diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d64ec34b5ef643c57ba68dab8cf5e04c8c8d7e44..f54e47583af3527909176b9d72a445c4b6d27c8d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -238,6 +238,8 @@ production: --set nginx.ingress.hosts[1].name="registry$DOMAIN" \ --set nginx.ingress.hosts[1].serviceName="registry" \ --set nginx.ingress.hosts[1].servicePort="registry" \ + --set nginx.shell.name="gitlab-shell" \ + --set nginx.shell.port="ssh" \ --set nginx.ingress.tls[0].secretName=helm-charts-win-tls \ --set nginx.ingress.tls[0].hosts[0]="gitlab$DOMAIN" \ --set nginx.ingress.tls[0].hosts[1]="registry$DOMAIN" \ @@ -262,6 +264,11 @@ production: --set gitlab.unicorn.redis.password.key=redis-password \ --set gitlab.unicorn.psql.serviceName=omnibus \ --set gitlab.unicorn.psql.password="$ROOT_PASSWORD" \ + --set gitlab.unicorn.shell.secret=gitlab-shell-secret \ + --set gitlab.unicorn.shell.key=secret \ + --set gitlab.gitlab-shell.enabled=true \ + --set gitlab.gitlab-shell.secret_token.secret=gitlab-shell-secret \ + --set gitlab.gitlab-shell.secret_token.key=secret \ --set gitlab.omnibus.enabled=true \ --set gitlab.omnibus.service.type=NodePort \ --set gitlab.omnibus.external_url="https://gitlab$DOMAIN" \ diff --git a/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl b/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl index f0d83d2edba6594091e5fcfa35125296669e8e9a..3ce63a2cc88f822a4871d2ad35caf1cc41c4eb79 100644 --- a/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl +++ b/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl 
@@ -14,3 +14,31 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- $name := default .Chart.Name .Values.nameOverride -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +Return the unicorn hostname +If the unicorn host is provided, it will use that, otherwise it will fallback +to the service name +*/}} +{{- define "shell.unicorn.host" -}} +{{- if .Values.unicorn.host -}} +{{- .Values.unicorn.host -}} +{{- else -}} +{{- $name := default "unicorn" .Values.unicorn.serviceName -}} +{{- printf "%s-%s" .Release.Name $name -}} +{{- end -}} +{{- end -}} + +{{/* +Return the redis hostname +If the postgresql host is provided, it will use that, otherwise it will fallback +to the service name +*/}} +{{- define "shell.redis.host" -}} +{{- if .Values.redis.host -}} +{{- .Values.redis.host -}} +{{- else -}} +{{- $name := default "omnibus" .Values.redis.serviceName -}} +{{- printf "%s-%s" .Release.Name $name -}} +{{- end -}} +{{- end -}} diff --git a/charts/gitlab/charts/gitlab-shell/templates/configmap.yml b/charts/gitlab/charts/gitlab-shell/templates/configmap.yml new file mode 100644 index 0000000000000000000000000000000000000000..4ddf5e8022c2c0e60e568ce06c6fe785afb33406 --- /dev/null +++ b/charts/gitlab/charts/gitlab-shell/templates/configmap.yml 
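Review bot: The comment above the new `shell.redis.host` helper says "If the postgresql host is provided", which is a copy-paste leftover from another helper; the branch actually tests `.Values.redis.host`. Change it to `If the redis host is provided, it will use that, otherwise it will fallback`. The `shell.unicorn.host` comment in the same hunk is correct and can stay as written.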
@@ -0,0 +1,50 @@ +{{- if .Values.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} +data: + config.yml.erb: | + # GitLab user. git by default + user: git + + # Url to gitlab instance. Used for api calls. Should end with a slash. + gitlab_url: "http://{{ template "shell.unicorn.host" . }}:{{ default 8080 .Values.unicorn.port }}/" + + secret_file: /etc/gitlab-secrets/.gitlab_shell_secret + + http_settings: + self_signed_cert: false + + # File used as authorized_keys for gitlab user + auth_file: "/home/git/.ssh/authorized_keys" + + # Redis settings used for pushing commit notices to gitlab + redis: + host: {{ template "shell.redis.host" . }} + port: {{ default 6379 .Values.redis.port }} + pass: "<%= File.read("/etc/gitlab-redis/password") %>" + database: nil + namespace: resque:gitlab + + # Log file. + # Default is gitlab-shell.log in the root directory. + log_file: "/var/log/gitlab-shell/gitlab-shell.log" + + # Log level. INFO by default + log_level: INFO + + # Audit usernames. + # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but + # incurs an extra API call on every gitlab-shell command. + audit_usernames: false + + <% if ENV['CUSTOM_HOOKS_DIR'] %> + # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d) + # Default is hooks in the gitlab-shell directory. + custom_hooks_dir: "<%= ENV['CUSTOM_HOOKS_DIR'] %>" + <% end %> +# Leave this here - This line denotes end of block to the parser. +{{- end }} diff --git a/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml b/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml index e0ac60df43b9cbf91c64566b97e2c6ced51f8ea8..32926425d53d5c23bbe9755bc2ff3513dc594a82 100644 --- a/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml +++ b/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml 
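Review bot: `pass: "<%= File.read("/etc/gitlab-redis/password") %>"` splices the raw secret file into a double-quoted YAML scalar at ERB time, so a trailing newline in the secret (easy to get with `--from-file`) or a `"`/`\` in the password silently alters or breaks the value; at minimum strip it, `pass: "<%= File.read("/etc/gitlab-redis/password").strip %>"`, and preferably emit a properly escaped literal. The same pattern already exists in the unicorn configmap touched by this diff, so the fix belongs in both places. Separately, `database: nil` is the YAML string "nil", not a null; if gitlab-shell expects an integer here (its example config presumably uses `database: 0`), this should be `database: 0` or omitted — confirm against the gitlab-shell config loader.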
@@ -15,23 +15,64 @@ spec: labels: app: {{ template "name" . }} release: {{ .Release.Name }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} spec: + securityContext: + fsGroup: 1000 containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: {{ .Values.service.internalPort }} + env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/etc/gitlab-shell' + - name: CONFIG_DIRECTORY + value: '/srv/gitlab-shell' + - name: KEYS_DIRECTORY + value: '/etc/ssh/keys' + volumeMounts: + - name: shell-config + mountPath: '/etc/gitlab-shell' + - name: shell-secret + mountPath: '/etc/gitlab-secrets' + readOnly: true + - name: shell-redis + mountPath: '/etc/gitlab-redis' + readOnly: true livenessProbe: - httpGet: - path: / - port: {{ .Values.service.internalPort }} - readinessProbe: - httpGet: - path: / - port: {{ .Values.service.internalPort }} + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 10 + # readinessProbe: + # httpGet: + # path: / + # port: {{ .Values.service.internalPort }} resources: {{ toYaml .Values.resources | indent 12 }} + volumes: + - name: shell-config + configMap: + name: {{ template "fullname" . }} + - name: shell-secret + secret: + secretName: {{ .Values.secret_token.secret }} + items: + - key: {{ .Values.secret_token.key }} + path: ".gitlab_shell_secret" + defaultMode: 0440 + - name: shell-redis + secret: + secretName: {{ .Values.redis.password.secret }} + items: + - key: {{ .Values.redis.password.key }} + path: password + defaultMode: 0440 {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
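Review bot: The readinessProbe is commented out rather than replaced, so the pod is Ready as soon as the container starts and the Service forwards SSH connections to it before sshd is listening; reuse the new liveness check as an `exec` readinessProbe running `/scripts/healthcheck` (same `initialDelaySeconds`/`timeoutSeconds`/`periodSeconds`) instead of leaving the dead `httpGet` block. Note that Helm still evaluates the `{{ .Values.service.internalPort }}` inside that YAML comment, so the commented block is not inert. Separately, `KEYS_DIRECTORY` points at `/etc/ssh/keys` but no volume is mounted there; if the image generates SSH host keys into it at startup, every pod restart (and each replica behind the single Service) presents a different host key, which gives users host-key-changed warnings and trains them to accept them — mount stable host keys from a Secret.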
diff --git a/charts/gitlab/charts/gitlab-shell/templates/service.yaml b/charts/gitlab/charts/gitlab-shell/templates/service.yaml index 3ff8772341d22bc42fc53b2ca6802158966924b9..9c12c9260f042f13768a0999cdde1663a24ffda8 100644 --- a/charts/gitlab/charts/gitlab-shell/templates/service.yaml +++ b/charts/gitlab/charts/gitlab-shell/templates/service.yaml @@ -14,7 +14,7 @@ spec: - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} protocol: TCP - name: {{ .Values.service.name }} + name: ssh selector: app: {{ template "name" . }} release: {{ .Release.Name }} diff --git a/charts/gitlab/charts/gitlab-shell/values.yaml b/charts/gitlab/charts/gitlab-shell/values.yaml index 345983764fed6be814c4d25ddd927e92b09cb05d..09c80d505679f2d7f719eb78a1029745f29d7c40 100644 --- a/charts/gitlab/charts/gitlab-shell/values.yaml +++ b/charts/gitlab/charts/gitlab-shell/values.yaml @@ -3,8 +3,8 @@ # Declare variables to be passed into your templates. replicaCount: 1 image: - repository: gitlab/gitlab-shell - tag: stable + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell + tag: b4db3ec0027b461b18ca386da323f1b57b4e014c pullPolicy: IfNotPresent service: name: gitlab-shell @@ -12,6 +12,19 @@ service: externalPort: 22 internalPort: 22 enabled: false +secret_token: + secret: gitlab-shell-secret + key: secret +unicorn: {} + # host: '0.0.0.0' + # serviceName: 'unicorn' + # port: 8080 +redis: + # host: '0.0.0.0' + # serviceName: 'omnibus' + password: + secret: gitlab-redis + key: redis-password resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/charts/gitlab/charts/omnibus/templates/_helpers.tpl b/charts/gitlab/charts/omnibus/templates/_helpers.tpl index 0e8c8b88881c89588c2ff0678448b82ddfd395e9..426d7c99365bb93bc4cc26a157551a80840b5b20 100644 --- a/charts/gitlab/charts/omnibus/templates/_helpers.tpl 
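Review bot: `name: ssh` replaces `{{ .Values.service.name }}` in service.yaml, but the values.yaml hunk in this same file set still carries `service.name: gitlab-shell` as context, so that value is now dead and misleading. Either drop `name:` from `service:` in values.yaml or keep the template reference and change the default to `name: ssh`. The `.gitlab-ci.yml` hunk relies on the port being called `ssh` (`nginx.shell.port="ssh"`), so if the value is kept, the comment should say it must match that consumer.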
+++ b/charts/gitlab/charts/omnibus/templates/_helpers.tpl @@ -17,7 +17,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{/* Return the workhorse auth backend -If the postgresql host is provided, it will use that, otherwise it will fallback +If the backend host is provided, it will use that, otherwise it will fallback to the service name */}} {{- define "workhorse.auth_backend" -}} @@ -29,3 +29,17 @@ to the service name {{- printf "http://%s-%s:%s" .Release.Name $name $port -}} {{- end -}} {{- end -}} + +{{/* +Return the unicorn internal_api host +If host is specified in the values it will use that. +Else the serviceName will be used +*/}} +{{- define "unicorn.internal_api_host" -}} +{{- if .Values.unicorn.internal_api.host -}} +{{- .Values.unicorn.internal_api.host -}} +{{- else if .Values.unicorn.internal_api.serviceName -}} +{{- $name := default "omnibus" .Values.unicorn.internal_api.serviceName -}} +{{- printf "%s-%s" .Release.Name $name -}} +{{- end -}} +{{- end -}} diff --git a/charts/gitlab/charts/omnibus/templates/configmap.yaml b/charts/gitlab/charts/omnibus/templates/configmap.yaml index f21953a941b7a8892ef34040a4a8401781c54327..1632f99ca7696690679a2486085421234b2b9121 100644 --- a/charts/gitlab/charts/omnibus/templates/configmap.yaml +++ b/charts/gitlab/charts/omnibus/templates/configmap.yaml @@ -41,6 +41,11 @@ data: gitlab_rails['registry_api_url'] = "http://{{ .Release.Name }}-registry:5000" registry['internal_key'] = File.read("/etc/gitlab-registry/registry-certificate.crt") # gitlab_rails['registry_key_path'] = "/etc/gitlab-registry/registry-certificate.crt" + # Shell related + {{- $apiHost := include "unicorn.internal_api_host" . -}} + {{- if $apiHost }} + gitlab_rails['internal_api_url'] = "http://{{ $apiHost }}:{{ .Values.service.ports.unicorn }}" + {{- end }} ################### # nginx nginx['enable'] = {{ .Values.nginx.enabled }} 
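Review bot: In the new `unicorn.internal_api_host` helper the `default "omnibus"` on `$name` can never apply, because that branch is only entered when `.Values.unicorn.internal_api.serviceName` is truthy; meanwhile the comment promises "Else the serviceName will be used", which the empty `internal_api: {}` default in values.yaml never satisfies, so by default the helper renders nothing and the `internal_api_url` block in configmap.yaml is skipped. If that is intended, drop the dead default, `{{- $name := .Values.unicorn.internal_api.serviceName -}}`, and state in the comment that the URL is only emitted when a host or serviceName is set; if a fallback is intended, make the branch a plain `{{- else -}}` as the gitlab-shell helpers in this diff do.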
@@ -68,6 +73,14 @@ data: ################### # gitlab-shell ################### + # gitaly + gitaly['enable'] = {{ .Values.gitaly.enabled }} + gitaly['socket_path'] = nil + gitaly['listen_addr'] = '0.0.0.0:{{ .Values.service.ports.gitaly }}' + {{- if .Values.gitaly.auth_token }} + gitaly['auth_token'] = {{ .Values.gitaly.auth_token }} + {{- end }} + ################### # PostgresQL postgresql['enable'] = {{ .Values.psql.enabled }} postgresql['listen_address'] = '0.0.0.0' diff --git a/charts/gitlab/charts/omnibus/templates/service.yaml b/charts/gitlab/charts/omnibus/templates/service.yaml index 078876b90b6ae4dcc73f37e0fc6f51c9cdc6efb1..ba73d11501805fb9bf6dd3748e9ce64e94725c77 100644 --- a/charts/gitlab/charts/omnibus/templates/service.yaml +++ b/charts/gitlab/charts/omnibus/templates/service.yaml @@ -47,6 +47,12 @@ spec: protocol: TCP name: og-workhorse {{- end }} + {{- if .Values.gitaly.enabled }} + - port: {{ .Values.service.ports.gitaly }} + targetPort: {{ .Values.service.ports.gitaly }} + protocol: TCP + name: og-gitaly + {{- end }} selector: app: {{ template "name" . }} release: {{ .Release.Name }} diff --git a/charts/gitlab/charts/omnibus/values.yaml b/charts/gitlab/charts/omnibus/values.yaml index 57b0ff9e5836b48465d86d0b043a38a43f8a2b77..a5e1554cb27fe0302e98393f6e15b159d59ddbc5 100644 --- a/charts/gitlab/charts/omnibus/values.yaml +++ b/charts/gitlab/charts/omnibus/values.yaml @@ -56,6 +56,9 @@ unicorn: worker: timeout: 60 processes: 2 + internal_api: {} + # host: "0.0.0.0" + # serviceName: "unicorn" workhorse: enabled: false # point to Unicorn @@ -66,7 +69,7 @@ workhorse: gitaly: enabled: false - + # auth_token: nil # registry registry: host: registry.example.local diff --git a/charts/gitlab/charts/sidekiq/values.yaml b/charts/gitlab/charts/sidekiq/values.yaml index bbdd5c4e075c53e3a7126c1de7796681cb26ee36..7204bc73f497e5850c2ebc7729f03db351c894f7 100644 --- a/charts/gitlab/charts/sidekiq/values.yaml +++ b/charts/gitlab/charts/sidekiq/values.yaml 
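Review bot: `gitaly['auth_token'] = {{ .Values.gitaly.auth_token }}` renders the token as a bare Ruby identifier, so any string value other than `nil` produces a syntax error in gitlab.rb; quote it at render time, `gitaly['auth_token'] = {{ .Values.gitaly.auth_token | squote }}`. With the token unset (the values.yaml default in this diff is `# auth_token: nil`) Gitaly listens on `0.0.0.0:{{ .Values.service.ports.gitaly }}` and, as far as I know, enforces no authentication, and the new Service port in this diff exposes it cluster-wide, so the default is a Gitaly reachable unauthenticated from any pod; consider requiring a token by default. The token also lands in a ConfigMap via values; sourcing it from a mounted Secret, as the redis password is elsewhere in this diff, would keep it out of plain config.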
@@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. image: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq - tag: 75b0daa9b399327212a26065ad16f75844bb85df + tag: a07e8f7858ec848012384fad6a31a9565f8742b8 pullPolicy: IfNotPresent enabled: false redis: diff --git a/charts/gitlab/charts/unicorn/templates/configmap.yml b/charts/gitlab/charts/unicorn/templates/configmap.yml index cace5e0fe0ff0fab3bc289552decc2b391d0883a..e31eecabe0100967136f1cf82902ac8eb12d394e 100644 --- a/charts/gitlab/charts/unicorn/templates/configmap.yml +++ b/charts/gitlab/charts/unicorn/templates/configmap.yml 
@@ -28,5 +28,71 @@ data: [redis] URL = "tcp://{{ template "unicorn.redis.host" . }}:{{ default 6379 .Values.redis.port }}" Password = "<%= File.read("/etc/gitlab-redis/password") %>" + gitlab.yml.erb: | + production: &base + gitlab: + https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + trusted_proxies: + email_from: example@example.com + email_display_name: GitLab + email_reply_to: noreply@example.com + email_subject_suffix: '' + default_projects_features: + issues: true + merge_requests: true + wiki: true + snippets: true + builds: true + container_registry: true + incoming_email: + enabled: false + artifacts: + enabled: true + lfs: + enabled: true + object_store: + enabled: false + pages: + enabled: false + mattermost: + enabled: false + gravatar: + registry: + gitlab_ci: + ldap: + enabled: false + kerberos: + enabled: false + omniauth: + enabled: false + shared: + gitaly: + client_path: /home/git/gitaly/bin + token: gitalytokengitalytoken + repositories: + storages: # You must have at least a `default` storage path. + default: + path: /var/opt/gitlab/repo + gitaly_address: tcp://omnibus:8075 # TCP connections are supported too (e.g. tcp://host:port) + backup: + path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + gitlab_shell: + path: /home/git/gitlab-shell/ + hooks_path: /home/git/gitlab-shell/hooks/ + secret_file: /etc/gitlab-shell/.gitlab_shell_secret + upload_pack: true + receive_pack: true + workhorse: + git: + bin_path: /usr/bin/git + webpack: + monitoring: + ip_whitelist: + - 127.0.0.0/8 + sidekiq_exporter: + extra: + rack_attack: + git_basic_auth: + # Leave this here - This line denotes end of block to the parser. {{- end }} diff --git a/charts/gitlab/charts/unicorn/templates/deployment.yaml b/charts/gitlab/charts/unicorn/templates/deployment.yaml index dbbca71f5a6244794519c48c9ce37a2728a6fc95..27e3dc181f6729b0f2fbbe7f40afeb91482da400 100644 
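Review bot: `token: gitalytokengitalytoken` and `gitaly_address: tcp://omnibus:8075` are hard-coded in the rendered gitlab.yml: the shared Gitaly secret is a literal committed in a ConfigMap, and the hostname ignores `.Release.Name` even though the redis URL a few lines above is built with the `unicorn.redis.host` helper. Read the token from a mounted Secret the way the redis password is (`token: <%= File.read("<SECRET_MOUNT_PATH>/gitaly-token") %>`, with the mount path and key as new chart values) and template the address as `tcp://{{ .Release.Name }}-omnibus:<gitaly port value>`. Note that the omnibus side of this diff leaves `gitaly['auth_token']` unset by default, so the literal here is not currently checked by anything; once a token is enforced, both sides must be fed from the same Secret.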
--- a/charts/gitlab/charts/unicorn/templates/deployment.yaml +++ b/charts/gitlab/charts/unicorn/templates/deployment.yaml @@ -37,6 +37,9 @@ spec: volumeMounts: - name: unicorn-config mountPath: '/var/opt/gitlab/templates' + - name: unicorn-shell + mountPath: '/etc/gitlab-shell' + readOnly: true - name: unicorn-redis mountPath: '/etc/gitlab-redis' readOnly: true @@ -57,6 +60,13 @@ spec: - name: unicorn-config configMap: name: {{ template "fullname" . }} + - name: unicorn-shell + secret: + secretName: {{ .Values.shell.secret }} + items: + - key: {{ default "secret" .Values.shell.key }} + path: ".gitlab_shell_secret" + defaultMode: 0400 - name: unicorn-redis secret: secretName: {{ .Values.redis.password.secret }} diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml index c7223166305aeb341518c593fe7332a701c63a0a..c25a8c691cd82d63e1d2f7f274f91f74bebb740c 100644 --- a/charts/gitlab/charts/unicorn/values.yaml +++ b/charts/gitlab/charts/unicorn/values.yaml @@ -4,7 +4,7 @@ replicaCount: 1 image: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-unicorn - tag: d858c6c3ced96c32cb2b7439edd79cd98e734f36 + tag: afeaa02cd39c81bc997c26838d904609ce03b1b2 pullPolicy: IfNotPresent service: name: unicorn @@ -28,6 +28,9 @@ psql: # database: 'gitlabhq_production' # username: 'gitlab' # password: nil +shell: + secret: gitlab-shell-secret + key: secret resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/doc/INSTALL.md b/doc/INSTALL.md index 0f2f34b3df410cdc60dc9ead859cd84425306b46..2d79cee90f03ecfc61b42e14adc5a82923824f36 100644 --- a/doc/INSTALL.md +++ b/doc/INSTALL.md 
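Review bot: `defaultMode: 0400` on the `unicorn-shell` secret volume makes `.gitlab_shell_secret` readable only by the file owner (root, for secret volumes), so unicorn can read it only if the pod sets `fsGroup` (Kubernetes then adds group-read to the mounted files) or the process runs as root; neither is visible in this hunk, and the gitlab-shell deployment in the same diff pairs `fsGroup: 1000` with `0440`. Confirm against the unicorn pod `securityContext`, which is outside this hunk, and align the mode with the `unicorn-redis` volume below it, whose `defaultMode` is also outside the hunk.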
@@ -60,8 +60,8 @@ See [helm][] documentation for installation & initialization. ## Create Secrets -For a functional deployment, three secrets are needed: Certificates, Registry -certificates, and Redis password. +For a functional deployment, these secrets are needed: Certificates, Registry +certificates, Redis password, and GitLab Shell Secret. ### Certificates @@ -110,6 +110,15 @@ $ kubectl create secret generic gitlab-redis --from-literal=redis-password= ./shell_secret +$ kubectl create secret generic gitlab-shell-secret --from-file=secret=shell_secret +``` + ## Configure TODO: add sanitized config yaml file to repo. diff --git a/values.yaml b/values.yaml index 539c03b5b3f57d7e95a6aca4bfbe86d55d163e98..52c8c8335b5667f9f54c165d8d06ab939f420a68 100644 --- a/values.yaml +++ b/values.yaml @@ -15,9 +15,10 @@ nginx: registry: enabled: false -unicorn: - enabled: false - gitlab: omnibus: enabled: false + unicorn: + enabled: false + gitlab-shell: + enabled: false