From d37ff435c718796a0591c1121b047ffe33ea82eb Mon Sep 17 00:00:00 2001
From: Lucas Li
Date: Thu, 6 Mar 2025 14:12:47 +0900
Subject: [PATCH] Deprecate registry local database settings in favor of a global key
---
 charts/registry/templates/_database.tpl | 16 +-
 charts/registry/templates/deployment.yaml | 4 +-
 charts/registry/templates/migrations-job.yaml | 12 +-
 charts/registry/values.yaml | 11 +-
 doc/charts/globals.md | 10 +-
 doc/charts/registry/_index.md | 14 +-
 spec/configuration/image_pull_spec.rb | 5 +
 spec/configuration/registry_spec.rb | 151 ++++++++++++++----
 .../integration/check_config/registry_spec.rb | 128 +++++++++++----
 templates/NOTES.txt | 9 ++
 templates/_checkConfig_registry.tpl | 8 +-
 values.yaml | 128 ++++++++++-----
 12 files changed, 356 insertions(+), 140 deletions(-)
diff --git a/charts/registry/templates/_database.tpl b/charts/registry/templates/_database.tpl
index 25af0ab05b..16858089ee 100644
--- a/charts/registry/templates/_database.tpl
+++ b/charts/registry/templates/_database.tpl
@@ -3,14 +3,14 @@ Return database configuration, if settings available. */}} {{- define "registry.database.config" -}} {{/*Need to use enabled or configure flags for backwards compatibility*/}} -{{- if or .Values.database.enabled .Values.database.configure }} +{{- if or (and .Values.global.registry.psql.enabled .Values.database.enabled) .Values.database.configure }} database: - enabled: {{ .Values.database.enabled }} - host: {{ default (include "gitlab.psql.host" .) .Values.database.host | quote }} - port: {{ default (include "gitlab.psql.port" .) .Values.database.port }} - user: {{ .Values.database.user }} + enabled: {{ and .Values.global.registry.psql.enabled .Values.database.enabled }} + host: {{ coalesce (pluck "host" .Values.global.registry.psql .Values.database | first) (include "gitlab.psql.host" .) | quote }} + port: {{ coalesce (pluck "port" .Values.global.registry.psql .Values.database | first) (include "gitlab.psql.port" .) }} + user: {{ coalesce .Values.global.registry.username .Values.database.user }} password: "DB_PASSWORD_FILE" - dbname: {{ .Values.database.name }} + dbname: {{ coalesce .Values.global.registry.psql.database .Values.database.name }} sslmode: {{ .Values.database.sslmode }} {{- if .Values.database.ssl }} sslcert: /etc/docker/registry/ssl/client-certificate.pem @@ -78,9 +78,9 @@ Return Registry's database secret entry as a projected volume */}} {{- define "gitlab.registry.database.password.projectedVolume" -}} - secret: - name: {{ default (printf "%s-registry-database-password" .Release.Name) .Values.database.password.secret }} + name: {{ coalesce (pluck "secret" .Values.global.registry.psql.password .Values.database.password | first) (printf "%s-registry-database-password" .Release.Name) }} items: - - key: {{ default "password" .Values.database.password.key }} + - key: {{ coalesce (pluck "key" .Values.global.registry.psql.password .Values.database.password | first) "password" }} path: database_password {{- end -}} 
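Review bot: `user:` reads `.Values.global.registry.username`, but the global block this commit adds to both values.yaml files lives under `global.registry.psql` (`username`, `database`, `host`, `port`, `password`), so a user-set `global.registry.psql.username` is silently ignored and the coalesce always falls through to the deprecated `database.user`; the line should be `user: {{ coalesce .Values.global.registry.psql.username .Values.database.user }}`. The table in doc/charts/registry/_index.md in this commit has the same slip in every row (`global.registry.enabled`, `global.registry.host`, `global.registry.username`, `global.registry.password.secret`, `global.registry.database` instead of the `global.registry.psql.*` keys), and `global.registry.enabled` in particular is an existing, unrelated key that toggles the registry itself. Note also that `pluck "host" .Values.global.registry.psql .Values.database | first` gives the global `host`/`port`/`password` precedence over an explicitly set local value, which appears to be the reverse of the usual local-over-global order; acceptable for a deprecation, but worth a `{{/* global.registry.psql wins over the deprecated local keys */}}` comment above the block.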
diff --git a/charts/registry/templates/deployment.yaml b/charts/registry/templates/deployment.yaml
index 486c6a5622..ea9e30d8e7 100644
--- a/charts/registry/templates/deployment.yaml
+++ b/charts/registry/templates/deployment.yaml
@@ -88,7 +88,7 @@ spec:
{{- include "gitlab.extraEnv" . | nindent 12 }}
{{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
{{- include "gitlab.timeZone.env" . | nindent 12 }}
- {{- if or .Values.database.enabled .Values.database.configure }}
+ {{- if or (and .Values.global.registry.psql.enabled .Values.database.enabled) .Values.database.configure }}
- name: dependencies
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ include "gitlab.image.tagSuffix" . }}"
{{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }}
@@ -216,7 +216,7 @@ spec:
path: profiling-key.json
{{- end }}
{{- include "registry.notifications.secrets" $ | nindent 10 }}
- {{- if or .Values.database.enabled .Values.database.configure }}
+ {{- if or (and .Values.global.registry.psql.enabled .Values.database.enabled) .Values.database.configure }}
{{- include "gitlab.registry.database.password.projectedVolume" . | nindent 10 }}
{{- include "gitlab.registry.psql.ssl" . | nindent 10 }}
{{- end }}
diff --git a/charts/registry/templates/migrations-job.yaml b/charts/registry/templates/migrations-job.yaml
index 68266034ed..9d8d53d600 100644
--- a/charts/registry/templates/migrations-job.yaml
+++ b/charts/registry/templates/migrations-job.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.enabled (or .Values.database.enabled .Values.database.configure) .Values.database.migrations.enabled }}
+{{- if and .Values.enabled (or .Values.global.registry.psql.enabled .Values.database.enabled .Values.database.configure) .Values.database.migrations.enabled }}
{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}}
{{- $initImageCfg := include "gitlab.configure.config" .Values | fromYaml -}}
apiVersion: batch/v1
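Review bot: The migrations Job gate in migrations-job.yaml uses `or .Values.global.registry.psql.enabled .Values.database.enabled .Values.database.configure`, whereas deployment.yaml and `registry.database.config` in this commit require `and .Values.global.registry.psql.enabled .Values.database.enabled`. With `global.registry.psql.enabled: true` and `database.enabled: false` the Job is therefore rendered while `registry.database.config` emits no `database:` stanza at all, so `db-migrate` would presumably start against a `migrations-config.yml.tpl` with no database section. Align it with the other gates: `{{- if and .Values.enabled (or (and .Values.global.registry.psql.enabled .Values.database.enabled) .Values.database.configure) .Values.database.migrations.enabled }}`.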
@@ -46,12 +46,8 @@ spec: {{- include "gitlab.certificates.initContainer" . | nindent 6 }} - name: configure image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.init.image) | quote }} - {{- if .Values.init.image.pullPolicy }} - imagePullPolicy: {{ .Values.init.image.pullPolicy }} - {{- else }} {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 8 }} {{- include "gitlab.init.containerSecurityContext" $ | indent 8 }} - {{- end }} args: ['sh', '/config/configure'] volumeMounts: - name: registry-secrets @@ -71,16 +67,12 @@ spec: {{- include "gitlab.extraEnv" . | nindent 10 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" .) | nindent 10 }} restartPolicy: OnFailure - {{- include "gitlab.image.pullSecrets" (dict "global" .Values.global.image "local" .Values.image) | indent 6 }} + {{- include "gitlab.image.pullSecrets" $imageCfg | indent 6 }} containers: {{- include "gitlab.extraContainers" . | nindent 6 }} - name: migrations image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}{{ include "gitlab.image.tagSuffix" . }}" - {{- if .Values.image.pullPolicy }} - imagePullPolicy: {{ .Values.image.pullPolicy}} - {{- else }} {{- include "gitlab.image.pullPolicy" $imageCfg | indent 8 }} - {{- end }} args: - /scripts/wait-for-deps - /scripts/db-migrate diff --git a/charts/registry/values.yaml b/charts/registry/values.yaml index 503ca4d5fc..a08ff21fd6 100644 --- a/charts/registry/values.yaml +++ b/charts/registry/values.yaml @@ -120,6 +120,15 @@ global: registry: certificate: {} httpSecret: {} + psql: + enabled: true + username: registry + database: registry + # host: + # port: + password: {} + # secret: + # key: psql: ssl: {} @@ -392,7 +401,7 @@ serviceAccount: # https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#database database: configure: false - enabled: false + enabled: true user: registry password: {} # secret: RELEASE_NAME-registry-database-password 
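Review bot: The two migrations-job.yaml hunks here change more than the commit subject says: the configure container's `imagePullPolicy` now comes only from `gitlab.image.pullPolicy $initImageCfg`, and `gitlab.init.containerSecurityContext` moves out of the deleted `else` branch, so it is rendered even when `init.image.pullPolicy` is set (previously it was skipped in that case, which looks like a bug this fixes). Whether `gitlab.configure.config` carries `init.image.pullPolicy` is not visible in this patch — confirm, otherwise an explicitly set init pull policy is now dropped. Either way the securityContext/pull-policy behaviour change deserves a sentence in the commit description.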
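Review bot: `charts/registry/values.yaml` now ships `global.registry.psql.enabled: true` and flips `database.enabled` from `false` to `true`, and the top-level values.yaml hunk later in this patch adds the same `psql.enabled: true`; since the templates gate on `and global.registry.psql.enabled database.enabled`, a default install now enables the metadata database. That contradicts `doc/charts/globals.md` in this same commit (which documents `psql.enabled: false`) and the `_index.md` row that still lists `database.enabled` as default `false` and describes the feature as experimental and not for production. If enabling by default is intended, state it in the commit description and fix both docs; if not, keep `enabled: false` for `global.registry.psql` in both values.yaml files so the `and` stays off until an operator opts in.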
diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 8432a24b17..9658eedfbd 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -788,11 +788,19 @@ global: serviceName: registry port: 5000 tokenIssuer: gitlab-issuer - + psql: + enabled: false + username: registry + database: registry + host: + port: + password: {} ``` For more details on `bucket`, `certificate`, `httpSecret`, and `notificationSecret` settings, see the documentation within the [registry chart](registry/_index.md). +For more details on `psql` settings, see the documentations within [registry metadata database](registry/metadata_database.md). + For details on `enabled`, `host`, `api` and `tokenIssuer` see documentation for [command line options](../installation/command-line-options.md) and [webcervice](gitlab/webservice/_index.md) `host` is used to override autogenerated external registry hostname reference. diff --git a/doc/charts/registry/_index.md b/doc/charts/registry/_index.md index b2e8abc52b..de1bd83ea7 100644 --- a/doc/charts/registry/_index.md +++ b/doc/charts/registry/_index.md 
@@ -224,13 +224,13 @@ If you chose to deploy this chart as a standalone, remove the `registry` at the | `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under | | `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to | | `database.configure` | `false` | Populate database configuration in the registry chart without enabling it. Required when [migrating an existing registry](metadata_database.md#existing-registries). | -| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. | -| `database.host` | `global.psql.host` | The database server hostname. | -| `database.port` | `global.psql.port` | The database server port. | -| `database.user` | | The database username. | -| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. | -| `database.password.key` | `password` | Secret key in which the database password is stored. | -| `database.name` | | The database name. | +| `database.enabled` | `false` | **DEPRECATED: use `global.registry.enabled`**. Enable metadata database. This is an experimental feature and must not be used in production environments. | +| `database.host` | `global.psql.host` | **DEPRECATED: use `global.registry.host`**. The database server hostname. | +| `database.port` | `global.psql.port` | **DEPRECATED: use `global.registry.port`**. The database server port. | +| `database.user` | | **DEPRECATED: use `global.registry.username`**. The database username. | +| `database.password.secret` | `RELEASE-registry-database-password` | **DEPRECATED: use `global.registry.password.secret`**. Name of the secret containing the database password. | +| `database.password.key` | `password` | **DEPRECATED: use `global.registry.password.key`**. Secret key in which the database password is stored. 
| +| `database.name` | | **DEPRECATED: use `global.registry.database`**. The database name. | | `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. | | `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret. | | `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. | diff --git a/spec/configuration/image_pull_spec.rb b/spec/configuration/image_pull_spec.rb index 1b77319cc0..e954a4440e 100644 --- a/spec/configuration/image_pull_spec.rb +++ b/spec/configuration/image_pull_spec.rb @@ -169,6 +169,9 @@ describe 'image configuration' do it 'should have both the global and local imagePullSecrets' do app_label = resource.dig('metadata', 'labels', 'app') + + app_label = 'registry' if app_label == 'registry-migrations' + expect(resource.dig('spec', 'template', 'spec', 'imagePullSecrets')).to \ include('name' => 'ps-global') expect(resource.dig('spec', 'template', 'spec', 'imagePullSecrets')).to \ @@ -186,6 +189,8 @@ describe 'image configuration' do app_label = 'kubectl' if app_label == 'certmanager-issuer' || resource&.dig('metadata', 'name')&.include?('shared-secrets') + app_label = 'registry' if app_label == 'registry-migrations' + pull_policy = "pp-#{app_label}" pull_policy = 'Never' if app_label == 'gitlab-shell' diff --git a/spec/configuration/registry_spec.rb b/spec/configuration/registry_spec.rb index fee96aec5e..91eeb9277b 100644 --- a/spec/configuration/registry_spec.rb +++ b/spec/configuration/registry_spec.rb @@ -266,9 +266,12 @@ describe 'registry configuration' do context 'when primary is provided' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: database: - enabled: true primary: "primary.record.fqdn" )).deep_merge(default_values) end 
@@ -296,9 +299,12 @@ describe 'registry configuration' do context 'when backgroundMigrations is enabled' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: database: - enabled: true backgroundMigrations: enabled: true maxJobRetries: 3 @@ -332,9 +338,12 @@ describe 'registry configuration' do context 'when backgroundMigrations is enabled and configured properly without maxJobRetries and jobInterval' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: database: - enabled: true backgroundMigrations: enabled: true )).deep_merge(default_values) @@ -373,9 +382,11 @@ describe 'registry configuration' do secretKeyRef: key: "keyC" name: "nameC" + registry: + psql: + enabled: true registry: database: - enabled: true primary: "primary.record.fqdn" )).deep_merge(default_values) end @@ -428,10 +439,13 @@ describe 'registry configuration' do with_them do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: #{enabled} registry: database: configure: #{configure} - enabled: #{enabled} )).deep_merge(default_values) end 
@@ -463,16 +477,72 @@ describe 'registry configuration' do end end + context "when both global and local database configuration enablement flags are present" do + using RSpec::Parameterized::TableSyntax + + # rubocop:disable Lint/BinaryOperatorWithIdenticalOperands + where(:global_enabled, :local_enabled, :include_db_config) do + false | false | false + true | false | false # Backwards compatibility with .registry.database.enabled. + false | true | false + true | true | true + end + # rubocop:enable Lint/BinaryOperatorWithIdenticalOperands + + with_them do + let(:values) do + YAML.safe_load(%( + global: + registry: + psql: + enabled: #{global_enabled} + registry: + database: + enabled: #{local_enabled} + )).deep_merge(default_values) + end + + let(:config) do + <<~CONFIG + database: + enabled: #{global_enabled || local_enabled} + host: "test-postgresql.default.svc" + port: 5432 + user: registry + password: "DB_PASSWORD_FILE" + dbname: registry + sslmode: disable + CONFIG + end + + it 'populates the database settings correctly' do + t = HelmTemplate.new(values) + expect(t.exit_code).to eq(0), "Unexpected error code #{t.exit_code} -- #{t.stderr}" + + if include_db_config + expect(t.dig('ConfigMap/test-registry', 'data', 'config.yml.tpl')).to include(config) + expect(t.dig('ConfigMap/test-registry', 'data', 'migrations-config.yml.tpl')).to include(config) + else + expect(t.dig('ConfigMap/test-registry', 'data', 'config.yml.tpl')).not_to include(config) + expect(t.dig('ConfigMap/test-registry', 'data', 'migrations-config.yml.tpl')).not_to include(config) + end + end + end + end + describe 'database loadBalancing config' do context 'when replicaCheckInterval is provided' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: redis: cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul 
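Review bot: In the new parameterized context, `config` is rendered with `enabled: #{global_enabled || local_enabled}`, while `registry.database.config` in this commit gates on `and`; for the two mixed rows `include_db_config` is false and `not_to include(config)` passes only because no `database:` stanza is emitted at all, so a regression that rendered the stanza with `enabled: false` for those rows would still pass. Use `enabled: #{global_enabled && local_enabled}` so the heredoc mirrors the template (that version would catch such a regression), and for the negative rows also assert the absence of the stanza itself, e.g. `expect(t.dig('ConfigMap/test-registry', 'data', 'config.yml.tpl')).not_to include('database:')`, provided nothing else in config.yml.tpl carries that key.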
@@ -506,12 +576,15 @@ describe 'registry configuration' do context 'when replicaCheckInterval is not provided' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: redis: cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -529,12 +602,15 @@ describe 'registry configuration' do context 'when nameserver.host and nameserver.port are provided' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: redis: cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -571,12 +647,15 @@ describe 'registry configuration' do context 'when nameserver.host and nameserver.port are not provided' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: redis: cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -603,12 +682,13 @@ describe 'registry configuration' do let(:values) do YAML.safe_load(%( global: + registry: + psql: + enabled: true redis: host: global.redis.example.com port: 16379 registry: - database: - enabled: true redis: cache: enabled: true @@ -633,9 +713,11 @@ describe 'registry configuration' do context 'when customer provides a custom redis cache configuration with a single host' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: - database: - enabled: true redis: cache: enabled: true @@ -691,9 +773,11 @@ describe 'registry configuration' do context 'when customer provides a custom redis cache configuration with a single host without port' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: - database: - enabled: true redis: cache: enabled: true 
@@ -719,6 +803,9 @@ describe 'registry configuration' do let(:values) do YAML.safe_load(%( global: + registry: + psql: + enabled: true redis: host: redis.example.com sentinels: @@ -727,8 +814,6 @@ describe 'registry configuration' do - host: sentinel2.example.com port: 26379 registry: - database: - enabled: true redis: cache: enabled: true @@ -753,9 +838,11 @@ describe 'registry configuration' do context 'when customer provides a custom redis cache configuration with local sentinels' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: - database: - enabled: true redis: cache: enabled: true @@ -787,6 +874,9 @@ describe 'registry configuration' do let(:values) do YAML.safe_load(%( global: + registry: + psql: + enabled: true redis: host: redis.example.com sentinels: @@ -795,8 +885,6 @@ describe 'registry configuration' do - host: global2.example.com port: 26379 registry: - database: - enabled: true redis: cache: enabled: true @@ -828,6 +916,9 @@ describe 'registry configuration' do let(:values) do YAML.safe_load(%( global: + registry: + psql: + enabled: true redis: host: redis.example.com sentinels: @@ -840,8 +931,6 @@ describe 'registry configuration' do secret: global-redis-sentinel-secret key: password registry: - database: - enabled: true redis: cache: enabled: true @@ -880,6 +969,9 @@ describe 'registry configuration' do let(:values) do YAML.safe_load(%( global: + registry: + psql: + enabled: true redis: host: redis.example.com sentinels: @@ -892,8 +984,6 @@ describe 'registry configuration' do secret: global-redis-sentinel-secret key: password registry: - database: - enabled: true redis: cache: enabled: true @@ -1145,6 +1235,9 @@ describe 'registry configuration' do let(:values) do YAML.safe_load(%( global: + registry: + psql: + enabled: true redis: host: redis.example.com sentinels: 
@@ -1153,8 +1246,6 @@ describe 'registry configuration' do - host: global2.example.com port: 26379 registry: - database: - enabled: true redis: cache: enabled: true @@ -1249,9 +1340,11 @@ describe 'registry configuration' do context 'when customer provides a custom redis rate-limiter and cache configuration' do let(:values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: - database: - enabled: true redis: cache: enabled: true diff --git a/spec/integration/check_config/registry_spec.rb b/spec/integration/check_config/registry_spec.rb index 0940fc9ad2..c48e6b2b2c 100644 --- a/spec/integration/check_config/registry_spec.rb +++ b/spec/integration/check_config/registry_spec.rb @@ -11,9 +11,10 @@ describe 'checkConfig registry' do image: tag: 13 - registry: - database: - enabled: true + global: + registry: + psql: + enabled: true )).deep_merge!(default_required_values) end @@ -23,9 +24,10 @@ describe 'checkConfig registry' do image: tag: 12 - registry: - database: - enabled: true + global: + registry: + psql: + enabled: true )).deep_merge!(default_required_values) end @@ -39,26 +41,34 @@ describe 'checkConfig registry' do describe 'registry.database (sslmode)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: database: - enabled: true sslmode: disable )).deep_merge!(default_required_values) end let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: database: - enabled: true sslmode: testing )).deep_merge!(default_required_values) end @@ -73,6 +83,11 @@ describe 'checkConfig registry' do describe 'registry.database.loadBalancing (record)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 
@@ -82,7 +97,6 @@ describe 'checkConfig registry' do cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -91,6 +105,11 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 @@ -100,7 +119,6 @@ describe 'checkConfig registry' do cache: enabled: true database: - enabled: true loadBalancing: enabled: true )).deep_merge!(default_required_values) @@ -116,6 +134,11 @@ describe 'checkConfig registry' do describe 'registry.database.loadBalancing requires database.enabled to be true' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 @@ -125,7 +148,6 @@ describe 'checkConfig registry' do cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -134,6 +156,11 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: false + postgresql: image: tag: 13 @@ -143,7 +170,6 @@ describe 'checkConfig registry' do cache: enabled: true database: - enabled: false loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -160,6 +186,11 @@ describe 'checkConfig registry' do describe 'registry.database.loadBalancing requires redis.cache.enabled to be true' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 @@ -169,7 +200,6 @@ describe 'checkConfig registry' do cache: enabled: true database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -178,6 +208,11 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 
@@ -187,7 +222,6 @@ describe 'checkConfig registry' do cache: enabled: false database: - enabled: true loadBalancing: enabled: true record: db-replica-registry.service.consul @@ -231,9 +265,11 @@ describe 'checkConfig registry' do describe 'registry.redis.cache (enabled)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true registry: - database: - enabled: true redis: cache: enabled: true @@ -242,9 +278,11 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: false registry: - database: - enabled: false redis: cache: enabled: true @@ -261,13 +299,15 @@ describe 'checkConfig registry' do describe 'registry.redis.cache (host)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true @@ -277,13 +317,16 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true @@ -301,13 +344,16 @@ describe 'checkConfig registry' do describe 'registry.redis.cache (sentinels)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true @@ -322,13 +368,16 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true @@ -351,13 +400,15 @@ describe 'checkConfig registry' do describe 'registry.redis.cache.password (secret)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true 
@@ -371,13 +422,16 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true @@ -398,13 +452,16 @@ describe 'checkConfig registry' do describe 'registry.redis.cache.password (key)' do let(:success_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true @@ -418,13 +475,16 @@ describe 'checkConfig registry' do let(:error_values) do YAML.safe_load(%( + global: + registry: + psql: + enabled: true + postgresql: image: tag: 13 registry: - database: - enabled: true redis: cache: enabled: true diff --git a/templates/NOTES.txt b/templates/NOTES.txt index d0465eda9f..d21b9afd96 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -159,6 +159,15 @@ redis: https://docs.gitlab.com/charts/installation/upgrade.html#use-of-globalredispassword {{- end -}} +{{- /* Deprecation notice for registry.database user/password/host/port settings */}} +{{- if or .Values.registry.database.enabled .Values.registry.database.user .Values.registry.database.password .Values.registry.database.host .Values.registry.database.port }} +{{ $NOTICE }} +registry.database: + The configuration keys `registry.database.enabled`, `registry.database.user`, `registry.database.password`, `registry.database.host`, and `registry.database.port` have been deprecated. + Please use `global.registry.psql` instead. For more details, please see: + https://gitlab.com/gitlab-org/charts/gitlab/-/issues/5972 +{{- end -}} + {{- /* If the user is managing RBAC externally with NGINX chart 4.0.6 */}} {{- if or (and (index .Values "nginx-ingress" "enabled") (not (index .Values "nginx-ingress" "rbac" "create"))) (and (index .Values "nginx-ingress-geo" "enabled") (not (index .Values "nginx-ingress-geo" "rbac" "create"))) }} 
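Review bot: The new deprecation notice in NOTES.txt is gated on `or .Values.registry.database.enabled .Values.registry.database.user .Values.registry.database.password .Values.registry.database.host .Values.registry.database.port`, but the registry subchart's values.yaml in this commit defaults `database.enabled: true` and `database.user: registry`, and Helm merges subchart defaults into the parent's `.Values.registry`, so as far as I can tell the notice prints on every install even when the operator never set these keys. A `$NOTICE` block that always fires trains people to ignore deprecation notices. Gate it only on values that have no chart default (e.g. `host`, `port`, `password.secret`), or remove the subchart defaults for the deprecated local keys so that a set value actually means "set by the user". The hunk's comment `Deprecation notice for registry.database user/password/host/port settings` also omits `enabled`, which the condition checks.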
diff --git a/templates/_checkConfig_registry.tpl b/templates/_checkConfig_registry.tpl
index 71f75e15ee..132dfbd492 100644
--- a/templates/_checkConfig_registry.tpl
+++ b/templates/_checkConfig_registry.tpl
@@ -50,7 +50,7 @@ Ensure Registry database load balancing is configured properly and dependencies
*/}}
{{- define "gitlab.checkConfig.registry.database.loadBalancing" -}}
{{- if $.Values.registry.database.loadBalancing.enabled }}
- {{- if not $.Values.registry.database.enabled }}
+ {{- if not (and $.Values.global.registry.psql.enabled $.Values.registry.database.enabled) }}
registry:
Enabling database load balancing requires the metadata database to be enabled.
See https://docs.gitlab.com/charts/charts/registry#load-balancing
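Review bot: The load-balancing check now depends on two flags, but the message still says only `requires the metadata database to be enabled`, so an operator with `global.registry.psql.enabled: false` (the value the new check_config spec uses for the error case) gets no hint which key to set. Suggest `Enabling database load balancing requires the metadata database to be enabled (global.registry.psql.enabled and registry.database.enabled).`. The three Redis-cache checks in the next `_checkConfig_registry.tpl` hunk have the same message gap.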
@@ -74,19 +74,19 @@ registry: Ensure Registry Redis cache is configured properly and dependencies are met */}} {{- define "gitlab.checkConfig.registry.redis.cache" -}} -{{- if and $.Values.registry.redis.cache.enabled (not $.Values.registry.database.enabled) }} +{{- if and $.Values.registry.redis.cache.enabled (not (and $.Values.global.registry.psql.enabled $.Values.registry.database.enabled)) }} registry: Enabling the Redis cache requires the metadata database to be enabled. See https://docs.gitlab.com/charts/charts/registry#redis-cache {{- end -}} -{{- if and $.Values.registry.database.enabled $.Values.registry.redis.cache.enabled }} +{{- if and $.Values.global.registry.psql.enabled $.Values.registry.database.enabled $.Values.registry.redis.cache.enabled }} {{- if and (kindIs "string" $.Values.registry.redis.cache.host) (empty $.Values.registry.redis.cache.host) }} registry: Enabling the Redis cache requires the host to not be empty. See https://docs.gitlab.com/charts/charts/registry#redis-cache {{- end -}} {{- end -}} -{{- if and $.Values.registry.database.enabled $.Values.registry.redis.cache.enabled $.Values.registry.redis.cache.sentinels}} +{{- if and $.Values.global.registry.psql.enabled $.Values.registry.database.enabled $.Values.registry.redis.cache.enabled $.Values.registry.redis.cache.sentinels}} {{- if not $.Values.registry.redis.cache.host }} registry: Enabling the Redis cache with sentinels requires the registry.redis.cache.host to be set. diff --git a/values.yaml b/values.yaml index 9349241513..b11c4c3f96 100644 --- a/values.yaml +++ b/values.yaml @@ -27,7 +27,8 @@ global: common: labels: {} - image: {} + image: + {} # Registry value override is only available for the following Charts: # - Spamcheck # - Mailroom 
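Review bot: The `image: {}` → `image:` / `{}` rewrite in the first values.yaml hunk, repeated for every empty mapping through the `upgradeCheck.image` hunk, together with the later quoting and inline-comment spacing changes, is pure reformatting unrelated to the subject and buries the one functional change in values.yaml (the new `global.registry.psql` block). It also turns a one-line empty mapping into two lines, which reads worse than `image: {}` and is not how the rest of this file writes empty values. Keep the empty mappings on one line and land the formatter churn as a separate commit so this diff shows only the deprecation.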
@@ -113,14 +114,16 @@ global: ## Enterprise license for this GitLab installation ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-enterprise-license ## If allowing shared-secrets generation, this is OPTIONAL. - license: {} + license: + {} # secret: RELEASE-gitlab-license # key: license ## Initial root password for this GitLab installation ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-root-password ## If allowing shared-secrets generation, this is OPTIONAL. - initialRootPassword: {} + initialRootPassword: + {} # secret: RELEASE-gitlab-initial-root-password # key: password @@ -132,7 +135,8 @@ global: keepalivesInterval: keepalivesCount: tcpUserTimeout: - password: {} + password: + {} # useSecret: # secret: # key: @@ -144,7 +148,8 @@ global: # applicationName: # preparedStatements: false # databaseTasks: true - main: {} + main: + {} # host: postgresql.hostedsomewhere.else # port: 123 # username: gitlab @@ -152,7 +157,8 @@ global: # applicationName: # preparedStatements: false # databaseTasks: true - ci: {} + ci: + {} # host: postgresql.hostedsomewhere.else # port: 123 # username: gitlab @@ -185,7 +191,8 @@ global: ## https://docs.gitlab.com/charts/charts/globals#configure-gitaly-settings gitaly: enabled: true - authToken: {} + authToken: + {} # secret: # key: # serviceName: @@ -233,7 +240,8 @@ global: ## https://docs.gitlab.com/charts/charts/globals#configure-minio-settings minio: enabled: true - credentials: {} + credentials: + {} # secret: ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings @@ -248,8 +256,8 @@ global: usernameChangingEnabled: true issueClosingPattern: defaultTheme: - defaultColorMode: - defaultSyntaxHighlightingTheme: + defaultColorMode: + defaultSyntaxHighlightingTheme: defaultProjectsFeatures: issues: true mergeRequests: true 
@@ -261,7 +269,8 @@ global: maxRequestDurationSeconds: ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings - cron_jobs: {} + cron_jobs: + {} ## Flag stuck CI builds as failed # stuck_ci_jobs_worker: # cron: "0 * * * *" @@ -352,31 +361,36 @@ global: object_store: enabled: false proxy_download: true - storage_options: {} + storage_options: + {} # server_side_encryption: # server_side_encryption_kms_key_id - connection: {} + connection: + {} # secret: # key: lfs: enabled: true proxy_download: true bucket: git-lfs - connection: {} + connection: + {} # secret: # key: artifacts: enabled: true proxy_download: true bucket: gitlab-artifacts - connection: {} + connection: + {} # secret: # key: uploads: enabled: true proxy_download: true bucket: gitlab-uploads - connection: {} + connection: + {} # secret: # key: packages: @@ -445,7 +459,8 @@ global: key: secret pollInterval: 60 deliveryMethod: webhook - authToken: {} + authToken: + {} # secret: # key: @@ -472,7 +487,8 @@ global: key: secret pollInterval: 60 deliveryMethod: webhook - authToken: {} + authToken: + {} # secret: # key: @@ -492,7 +508,8 @@ global: # key: ## https://docs.gitlab.com/charts/charts/globals#kas-settings - gitlab_kas: {} + gitlab_kas: + {} # secret: # key: # enabled: @@ -501,7 +518,8 @@ global: # clientTimeoutSeconds: ## https://docs.gitlab.com/charts/charts/globals#suggested-reviewers-settings - suggested_reviewers: {} + suggested_reviewers: + {} # secret: # key: @@ -558,12 +576,14 @@ global: routingRules: [] # Config that only applies to the defaults on initial install - initialDefaults: {} + initialDefaults: + {} # signupEnabled: ## End of global.appConfig oauth: - gitlab-pages: {} + gitlab-pages: + {} # secret: # appIdKey: # appSecretKey: @@ -619,7 +639,8 @@ global: authToken: {} # secret: # key: - hostKeys: {} + hostKeys: + {} # secret: ## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol tcp: 
@@ -628,7 +649,8 @@ global: ## Rails application secrets ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret ## If allowing shared-secrets generation, this is OPTIONAL. - railsSecrets: {} + railsSecrets: + {} # secret: ## Rails generic setting, applicable to all Rails-based containers @@ -642,12 +664,25 @@ global: registry: bucket: registry - certificate: {} + psql: + enabled: true + username: registry + database: registry + # host: + # port: + password: {} + # secret: + # key: + + certificate: + {} # secret: - httpSecret: {} + httpSecret: + {} # secret: # key: - notificationSecret: {} + notificationSecret: + {} # secret: # key: tls: @@ -659,7 +694,8 @@ global: rateLimiting: password: {} # https://docs.docker.com/registry/notifications/#configuration - notifications: {} + notifications: + {} # endpoints: # - name: FooListener # url: https://foolistener.com/event @@ -703,13 +739,16 @@ global: enabled: true bucket: gitlab-pages # proxy_download: true - connection: {} + connection: + {} # secret: # key: - apiSecret: {} + apiSecret: + {} # secret: # key: - authSecret: {} + authSecret: + {} # secret: # key: namespaceInPath: false @@ -718,7 +757,8 @@ global: ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret ## If allowing shared-secrets generation, this is OPTIONAL. runner: - registrationToken: {} + registrationToken: + {} # secret: ## https://docs.gitlab.com/charts/charts/globals#outgoing-email @@ -765,7 +805,6 @@ global: deployment: annotations: {} - # Setting a global nodeAffinity only applies to the registry chart for now. # See issue https://gitlab.com/gitlab-com/gl-infra/production-engineering/-/issues/25403 for more information @@ -900,7 +939,8 @@ global: upgradeCheck: enabled: true - image: {} + image: + {} # repository: # tag: # pullPolicy: IfNotPresent 
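Review bot: The new `global.registry.psql` block in the `@@ -642,12 +664,25 @@` hunk is the one substantive change in this file yet carries no comment, while the neighbouring globals each name their docs page and state where their secret comes from (for example `## Secret created according to https://docs.gitlab.com/charts/installation/secrets#...`). A reader of values.yaml alone cannot tell whether `enabled: true` turns the registry metadata database on by default or only in combination with the registry sub-chart's own `database.enabled`, nor what `host`/`port` resolve to while they stay commented out; I would add above `psql:` a two-line comment in the file's style, `## Registry metadata database (PostgreSQL); see the registry section of the globals docs` and `## password is read only from the referenced Secret; host/port fall back to the global PostgreSQL settings when unset`, with the fallback sentence adjusted if that is not the actual behaviour. `password: {}` should also be reflowed to `password:` / `  {}` so it matches every other empty map this same commit rewrote, and the `# secret:` / `# key:` hints under it should be indented under `password` rather than sitting at the `psql` level, since a user uncommenting them as-is would otherwise create `psql.secret` instead of `psql.password.secret`.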
@@ -917,7 +957,7 @@ upgradeCheck: allowPrivilegeEscalation: false runAsNonRoot: true capabilities: - drop: [ "ALL" ] + drop: ["ALL"] tolerations: [] annotations: {} configMapAnnotations: {} @@ -955,7 +995,7 @@ nginx-ingress: &nginx-ingress addHeaders: Referrer-Policy: strict-origin-when-cross-origin config: &nginx-ingress-controller-config - annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"" + annotation-value-word-blocklist: 'load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'',"' hsts: "true" hsts-include-subdomains: "false" hsts-max-age: "63072000" @@ -966,9 +1006,9 @@ nginx-ingress: &nginx-ingress server-tokens: "false" # Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration upstream-keepalive-connections: 100 # Limit of 100 held-open connections - upstream-keepalive-time: 30s # 30 second limit for connection reuse - upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections - upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling + upstream-keepalive-time: 30s # 30 second limit for connection reuse + upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections + upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling service: externalTrafficPolicy: "Local" @@ -1027,9 +1067,9 @@ nginx-ingress-geo: electionID: ingress-controller-leader-geo ingressClassResource: name: '{{ include "gitlab.geo.ingress.class.name" $ | quote }}' - controllerValue: 'k8s.io/nginx-ingress-geo' + controllerValue: "k8s.io/nginx-ingress-geo" # A pre-defined/static external IP can be configured with global.hosts.externalGeoIP. - externalIpTpl: '{{ .Values.global.hosts.externalGeoIP }}' + externalIpTpl: "{{ .Values.global.hosts.externalGeoIP }}" haproxy: install: false 
@@ -1070,7 +1110,7 @@ prometheus: allowPrivilegeEscalation: false runAsNonRoot: true capabilities: - drop: [ "ALL" ] + drop: ["ALL"] seccompProfile: type: "RuntimeDefault" podSecurityPolicy: @@ -1082,7 +1122,7 @@ prometheus: allowPrivilegeEscalation: false runAsNonRoot: true capabilities: - drop: [ "ALL" ] + drop: ["ALL"] seccompProfile: type: "RuntimeDefault" serverFiles: @@ -1308,7 +1348,7 @@ shared-secrets: allowPrivilegeEscalation: false runAsNonRoot: true capabilities: - drop: [ "ALL" ] + drop: ["ALL"] tolerations: [] podLabels: {} annotations: {} -- GitLab