c2ed5d80457c34d061656c8d2..3d1d3b2bbc65331f8cf0562d951e1bbfd41c6ebc 100644
--- a/charts/gitlab/charts/unicorn/values.yaml
+++ b/charts/gitlab/charts/unicorn/values.yaml
@@ -3,15 +3,31 @@
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
- repository: gitlab/unicorn
- tag: stable
+ repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-unicorn
+ tag: latest
 pullPolicy: IfNotPresent
 service:
 name: unicorn
 type: ClusterIP
 externalPort: 8080
 internalPort: 8080
+ workhorseExternalPort: 8181
+ workhorseInternalPort: 8181
 enabled: false
+gitlab_host: localhost
+redis:
+ # host: '0.0.0.0'
+ # serviceName: 'omnibus'
+ password:
+ secret: gitlab-redis
+ key: redis-password
+psql:
+ # host: '0.0.0.0'
+ # serviceName: 'omnibus'
+ # port: '5432'
+ # database: 'gitlabhq_production'
+ # username: 'gitlab'
+ # password: nil
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
diff --git a/values.yaml b/values.yaml
index 4ac0bd36f660aa887efb82c251db6f65a3255b69..539c03b5b3f57d7e95a6aca4bfbe86d55d163e98 100644
--- a/values.yaml
+++ b/values.yaml
@@ -15,6 +15,9 @@ nginx:
 registry:
 enabled: false
+unicorn:
+ enabled: false
+
 gitlab:
 omnibus:
 enabled: false
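Review bot: `tag: latest` combined with the retained `pullPolicy: IfNotPresent` pins nothing and is the worst of both settings: each node keeps whatever `latest` it pulled first, so replicas can run different builds, and a change upstream (or a re-pushed tag) is picked up silently on the next fresh node. Pin the image to a version tag or, better, a digest, e.g. `tag: "<version>"` with the `sha256` digest recorded next to it; the previous `tag: stable` was at least a named channel. The commented `# host: '0.0.0.0'` under `redis:` and `psql:` should show a reachable address or DNS name rather than a bind address, since these values are interpolated into client connection strings by this commit's configmap.yml.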