From 6194585d21c0e82b7e4423ffab524c5157991304 Mon Sep 17 00:00:00 2001 From: Marcel Amirault Date: Thu, 22 May 2025 19:50:45 +0900 Subject: [PATCH] Project-wide cleanup in charts docs Clean up tables, whitespace, bolding --- doc/advanced/geo/_index.md | 2 +- doc/charts/certmanager-issuer/_index.md | 28 +- doc/charts/gitlab/gitaly/_index.md | 286 ++++---- doc/charts/gitlab/gitlab-exporter/_index.md | 126 ++-- doc/charts/gitlab/gitlab-pages/_index.md | 330 ++++----- doc/charts/gitlab/gitlab-shell/_index.md | 288 ++++---- doc/charts/gitlab/kas/_index.md | 216 +++--- doc/charts/gitlab/mailroom/_index.md | 150 ++-- doc/charts/gitlab/migrations/_index.md | 12 +- doc/charts/gitlab/praefect/_index.md | 102 +-- doc/charts/gitlab/sidekiq/_index.md | 398 +++++------ doc/charts/gitlab/spamcheck/_index.md | 150 ++-- doc/charts/gitlab/toolbox/_index.md | 168 ++--- doc/charts/gitlab/webservice/_index.md | 456 ++++++------ doc/charts/globals.md | 151 ++-- doc/charts/minio/_index.md | 130 ++-- doc/charts/registry/_index.md | 514 +++++++------- doc/charts/shared-secrets.md | 52 +- doc/development/changelog.md | 16 +- doc/development/ci.md | 12 +- doc/development/clickhouse.md | 12 +- doc/development/release.md | 20 +- doc/development/rspec.md | 2 +- doc/development/style_guide.md | 8 +- doc/installation/cloud/aks.md | 26 +- doc/installation/cloud/eks.md | 14 +- doc/installation/cloud/gke.md | 34 +- doc/installation/cloud/openshift.md | 40 +- doc/installation/command-line-options.md | 728 ++++++++++---------- doc/installation/storage.md | 2 +- doc/installation/version_mappings.md | 642 ++++++++--------- doc/releases/9_0.md | 2 +- 32 files changed, 2558 insertions(+), 2559 deletions(-) diff --git a/doc/advanced/geo/_index.md b/doc/advanced/geo/_index.md index 389eff874a..0146f7c311 100644 --- a/doc/advanced/geo/_index.md +++ b/doc/advanced/geo/_index.md 
@@ -312,7 +312,7 @@ This assumes you are using the `gitlab` namespace. If you want to use a differen {{< alert type="note" >}} -**This step is required for Geo to function.** +**This step is required for Geo to function**. {{< /alert >}} diff --git a/doc/charts/certmanager-issuer/_index.md b/doc/charts/certmanager-issuer/_index.md index 546949ef7f..23671e9a88 100644 --- a/doc/charts/certmanager-issuer/_index.md +++ b/doc/charts/certmanager-issuer/_index.md 
@@ -48,18 +48,18 @@ certmanager-issuer: This table contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags: -| Parameter | Default | Description | -|-----------------------------------------------------|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `server` | `https://acme-v02.api.letsencrypt.org/directory` | Let's Encrypt server for use with the [ACME CertManager Issuer](https://cert-manager.io/docs/configuration/acme/). | +| Parameter | Default | Description | +|-----------------------------------------------------|--------------------------------------------------|-------------| +| `server` | `https://acme-v02.api.letsencrypt.org/directory` | Let's Encrypt server for use with the [ACME CertManager Issuer](https://cert-manager.io/docs/configuration/acme/). | | `email` | | You must provide an email to associate with your TLS certificates. Let's Encrypt uses this address to contact you about expiring certificates, and issues related to your account. | -| `rbac.create` | `true` | When `true`, creates RBAC-related resources to allow for manipulation of CertManager Issuer objects. | -| `resources.requests.cpu` | `50m` | Requested CPU resources for the Issuer creation Job. | -| `common.labels` | | Common labels to apply to the ServiceAccount, Job, ConfigMap, and Issuer. | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which Certmanager is started | -| `containerSecurityContext.runAsUser` | `65534` | User ID under which the container should be started | -| `containerSecurityContext.runAsGroup` | `65534` | Group ID under which the container should be started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `ttlSecondsAfterFinished` | `1800` | Controls when a finished job becomes eligible for cascading removal. | +| `rbac.create` | `true` | When `true`, creates RBAC-related resources to allow for manipulation of CertManager Issuer objects. | +| `resources.requests.cpu` | `50m` | Requested CPU resources for the Issuer creation Job. | +| `common.labels` | | Common labels to apply to the ServiceAccount, Job, ConfigMap, and Issuer. | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which Certmanager is started | +| `containerSecurityContext.runAsUser` | `65534` | User ID under which the container should be started | +| `containerSecurityContext.runAsGroup` | `65534` | Group ID under which the container should be started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `ttlSecondsAfterFinished` | `1800` | Controls when a finished job becomes eligible for cascading removal. | diff --git a/doc/charts/gitlab/gitaly/_index.md b/doc/charts/gitlab/gitaly/_index.md index e55c393d05..3e6f76fa34 100644 --- a/doc/charts/gitlab/gitaly/_index.md +++ b/doc/charts/gitlab/gitaly/_index.md 
@@ -42,130 +42,130 @@ as described in the [external Gitaly documentation](../../../advanced/external-g The table below contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags. -| Parameter | Default | Description | -|----------------------------------------------------------|---------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `annotations` | | Pod annotations | -| `backup.goCloudUrl` | | Object storage URL for [server side Gitaly backups](https://docs.gitlab.com/administration/gitaly/configure_gitaly/#configure-server-side-backups). | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `external[].hostname` | `- ""` | hostname of external node | -| `external[].name` | `- ""` | name of external node storage | -| `external[].port` | `- ""` | port of external node | -| `extraContainers` | | Multiline literal style string containing a list of containers to include | -| `extraInitContainers` | | List of extra init containers to include | -| `extraVolumeMounts` | | List of extra volumes mounts to do | -| `extraVolumes` | | List of extra volumes to create | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `gitaly.serviceName` | | The name of the generated Gitaly service. 
Overrides `global.gitaly.serviceName`, and defaults to `-gitaly` | -| `gpgSigning.enabled` | `false` | If [Gitaly GPG signing](https://docs.gitlab.com/administration/gitaly/configure_gitaly/#configure-commit-signing-for-gitlab-ui-commits) should be used. | -| `gpgSigning.secret` | | The name of the secret used for Gitaly GPG signing. | -| `gpgSigning.key` | | The key in the GPG secret containing Gitaly's GPG signing key. | -| `image.pullPolicy` | `Always` | Gitaly image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | Gitaly image repository | -| `image.tag` | `master` | Gitaly image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `internal.names[]` | `- default` | Ordered names of StatefulSet storages | -| `serviceLabels` | `{}` | Supplemental service labels | -| `service.externalPort` | `8075` | Gitaly service exposed port | -| `service.internalPort` | `8075` | Gitaly internal port | -| `service.name` | `gitaly` | The name of the Service port that Gitaly is behind in the Service object. 
| -| `service.type` | `ClusterIP` | Gitaly service type | -| `service.clusterIP` | `None` | You can specify your own cluster IP address as part of a Service creation request. This follows the same conventions as the Kubernetes' Service object's clusterIP. This must not be set if `service.type` is LoadBalancer. | -| `service.loadBalancerIP` | | An ephemeral IP address will be created if not set. This follows the same conventions as the Kubernetes' Service object's loadbalancerIP configuration. | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `shareProcessNamespace` | `false` | Allows making container processes visible to all other contains in the same pod | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the Gitaly container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow overwriting of the specific security context user ID under which the Gitaly container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of 
the Gitaly container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the Gitaly container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `persistence.accessMode` | `ReadWriteOnce` | Gitaly persistence access mode | -| `persistence.annotations` | | Gitaly persistence annotations | -| `persistence.enabled` | `true` | Gitaly enable persistence flag | -| `persistance.labels` | | Gitaly persistence labels | -| `persistence.matchExpressions` | | Label-expression matches to bind | -| `persistence.matchLabels` | | Label-value matches to bind | -| `persistence.size` | `50Gi` | Gitaly persistence volume size | -| `persistence.storageClass` | | storageClassName for provisioning | -| `persistence.subPath` | | Gitaly persistence volume mount path | -| `priorityClassName` | | Gitaly StatefulSet priorityClassName | -| `logging.level` | | Log level | -| `logging.format` | `json` | Log format | -| `logging.sentryDsn` | | Sentry DSN URL - Exceptions from Go server | -| `logging.sentryEnvironment` | | Sentry environment to be used for logging | -| `shell.concurrency[]` | | Concurrency of each RPC endpoint. See [Limit RPC concurrency](https://docs.gitlab.com/administration/gitaly/concurrency_limiting/#limit-rpc-concurrency) and [Enable adaptiveness for RPC concurrency](https://docs.gitlab.com/administration/gitaly/concurrency_limiting/#enable-adaptiveness-for-rpc-concurrency) for the configuration keys. 
| -| `packObjectsCache.enabled` | `false` | Enable the Gitaly pack-objects cache | -| `packObjectsCache.dir` | `/home/git/repositories/+gitaly/PackObjectsCache` | Directory where cache files get stored | -| `packObjectsCache.max_age` | `5m` | Cache entries lifespan | -| `packObjectsCache.min_occurrences` | `1` | Minimum count requiredto create a cache entry | -| `git.catFileCacheSize` | | Cache size used by Git cat-file process | -| `git.config[]` | `[]` | Git configuration that Gitaly should set when spawning Git commands | -| `prometheus.grpcLatencyBuckets` | | Buckets corresponding to histogram latencies on GRPC method calls to be recorded by Gitaly. A string form of the array (for example, `"[1.0, 1.5, 2.0]"`) is required as input | -| `statefulset.strategy` | `{}` | Allows one to configure the update strategy utilized by the StatefulSet | -| `statefulset.livenessProbe.initialDelaySeconds` | 0 | Delay before liveness probe is initiated. If startupProbe is enabled, this will be set to 0. | -| `statefulset.livenessProbe.periodSeconds` | 10 | How often to perform the liveness probe | -| `statefulset.livenessProbe.timeoutSeconds` | 3 | When the liveness probe times out | -| `statefulset.livenessProbe.successThreshold` | 1 | Minimum consecutive successes for the liveness probe to be considered successful after having failed | -| `statefulset.livenessProbe.failureThreshold` | 3 | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | -| `statefulset.readinessProbe.initialDelaySeconds` | 0 | Delay before readiness probe is initiated. If startupProbe is enabled, this will be set to 0. 
| -| `statefulset.readinessProbe.periodSeconds` | 5 | How often to perform the readiness probe | -| `statefulset.readinessProbe.timeoutSeconds` | 3 | When the readiness probe times out | -| `statefulset.readinessProbe.successThreshold` | 1 | Minimum consecutive successes for the readiness probe to be considered successful after having failed | -| `statefulset.readinessProbe.failureThreshold` | 3 | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | -| `statefulset.startupProbe.enabled` | `true` | Whether a startup probe is enabled. | -| `statefulset.startupProbe.initialDelaySeconds` | 1 | Delay before startup probe is initiated | -| `statefulset.startupProbe.periodSeconds` | 1 | How often to perform the startup probe | -| `statefulset.startupProbe.timeoutSeconds` | 1 | When the startup probe times out | -| `statefulset.startupProbe.successThreshold` | 1 | Minimum consecutive successes for the startup probe to be considered successful after having failed | -| `statefulset.startupProbe.failureThreshold` | 60 | Minimum consecutive failures for the startup probe to be considered failed after having succeeded | -| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping | -| `metrics.port` | `9236` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.metricsPort` | | **DEPRECATED** Use `metrics.port` | -| `gomemlimit.enabled` | `true` | This will automatically set the `GOMEMLIMIT` environment variable for the Gitaly 
container to `resources.limits.memory`, if that limit is also set. Users can override this value by setting this value false and setting `GOMEMLIMIT` in `extraEnv`. This must meet [documented format criteria](https://pkg.go.dev/runtime#hdr-Environment_Variables). | -| `cgroups.enabled` |`false` | Gitaly has built-in cgroups control. When configured, Gitaly assigns Git processes to a cgroup based on the repository the Git command is operating in. This parameter will enable repository cgroups. Note only cgroups v2 will be supported if enabled. | -| `cgroups.initContainer.image.repository` | `registry.com/gitlab-org/build/cng/gitaly-init-cgroups` | Gitaly image repository | -| `cgroups.initContainer.image.tag` | `master` | Gitaly image tag | -| `cgroups.initContainer.image.pullPolicy` | `IfNotPresent` | Gitaly image pull policy | -| `cgroups.mountpoint` | `/etc/gitlab-secrets/gitaly-pod-cgroup` | Where the parent cgroup directory is mounted. | -| `cgroups.hierarchyRoot` | `gitaly` | Parent cgroup under which Gitaly creates groups, and is expected to be owned by the user and group Gitaly runs as. | -| `cgroups.memoryBytes` | | The total memory limit that is imposed collectively on all Git processes that Gitaly spawns. 0 implies no limit. | -| `cgroups.cpuShares` | | The CPU limit that is imposed collectively on all Git processes that Gitaly spawns. 0 implies no limit. The maximum is 1024 shares, which represents 100% of CPU. | -| `cgroups.cpuQuotaUs` | | Used to throttle the cgroups’ processes if they exceed this quota value. We set cpuQuotaUs to 100ms so 1 core is 100000. 0 implies no limit. | -| `cgroups.repositories.count` | | The number of cgroups in the cgroups pool. Each time a new Git command is spawned, Gitaly assigns it to one of these cgroups based on the repository the command is for. A circular hashing algorithm assigns Git commands to these cgroups, so a Git command for a repository is always assigned to the same cgroup. 
| -| `cgroups.repositories.memoryBytes` | | The total memory limit imposed on all Git processes contained in a repository cgroup. 0 implies no limit. This value cannot exceed that of the top level memoryBytes. | -| `cgroups.repositories.cpuShares` | | The CPU limit that is imposed on all Git processes contained in a repository cgroup. 0 implies no limit. The maximum is 1024 shares, which represents 100% of CPU. This value cannot exceed that of the top level cpuShares. | -| `cgroups.repositories.cpuQuotaUs` | | The cpuQuotaUs that is imposed on all Git processes contained in a repository cgroup. A Git process can’t use more then the given quota. We set cpuQuotaUs to 100ms so 1 core is 100000. 0 implies no limit. | -| `cgroups.repositories.maxCgroupsPerRepo` | 1 | The number of repository cgroups that Git processes targeting a specific repository can be distributed across. This enables more conservative CPU and memory limits to be configured for repository cgroups while still allowing for bursty workloads. For instance, with a `maxCgroupsPerRepo` of `2` and a `memoryBytes` limit of 10GB, independent Git operations against a specific repository can consume up to 20GB of memory. | -| `gracefulRestartTimeout` | `25` | Gitaly shutdown grace period, how long to wait for in-flight requests to complete (seconds). Pod `terminationGracePeriodSeconds` is set to this value + 5 seconds. | -| `timeout.uploadPackNegotiation` | | See [Configure the negotiation timeouts](https://docs.gitlab.com/administration/settings/gitaly_timeouts/#configure-the-negotiation-timeouts). | -| `timeout.uploadArchiveNegotiation` | | See [Configure the negotiation timeouts](https://docs.gitlab.com/administration/settings/gitaly_timeouts/#configure-the-negotiation-timeouts). | -| `dailyMaintenance.disabled` | | Allows to disable the daily background maintenance. | -| `dailyMaintenance.duration` | | Maximum duration of the daily background maintenance. For example "1h" or "45m". 
| -| `dailyMaintenance.startHour` | | Start minute of the daily background maintenance. | -| `dailyMaintenance.startMinute` | | Start minute of the daily background maintenance. | -| `dailyMaintenance.storages` | | Array of storage names to perform the daily background maintenance. For example [ "default" ]. | -| `bundleUri.goCloudUrl` | | See the [Bundle URIs documentation](https://docs.gitlab.com/administration/gitaly/bundle_uris/). | +| Parameter | Default | Description | +|----------------------------------------------------------|---------------------------------------------------------|-------------| +| `annotations` | | Pod annotations | +| `backup.goCloudUrl` | | Object storage URL for [server side Gitaly backups](https://docs.gitlab.com/administration/gitaly/configure_gitaly/#configure-server-side-backups). | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `external[].hostname` | `- ""` | hostname of external node | +| `external[].name` | `- ""` | name of external node storage | +| `external[].port` | `- ""` | port of external node | +| `extraContainers` | | Multiline literal style string containing a list of containers to include | +| `extraInitContainers` | | List of extra init containers to include | +| `extraVolumeMounts` | | List of extra volumes mounts to do | +| `extraVolumes` | | List of extra volumes to create | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `gitaly.serviceName` | | The name of the generated Gitaly service. Overrides `global.gitaly.serviceName`, and defaults to `-gitaly` | +| `gpgSigning.enabled` | `false` | If [Gitaly GPG signing](https://docs.gitlab.com/administration/gitaly/configure_gitaly/#configure-commit-signing-for-gitlab-ui-commits) should be used. 
| +| `gpgSigning.secret` | | The name of the secret used for Gitaly GPG signing. | +| `gpgSigning.key` | | The key in the GPG secret containing Gitaly's GPG signing key. | +| `image.pullPolicy` | `Always` | Gitaly image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | Gitaly image repository | +| `image.tag` | `master` | Gitaly image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `internal.names[]` | `- default` | Ordered names of StatefulSet storages | +| `serviceLabels` | `{}` | Supplemental service labels | +| `service.externalPort` | `8075` | Gitaly service exposed port | +| `service.internalPort` | `8075` | Gitaly internal port | +| `service.name` | `gitaly` | The name of the Service port that Gitaly is behind in the Service object. | +| `service.type` | `ClusterIP` | Gitaly service type | +| `service.clusterIP` | `None` | You can specify your own cluster IP address as part of a Service creation request. This follows the same conventions as the Kubernetes' Service object's clusterIP. This must not be set if `service.type` is LoadBalancer. 
| +| `service.loadBalancerIP` | | An ephemeral IP address will be created if not set. This follows the same conventions as the Kubernetes' Service object's loadbalancerIP configuration. | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `shareProcessNamespace` | `false` | Allows making container processes visible to all other contains in the same pod | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the Gitaly container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow overwriting of the specific security context user ID under which the Gitaly container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the Gitaly container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux 
capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `persistence.accessMode` | `ReadWriteOnce` | Gitaly persistence access mode | +| `persistence.annotations` | | Gitaly persistence annotations | +| `persistence.enabled` | `true` | Gitaly enable persistence flag | +| `persistance.labels` | | Gitaly persistence labels | +| `persistence.matchExpressions` | | Label-expression matches to bind | +| `persistence.matchLabels` | | Label-value matches to bind | +| `persistence.size` | `50Gi` | Gitaly persistence volume size | +| `persistence.storageClass` | | storageClassName for provisioning | +| `persistence.subPath` | | Gitaly persistence volume mount path | +| `priorityClassName` | | Gitaly StatefulSet priorityClassName | +| `logging.level` | | Log level | +| `logging.format` | `json` | Log format | +| `logging.sentryDsn` | | Sentry DSN URL - Exceptions from Go server | +| `logging.sentryEnvironment` | | Sentry environment to be used for logging | +| `shell.concurrency[]` | | Concurrency of each RPC endpoint. See [Limit RPC concurrency](https://docs.gitlab.com/administration/gitaly/concurrency_limiting/#limit-rpc-concurrency) and [Enable adaptiveness for RPC concurrency](https://docs.gitlab.com/administration/gitaly/concurrency_limiting/#enable-adaptiveness-for-rpc-concurrency) for the configuration keys. 
| +| `packObjectsCache.enabled` | `false` | Enable the Gitaly pack-objects cache | +| `packObjectsCache.dir` | `/home/git/repositories/+gitaly/PackObjectsCache` | Directory where cache files get stored | +| `packObjectsCache.max_age` | `5m` | Cache entries lifespan | +| `packObjectsCache.min_occurrences` | `1` | Minimum count requiredto create a cache entry | +| `git.catFileCacheSize` | | Cache size used by Git cat-file process | +| `git.config[]` | `[]` | Git configuration that Gitaly should set when spawning Git commands | +| `prometheus.grpcLatencyBuckets` | | Buckets corresponding to histogram latencies on GRPC method calls to be recorded by Gitaly. A string form of the array (for example, `"[1.0, 1.5, 2.0]"`) is required as input | +| `statefulset.strategy` | `{}` | Allows one to configure the update strategy utilized by the StatefulSet | +| `statefulset.livenessProbe.initialDelaySeconds` | `0` | Delay before liveness probe is initiated. If startupProbe is enabled, this will be set to 0. | +| `statefulset.livenessProbe.periodSeconds` | `10` | How often to perform the liveness probe | +| `statefulset.livenessProbe.timeoutSeconds` | `3` | When the liveness probe times out | +| `statefulset.livenessProbe.successThreshold` | `1` | Minimum consecutive successes for the liveness probe to be considered successful after having failed | +| `statefulset.livenessProbe.failureThreshold` | `3` | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | +| `statefulset.readinessProbe.initialDelaySeconds` | `0` | Delay before readiness probe is initiated. If startupProbe is enabled, this will be set to 0. 
| +| `statefulset.readinessProbe.periodSeconds` | `5` | How often to perform the readiness probe | +| `statefulset.readinessProbe.timeoutSeconds` | `3` | When the readiness probe times out | +| `statefulset.readinessProbe.successThreshold` | `1` | Minimum consecutive successes for the readiness probe to be considered successful after having failed | +| `statefulset.readinessProbe.failureThreshold` | `3` | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | +| `statefulset.startupProbe.enabled` | `true` | Whether a startup probe is enabled. | +| `statefulset.startupProbe.initialDelaySeconds` | `1` | Delay before startup probe is initiated | +| `statefulset.startupProbe.periodSeconds` | `1` | How often to perform the startup probe | +| `statefulset.startupProbe.timeoutSeconds` | `1` | When the startup probe times out | +| `statefulset.startupProbe.successThreshold` | `1` | Minimum consecutive successes for the startup probe to be considered successful after having failed | +| `statefulset.startupProbe.failureThreshold` | `60` | Minimum consecutive failures for the startup probe to be considered failed after having succeeded | +| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `9236` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `metrics.metricsPort` | | **DEPRECATED** Use `metrics.port` | +| `gomemlimit.enabled` | `true` | This will automatically set the `GOMEMLIMIT` environment variable 
for the Gitaly container to `resources.limits.memory`, if that limit is also set. Users can override this value by setting this value false and setting `GOMEMLIMIT` in `extraEnv`. This must meet [documented format criteria](https://pkg.go.dev/runtime#hdr-Environment_Variables). | +| `cgroups.enabled` | `false` | Gitaly has built-in cgroups control. When configured, Gitaly assigns Git processes to a cgroup based on the repository the Git command is operating in. This parameter will enable repository cgroups. Note only cgroups v2 will be supported if enabled. | +| `cgroups.initContainer.image.repository` | `registry.com/gitlab-org/build/cng/gitaly-init-cgroups` | Gitaly image repository | +| `cgroups.initContainer.image.tag` | `master` | Gitaly image tag | +| `cgroups.initContainer.image.pullPolicy` | `IfNotPresent` | Gitaly image pull policy | +| `cgroups.mountpoint` | `/etc/gitlab-secrets/gitaly-pod-cgroup` | Where the parent cgroup directory is mounted. | +| `cgroups.hierarchyRoot` | `gitaly` | Parent cgroup under which Gitaly creates groups, and is expected to be owned by the user and group Gitaly runs as. | +| `cgroups.memoryBytes` | | The total memory limit that is imposed collectively on all Git processes that Gitaly spawns. 0 implies no limit. | +| `cgroups.cpuShares` | | The CPU limit that is imposed collectively on all Git processes that Gitaly spawns. 0 implies no limit. The maximum is 1024 shares, which represents 100% of CPU. | +| `cgroups.cpuQuotaUs` | | Used to throttle the cgroups' processes if they exceed this quota value. We set cpuQuotaUs to 100ms so 1 core is 100000. 0 implies no limit. | +| `cgroups.repositories.count` | | The number of cgroups in the cgroups pool. Each time a new Git command is spawned, Gitaly assigns it to one of these cgroups based on the repository the command is for. A circular hashing algorithm assigns Git commands to these cgroups, so a Git command for a repository is always assigned to the same cgroup. 
| +| `cgroups.repositories.memoryBytes` | | The total memory limit imposed on all Git processes contained in a repository cgroup. 0 implies no limit. This value cannot exceed that of the top level memoryBytes. | +| `cgroups.repositories.cpuShares` | | The CPU limit that is imposed on all Git processes contained in a repository cgroup. 0 implies no limit. The maximum is 1024 shares, which represents 100% of CPU. This value cannot exceed that of the top level cpuShares. | +| `cgroups.repositories.cpuQuotaUs` | | The cpuQuotaUs that is imposed on all Git processes contained in a repository cgroup. A Git process can't use more then the given quota. We set cpuQuotaUs to 100ms so 1 core is 100000. 0 implies no limit. | +| `cgroups.repositories.maxCgroupsPerRepo` | `1` | The number of repository cgroups that Git processes targeting a specific repository can be distributed across. This enables more conservative CPU and memory limits to be configured for repository cgroups while still allowing for bursty workloads. For instance, with a `maxCgroupsPerRepo` of `2` and a `memoryBytes` limit of 10GB, independent Git operations against a specific repository can consume up to 20GB of memory. | +| `gracefulRestartTimeout` | `25` | Gitaly shutdown grace period, how long to wait for in-flight requests to complete (seconds). Pod `terminationGracePeriodSeconds` is set to this value + 5 seconds. | +| `timeout.uploadPackNegotiation` | | See [Configure the negotiation timeouts](https://docs.gitlab.com/administration/settings/gitaly_timeouts/#configure-the-negotiation-timeouts). | +| `timeout.uploadArchiveNegotiation` | | See [Configure the negotiation timeouts](https://docs.gitlab.com/administration/settings/gitaly_timeouts/#configure-the-negotiation-timeouts). | +| `dailyMaintenance.disabled` | | Allows to disable the daily background maintenance. | +| `dailyMaintenance.duration` | | Maximum duration of the daily background maintenance. For example "1h" or "45m". 
| +| `dailyMaintenance.startHour` | | Start minute of the daily background maintenance. | +| `dailyMaintenance.startMinute` | | Start minute of the daily background maintenance. | +| `dailyMaintenance.storages` | | Array of storage names to perform the daily background maintenance. For example [ "default" ]. | +| `bundleUri.goCloudUrl` | | See the [Bundle URIs documentation](https://docs.gitlab.com/administration/gitaly/bundle_uris/). | ## Chart configuration examples @@ -239,13 +239,13 @@ image: This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not to create a ServiceAccount. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not to create a ServiceAccount. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### tolerations 
@@ -346,10 +346,10 @@ workhorse: port: 8181 ``` -| Name | Type | Default | Description | -| :------------ | :-----: | :----------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `host` | String | | The hostname of the Workhorse server. This can be omitted in lieu of `serviceName`. | -| `port` | Integer | `8181` | The port on which to connect to the Workhorse server. | +| Name | Type | Default | Description | +|:--------------|:-------:|:-------------|:------------| +| `host` | String | | The hostname of the Workhorse server. This can be omitted in lieu of `serviceName`. | +| `port` | Integer | `8181` | The port on which to connect to the Workhorse server. | | `serviceName` | String | `webservice` | The name of the `service` which is operating the Workhorse server. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Workhorse as a part of the overall GitLab chart. | ## Chart settings 
@@ -400,16 +400,16 @@ persistence: annotations: {} ``` -| Name | Type | Default | Description | -| :----------------- | :-----: | :-------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `accessMode` | String | `ReadWriteOnce` | Sets the accessMode requested in the PersistentVolumeClaim. See [Kubernetes Access Modes Documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for details. | -| `enabled` | Boolean | `true` | Sets whether or not to use a PersistentVolumeClaims for the repository data. If `false`, an emptyDir volume is used. | -| `matchExpressions` | Array | | Accepts an array of label condition objects to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). | +| Name | Type | Default | Description | +|:-------------------|:-------:|:----------------|:------------| +| `accessMode` | String | `ReadWriteOnce` | Sets the accessMode requested in the PersistentVolumeClaim. See [Kubernetes Access Modes Documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for details. | +| `enabled` | Boolean | `true` | Sets whether or not to use a PersistentVolumeClaims for the repository data. If `false`, an emptyDir volume is used. | +| `matchExpressions` | Array | | Accepts an array of label condition objects to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). 
| | `matchLabels` | Map | | Accepts a Map of label names and label values to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). | -| `size` | String | `50Gi` | The minimum volume size to request for the data persistence. | -| `storageClass` | String | | Sets the storageClassName on the Volume Claim for dynamic provisioning. When unset or null, the default provisioner will be used. If set to a hyphen, dynamic provisioning is disabled. | -| `subPath` | String | | Sets the path within the volume to mount, rather than the volume root. The root is used if the subPath is empty. | -| `annotations` | Map | | Sets the annotations on the Volume Claim for dynamic provisioning. See [Kubernetes Annotations Documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) for details. | +| `size` | String | `50Gi` | The minimum volume size to request for the data persistence. | +| `storageClass` | String | | Sets the storageClassName on the Volume Claim for dynamic provisioning. When unset or null, the default provisioner will be used. If set to a hyphen, dynamic provisioning is disabled. | +| `subPath` | String | | Sets the path within the volume to mount, rather than the volume root. The root is used if the subPath is empty. | +| `annotations` | Map | | Sets the annotations on the Volume Claim for dynamic provisioning. See [Kubernetes Annotations Documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) for details. | ### Running Gitaly over TLS diff --git a/doc/charts/gitlab/gitlab-exporter/_index.md b/doc/charts/gitlab/gitlab-exporter/_index.md index bad619f27b..cd1bd22fe8 100644 --- a/doc/charts/gitlab/gitlab-exporter/_index.md +++ b/doc/charts/gitlab/gitlab-exporter/_index.md 
@@ -34,64 +34,64 @@ The `gitlab-exporter` chart is configured as follows: The table below contains all the possible chart configurations that can be supplied to the `helm install` command using the `--set` flags. -| Parameter | Default | Description | -|----------------------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `annotations` | | Pod annotations | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | -| `enabled` | `true` | GitLab Exporter enabled flag | -| `extraContainers` | | Multiline literal style string containing a list of containers to include | -| `extraInitContainers` | | List of extra init containers to include | -| `extraVolumeMounts` | | List of extra volumes mounts to do | -| `extraVolumes` | | List of extra volumes to create | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter` | GitLab Exporter image repository | -| `image.tag` | | image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | 
initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | -| `metrics.port` | `9168` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | +| Parameter | Default | Description | +|----------------------------------------------------------|------------------------------------------------------------|-------------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | | Pod annotations | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. 
| +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | +| `enabled` | `true` | GitLab Exporter enabled flag | +| `extraContainers` | | Multiline literal style string containing a list of containers to include | +| `extraInitContainers` | | List of extra init containers to include | +| `extraVolumeMounts` | | List of extra volumes mounts to do | +| `extraVolumes` | | List of extra volumes to create | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter` | GitLab Exporter image repository | +| `image.tag` | | image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `9168` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | | `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable 
Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | -| `resources.requests.cpu` | `75m` | GitLab Exporter minimum CPU | -| `resources.requests.memory` | `100M` | GitLab Exporter minimum memory | -| `serviceLabels` | `{}` | Supplemental service labels | -| `service.externalPort` | `9168` | GitLab Exporter exposed port | -| `service.internalPort` | `9168` | GitLab Exporter internal port | -| `service.name` | `gitlab-exporter` | GitLab Exporter service name | -| `service.type` | `ClusterIP` | GitLab Exporter service type | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allows overwriting of the specific security context user ID under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `false` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | -| `tls.enabled` | `false` | GitLab Exporter TLS enabled | -| `tls.secretName` | `{Release.Name}-gitlab-exporter-tls` | GitLab Exporter TLS secret. Must point to a [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. 
| +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| `resources.requests.cpu` | `75m` | GitLab Exporter minimum CPU | +| `resources.requests.memory` | `100M` | GitLab Exporter minimum memory | +| `serviceLabels` | `{}` | Supplemental service labels | +| `service.externalPort` | `9168` | GitLab Exporter exposed port | +| `service.internalPort` | `9168` | GitLab Exporter internal port | +| `service.name` | `gitlab-exporter` | GitLab Exporter service name | +| `service.type` | `ClusterIP` | GitLab Exporter service type | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allows overwriting of the specific security context user ID under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `false` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | +| `tls.enabled` | `false` | GitLab Exporter TLS enabled | +| `tls.secretName` | `{Release.Name}-gitlab-exporter-tls` | GitLab Exporter TLS secret. Must point to a [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). | ## Chart configuration examples 
@@ -164,13 +164,13 @@ image: This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### affinity diff --git a/doc/charts/gitlab/gitlab-pages/_index.md b/doc/charts/gitlab/gitlab-pages/_index.md index 5e32b544ab..68da32b059 100644 --- a/doc/charts/gitlab/gitlab-pages/_index.md +++ b/doc/charts/gitlab/gitlab-pages/_index.md 
@@ -39,157 +39,157 @@ configurations that can be supplied to the `helm install` command using the ### General settings -| Parameter | Default | Description | -|----------------------------------------------------------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `annotations` | | Pod annotations | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data source to expose | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| Parameter | Default | Description | +|----------------------------------------------------------|---------------------------------------------------------|-------------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | | Pod annotations | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. 
| +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data source to expose | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | | `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.minReplicas` | `1` | Minimum number of replicas | -| `hpa.maxReplicas` | `10` | Maximum number of replicas | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-pages` | GitLab Pages image repository | -| `image.tag` | | image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | 
initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | -| `metrics.port` | `9235` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to 
enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | -| `metrics.tls.enabled` | `false` | TLS enabled for the metrics endpoint | -| `metrics.tls.secretName` | `{Release.Name}-pages-metrics-tls` | Secret for the metrics endpoint TLS cert and key | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `resources.requests.cpu` | `900m` | GitLab Pages minimum CPU | -| `resources.requests.memory` | `2G` | GitLab Pages minimum memory | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context user ID under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the 
container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `service.externalPort` | `8090` | GitLab Pages exposed port | -| `service.internalPort` | `8090` | GitLab Pages internal port | -| `service.name` | `gitlab-pages` | GitLab Pages service name | -| `service.annotations` | | Annotations for all pages services. | -| `service.primary.annotations` | | Annotations for the primary service only. | -| `service.metrics.annotations` | | Annotations for the metrics service only. | -| `service.customDomains.annotations` | | Annotations for the custom domains service only. | -| `service.customDomains.type` | `LoadBalancer` | Type of service created for handling custom domains | -| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | -| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | -| `service.customDomains.nodePort.http` | | Node Port to be opened for HTTP connections. Valid only if `service.customDomains.type` is `NodePort` | -| `service.customDomains.nodePort.https` | | Node Port to be opened for HTTPS connections. Valid only if `service.customDomains.type` is `NodePort` | -| `service.sessionAffinity` | `None` | Type of the session affinity. Must be either `ClientIP` or `None` (this only makes sense for traffic originating from within the cluster) | -| `service.sessionAffinityConfig` | | Session affinity config. 
If `service.sessionAffinity` == `ClientIP` the default session sticky time is 3 hours (10800) | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used | -| `serviceLabels` | `{}` | Supplemental service labels | -| `tolerations` | `[]` | Toleration labels for pod assignment | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.minReplicas` | `1` | Minimum number of replicas | +| `hpa.maxReplicas` | `10` | Maximum number of replicas | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-pages` | GitLab Pages image repository | +| `image.tag` | | image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer specific 
[securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` 
| `9235` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | +| `metrics.tls.enabled` | `false` | TLS enabled for the metrics endpoint | +| `metrics.tls.secretName` | `{Release.Name}-pages-metrics-tls` | Secret for the metrics endpoint TLS cert and key | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. 
| +| `resources.requests.cpu` | `900m` | GitLab Pages minimum CPU | +| `resources.requests.memory` | `2G` | GitLab Pages minimum memory | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context user ID under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `service.externalPort` | `8090` | GitLab Pages exposed port | +| `service.internalPort` | `8090` | GitLab Pages internal port | +| `service.name` | `gitlab-pages` | GitLab Pages service name | +| `service.annotations` | | Annotations for all pages services. | +| `service.primary.annotations` | | Annotations for the primary service only. | +| `service.metrics.annotations` | | Annotations for the metrics service only. | +| `service.customDomains.annotations` | | Annotations for the custom domains service only. 
| +| `service.customDomains.type` | `LoadBalancer` | Type of service created for handling custom domains | +| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | +| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | +| `service.customDomains.nodePort.http` | | Node Port to be opened for HTTP connections. Valid only if `service.customDomains.type` is `NodePort` | +| `service.customDomains.nodePort.https` | | Node Port to be opened for HTTPS connections. Valid only if `service.customDomains.type` is `NodePort` | +| `service.sessionAffinity` | `None` | Type of the session affinity. Must be either `ClientIP` or `None` (this only makes sense for traffic originating from within the cluster) | +| `service.sessionAffinityConfig` | | Session affinity config. If `service.sessionAffinity` == `ClientIP` the default session sticky time is 3 hours (10800) | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | +| `serviceLabels` | `{}` | Supplemental service labels | +| `tolerations` | `[]` | Toleration labels for pod assignment | ### Pages specific settings -| Parameter | Default | Description | -| --------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `artifactsServerTimeout` | `10` | Timeout (in seconds) for a proxied request to the artifacts server | -| `artifactsServerUrl` | | API URL to proxy artifact requests to | -| `extraVolumeMounts` | | List of extra volumes mounts to add | -| `extraVolumes` | | List of extra volumes to create | -| `gitlabCache.cleanup` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `gitlabCache.expiry` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `gitlabCache.refresh` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `gitlabClientHttpTimeout` | | GitLab API HTTP client connection timeout in seconds | -| `gitlabClientJwtExpiry` | | JWT Token expiry time in seconds | -| `gitlabRetrieval.interval` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `gitlabRetrieval.retries` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `gitlabRetrieval.timeout` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `gitlabServer` | | GitLab server FQDN | -| `headers` | `[]` | Specify any additional http headers that should be sent to the client with each response. 
Multiple headers can be given as an array, header and value as one string, for example `['my-header: myvalue', 'my-other-header: my-other-value']` | -| `insecureCiphers` | `false` | Use default list of cipher suites, may contain insecure ones like 3DES and RC4 | -| `internalGitlabServer` | | Internal GitLab server used for API requests | -| `logFormat` | `json` | Log output format | -| `logVerbose` | `false` | Verbose logging | -| `maxConnections` | | Limit on the number of concurrent connections to the HTTP, HTTPS or proxy listeners | -| `maxURILength` | | Limit the length of URI, 0 for unlimited. | -| `propagateCorrelationId` | | Reuse existing Correlation-ID from the incoming request header `X-Request-ID` if present | -| `redirectHttp` | `false` | Redirect pages from HTTP to HTTPS | -| `sentry.enabled` | `false` | Enable Sentry reporting | -| `sentry.dsn` | | The address for sending Sentry crash reporting to | -| `sentry.environment` | | The environment for Sentry crash reporting | -| `serverShutdowntimeout` | `30s` | GitLab Pages server shutdown timeout in seconds | -| `statusUri` | | The URL path for a status page | -| `tls.minVersion` | | Specifies the minimum SSL/TLS version | -| `tls.maxVersion` | | Specifies the maximum SSL/TLS version | -| `useHTTPProxy` | `false` | Use this option when GitLab Pages is behind a Reverse Proxy. | -| `useProxyV2` | `false` | Force HTTPS request to utilize the PROXYv2 protocol. 
| -| `zipCache.cleanup` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | -| `zipCache.expiration` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | -| `zipCache.refresh` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | -| `zipOpenTimeout` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | -| `zipHTTPClientTimeout` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | -| `rateLimitSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). | -| `rateLimitSourceIPBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | -| `rateLimitDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). | -| `rateLimitDomainBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | -| `rateLimitTLSSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). | -| `rateLimitTLSSourceIPBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | -| `rateLimitTLSDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). 
| -| `rateLimitTLSDomainBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | -| `rateLimitSubnetsAllowList` | | See: [GitLab Pages rate-limits](#rate-limits) | -| `serverReadTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `serverReadHeaderTimeout` | `1s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `serverWriteTimeout` | `5m` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `serverKeepAlive` | `15s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `authTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | -| `authCookieSessionTimeout` | `10m` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| Parameter | Default | Description | +|-----------------------------|---------|-------------| +| `artifactsServerTimeout` | `10` | Timeout (in seconds) for a proxied request to the artifacts server | +| `artifactsServerUrl` | | API URL to proxy artifact requests to | +| `extraVolumeMounts` | | List of extra volumes mounts to add | +| `extraVolumes` | | List of extra volumes to create | +| `gitlabCache.cleanup` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `gitlabCache.expiry` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `gitlabCache.refresh` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `gitlabClientHttpTimeout` | | GitLab API HTTP client connection timeout in seconds | +| `gitlabClientJwtExpiry` | | JWT Token expiry time in seconds | +| `gitlabRetrieval.interval` | int | See: [Pages Global 
Settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `gitlabRetrieval.retries` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `gitlabRetrieval.timeout` | int | See: [Pages Global Settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `gitlabServer` | | GitLab server FQDN | +| `headers` | `[]` | Specify any additional http headers that should be sent to the client with each response. Multiple headers can be given as an array, header and value as one string, for example `['my-header: myvalue', 'my-other-header: my-other-value']` | +| `insecureCiphers` | `false` | Use default list of cipher suites, may contain insecure ones like 3DES and RC4 | +| `internalGitlabServer` | | Internal GitLab server used for API requests | +| `logFormat` | `json` | Log output format | +| `logVerbose` | `false` | Verbose logging | +| `maxConnections` | | Limit on the number of concurrent connections to the HTTP, HTTPS or proxy listeners | +| `maxURILength` | | Limit the length of URI, 0 for unlimited. | +| `propagateCorrelationId` | | Reuse existing Correlation-ID from the incoming request header `X-Request-ID` if present | +| `redirectHttp` | `false` | Redirect pages from HTTP to HTTPS | +| `sentry.enabled` | `false` | Enable Sentry reporting | +| `sentry.dsn` | | The address for sending Sentry crash reporting to | +| `sentry.environment` | | The environment for Sentry crash reporting | +| `serverShutdowntimeout` | `30s` | GitLab Pages server shutdown timeout in seconds | +| `statusUri` | | The URL path for a status page | +| `tls.minVersion` | | Specifies the minimum SSL/TLS version | +| `tls.maxVersion` | | Specifies the maximum SSL/TLS version | +| `useHTTPProxy` | `false` | Use this option when GitLab Pages is behind a Reverse Proxy. | +| `useProxyV2` | `false` | Force HTTPS request to utilize the PROXYv2 protocol. 
| +| `zipCache.cleanup` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | +| `zipCache.expiration` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | +| `zipCache.refresh` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | +| `zipOpenTimeout` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | +| `zipHTTPClientTimeout` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/administration/pages/#zip-serving-and-cache-configuration) | +| `rateLimitSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). | +| `rateLimitSourceIPBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | +| `rateLimitDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). | +| `rateLimitDomainBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | +| `rateLimitTLSSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). | +| `rateLimitTLSSourceIPBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | +| `rateLimitTLSDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits). 
| +| `rateLimitTLSDomainBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/administration/pages/#rate-limits) | +| `rateLimitSubnetsAllowList` | | See: [GitLab Pages rate-limits](#rate-limits) | +| `serverReadTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `serverReadHeaderTimeout` | `1s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `serverWriteTimeout` | `5m` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `serverKeepAlive` | `15s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `authTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | +| `authCookieSessionTimeout` | `10m` | See: [GitLab Pages global settings](https://docs.gitlab.com/administration/pages/#global-settings) | ### Configuring the `ingress` This section controls the GitLab Pages Ingress. -| Name | Type | Default | Description | -| :--------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `apiVersion` | String | | Value to use in the `apiVersion` field. | -| `annotations` | String | | This field is an exact match to the standard `annotations` for [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). 
| +| Name | Type | Default | Description | +|:-----------------------|:-------:|:--------|:------------| +| `apiVersion` | String | | Value to use in the `apiVersion` field. | +| `annotations` | String | | This field is an exact match to the standard `annotations` for [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). | | `configureCertmanager` | Boolean | `false` | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`. The acquisition of a TLS certificate for GitLab Pages via cert-manager is disabled because a wildcard certificate acquisition requires a cert-manager Issuer with a [DNS01 solver](https://cert-manager.io/docs/configuration/acme/dns01/), and the Issuer deployed by this chart only provides a [HTTP01 solver](https://cert-manager.io/docs/configuration/acme/http01/). For more information see the [TLS requirement for GitLab Pages](../../../installation/tls.md). | -| `enabled` | Boolean | | Setting that controls whether to create Ingress objects for services that support them. When not set, the `global.ingress.enabled` setting is used. | -| `tls.enabled` | Boolean | | When set to `false`, you disable TLS for the Pages subchart. This is mainly useful for cases in which you cannot use TLS termination at `ingress-level`, like when you have a TLS-terminating proxy before the Ingress Controller. | -| `tls.secretName` | String | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the pages URL. When not set, the `global.ingress.tls.secretName` is used instead. Defaults to not being set. | +| `enabled` | Boolean | | Setting that controls whether to create Ingress objects for services that support them. When not set, the `global.ingress.enabled` setting is used. | +| `tls.enabled` | Boolean | | When set to `false`, you disable TLS for the Pages subchart. 
This is mainly useful for cases in which you cannot use TLS termination at `ingress-level`, like when you have a TLS-terminating proxy before the Ingress Controller. | +| `tls.secretName` | String | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the pages URL. When not set, the `global.ingress.tls.secretName` is used instead. Defaults to not being set. | ## Chart configuration examples 
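Review bot: the `service.customDomains.internalHttpsPort` row appears twice, verbatim, in both the removed and the added version of the installation options table in this hunk; a cleanup that rewrites every row of the table should drop the duplicate, or, if the first copy was meant to document the HTTP listener, give it the correct key and description instead of leaving two identical rows. Two copy-paste slips in the same table also survive the rewrite: `containerSecurityContext.capabilities.drop` is described as removing capabilities "for the Gitaly container" on the GitLab Pages page, and `rateLimitSubnetsAllowList` links to the page-local anchor `#rate-limits` while every sibling `rateLimit*` row links to `https://docs.gitlab.com/administration/pages/#rate-limits`; please confirm the local anchor exists on this page or use the full URL. Minor: trailing periods are inconsistent between otherwise identical rows (`rateLimitSourceIP` ends with `.`, `rateLimitSourceIPBurst` does not), and the `Default` column for the `gitlabCache.*`, `gitlabRetrieval.*`, `zipCache.*`, `zipOpenTimeout` and `zipHTTPClientTimeout` rows carries the type `int` rather than a default value.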
@@ -225,12 +225,12 @@ This section controls the This configuration is optional and is used to limit Egress and Ingress of the Pods to specific endpoints. -| Name | Type | Default | Description | -| :---------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` | -| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | -| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | -| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` | +| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | +| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | +| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | | `egress.rules` | Array | `[]` | Rules for the egress policy, these for details see and the example below | ### Example Network Policy 
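Review bot: the `ingress.rules` description in the rewritten NetworkPolicy table still reads "for details see and the example below", which has lost whatever link target "see" was supposed to introduce; the unchanged `egress.rules` context row has the same dangling phrase plus a stray "these" ("these for details see and the example below"). Since the whole table is being reflowed in this hunk, fix both rows in the same pass, for example `Rules for the Ingress policy; for details see the example below`, and restore the intended link if one existed.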
@@ -432,30 +432,30 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | ### serviceAccount This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. 
You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the chart full name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the chart full name is used. | ### affinity diff --git a/doc/charts/gitlab/gitlab-shell/_index.md b/doc/charts/gitlab/gitlab-shell/_index.md index ceff8703be..4da57fb061 100644 --- a/doc/charts/gitlab/gitlab-shell/_index.md +++ b/doc/charts/gitlab/gitlab-shell/_index.md 
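Review bot: the `serviceAccount` table rewritten in this hunk and the top-level installation options table on the same page now disagree on wording for the same keys: here `annotations` reads "ServiceAccount annotations." and `name` reads "If not set, the chart full name is used.", while the top-level table has "ServiceAccount annotations" and "If not set, the full chart name is used". Pick one phrasing and one trailing-period convention and apply it to both tables, since the commit touches both. The KEDA table links to the version-pinned `https://keda.sh/docs/2.10/...` URL in three rows; if an unversioned docs link is available, prefer it so the rows do not go stale.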
@@ -36,120 +36,120 @@ controlled by `global.shell.port`. ## Installation command line options -| Parameter | Default | Description | -|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `annotations` | | Pod annotations | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `config.clientAliveInterval` | `0` | Interval between keepalive pings on otherwise idle connections; the default value of 0 disables this ping | -| `config.loginGraceTime` | `60` | Specifies amount of time that the server will disconnect after if the user has not successfully logged in | -| `config.maxStartups.full` | `100` | SSHd refuse probability will increase linearly and all unauthenticated connection attempts would be refused when unauthenticated connections number will reach specified number | -| `config.maxStartups.rate` | `30` | SSHd will refuse connections with specified probability when there would be too many unauthenticated connections (optional) | -| `config.maxStartups.start` | `10` | SSHd will refuse connection attempts with some probability if there are currently more than the specified number of unauthenticated connections (optional) | -| `config.proxyProtocol` | `false` | Enable PROXY protocol support for the `gitlab-sshd` daemon | -| `config.proxyPolicy` | `"use"` | Specify policy for handling PROXY protocol. 
Value must be one of `use, require, ignore, reject` | -| `config.proxyHeaderTimeout` | `"500ms"` | The maximum duration `gitlab-sshd` will wait before giving up on reading the PROXY protocol header. Must include units: `ms`, `s`, or `m`. | -| `config.ciphers` | `[aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr]` | Specify the ciphers allowed. | -| `config.kexAlgorithms` | `[curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]` | Specifies the available KEX (Key Exchange) algorithms. | -| `config.macs` | `[hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]` | Specifies the available MAC (message authentication code algorithms. | -| `config.publicKeyAlgorithms` | `[]` | Custom list of public key algorithms. If empty, the default algorithms are used. | -| `config.gssapi.enabled` | `false` | Enable GSS-API support for the `gitlab-sshd` daemon | -| `config.gssapi.keytab.secret` | | The name of a Kubernetes secret holding the keytab for the gssapi-with-mic authentication method | -| `config.gssapi.keytab.key` | `keytab` | Key holding the keytab in the Kubernetes secret | -| `config.gssapi.krb5Config` | | Content of the `/etc/krb5.conf` file in the GitLab Shell container | -| `config.gssapi.servicePrincipalName` | | The Kerberos service name to be used by the `gitlab-sshd` daemon | -| `config.lfs.pureSSHProtocol` | `false` | Enable LFS Pure SSH protocol support | -| `config.pat.enabled` | `true` | Enable PAT using SSH | -| `config.pat.allowedScopes` | `[]` | An array of scopes allowed for PATs generated with SSH | -| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. 
Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | -| `deployment.livenessProbe.initialDelaySeconds` | 10 | Delay before liveness probe is initiated | -| `deployment.livenessProbe.periodSeconds` | 10 | How often to perform the liveness probe | -| `deployment.livenessProbe.timeoutSeconds` | 3 | When the liveness probe times out | -| `deployment.livenessProbe.successThreshold` | 1 | Minimum consecutive successes for the liveness probe to be considered successful after having failed | -| `deployment.livenessProbe.failureThreshold` | 3 | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | -| `deployment.readinessProbe.initialDelaySeconds` | 10 | Delay before readiness probe is initiated | -| `deployment.readinessProbe.periodSeconds` | 5 | How often to perform the readiness probe | -| `deployment.readinessProbe.timeoutSeconds` | 3 | When the readiness probe times out | -| `deployment.readinessProbe.successThreshold` | 1 | Minimum consecutive successes for the readiness probe to be considered successful after having failed | -| `deployment.readinessProbe.failureThreshold` | 2 | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | -| `deployment.terminationGracePeriodSeconds` | 30 | Seconds that Kubernetes will wait for a pod to forcibly exit | -| `enabled` | `true` | Shell enable flag | -| `extraContainers` | | Multiline literal style string containing a list of containers to include | -| `extraInitContainers` | | List of extra init containers to include | -| `extraVolumeMounts` | | List of extra volumes mounts to do | -| `extraVolumes` | | List of extra volumes to create | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data 
sources to expose | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| Parameter | Default | Description | +|----------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | | Pod annotations | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | +| `config.clientAliveInterval` | `0` | Interval between keepalive pings on otherwise idle connections; the default value of 0 disables this ping | +| `config.loginGraceTime` | `60` | Specifies amount of time that the server will disconnect after if the user has not successfully logged in | +| `config.maxStartups.full` | `100` | SSHd refuse probability will increase linearly and all unauthenticated connection attempts would be refused when unauthenticated connections number will reach specified number | +| `config.maxStartups.rate` | `30` | SSHd will refuse connections with specified probability when there would be too many unauthenticated connections (optional) | +| `config.maxStartups.start` | `10` | SSHd will refuse connection attempts with some probability if there are currently more than the specified number of unauthenticated connections (optional) | +| `config.proxyProtocol` | `false` | Enable PROXY protocol support for the `gitlab-sshd` daemon | +| `config.proxyPolicy` | `"use"` | Specify policy for handling PROXY protocol. 
Value must be one of `use, require, ignore, reject` | +| `config.proxyHeaderTimeout` | `"500ms"` | The maximum duration `gitlab-sshd` will wait before giving up on reading the PROXY protocol header. Must include units: `ms`, `s`, or `m`. | +| `config.ciphers` | `[aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr]` | Specify the ciphers allowed. | +| `config.kexAlgorithms` | `[curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]` | Specifies the available KEX (Key Exchange) algorithms. | +| `config.macs` | `[hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]` | Specifies the available MAC (message authentication code algorithms. | +| `config.publicKeyAlgorithms` | `[]` | Custom list of public key algorithms. If empty, the default algorithms are used. | +| `config.gssapi.enabled` | `false` | Enable GSS-API support for the `gitlab-sshd` daemon | +| `config.gssapi.keytab.secret` | | The name of a Kubernetes secret holding the keytab for the gssapi-with-mic authentication method | +| `config.gssapi.keytab.key` | `keytab` | Key holding the keytab in the Kubernetes secret | +| `config.gssapi.krb5Config` | | Content of the `/etc/krb5.conf` file in the GitLab Shell container | +| `config.gssapi.servicePrincipalName` | | The Kerberos service name to be used by the `gitlab-sshd` daemon | +| `config.lfs.pureSSHProtocol` | `false` | Enable LFS Pure SSH protocol support | +| `config.pat.enabled` | `true` | Enable PAT using SSH | +| `config.pat.allowedScopes` | `[]` | An array of scopes allowed for PATs generated with SSH | +| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. 
Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | +| `deployment.livenessProbe.initialDelaySeconds` | `10` | Delay before liveness probe is initiated | +| `deployment.livenessProbe.periodSeconds` | `10` | How often to perform the liveness probe | +| `deployment.livenessProbe.timeoutSeconds` | `3` | When the liveness probe times out | +| `deployment.livenessProbe.successThreshold` | `1` | Minimum consecutive successes for the liveness probe to be considered successful after having failed | +| `deployment.livenessProbe.failureThreshold` | `3` | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | +| `deployment.readinessProbe.initialDelaySeconds` | `10` | Delay before readiness probe is initiated | +| `deployment.readinessProbe.periodSeconds` | `5` | How often to perform the readiness probe | +| `deployment.readinessProbe.timeoutSeconds` | `3` | When the readiness probe times out | +| `deployment.readinessProbe.successThreshold` | `1` | Minimum consecutive successes for the readiness probe to be considered successful after having failed | +| `deployment.readinessProbe.failureThreshold` | `2` | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | +| `deployment.terminationGracePeriodSeconds` | `30` | Seconds that Kubernetes will wait for a pod to forcibly exit | +| `enabled` | `true` | Shell enable flag | +| `extraContainers` | | Multiline literal style string containing a list of containers to include | +| `extraInitContainers` | | List of extra init containers to include | +| `extraVolumeMounts` | | List of extra volumes mounts to do | +| `extraVolumes` | | List of extra volumes to create | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment 
variables from other data sources to expose | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | | `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `image.pullPolicy` | `IfNotPresent` | Shell image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-shell` | Shell image repository | -| `image.tag` | `master` | Shell image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a 
non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `logging.format` | `json` | Set to `text` for unstructured logs | -| `logging.sshdLogLevel` | `ERROR` | Log level for underlying SSH daemon | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | -| `replicaCount` | `1` | Shell replicas | -| `serviceLabels` | `{}` | Supplemental service labels | -| `service.allocateLoadBalancerNodePorts` | Not set, to use Kubernetes default value. 
| Allows to disable NodePort allocation on LoadBalancer service, see the [documentation](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation) | -| `service.externalTrafficPolicy` | `Cluster` | Shell service external traffic policy (Cluster or Local) | -| `service.internalPort` | `2222` | Shell internal port | -| `service.nodePort` | | Sets shell nodePort if set | -| `service.name` | `gitlab-shell` | Shell service name | -| `service.type` | `ClusterIP` | Shell service type | -| `service.loadBalancerIP` | | IP address to assign to LoadBalancer (if supported) | -| `service.loadBalancerSourceRanges` | | List of IP CIDRs allowed access to LoadBalancer (if supported) | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `sshDaemon` | `openssh` | Selects which SSH daemon would be run, possible values (`openssh`, `gitlab-sshd`) | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `traefik.entrypoint` | `gitlab-shell` | When using traefik, which traefik entrypoint to use for GitLab Shell. Defaults to `gitlab-shell` | -| `traefik.tcpMiddlewares` | `[]` | When using traefik, which TCP Middlewares to add to IngressRouteTCP resource. No middlewares by default | -| `workhorse.serviceName` | `webservice` | Workhorse service name (by default, Workhorse is a part of the webservice Pods / Service) | -| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping (requires `sshDaemon=gitlab-sshd`). 
| -| `metrics.port` | `9122` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `image.pullPolicy` | `IfNotPresent` | Shell image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-shell` | Shell image repository | +| `image.tag` | `master` | Shell image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: 
Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `logging.format` | `json` | Set to `text` for unstructured logs | +| `logging.sshdLogLevel` | `ERROR` | Log level for underlying SSH daemon | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| +| `replicaCount` | `1` | Shell replicas | +| `serviceLabels` | `{}` | Supplemental service labels | +| `service.allocateLoadBalancerNodePorts` | Not set, to use Kubernetes default value. | Allows to disable NodePort allocation on LoadBalancer service, see the [documentation](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation) | +| `service.externalTrafficPolicy` | `Cluster` | Shell service external traffic policy (Cluster or Local) | +| `service.internalPort` | `2222` | Shell internal port | +| `service.nodePort` | | Sets shell nodePort if set | +| `service.name` | `gitlab-shell` | Shell service name | +| `service.type` | `ClusterIP` | Shell service type | +| `service.loadBalancerIP` | | IP address to assign to LoadBalancer (if supported) | +| `service.loadBalancerSourceRanges` | | List of IP CIDRs allowed access to LoadBalancer (if supported) | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `sshDaemon` | `openssh` | Selects which SSH daemon would be run, possible values (`openssh`, `gitlab-sshd`) | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `traefik.entrypoint` | `gitlab-shell` | When using traefik, which traefik entrypoint to use for GitLab Shell. Defaults to `gitlab-shell` | +| `traefik.tcpMiddlewares` | `[]` | When using traefik, which TCP Middlewares to add to IngressRouteTCP resource. No middlewares by default | +| `workhorse.serviceName` | `webservice` | Workhorse service name (by default, Workhorse is a part of the webservice Pods / Service) | +| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping (requires `sshDaemon=gitlab-sshd`). 
| +| `metrics.port` | `9122` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | ## Chart configuration examples 
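Review bot: two descriptions in this table are re-emitted with their original defects and should be fixed while every row is being rewritten: the `config.macs` row still has an unbalanced parenthesis ("Specifies the available MAC (message authentication code algorithms."), which should read "Specifies the available MAC (message authentication code) algorithms", and the `containerSecurityContext.capabilities.drop` row still says the capabilities are removed "for the Gitaly container", a leftover from the Gitaly chart that should name the GitLab Shell container here. The `config.loginGraceTime` row also never states its unit; "Seconds after which the server disconnects a client that has not authenticated (sshd_config `LoginGraceTime`)" would be clearer than "Specifies amount of time that the server will disconnect after if the user has not successfully logged in", and the three `config.maxStartups.*` rows would read better as plain sentences, for example `config.maxStartups.start`: "sshd starts refusing connection attempts with some probability once more than this many unauthenticated connections are open".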
@@ -223,13 +223,13 @@ image: This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### livenessProbe/readinessProbe 
@@ -311,10 +311,10 @@ workhorse: port: 8181 ``` -| Name | Type | Default | Description | -| :------------ | :-----: | :----------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `host` | String | | The hostname of the Workhorse server. This can be omitted in lieu of `serviceName`. | -| `port` | Integer | `8181` | The port on which to connect to the Workhorse server. | +| Name | Type | Default | Description | +|:--------------|:-------:|:-------------|:------------| +| `host` | String | | The hostname of the Workhorse server. This can be omitted in lieu of `serviceName`. | +| `port` | Integer | `8181` | The port on which to connect to the Workhorse server. | | `serviceName` | String | `webservice` | The name of the `service` which is operating the Workhorse server. By default, Workhorse is a part of the webservice Pods / Service. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Workhorse as a part of the overall GitLab chart. | ## Chart settings 
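Review bot: the `host` row keeps "This can be omitted in lieu of `serviceName`", which says the opposite of what is meant ("in lieu of" means "instead of"); since the row is being re-emitted, reword it to "This can be omitted in favour of `serviceName`" or "Omit this to have the chart derive the host from `serviceName`", matching the `serviceName` description below it.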
@@ -337,10 +337,10 @@ authToken: key: secret ``` -| Name | Type | Default | Description | -| :----------------- | :----: | :------ | :-------------------------------------------------------------------- | +| Name | Type | Default | Description | +|:-------------------|:------:|:--------|:------------| | `authToken.key` | String | | The name of the key in the above secret that contains the auth token. | -| `authToken.secret` | String | | The name of the Kubernetes `Secret` to pull from. | +| `authToken.secret` | String | | The name of the Kubernetes `Secret` to pull from. | ### LoadBalancer Service 
@@ -412,12 +412,12 @@ This section controls the This configuration is optional and is used to limit Egress and Ingress of the Pods to specific endpoints. -| Name | Type | Default | Description | -| :---------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` | -| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | -| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | -| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` | +| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | +| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | +| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | | `egress.rules` | Array | `[]` | Rules for the egress policy, these for details see and the example below | ### Example Network Policy 
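Review bot: both the `ingress.rules` and `egress.rules` rows keep the dangling phrase "for details see and the example below", where a link target has evidently been lost, and the `egress.rules` row additionally reads "these for details see"; since these lines are being rewritten anyway, either restore the missing link or reduce both descriptions to "Rules for the ingress policy; see the example below" and "Rules for the egress policy; see the example below".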
@@ -516,17 +516,17 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | See [`examples/keda/gitlab-shell.yml`](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/keda/gitlab-shell.yml) for an usage example of `keda`. diff --git a/doc/charts/gitlab/kas/_index.md b/doc/charts/gitlab/kas/_index.md index 46641f62d1..708b673b54 100644 --- a/doc/charts/gitlab/kas/_index.md +++ b/doc/charts/gitlab/kas/_index.md 
@@ -67,99 +67,99 @@ specified in `global.hosts.domain`. You can pass these parameters to the `helm install` command by using the `--set` flags. -| Parameter | Default | Description | -|----------------------------------------------------------|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `annotations` | `{}` | Pod annotations. | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `securityContext.runAsUser` | `65532` | User ID under which the pod should be started | -| `securityContext.runAsGroup` | `65534` | Group ID under which the pod should be started | -| `securityContext.fsGroup` | `65532` | Group ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) user ID under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `extraContainers` | | Multiline literal style string containing a list of containers 
to include. | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `init.containerSecurityContext` | | init container securityContext overrides | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | -| `image.tag` | `v13.7.0` | Image tag. | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | +| Parameter | Default | Description | +|----------------------------------------------------------|-------------------------------------------------------|-------------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | `{}` | Pod annotations. | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. 
| +| `securityContext.runAsUser` | `65532` | User ID under which the pod should be started | +| `securityContext.runAsGroup` | `65534` | Group ID under which the pod should be started | +| `securityContext.fsGroup` | `65532` | Group ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) user ID under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `extraContainers` | | Multiline literal style string containing a list of containers to include. 
| +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `init.containerSecurityContext` | | init container securityContext overrides | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | +| `image.tag` | `v13.7.0` | Image tag. | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | | `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`). | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`. | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value. | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization. | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`. | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value. | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization. 
| -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `ingress.enabled` | `true` if `global.kas.enabled=true` | You can use `kas.ingress.enabled` to explicitly turn it on or off. If not set, you can optionally use `global.ingress.enabled` for the same purpose. | -| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | -| `ingress.annotations` | `{}` | Ingress annotations. | -| `ingress.tls` | `{}` | Ingress TLS configuration. | -| `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | -| `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. 
| -| `metrics.path` | `/metrics` | Metrics endpoint path. | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`. | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value. | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization. | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`. | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value. | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization. | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `ingress.enabled` | `true` if `global.kas.enabled=true` | You can use `kas.ingress.enabled` to explicitly turn it on or off. If not set, you can optionally use `global.ingress.enabled` for the same purpose. | +| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | +| `ingress.annotations` | `{}` | Ingress annotations. | +| `ingress.tls` | `{}` | Ingress TLS configuration. | +| `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | +| `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. 
| +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. | +| `metrics.path` | `/metrics` | Metrics endpoint path. | | `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. It cannot be enabled together with `metrics.podMonitor.enabled`. | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor. | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. 
| +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor. | | `metrics.podMonitor.enabled` | `false` | If a PodMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. It cannot be enabled together with `metrics.serviceMonitor.enabled`. | -| `metrics.podMonitor.additionalLabels` | `{}` | Additional labels to add to the PodMonitor. | -| `metrics.podMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the PodMonitor. | -| `maxReplicas` | `10` | HPA `maxReplicas`. | -| `maxUnavailable` | `1` | HPA `maxUnavailable`. | -| `minReplicas` | `2` | HPA `maxReplicas`. | -| `nodeSelector` | | Define a [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the `Pod`s of this `Deployment`, if present. | -| `observability.port` | `8151` | Observability endpoint port. Used for metrics and probe endpoints. | -| `observability.livenessProbe.path` | `/liveness` | URI for the liveness probe endpoint. This value has to match the `observability.liveness_probe.url_path` value from the KAS service configuration. | -| `observability.readinessProbe.path` | `/readiness` | URI for the readiness probe endpoint. This value has to match the `observability.readiness_probe.url_path` value from the KAS service configuration. | -| `serviceAccount.annotations` | `{}` | Service account annotations. | -| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. | -| `serviceLabels` | `{}` | Supplemental service labels. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `resources.requests.cpu` | `100m` | Minimum CPU request per KAS pod | -| `resources.requests.memory` | `256Mi` | Minimum memory request per KAS pod memory. | -| `service.externalPort` | `8150` | External port (for `agentk` connections). 
| -| `service.internalPort` | `8150` | Internal port (for `agentk` connections). | -| `service.apiInternalPort` | `8153` | Internal port for the internal API (for GitLab backend). | -| `service.loadBalancerIP` | `nil` | A custom load balancer IP when `service.type` is `LoadBalancer`. | -| `service.loadBalancerSourceRanges` | `nil` | A list of custom load balancer source ranges when `service.type` is `LoadBalancer`. | -| `service.kubernetesApiPort` | `8154` | External port to expose proxied Kubernetes API on. | -| `service.privateApiPort` | `8155` | Internal port to expose `kas`' private API on (for `kas` -> `kas` communication). | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations. | -| `serviceAccount.automountServiceAccountToken`| `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods. | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created. | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount. | -| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used. | -| `websocketToken.secret` | Autogenerated | The name of the secret to use for WebSocket Token signing and verification. | -| `websocketToken.key` | Autogenerated | The name of the key in `websocketToken.secret` to use. | -| `privateApi.secret` | Autogenerated | The name of the secret to use for authenticating with the database. | -| `privateApi.key` | Autogenerated | The name of the key in `privateApi.secret` to use. | -| `global.kas.service.apiExternalPort` | `8153` | External port for the internal API (for GitLab backend). | -| `service.type` | `ClusterIP` | Service type. | -| `tolerations` | `[]` | Toleration labels for pod assignment. | -| `customConfig` | `{}` | When given, merges the default `kas` configuration with these values giving precedence to those defined here. 
| -| `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. | -| `deployment.terminationGracePeriodSeconds` | `300` | How much time in seconds a Pod is allowed to spend shutting down after receiving SIGTERM. | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| `metrics.podMonitor.additionalLabels` | `{}` | Additional labels to add to the PodMonitor. | +| `metrics.podMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the PodMonitor. | +| `maxReplicas` | `10` | HPA `maxReplicas`. | +| `maxUnavailable` | `1` | HPA `maxUnavailable`. | +| `minReplicas` | `2` | HPA `maxReplicas`. | +| `nodeSelector` | | Define a [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the `Pod`s of this `Deployment`, if present. | +| `observability.port` | `8151` | Observability endpoint port. Used for metrics and probe endpoints. | +| `observability.livenessProbe.path` | `/liveness` | URI for the liveness probe endpoint. This value has to match the `observability.liveness_probe.url_path` value from the KAS service configuration. | +| `observability.readinessProbe.path` | `/readiness` | URI for the readiness probe endpoint. This value has to match the `observability.readiness_probe.url_path` value from the KAS service configuration. | +| `serviceAccount.annotations` | `{}` | Service account annotations. | +| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. | +| `serviceLabels` | `{}` | Supplemental service labels. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. 
| +| `resources.requests.cpu` | `100m` | Minimum CPU request per KAS pod | +| `resources.requests.memory` | `256Mi` | Minimum memory request per KAS pod memory. | +| `service.externalPort` | `8150` | External port (for `agentk` connections). | +| `service.internalPort` | `8150` | Internal port (for `agentk` connections). | +| `service.apiInternalPort` | `8153` | Internal port for the internal API (for GitLab backend). | +| `service.loadBalancerIP` | `nil` | A custom load balancer IP when `service.type` is `LoadBalancer`. | +| `service.loadBalancerSourceRanges` | `nil` | A list of custom load balancer source ranges when `service.type` is `LoadBalancer`. | +| `service.kubernetesApiPort` | `8154` | External port to expose proxied Kubernetes API on. | +| `service.privateApiPort` | `8155` | Internal port to expose `kas`' private API on (for `kas` -> `kas` communication). | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations. | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods. | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created. | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount. | +| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `websocketToken.secret` | Autogenerated | The name of the secret to use for WebSocket Token signing and verification. | +| `websocketToken.key` | Autogenerated | The name of the key in `websocketToken.secret` to use. | +| `privateApi.secret` | Autogenerated | The name of the secret to use for authenticating with the database. | +| `privateApi.key` | Autogenerated | The name of the key in `privateApi.secret` to use. | +| `global.kas.service.apiExternalPort` | `8153` | External port for the internal API (for GitLab backend). | +| `service.type` | `ClusterIP` | Service type. 
| +| `tolerations` | `[]` | Toleration labels for pod assignment. | +| `customConfig` | `{}` | When given, merges the default `kas` configuration with these values giving precedence to those defined here. | +| `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. | +| `deployment.terminationGracePeriodSeconds` | `300` | How much time in seconds a Pod is allowed to spend shutting down after receiving SIGTERM. | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | ## Enable TLS communication 
@@ -215,30 +215,30 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | ### serviceAccount This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. 
You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### affinity diff --git a/doc/charts/gitlab/mailroom/_index.md b/doc/charts/gitlab/mailroom/_index.md index 68d4ce60ab..4a2a0fa149 100644 --- a/doc/charts/gitlab/mailroom/_index.md +++ b/doc/charts/gitlab/mailroom/_index.md 
@@ -82,63 +82,63 @@ serviceAccount: # name: ``` -| Parameter | Description | Default | -| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `annotations` | Pod annotations. | `{}` | -| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | -| `enabled` | Mailroom enablement flag | `true` | -| `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | -| `hpa.customMetrics` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | `[]` | -| `hpa.cpu.targetType` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | `Utilization` | -| `hpa.cpu.targetAverageValue` | Set the autoscaling CPU target value | | -| `hpa.cpu.targetAverageUtilization` | Set the autoscaling CPU target utilization | `75` | -| `hpa.memory.targetType` | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | | -| `hpa.memory.targetAverageValue` | Set the autoscaling memory target value | | -| `hpa.memory.targetAverageUtilization` | Set the autoscaling memory target utilization | | -| `hpa.maxReplicas` | Maximum number of replicas | `2` | -| `hpa.minReplicas` | Minimum number of replicas | `1` | -| `image.pullPolicy` | Mailroom image pull policy | `IfNotPresent` | -| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | -| `image.pullSecrets` | Mailroom 
image pull secrets | | -| `image.registry` | Mailroom image registry | | -| `image.repository` | Mailroom image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom` | -| `image.tag` | Mailroom image tag | | -| `init.image.repository` | Mailroom init image repository | | -| `init.image.tag` | Mailroom init image tag | | -| `init.resources` | Mailroom init container resource requirements | `{ requests: { cpu: 50m }}` | -| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `podLabels` | Labels for running Mailroom Pods | `{}` | -| `common.labels` | Supplemental labels that are applied 
to all objects created by this chart. | `{}` | -| `resources` | Mailroom resource requirements | `{ requests: { cpu: 50m, memory: 150M }}` | -| `networkpolicy.annotations` | Annotations to add to the NetworkPolicy | `{}` | -| `networkpolicy.egress.enabled` | Flag to enable egress rules of NetworkPolicy | `false` | -| `networkpolicy.egress.rules` | Define a list of egress rules for NetworkPolicy | `[]` | -| `networkpolicy.enabled` | Flag for using NetworkPolicy | `false` | -| `networkpolicy.ingress.enabled` | Flag to enable `ingress` rules of NetworkPolicy | `false` | -| `networkpolicy.ingress.rules` | Define a list of `ingress` rules for NetworkPolicy | `[]` | -| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` | -| `serviceAccount.automountServiceAccountToken`| Indicates whether or not the default ServiceAccount access token should be mounted in pods | `false` | -| `serviceAccount.enabled` | Indicates whether or not to use a ServiceAccount | `false` | -| `serviceAccount.create` | Indicates whether or not a ServiceAccount should be created | `false` | -| `serviceAccount.name` | Name of the ServiceAccount. 
If not set, the full chart name is used | | -| `tolerations` | Tolerations to add to the Mailroom | | -| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | | +| Parameter | Description | Default | +|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------- -|---------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | Pod annotations. | `{}` | +| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | +| `enabled` | Mailroom enablement flag | `true` | +| `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | +| `hpa.customMetrics` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | `[]` | +| `hpa.cpu.targetType` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | `Utilization` | +| `hpa.cpu.targetAverageValue` | Set the autoscaling CPU target value | | +| `hpa.cpu.targetAverageUtilization` | Set the autoscaling CPU target utilization | `75` | +| `hpa.memory.targetType` | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | | +| `hpa.memory.targetAverageValue` | Set the autoscaling memory target value | | +| `hpa.memory.targetAverageUtilization` | Set the autoscaling memory target utilization | | +| `hpa.maxReplicas` | Maximum number of replicas | `2` | +| `hpa.minReplicas` | Minimum number of replicas | `1` | +| `image.pullPolicy` | Mailroom image pull policy | `IfNotPresent` | +| `extraEnvFrom` | List of extra environment 
variables from other data sources to expose | | +| `image.pullSecrets` | Mailroom image pull secrets | | +| `image.registry` | Mailroom image registry | | +| `image.repository` | Mailroom image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom` | +| `image.tag` | Mailroom image tag | | +| `init.image.repository` | Mailroom init image repository | | +| `init.image.tag` | Mailroom init image tag | | +| `init.resources` | Mailroom init container resource requirements | `{ requests: { cpu: 50m }}` | +| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `podLabels` | Labels for running 
Mailroom Pods | `{}` | +| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | +| `resources` | Mailroom resource requirements | `{ requests: { cpu: 50m, memory: 150M }}` | +| `networkpolicy.annotations` | Annotations to add to the NetworkPolicy | `{}` | +| `networkpolicy.egress.enabled` | Flag to enable egress rules of NetworkPolicy | `false` | +| `networkpolicy.egress.rules` | Define a list of egress rules for NetworkPolicy | `[]` | +| `networkpolicy.enabled` | Flag for using NetworkPolicy | `false` | +| `networkpolicy.ingress.enabled` | Flag to enable `ingress` rules of NetworkPolicy | `false` | +| `networkpolicy.ingress.rules` | Define a list of `ingress` rules for NetworkPolicy | `[]` | +| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | +| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | +| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` | +| `serviceAccount.automountServiceAccountToken` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | `false` | +| `serviceAccount.enabled` | Indicates whether or not to use a ServiceAccount | `false` | +| `serviceAccount.create` | Indicates whether or not a ServiceAccount should be created | `false` | +| `serviceAccount.name` | Name of the ServiceAccount. 
If not set, the full chart name is used | | +| `tolerations` | Tolerations to add to the Mailroom | | +| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | | ## Configuring KEDA 
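Review bot: Several rows in the rewritten Mailroom table still have their Default and Description cells swapped relative to the `Parameter | Description | Default` header, so the whitespace cleanup leaves them misaligned: `affinity` | `{}` | [Affinity rules]..., `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite..., and the entire `keda.*` block (`keda.enabled` | `false` | Use [KEDA]...). The `containerSecurityContext` and `init.containerSecurityContext` rows also carry their description text in the Default column and leave Description empty. Since this MR is the table cleanup, it would be the place to swap those cells into the header's order. Separately, the second column of the new separator row reads `--- -|` with a space inside the dashes; if that is in the committed text rather than an artifact of how the diff was pasted here, it will break rendering of the whole table.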
@@ -156,18 +156,18 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | ## Incoming email 
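Review bot: The `cooldownPeriod` description ("before scaling the resource back to 0") reads as if the Mailroom deployment is scaled to zero by default, but the defaults shown in this same file never reach 0: `minReplicaCount` defaults to `hpa.minReplicas`, which the parameter table above lists as `1`. Suggest qualifying the row, for example "The period to wait after the last trigger reported active before scaling the resource back to 0 (only applies when `minReplicaCount` is 0)", so readers do not expect a cooldown between `minReplicaCount` and `maxReplicaCount`.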
@@ -252,13 +252,13 @@ as described in the [secrets guide](../../../installation/secrets.md#imap-passwo This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### affinity diff --git a/doc/charts/gitlab/migrations/_index.md b/doc/charts/gitlab/migrations/_index.md index abdff3e7bc..29f41fe1f9 100644 --- a/doc/charts/gitlab/migrations/_index.md +++ b/doc/charts/gitlab/migrations/_index.md 
@@ -156,13 +156,13 @@ image: This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### affinity diff --git a/doc/charts/gitlab/praefect/_index.md b/doc/charts/gitlab/praefect/_index.md index af75a3f0d6..30227d2a0d 100644 --- a/doc/charts/gitlab/praefect/_index.md +++ b/doc/charts/gitlab/praefect/_index.md 
@@ -290,63 +290,63 @@ global: The table below contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags. -| Parameter | Default | Description | -| ----------------------------------------- | ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| common.labels | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| failover.enabled | true | Whether Praefect should perform failover on node failure | -| failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | -| autoMigrate | true | Automatically run migrations on startup | -| image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | -| podLabels | `{}` | Supplemental Pod labels. Will not be used for selectors. | -| ntpHost | `pool.ntp.org` | Configure the NTP server Praefect should ask the for the current time. 
| -| service.name | `praefect` | The name of the service to create | -| service.type | ClusterIP | The type of service to create | -| service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | -| service.externalPort | 8075 | The port number the Praefect service should expose in the cluster | -| init.resources | | | -| init.image | | | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| extraEnvFrom | |List of extra environment variables from other data sources to expose | -| logging.level | | Log level | -| logging.format | `json` | Log format | -| logging.sentryDsn | | Sentry DSN URL - Exceptions from Go server | -| logging.sentryEnvironment | | Sentry environment to be used for logging | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | -| `metrics.port` | `9236` | Metrics endpoint port | -| `metrics.separate_database_metrics` | `true` | If true then metrics scrapes will not perform database queries, setting to false [may cause performance problems](https://gitlab.com/gitlab-org/gitaly/-/issues/3796) | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `metrics.serviceMonitor.additionalLabels` | `{}` | 
Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| securityContext.runAsUser | 1000 | | -| securityContext.fsGroup | 1000 | | -| securityContext.fsGroupChangePolicy | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used | -| serviceLabels | `{}` | Supplemental service labels | -| statefulset.strategy | `{}` | Allows one to configure the update strategy utilized by the statefulset | +| Parameter | Default | Description | +|----------------------------------------------------------|---------------------------------------------------|-------------| +| common.labels | `{}` | Supplemental labels that are applied to all objects created by this chart. 
| +| failover.enabled | true | Whether Praefect should perform failover on node failure | +| failover.readonlyAfter | false | Whether the nodes should be in read-only mode after failover | +| autoMigrate | true | Automatically run migrations on startup | +| image.repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | The default image repository to use. Praefect is bundled as part of the Gitaly image | +| podLabels | `{}` | Supplemental Pod labels. Will not be used for selectors. | +| ntpHost | `pool.ntp.org` | Configure the NTP server Praefect should ask the for the current time. | +| service.name | `praefect` | The name of the service to create | +| service.type | ClusterIP | The type of service to create | +| service.internalPort | 8075 | The internal port number that the Praefect pod will be listening on | +| service.externalPort | 8075 | The port number the Praefect service should expose in the cluster | +| init.resources | | | +| init.image | | | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| extraEnvFrom | | List of extra environment variables from other data sources to expose | +| logging.level | | Log level | +| logging.format | `json` | Log format | +| logging.sentryDsn | | Sentry DSN URL - Exceptions from Go server | +| logging.sentryEnvironment | | Sentry environment to be used for logging | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `9236` | Metrics endpoint port | +| `metrics.separate_database_metrics` | 
`true` | If true then metrics scrapes will not perform database queries, setting to false [may cause performance problems](https://gitlab.com/gitlab-org/gitaly/-/issues/3796) | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| securityContext.runAsUser | 1000 | | +| securityContext.fsGroup | 1000 | | +| securityContext.fsGroupChangePolicy | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | +| serviceLabels | `{}` | Supplemental service labels | +| statefulset.strategy | `{}` | Allows one to configure the update strategy utilized by the statefulset | ### serviceAccount This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### affinity diff --git a/doc/charts/gitlab/sidekiq/_index.md b/doc/charts/gitlab/sidekiq/_index.md index 504181e894..da12e4a779 100644 --- a/doc/charts/gitlab/sidekiq/_index.md +++ b/doc/charts/gitlab/sidekiq/_index.md 
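Review bot: The typo in the `ntpHost` description ("should ask the for the current time") is carried over unchanged into the rewritten row; suggest "Configure the NTP server Praefect should ask for the current time". Given the MR's purpose, the Praefect table is also still inconsistently formatted: `common.labels`, `failover.enabled`, `service.type`, `securityContext.runAsUser` and similar parameters are bare while `init.containerSecurityContext.*`, `metrics.*` and `serviceAccount.*` are in backticks, and defaults such as `true`, `ClusterIP` and `8075` are bare while `{}` and `json` are code-formatted. `securityContext.runAsUser`, `securityContext.fsGroup`, `init.resources` and `init.image` keep empty Description cells, and `containerSecurityContext.capabilities.drop` still says "for the Gitaly container" although this is the Praefect chart; "for the Praefect container" would match the rest of the table.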
@@ -43,107 +43,107 @@ The `sidekiq` chart is configured in three parts: chart-wide [external services] The table below contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags: -| Parameter | Default | Description | -| ------------------------------------------ | ------------------------------------------------------------ |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `annotations` | | Pod annotations | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `concurrency` | `20` | Sidekiq default concurrency | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | -| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. 
| -| `enabled` | `true` | Sidekiq enabled flag | -| `extraContainers` | | Multiline literal style string containing a list of containers to include | -| `extraInitContainers` | | List of extra init containers to include | -| `extraVolumeMounts` | | String template of extra volume mounts to configure | -| `extraVolumes` | | String template of extra volumes to configure | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `gitaly.serviceName` | `gitaly` | Gitaly service name | -| `health_checks.port` | `3808` | Health check server port | -| `hpa.behaviour` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `350m` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after 
the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `minReplicas` | `2` | Minimum number of replicas | -| `maxReplicas` | `10` | Maximum number of replicas | -| `maxUnavailable` | `1` | Limit of maximum number of Pods to be unavailable | -| `image.pullPolicy` | `Always` | Sidekiq image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee` | Sidekiq image repository | -| `image.tag` | | Sidekiq image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a 
process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `logging.format` | `json` | Set to `text` for non-JSON logs | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | -| `metrics.port` | `3807` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.log_enabled` | `false` | Enables or disables metrics server logs written to `sidekiq_exporter.log` | -| `metrics.podMonitor.enabled` | `false` | If a PodMonitor should be created to enable Prometheus Operator to manage the metrics scraping | -| `metrics.podMonitor.additionalLabels` | `{}` | Additional labels to add to the PodMonitor | -| `metrics.podMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the PodMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | -| `metrics.tls.enabled` | `false` | TLS enabled for the `metrics/sidekiq_exporter` endpoint | -| `metrics.tls.secretName` | `{Release.Name}-sidekiq-metrics-tls` | Secret for the `metrics/sidekiq_exporter` endpoint TLS cert and key | -| `psql.password.key` | `psql-password` | key to psql password in psql secret | -| `psql.password.secret` | `gitlab-postgres` | psql password secret | -| `psql.port` | | Set PostgreSQL server port. 
Takes precedence over `global.psql.port` | -| `redis.serviceName` | `redis` | Redis service name | -| `resources.requests.cpu` | `900m` | Sidekiq minimum needed CPU | -| `resources.requests.memory` | `2G` | Sidekiq minimum needed memory | -| `resources.limits.memory` | | Sidekiq maximum allowed memory | -| `timeout` | `25` | Sidekiq job timeout | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `memoryKiller.daemonMode` | `true` | If `false`, uses the legacy memory killer mode | -| `memoryKiller.maxRss` | `2000000` | Maximum RSS before delayed shutdown triggered expressed in kilobytes | -| `memoryKiller.graceTime` | `900` | Time to wait before a triggered shutdown expressed in seconds | -| `memoryKiller.shutdownWait` | `30` | Amount of time after triggered shutdown for existing jobs to finish expressed in seconds | -| `memoryKiller.hardLimitRss` | | Maximum RSS before immediate shutdown triggered expressed in kilobyte in daemon mode | -| `memoryKiller.checkInterval` | `3` | Amount of time between memory checks | -| `livenessProbe.initialDelaySeconds` | `20` | Delay before liveness probe is initiated | -| `livenessProbe.periodSeconds` | `60` | How often to perform the liveness probe | -| `livenessProbe.timeoutSeconds` | `30` | When the liveness probe times out | -| `livenessProbe.successThreshold` | `1` | Minimum consecutive successes for the liveness probe to be considered successful after having failed | -| `livenessProbe.failureThreshold` | `3` | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | -| `readinessProbe.initialDelaySeconds` | `0` | Delay before readiness probe is initiated | -| `readinessProbe.periodSeconds` | `10` | How often to perform the readiness probe | -| `readinessProbe.timeoutSeconds` | `2` | When the readiness probe times out | -| `readinessProbe.successThreshold` | `1` | Minimum consecutive successes for the readiness probe to be considered successful after having failed | 
-| `readinessProbe.failureThreshold` | `3` | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | -| `priorityClassName` | `""` | Allow configuring pods `priorityClassName`, this is used to control pod priority in case of eviction | +| Parameter | Default | Description | +|----------------------------------------------------------|--------------------------------------------------------------|-------------| +| `annotations` | | Pod annotations | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | +| `concurrency` | `20` | Sidekiq default concurrency | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | +| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. | +| `enabled` | `true` | Sidekiq enabled flag | +| `extraContainers` | | Multiline literal style string containing a list of containers to include | +| `extraInitContainers` | | List of extra init containers to include | +| `extraVolumeMounts` | | String template of extra volume mounts to configure | +| `extraVolumes` | | String template of extra volumes to configure | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `gitaly.serviceName` | `gitaly` | Gitaly service name | +| `health_checks.port` | `3808` | Health check server port | +| `hpa.behaviour` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU 
target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `350m` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `minReplicas` | `2` | Minimum number of replicas | +| `maxReplicas` | `10` | Maximum number of replicas | +| `maxUnavailable` | `1` | 
Limit of maximum number of Pods to be unavailable | +| `image.pullPolicy` | `Always` | Sidekiq image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee` | Sidekiq image repository | +| `image.tag` | | Sidekiq image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `logging.format` | `json` | Set to `text` for non-JSON logs | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `3807` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.log_enabled` | `false` | Enables or disables metrics server logs written to `sidekiq_exporter.log` | +| `metrics.podMonitor.enabled` | `false` | If a PodMonitor should be created to enable Prometheus Operator to manage the metrics scraping | +| `metrics.podMonitor.additionalLabels` | `{}` | Additional labels to add to the PodMonitor | +| `metrics.podMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the PodMonitor | +| 
`metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | +| `metrics.tls.enabled` | `false` | TLS enabled for the `metrics/sidekiq_exporter` endpoint | +| `metrics.tls.secretName` | `{Release.Name}-sidekiq-metrics-tls` | Secret for the `metrics/sidekiq_exporter` endpoint TLS cert and key | +| `psql.password.key` | `psql-password` | key to psql password in psql secret | +| `psql.password.secret` | `gitlab-postgres` | psql password secret | +| `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | +| `redis.serviceName` | `redis` | Redis service name | +| `resources.requests.cpu` | `900m` | Sidekiq minimum needed CPU | +| `resources.requests.memory` | `2G` | Sidekiq minimum needed memory | +| `resources.limits.memory` | | Sidekiq maximum allowed memory | +| `timeout` | `25` | Sidekiq job timeout | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `memoryKiller.daemonMode` | `true` | If `false`, uses the legacy memory killer mode | +| `memoryKiller.maxRss` | `2000000` | Maximum RSS before delayed shutdown triggered expressed in kilobytes | +| `memoryKiller.graceTime` | `900` | Time to wait before a triggered shutdown expressed in seconds | +| `memoryKiller.shutdownWait` | `30` | Amount of time after triggered shutdown for existing jobs to finish expressed in seconds | +| `memoryKiller.hardLimitRss` | | Maximum RSS before immediate shutdown triggered expressed in kilobyte in daemon mode | +| `memoryKiller.checkInterval` | `3` | Amount of time between memory checks | +| `livenessProbe.initialDelaySeconds` | `20` | Delay before liveness probe is initiated | +| `livenessProbe.periodSeconds` | `60` | How often to perform the liveness probe | +| `livenessProbe.timeoutSeconds` | `30` | When the liveness probe times out | +| `livenessProbe.successThreshold` | `1` | Minimum consecutive successes for the liveness probe to be considered successful after having failed | +| 
`livenessProbe.failureThreshold` | `3` | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | +| `readinessProbe.initialDelaySeconds` | `0` | Delay before readiness probe is initiated | +| `readinessProbe.periodSeconds` | `10` | How often to perform the readiness probe | +| `readinessProbe.timeoutSeconds` | `2` | When the readiness probe times out | +| `readinessProbe.successThreshold` | `1` | Minimum consecutive successes for the readiness probe to be considered successful after having failed | +| `readinessProbe.failureThreshold` | `3` | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `serviceAccount.annotations` | `{}` | ServiceAccount annotations | +| 
`serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used | +| `priorityClassName` | `""` | Allow configuring pods `priorityClassName`, this is used to control pod priority in case of eviction | ## Chart configuration examples 
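Review bot: the rewritten `containerSecurityContext.capabilities.drop` row in this Sidekiq parameter table (the hunk ending at `## Chart configuration examples`) still says "Removes Linux capabilities for the Gitaly container" in its `+` line; this is the Sidekiq chart, so it should read "for the Sidekiq container" (the `init.containerSecurityContext.capabilities.drop` row just above already says "for the container"). Two smaller points in the same `+` block: the key is written `hpa.behaviour` in its own row but the `keda.behavior` row says "defaults to `hpa.behavior`", and only one spelling can match the chart's values key, so check values.yaml and make both rows agree; and `memoryKiller.hardLimitRss` says "expressed in kilobyte in daemon mode" where the neighbouring `memoryKiller.maxRss` row says "kilobytes".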
@@ -282,13 +282,13 @@ image: This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | ### tolerations 
@@ -348,15 +348,15 @@ redis: key: redis-password ``` -| Name | Type | Default | Description | -| :------------------ | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `host` | String | | The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName`. If using Redis Sentinels, the `host` attribute needs to be set to the cluster name as specified in the `sentinel.conf`. | -| `password.key` | String | | The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | -| `password.secret` | String | | The `password.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | -| `port` | Integer | `6379` | The port on which to connect to the Redis server. | +| Name | Type | Default | Description | +|:--------------------|:-------:|:--------|:------------| +| `host` | String | | The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName`. If using Redis Sentinels, the `host` attribute needs to be set to the cluster name as specified in the `sentinel.conf`. | +| `password.key` | String | | The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | +| `password.secret` | String | | The `password.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | +| `port` | Integer | `6379` | The port on which to connect to the Redis server. | | `serviceName` | String | `redis` | The name of the `service` which is operating the Redis database. 
If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Redis as a part of the overall GitLab chart. | -| `sentinels.[].host` | String | | The hostname of Redis Sentinel server for a Redis HA setup. | -| `sentinels.[].port` | Integer | `26379` | The port on which to connect to the Redis Sentinel server. | +| `sentinels.[].host` | String | | The hostname of Redis Sentinel server for a Redis HA setup. | +| `sentinels.[].port` | Integer | `26379` | The port on which to connect to the Redis Sentinel server. | {{< alert type="note" >}} 
@@ -383,16 +383,16 @@ psql: key: psql-password ``` -| Name | Type | Default | Description | -| :------------------- | :-----: | :-------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `host` | String | | The hostname of the PostgreSQL server with the database to use. This can be omitted if `postgresql.install=true` (default non-production). | +| Name | Type | Default | Description | +|:---------------------|:-------:|:----------------------|:------------| +| `host` | String | | The hostname of the PostgreSQL server with the database to use. This can be omitted if `postgresql.install=true` (default non-production). | | `serviceName` | String | | The name of the `service` which is operating the PostgreSQL database. If this is present, and `host` is not, the chart will template the hostname of the service in place of the `host` value. | -| `database` | String | `gitlabhq_production` | The name of the database to use on the PostgreSQL server. | -| `password.key` | String | | The `password.key` attribute for PostgreSQL defines the name of the key in the secret (below) that contains the password. | -| `password.secret` | String | | The `password.secret` attribute for PostgreSQL defines the name of the Kubernetes `Secret` to pull from. | -| `port` | Integer | `5432` | The port on which to connect to the PostgreSQL server. | -| `username` | String | `gitlab` | The username with which to authenticate to the database. | -| `preparedStatements` | Boolean | `false` | If prepared statements should be used when communicating with the PostgreSQL server. | +| `database` | String | `gitlabhq_production` | The name of the database to use on the PostgreSQL server. | +| `password.key` | String | | The `password.key` attribute for PostgreSQL defines the name of the key in the secret (below) that contains the password. 
| +| `password.secret` | String | | The `password.secret` attribute for PostgreSQL defines the name of the Kubernetes `Secret` to pull from. | +| `port` | Integer | `5432` | The port on which to connect to the PostgreSQL server. | +| `username` | String | `gitlab` | The username with which to authenticate to the database. | +| `preparedStatements` | Boolean | `false` | If prepared statements should be used when communicating with the PostgreSQL server. | ### Gitaly 
@@ -411,13 +411,13 @@ gitaly: key: token ``` -| Name | Type | Default | Description | -| :----------------- | :-----: | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `host` | String | | The hostname of the Gitaly server to use. This can be omitted in lieu of `serviceName`. | +| Name | Type | Default | Description | +|:-------------------|:-------:|:---------|:------------| +| `host` | String | | The hostname of the Gitaly server to use. This can be omitted in lieu of `serviceName`. | | `serviceName` | String | `gitaly` | The name of the `service` which is operating the Gitaly server. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Gitaly as a part of the overall GitLab chart. | -| `port` | Integer | `8075` | The port on which to connect to the Gitaly server. | -| `authToken.key` | String | | The name of the key in the secret below that contains the authToken. | -| `authToken.secret` | String | | The name of the Kubernetes `Secret` to pull from. | +| `port` | Integer | `8075` | The port on which to connect to the Gitaly server. | +| `authToken.key` | String | | The name of the key in the secret below that contains the authToken. | +| `authToken.secret` | String | | The name of the Kubernetes `Secret` to pull from. | ## Metrics 
@@ -432,17 +432,17 @@ server to discover and scrape the exposed metrics. The following values will be used chart-wide, in the event that a value is not presented on a per-pod basis. -| Name | Type | Default | Description | -| :--------------------------- | :-----: | :-------- | :------------------------------------------------------------------------------------------------------------------------------------ | -| `concurrency` | Integer | `25` | The number of tasks to process simultaneously. | +| Name | Type | Default | Description | +|:-----------------------------|:-------:|:----------|:------------| +| `concurrency` | Integer | `25` | The number of tasks to process simultaneously. | | `timeout` | Integer | `4` | The Sidekiq shutdown timeout. The number of seconds after Sidekiq gets the TERM signal before it forcefully shuts down its processes. | -| `memoryKiller.checkInterval` | Integer | `3` | Amount of time in seconds between memory checks | -| `memoryKiller.maxRss` | Integer | `2000000` | Maximum RSS before delayed shutdown triggered expressed in kilobytes | -| `memoryKiller.graceTime` | Integer | `900` | Time to wait before a triggered shutdown expressed in seconds | -| `memoryKiller.shutdownWait` | Integer | `30` | Amount of time after triggered shutdown for existing jobs to finish expressed in seconds | -| `minReplicas` | Integer | `2` | Minimum number of replicas | -| `maxReplicas` | Integer | `10` | Maximum number of replicas | -| `maxUnavailable` | Integer | `1` | Limit of maximum number of Pods to be unavailable | +| `memoryKiller.checkInterval` | Integer | `3` | Amount of time in seconds between memory checks | +| `memoryKiller.maxRss` | Integer | `2000000` | Maximum RSS before delayed shutdown triggered expressed in kilobytes | +| `memoryKiller.graceTime` | Integer | `900` | Time to wait before a triggered shutdown expressed in seconds | +| `memoryKiller.shutdownWait` | Integer | `30` | Amount of time after triggered shutdown for existing jobs to 
finish expressed in seconds | +| `minReplicas` | Integer | `2` | Minimum number of replicas | +| `maxReplicas` | Integer | `10` | Maximum number of replicas | +| `maxUnavailable` | Integer | `1` | Limit of maximum number of Pods to be unavailable | {{< alert type="note" >}} 
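Review bot: the chart-wide defaults in the `@@ -432,17 +432,17 @@` hunk disagree with the parameter table at the top of the same file: `concurrency` is `25` in the `+` line here but `20` in the parameter table, and the unchanged `timeout` context row gives `4` where the parameter table gives `25` for the same key. A formatting-only cleanup should not pick a value, but both tables cannot be right, so verify the two defaults against the chart's values file and align the tables in this MR or open a follow-up. Also, `memoryKiller.checkInterval` says "Amount of time in seconds between memory checks" here while the parameter table and the per-pod table omit the unit; state the unit in all three rows.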
@@ -465,47 +465,47 @@ a different pod configuration. It will not add a new pod in addition to the defa {{< /alert >}} -| Name | Type | Default | Description | -| :----------------------------------- | :-----: | :------------------------------------------------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `concurrency` | Integer | | The number of tasks to process simultaneously. If not provided, it will be pulled from the chart-wide default. | -| `name` | String | | Used to name the `Deployment` and `ConfigMap` for this pod. It should be kept short, and should not be duplicated between any two entries. | -| `queues` | String | | [See below](#queues). | -| `timeout` | Integer | | The Sidekiq shutdown timeout. The number of seconds after Sidekiq gets the TERM signal before it forcefully shuts down its processes. If not provided, it will be pulled from the chart-wide default. This value **must** be less than `terminationGracePeriodSeconds`. | -| `resources` | | | Each pod can present it's own `resources` requirements, which will be added to the `Deployment` created for it, if present. These match the Kubernetes documentation. | -| `nodeSelector` | | | Each pod can be configured with a `nodeSelector` attribute, which will be added to the `Deployment` created for it, if present. These definitions match the Kubernetes documentation. | -| `memoryKiller.checkInterval` | Integer | `3` | Amount of time between memory checks | -| `memoryKiller.maxRss` | Integer | `2000000` | Overrides the maximum RSS for a given pod. 
| -| `memoryKiller.graceTime` | Integer | `900` | Overrides the time to wait before a triggered shutdown for a given Pod | -| `memoryKiller.shutdownWait` | Integer | `30` | Overrides the amount of time after triggered shutdown for existing jobs to finish for a given Pod | -| `minReplicas` | Integer | `2` | Minimum number of replicas | -| `maxReplicas` | Integer | `10` | Maximum number of replicas | -| `maxUnavailable` | Integer | `1` | Limit of maximum number of Pods to be unavailable | -| `podLabels` | Map | `{}` | Supplemental Pod labels. Will not be used for selectors. | -| `strategy` | | `{}` | Allows one to configure the update strategy utilized by the deployment | -| `extraVolumes` | String | | Configures extra volumes for the given pod. | -| `extraVolumeMounts` | String | | Configures extra volume mounts for the given pod. | -| `priorityClassName` | String | `""` | Allow configuring pods `priorityClassName`, this is used to control pod priority in case of eviction | -| `hpa.customMetrics` | Array | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | String | `AverageValue` | Overrides the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | String | `350m` | Overrides the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | Integer | | Overrides the autoscaling CPU target utilization | -| `hpa.memory.targetType` | String | | Overrides the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | String | | Overrides the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | Integer | | Overrides the autoscaling memory target utilization | -| `hpa.targetAverageValue` | String | | **DEPRECATED** Overrides the autoscaling CPU 
target value | -| `keda.enabled` | Boolean | `false` | Overrides enabling KEDA | -| `keda.pollingInterval` | Integer | `30` | Overrides the KEDA polling interval | -| `keda.cooldownPeriod` | Integer | `300` | Overrides the KEDA cooldown period | -| `keda.minReplicaCount` | Integer | | Overrides the KEDA minimum replica count | -| `keda.maxReplicaCount` | Integer | | Overrides the KEDA maximum replica count | -| `keda.fallback` | Map | | Overrides the KEDA fallback configuration | -| `keda.hpaName` | String | | Overrides the KEDA HPA name | -| `keda.restoreToOriginalReplicaCount` | Boolean | | Overrides enabling the restoration of the original replica count | -| `keda.behavior` | Map | | Overrides the KEDA HPA behavior | -| `keda.triggers` | Array | | Overrides the KEDA triggers | -| `extraEnv` | Map | | List of extra environment variables to expose. The chart-wide value is merged into this, with values from the pod taking precedence | -| `extraEnvFrom` | Map | | List of extra environment variables from other data source to expose | -| `terminationGracePeriodSeconds` | Integer | `30` | Optional duration in seconds the pod needs to terminate gracefully. | +| Name | Type | Default | Description | +|:--------------------------------------|:-------:|:---------------|:------------| +| `concurrency` | Integer | | The number of tasks to process simultaneously. If not provided, it will be pulled from the chart-wide default. | +| `name` | String | | Used to name the `Deployment` and `ConfigMap` for this pod. It should be kept short, and should not be duplicated between any two entries. | +| `queues` | String | | [See below](#queues). | +| `timeout` | Integer | | The Sidekiq shutdown timeout. The number of seconds after Sidekiq gets the TERM signal before it forcefully shuts down its processes. If not provided, it will be pulled from the chart-wide default. This value **must** be less than `terminationGracePeriodSeconds`. 
| +| `resources` | | | Each pod can present it's own `resources` requirements, which will be added to the `Deployment` created for it, if present. These match the Kubernetes documentation. | +| `nodeSelector` | | | Each pod can be configured with a `nodeSelector` attribute, which will be added to the `Deployment` created for it, if present. These definitions match the Kubernetes documentation. | +| `memoryKiller.checkInterval` | Integer | `3` | Amount of time between memory checks | +| `memoryKiller.maxRss` | Integer | `2000000` | Overrides the maximum RSS for a given pod. | +| `memoryKiller.graceTime` | Integer | `900` | Overrides the time to wait before a triggered shutdown for a given Pod | +| `memoryKiller.shutdownWait` | Integer | `30` | Overrides the amount of time after triggered shutdown for existing jobs to finish for a given Pod | +| `minReplicas` | Integer | `2` | Minimum number of replicas | +| `maxReplicas` | Integer | `10` | Maximum number of replicas | +| `maxUnavailable` | Integer | `1` | Limit of maximum number of Pods to be unavailable | +| `podLabels` | Map | `{}` | Supplemental Pod labels. Will not be used for selectors. | +| `strategy` | | `{}` | Allows one to configure the update strategy utilized by the deployment | +| `extraVolumes` | String | | Configures extra volumes for the given pod. | +| `extraVolumeMounts` | String | | Configures extra volume mounts for the given pod. 
| +| `priorityClassName` | String | `""` | Allow configuring pods `priorityClassName`, this is used to control pod priority in case of eviction | +| `hpa.customMetrics` | Array | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | String | `AverageValue` | Overrides the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | String | `350m` | Overrides the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | Integer | | Overrides the autoscaling CPU target utilization | +| `hpa.memory.targetType` | String | | Overrides the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | String | | Overrides the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | Integer | | Overrides the autoscaling memory target utilization | +| `hpa.targetAverageValue` | String | | **DEPRECATED** Overrides the autoscaling CPU target value | +| `keda.enabled` | Boolean | `false` | Overrides enabling KEDA | +| `keda.pollingInterval` | Integer | `30` | Overrides the KEDA polling interval | +| `keda.cooldownPeriod` | Integer | `300` | Overrides the KEDA cooldown period | +| `keda.minReplicaCount` | Integer | | Overrides the KEDA minimum replica count | +| `keda.maxReplicaCount` | Integer | | Overrides the KEDA maximum replica count | +| `keda.fallback` | Map | | Overrides the KEDA fallback configuration | +| `keda.hpaName` | String | | Overrides the KEDA HPA name | +| `keda.restoreToOriginalReplicaCount` | Boolean | | Overrides enabling the restoration of the original replica count | +| `keda.behavior` | Map | | Overrides the KEDA HPA behavior | +| `keda.triggers` | Array | | Overrides the KEDA triggers | +| `extraEnv` | Map | | List of extra environment 
variables to expose. The chart-wide value is merged into this, with values from the pod taking precedence | +| `extraEnvFrom` | Map | | List of extra environment variables from other data source to expose | +| `terminationGracePeriodSeconds` | Integer | `30` | Optional duration in seconds the pod needs to terminate gracefully. | ### queues 
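Review bot: the `resources` row in the `@@ -465,47 +465,47 @@` hunk carries "Each pod can present it's own `resources` requirements" unchanged into its `+` line; `it's` should be `its`. In the same `+` block the `extraEnv` and `extraEnvFrom` rows are typed `Map` but described as "List of extra environment variables", which contradicts the Type column; pick one. Finally, the `timeout` row says the value **must** be less than `terminationGracePeriodSeconds`, but the `terminationGracePeriodSeconds` row at the bottom of the table (default `30`) does not mention the constraint; since a shutdown timeout that exceeds the grace period is the failure mode this sentence exists to prevent, cross-reference it from both rows.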
@@ -589,12 +589,12 @@ This section controls the This configuration is optional and is used to limit Egress and Ingress of the Pods to specific endpoints. -| Name | Type | Default | Description | -| :---------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | This setting enables the network policy | -| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | -| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | -| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | This setting enables the network policy | +| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | +| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | +| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | | `egress.rules` | Array | `[]` | Rules for the egress policy, these for details see and the example below | ### Example Network Policy 
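Review bot: the `ingress.rules` description in the `+` line of the `@@ -589,12 +589,12 @@` hunk, "for details see and the example below", is missing whatever link "see" pointed at, and the unchanged `egress.rules` context row has the same gap plus a stray word ("these for details see and the example below"). Restore the reference (or reduce both to "see the example below") in both rows instead of reflowing the broken sentence; these two rows describe the only rules that open the otherwise all-blocking `Ingress` and `Egress` policies, so readers need to be pointed at the rule format.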
@@ -720,15 +720,15 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | diff --git a/doc/charts/gitlab/spamcheck/_index.md b/doc/charts/gitlab/spamcheck/_index.md index 7d77aafdc7..87e547cd0e 100644 --- a/doc/charts/gitlab/spamcheck/_index.md +++ b/doc/charts/gitlab/spamcheck/_index.md 
@@ -47,65 +47,65 @@ helm upgrade --force --install gitlab . \ The table below contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags. -| Parameter | Default | Description | -| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | -| `annotations` | `{}` | Pod annotations | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `deployment.livenessProbe.initialDelaySeconds` | 20 | Delay before liveness probe is initiated | -| `deployment.livenessProbe.periodSeconds` | 60 | How often to perform the liveness probe | -| `deployment.livenessProbe.timeoutSeconds` | 30 | When the liveness probe times out | -| `deployment.livenessProbe.successThreshold` | 1 | Minimum consecutive successes for the liveness probe to be considered successful after having failed | -| `deployment.livenessProbe.failureThreshold` | 3 | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | -| `deployment.readinessProbe.initialDelaySeconds` | 0 | Delay before readiness probe is initiated | -| `deployment.readinessProbe.periodSeconds` | 10 | How often to perform the readiness probe | -| `deployment.readinessProbe.timeoutSeconds` | 2 | When the readiness probe times out | -| `deployment.readinessProbe.successThreshold` | 1 | Minimum consecutive successes for the readiness probe to be considered successful after having failed | -| `deployment.readinessProbe.failureThreshold` | 3 | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | -| `deployment.strategy` | `{}` | Allows one to configure the 
update strategy used by the deployment. When not provided, the cluster default is used. | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `image.registry` | | Spamcheck image registry | -| `image.repository` | `registry.gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck` | Spamcheck image repository | -| `image.tag` | | Spamcheck image tag | -| `image.digest` | | Spamcheck image digest | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will 
scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `logging.level` | `info` | Log level | -| `maxReplicas` | `10` | HPA `maxReplicas` | -| `maxUnavailable` | `1` | HPA `maxUnavailable` | -| `minReplicas` | `2` | HPA `maxReplicas` | -| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. | -| `resources.requests.cpu` | `100m` | Spamcheck minimum CPU | -| `resources.requests.memory` | `100M` | Spamcheck minimum memory | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `serviceLabels` | `{}` | Supplemental service labels | -| `service.externalPort` | `8001` | Spamcheck external port | -| `service.internalPort` | `8001` | Spamcheck internal port | -| `service.type` | `ClusterIP` | Spamcheck service type | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether 
or not to use a ServiceAccount | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `extraEnvFrom` | `{}` | List of extra environment variables from other data sources to expose | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| Parameter | Default | Description | +|-------------------------------------------------|---------------------------------------------------|-------------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | `{}` | Pod annotations | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `deployment.livenessProbe.initialDelaySeconds` | 20 | Delay before liveness probe is initiated | +| `deployment.livenessProbe.periodSeconds` | 60 | How often to perform the liveness probe | +| `deployment.livenessProbe.timeoutSeconds` | 30 | When the liveness probe times out | +| `deployment.livenessProbe.successThreshold` | 1 | Minimum consecutive successes for the liveness probe to be considered successful after having failed | +| `deployment.livenessProbe.failureThreshold` | 3 | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | +| `deployment.readinessProbe.initialDelaySeconds` | 0 | Delay before readiness probe is initiated | +| `deployment.readinessProbe.periodSeconds` | 10 | How often to perform the readiness probe | +| `deployment.readinessProbe.timeoutSeconds` | 2 | When the readiness probe times out | +| `deployment.readinessProbe.successThreshold` | 1 | Minimum consecutive successes for the readiness probe to be considered successful after having failed | +| `deployment.readinessProbe.failureThreshold` | 3 | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | +| `deployment.strategy` | `{}` | Allows one to configure the update 
strategy used by the deployment. When not provided, the cluster default is used. | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `image.registry` | | Spamcheck image registry | +| `image.repository` | `registry.gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/spam/spamcheck` | Spamcheck image repository | +| `image.tag` | | Spamcheck image tag | +| `image.digest` | | Spamcheck image digest | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the 
resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `logging.level` | `info` | Log level | +| `maxReplicas` | `10` | HPA `maxReplicas` | +| `maxUnavailable` | `1` | HPA `maxUnavailable` | +| `minReplicas` | `2` | HPA `maxReplicas` | +| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. | +| `resources.requests.cpu` | `100m` | Spamcheck minimum CPU | +| `resources.requests.memory` | `100M` | Spamcheck minimum memory | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `serviceLabels` | `{}` | Supplemental service labels | +| `service.externalPort` | `8001` | Spamcheck external port | +| `service.internalPort` | `8001` | Spamcheck internal port | +| `service.type` | `ClusterIP` | Spamcheck service type | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to 
use a ServiceAccount | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `extraEnvFrom` | `{}` | List of extra environment variables from other data sources to expose | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | ## Configuring KEDA 
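Review bot: in the spamcheck `@@ -47,65 +47,65 @@` parameter table, the `minReplicas` row is rewritten but keeps its copy-paste error: `| `minReplicas` | `2` | HPA `maxReplicas` |` should describe HPA `minReplicas`. Since the row is touched anyway, correct the description in this change rather than carrying a wrong cell through a cleanup commit.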
@@ -123,18 +123,18 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | ## Chart configuration examples 
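Review bot: in the spamcheck `@@ -123,18 +123,18 @@` KEDA table, `minReplicaCount` and `maxReplicaCount` say they default to `hpa.minReplicas` and `hpa.maxReplicas`, but the parameter table earlier in the same file lists these keys as top-level `minReplicas` and `maxReplicas` (no `hpa.` prefix) while its `keda.minReplicaCount` and `keda.maxReplicaCount` rows repeat the `hpa.` form. One of the two spellings is wrong; check the chart's values file and make both tables agree. This table also duplicates the `keda.*` rows of the parameter table word for word, so consider linking to one of them instead of maintaining two copies.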
@@ -142,11 +142,11 @@ Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-dep This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | ### tolerations diff --git a/doc/charts/gitlab/toolbox/_index.md b/doc/charts/gitlab/toolbox/_index.md index a596c03c9d..9e2fc15181 100644 --- a/doc/charts/gitlab/toolbox/_index.md +++ b/doc/charts/gitlab/toolbox/_index.md 
@@ -67,90 +67,90 @@ gitlab: affinity: {} ``` -| Parameter | Description | Default | -|----------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------| -| `affinity` | [Affinity rules](../_index.md#affinity) for pod assignment | `{}` | -| `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` | -| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | -| `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | | -| `backups.cron.activeDeadlineSeconds` | Backup CronJob active deadline seconds (if null, no active deadline is applied) | `null` | -| `backups.cron.ttlSecondsAfterFinished` | Backup CronJob job time to live after finished (if null, no time to liveis applied) | `null` | -| `backups.cron.safeToEvict` | Autoscaling safe-to-evict annotation | false | -| `backups.cron.backoffLimit` | Backup CronJob backoff limit | `6` | -| `backups.cron.concurrencyPolicy` | Kubernetes Job concurrency policy | `Replace` | -| `backups.cron.enabled` | Backup CronJob enabled flag | false | -| `backups.cron.extraArgs` | String of arguments to pass to the backup utility | | -| `backups.cron.failedJobsHistoryLimit` | Number of failed backup jobs list in history | `1` | -| `backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` | -| `backups.cron.persistence.enabled` | Backup cron enable persistence flag | false | -| `backups.cron.persistence.matchExpressions` | Label-expression matches to bind | | -| `backups.cron.persistence.matchLabels` | Label-value matches to bind | | -| `backups.cron.persistence.useGenericEphemeralVolume` | Use a [generic ephemeral 
volume](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) | false | -| `backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` | -| `backups.cron.persistence.storageClass` | StorageClass name for provisioning | | -| `backups.cron.persistence.subPath` | Backup cron persistence volume mount path | | -| `backups.cron.persistence.volumeName` | Existing persistent volume name | | -| `backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` | -| `backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` | -| `backups.cron.restartPolicy` | Backup cron restart policy (`Never` or `OnFailure`) | `OnFailure` | -| `backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | -| `backups.cron.startingDeadlineSeconds` | Backup cron job starting deadline, in seconds (if null, no starting deadline is applied) | `null` | -| `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs list in history | `3` | -| `backups.cron.suspend` | Backup cron job is suspended | `false` | -| `backups.cron.timeZone` | Time zone for the backup schedule. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones). Uses the cluster time zone if not specified. | "" | -| `backups.cron.tolerations` | Tolerations to add to the backup cron job | "" | -| `backups.cron.nodeSelector` | Backup cron job node selection | "" | -| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` | -| `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `backups.objectStorage.config.key` | Key containing credentials in secret | "" | -| `backups.objectStorage.config.secret` | Object storage credentials secret | "" | -| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` | -| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | { `type`: `Recreate` } | -| `enabled` | Toolbox enablement flag | true | -| `extra` | YAML block for [extra `gitlab.yml` configuration](https://gitlab.com/gitlab-org/gitlab/-/blob/8d2b59dbf232f17159d63f0359fa4793921896d5/config/gitlab.yml.example#L1193-1199) | {} | -| `image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Toolbox image pull secrets | | -| `image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | -| `image.tag` | Toolbox image tag | `master` | -| `init.image.repository` | Toolbox init image repository | | -| `init.image.tag` | Toolbox init image tag | | -| `init.resources` | Toolbox init container resource requirements | { `requests`: { `cpu`: `50m` }} | -| `init.containerSecurityContext` | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | | -| `init.containerSecurityContext.allowPrivilegeEscalation` | initContainer specific: Controls whether a process can gain more privileges than its parent process | `false` | -| `init.containerSecurityContext.runAsUser` | initContainer specific: User ID under which the container should be started | `1000` | -| `init.containerSecurityContext.allowPrivilegeEscalation` | initContainer specific: Controls whether a process can gain more privileges than its parent process | `false` | -| `init.containerSecurityContext.runAsNonRoot` | initContainer specific: Controls whether the container runs with a non-root user | `true` | -| `init.containerSecurityContext.capabilities.drop` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | `[ "ALL" ]` | -| `nodeSelector` | Toolbox and backup job node selection | | -| `persistence.accessMode` | Toolbox persistence access 
mode | `ReadWriteOnce` | -| `persistence.enabled` | Toolbox enable persistence flag | false | -| `persistence.matchExpressions` | Label-expression matches to bind | | -| `persistence.matchLabels` | Label-value matches to bind | | -| `persistence.size` | Toolbox persistence volume size | `10Gi` | -| `persistence.storageClass` | StorageClass name for provisioning | | -| `persistence.subPath` | Toolbox persistence volume mount path | | -| `persistence.volumeName` | Existing PersistentVolume name | | -| `podLabels` | Labels for running Toolbox Pods | {} | -| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | | -| `replicas` | Number of Toolbox Pods to run | `1` | -| `resources.requests` | Toolbox minimum requested resources | { `cpu`: `50m`, `memory`: `350M` | -| `securityContext.fsGroup` | File System Group ID under which the pod should be started | `1000` | -| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `securityContext.runAsGroup` | Group ID under which the pod should be started | `1000` | -| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | -| `securityContext.seccompProfile.type` | Seccomp profile to use | `RuntimeDefault` | -| `containerSecurityContext` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | | -| `containerSecurityContext.runAsUser` | Allow to overwrite the specific security context under which the container is started | `1000` | -| `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process of the container can gain more privileges than its parent process | `false` | -| `containerSecurityContext.runAsNonRoot` | Controls whether the container runs with a non-root user | `true` | -| 
`containerSecurityContext.capabilities.drop` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | `[ "ALL" ]` | -| `serviceAccount.annotations` | Annotations for ServiceAccount | {} | -| `serviceAccount.automountServiceAccountToken`| Indicates whether or not the default ServiceAccount access token should be mounted in pods | `false` | -| `serviceAccount.enabled` | Indicates whether or not to use a ServiceAccount | false | -| `serviceAccount.create` | Indicates whether or not a ServiceAccount should be created | false | -| `serviceAccount.name` | Name of the ServiceAccount. If not set, the full chart name is used | | -| `tolerations` | Tolerations to add to the Toolbox | | -| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | +| Parameter | Default | Description | +|----------------------------------------------------------|--------------------------------------------------------------|-------------| +| `affinity` | `{}` | [Affinity rules](../_index.md#affinity) for pod assignment | +| `annotations` | `{}` | Annotations to add to the Toolbox Pods and Jobs | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. 
| +| `antiAffinityLabels.matchLabels` | | Labels for setting anti-affinity options | +| `backups.cron.activeDeadlineSeconds` | `null` | Backup CronJob active deadline seconds (if null, no active deadline is applied) | +| `backups.cron.ttlSecondsAfterFinished` | `null` | Backup CronJob job time to live after finished (if null, no time to liveis applied) | +| `backups.cron.safeToEvict` | `false` | Autoscaling safe-to-evict annotation | +| `backups.cron.backoffLimit` | `6` | Backup CronJob backoff limit | +| `backups.cron.concurrencyPolicy` | `Replace` | Kubernetes Job concurrency policy | +| `backups.cron.enabled` | `false` | Backup CronJob enabled flag | +| `backups.cron.extraArgs` | | String of arguments to pass to the backup utility | +| `backups.cron.failedJobsHistoryLimit` | `1` | Number of failed backup jobs list in history | +| `backups.cron.persistence.accessMode` | `ReadWriteOnce` | Backup cron persistence access mode | +| `backups.cron.persistence.enabled` | `false` | Backup cron enable persistence flag | +| `backups.cron.persistence.matchExpressions` | | Label-expression matches to bind | +| `backups.cron.persistence.matchLabels` | | Label-value matches to bind | +| `backups.cron.persistence.useGenericEphemeralVolume` | `false` | Use a [generic ephemeral volume](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) | +| `backups.cron.persistence.size` | `10Gi` | Backup cron persistence volume size | +| `backups.cron.persistence.storageClass` | | StorageClass name for provisioning | +| `backups.cron.persistence.subPath` | | Backup cron persistence volume mount path | +| `backups.cron.persistence.volumeName` | | Existing persistent volume name | +| `backups.cron.resources.requests.cpu` | `50m` | Backup cron minimum needed CPU | +| `backups.cron.resources.requests.memory` | `350M` | Backup cron minimum needed memory | +| `backups.cron.restartPolicy` | `OnFailure` | Backup cron restart policy (`Never` or `OnFailure`) | +| 
`backups.cron.schedule` | `0 1 * * *` | Cron style schedule string | +| `backups.cron.startingDeadlineSeconds` | `null` | Backup cron job starting deadline, in seconds (if null, no starting deadline is applied) | +| `backups.cron.successfulJobsHistoryLimit` | `3` | Number of successful backup jobs list in history | +| `backups.cron.suspend` | `false` | Backup cron job is suspended | +| `backups.cron.timeZone` | `""` | Time zone for the backup schedule. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones). Uses the cluster time zone if not specified. | +| `backups.cron.tolerations` | `""` | Tolerations to add to the backup cron job | +| `backups.cron.nodeSelector` | `""` | Backup cron job node selection | +| `backups.objectStorage.backend` | `s3` | Object storage provider to use (`s3`, `gcs` or `azure`) | +| `backups.objectStorage.config.gcpProject` | `""` | GCP Project to use when backend is `gcs` | +| `backups.objectStorage.config.key` | `""` | Key containing credentials in secret | +| `backups.objectStorage.config.secret` | `""` | Object storage credentials secret | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. 
| +| `deployment.strategy` | ``{ `type`: `Recreate` }`` | Allows one to configure the update strategy utilized by the deployment | +| `enabled` | `true` | Toolbox enablement flag | +| `extra` | `{}` | YAML block for [extra `gitlab.yml` configuration](https://gitlab.com/gitlab-org/gitlab/-/blob/8d2b59dbf232f17159d63f0359fa4793921896d5/config/gitlab.yml.example#L1193-1199) | +| `image.pullPolicy` | `IfNotPresent` | Toolbox image pull policy | +| `image.pullSecrets` | | Toolbox image pull secrets | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | Toolbox image repository | +| `image.tag` | `master` | Toolbox image tag | +| `init.image.repository` | | Toolbox init image repository | +| `init.image.tag` | | Toolbox init image tag | +| `init.resources` | ``{ `requests`: { `cpu`: `50m` }}`` | Toolbox init container resource requirements | +| `init.containerSecurityContext` | | initContainer specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `nodeSelector` | | Toolbox and backup job node selection | +| `persistence.accessMode` | `ReadWriteOnce` | 
Toolbox persistence access mode | +| `persistence.enabled` | `false` | Toolbox enable persistence flag | +| `persistence.matchExpressions` | | Label-expression matches to bind | +| `persistence.matchLabels` | | Label-value matches to bind | +| `persistence.size` | `10Gi` | Toolbox persistence volume size | +| `persistence.storageClass` | | StorageClass name for provisioning | +| `persistence.subPath` | | Toolbox persistence volume mount path | +| `persistence.volumeName` | | Existing PersistentVolume name | +| `podLabels` | `{}` | Labels for running Toolbox Pods | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| `replicas` | `1` | Number of Toolbox Pods to run | +| `resources.requests` | ``{ `cpu`: `50m`, `memory`: `350M` }`` | Toolbox minimum requested resources | +| `securityContext.fsGroup` | `1000` | File System Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.runAsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| 
`containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `serviceAccount.annotations` | `{}` | Annotations for ServiceAccount | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.name` | | Name of the ServiceAccount. If not set, the full chart name is used | +| `tolerations` | | Tolerations to add to the Toolbox | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | ## Configuring backups diff --git a/doc/charts/gitlab/webservice/_index.md b/doc/charts/gitlab/webservice/_index.md index 40b8887cf7..c717cee3f3 100644 --- a/doc/charts/gitlab/webservice/_index.md +++ b/doc/charts/gitlab/webservice/_index.md 
@@ -39,168 +39,168 @@ The `webservice` chart is configured as follows: [Global settings](#global-setti The table below contains all the possible chart configurations that can be supplied to the `helm install` command using the `--set` flags. -| Parameter | Default | Description | -|---------------------------------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `annotations` | | Pod annotations | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `deployment.terminationGracePeriodSeconds` | 30 | Seconds that Kubernetes will wait for a pod to exit, note this must be longer than `shutdown.blackoutSeconds` | -| `deployment.livenessProbe.initialDelaySeconds` | 20 | Delay before liveness probe is initiated | -| `deployment.livenessProbe.periodSeconds` | 60 | How often to perform the liveness probe | -| `deployment.livenessProbe.timeoutSeconds` | 30 | When the liveness probe times out | -| `deployment.livenessProbe.successThreshold` | 1 | Minimum consecutive successes for the liveness probe to be considered successful after having failed | -| `deployment.livenessProbe.failureThreshold` | 3 | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | -| `deployment.readinessProbe.initialDelaySeconds` | 0 | Delay before readiness probe is initiated | -| `deployment.readinessProbe.periodSeconds` | 10 | How often to perform the readiness probe | -| `deployment.readinessProbe.timeoutSeconds` | 2 | When the 
readiness probe times out | -| `deployment.readinessProbe.successThreshold` | 1 | Minimum consecutive successes for the readiness probe to be considered successful after having failed | -| `deployment.readinessProbe.failureThreshold` | 3 | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | -| `enabled` | `true` | Webservice enabled flag | -| `extraContainers` | | Multiline literal style string containing a list of containers to include | -| `extraInitContainers` | | List of extra init containers to include | -| `extras.google_analytics_id` | `nil` | Google Analytics ID for frontend | -| `extraVolumeMounts` | | List of extra volumes mounts to do | -| `extraVolumes` | | List of extra volumes to create | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `gitlab.webservice.workhorse.image` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee` | Workhorse image repository | -| `gitlab.webservice.workhorse.tag` | | Workhorse image tag | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `1` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| 
`hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `sshHostKeys.mount` | `false` | Whether to mount the GitLab Shell secret containing the public SSH keys. | -| `sshHostKeys.mountName` | `ssh-host-keys` | Name of the mounted volume. | -| `sshHostKeys.types` | `[dsa,rsa,ecdsa,ed25519]` | List of SSH key types to mount. | -| `image.pullPolicy` | `Always` | Webservice image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee` | Webservice image repository | -| `image.tag` | | Webservice image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the 
resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | -| `metrics.port` | `8083` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | -| `metrics.tls.enabled` | | TLS enabled for the metrics/web_exporter endpoint. Defaults to `tls.enabled`. | -| `metrics.tls.secretName` | | Secret for the metrics/web_exporter endpoint TLS cert and key. Defaults to `tls.secretName`. 
| -| `minio.bucket` | `git-lfs` | Name of storage bucket, when using MinIO | -| `minio.port` | `9000` | Port for MinIO service | -| `minio.serviceName` | `minio-svc` | Name of MinIO service | -| `monitoring.ipWhitelist` | `[0.0.0.0/0]` | List of IPs to whitelist for the monitoring endpoints | -| `monitoring.exporter.enabled` | `false` | Enable webserver to expose Prometheus metrics, this is overridden by `metrics.enabled` if the metrics port is set to the monitoring exporter port | -| `monitoring.exporter.port` | `8083` | Port number to use for the metrics exporter | -| `psql.password.key` | `psql-password` | Key to psql password in psql secret | -| `psql.password.secret` | `gitlab-postgres` | psql secret name | -| `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | -| `puma.disableWorkerKiller` | `true` | Disables Puma worker memory killer | -| `puma.workerMaxMemory` | | The maximum memory (in megabytes) for the Puma worker killer | -| `puma.threads.min` | `4` | The minimum amount of Puma threads | -| `puma.threads.max` | `4` | The maximum amount of Puma threads | -| `rack_attack.git_basic_auth` | `{}` | See [GitLab documentation](https://docs.gitlab.com/administration/settings/protected_paths/) for details | -| `redis.serviceName` | `redis` | Redis service name | -| `global.registry.api.port` | `5000` | Registry port | -| `global.registry.api.protocol` | `http` | Registry protocol | -| `global.registry.api.serviceName` | `registry` | Registry service name | -| `global.registry.enabled` | `true` | Add/Remove registry link in all projects menu | -| `global.registry.tokenIssuer` | `gitlab-issuer` | Registry token issuer | -| `replicaCount` | `1` | Webservice number of replicas | -| `resources.requests.cpu` | `300m` | Webservice minimum CPU | -| `resources.requests.memory` | `1.5G` | Webservice minimum memory | -| `service.externalPort` | `8080` | Webservice exposed port | -| `securityContext.fsGroup` | `1000` | Group ID under which 
the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context user ID under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the Gitaly container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | -| `serviceLabels` | `{}` | Supplemental service labels | -| `service.internalPort` | `8080` | Webservice internal port | -| `service.type` | `ClusterIP` | Webservice service type | -| `service.workhorseExternalPort` | `8181` | Workhorse exposed port | -| `service.workhorseInternalPort` | `8181` | Workhorse internal port | -| `service.loadBalancerIP` | | IP address to assign to LoadBalancer (if supported by cloud provider) | -| `service.loadBalancerSourceRanges` | | List of IP CIDRs allowed access to LoadBalancer (if supported) Required for service.type = LoadBalancer | -| `shell.authToken.key` | `secret` | Key to shell token in shell secret | -| `shell.authToken.secret` | `{Release.Name}-gitlab-shell-secret` | Shell token secret | -| `shell.port` | `nil` | Port number to use in SSH URLs generated by UI | -| `shutdown.blackoutSeconds` | `10` | Number of seconds to keep Webservice running after receiving shutdown, note this must shorter than `deployment.terminationGracePeriodSeconds` | -| `tls.enabled` | `false` | Webservice TLS enabled | -| `tls.secretName` | `{Release.Name}-webservice-tls` | Webservice TLS secrets. `secretName` must point to a [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `trusted_proxies` | `[]` | See [GitLab documentation](https://docs.gitlab.com/install/installation/#adding-your-trusted-proxies) for details | -| `workhorse.logFormat` | `json` | Logging format. Valid formats: `json`, `structured`, `text` | -| `workerProcesses` | `2` | Webservice number of workers | -| `workhorse.keywatcher` | `true` | Subscribe workhorse to Redis. 
This is **required** by any deployment servicing request to `/api/*`, but can be safely disabled for other deployments | -| `workhorse.shutdownTimeout` | `global.webservice.workerTimeout + 1` (seconds) | Time to wait for all Web requests to clear from Workhorse. Examples: `1min`, `65s`. | +| Parameter | Default | Description | +|---------------------------------------------------------------|-----------------------------------------------------------------|-------------| +| `annotations` | | Pod annotations | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | +| `deployment.terminationGracePeriodSeconds` | `30` | Seconds that Kubernetes will wait for a pod to exit, note this must be longer than `shutdown.blackoutSeconds` | +| `deployment.livenessProbe.initialDelaySeconds` | `20` | Delay before liveness probe is initiated | +| `deployment.livenessProbe.periodSeconds` | `60` | How often to perform the liveness probe | +| `deployment.livenessProbe.timeoutSeconds` | `30` | When the liveness probe times out | +| `deployment.livenessProbe.successThreshold` | `1` | Minimum consecutive successes for the liveness probe to be considered successful after having failed | +| `deployment.livenessProbe.failureThreshold` | `3` | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | +| `deployment.readinessProbe.initialDelaySeconds` | `0` | Delay before readiness probe is initiated | +| `deployment.readinessProbe.periodSeconds` | `10` | How often to perform the readiness probe | +| `deployment.readinessProbe.timeoutSeconds` | `2` | When the readiness probe times out | +| `deployment.readinessProbe.successThreshold` | `1` | Minimum consecutive successes for the readiness probe to be considered successful after having failed | +| `deployment.readinessProbe.failureThreshold` | `3` | Minimum consecutive failures 
for the readiness probe to be considered failed after having succeeded | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | +| `enabled` | `true` | Webservice enabled flag | +| `extraContainers` | | Multiline literal style string containing a list of containers to include | +| `extraInitContainers` | | List of extra init containers to include | +| `extras.google_analytics_id` | `nil` | Google Analytics ID for frontend | +| `extraVolumeMounts` | | List of extra volumes mounts to do | +| `extraVolumes` | | List of extra volumes to create | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `gitlab.webservice.workhorse.image` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee` | Workhorse image repository | +| `gitlab.webservice.workhorse.tag` | | Workhorse image tag | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `1` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target 
utilization | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `sshHostKeys.mount` | `false` | Whether to mount the GitLab Shell secret containing the public SSH keys. | +| `sshHostKeys.mountName` | `ssh-host-keys` | Name of the mounted volume. | +| `sshHostKeys.types` | `[dsa,rsa,ecdsa,ed25519]` | List of SSH key types to mount. | +| `image.pullPolicy` | `Always` | Webservice image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee` | Webservice image repository | +| `image.tag` | | Webservice image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| 
`keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `8083` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | +| `metrics.tls.enabled` | | TLS enabled for the metrics/web_exporter endpoint. Defaults to `tls.enabled`. | +| `metrics.tls.secretName` | | Secret for the metrics/web_exporter endpoint TLS cert and key. Defaults to `tls.secretName`. 
| +| `minio.bucket` | `git-lfs` | Name of storage bucket, when using MinIO | +| `minio.port` | `9000` | Port for MinIO service | +| `minio.serviceName` | `minio-svc` | Name of MinIO service | +| `monitoring.ipWhitelist` | `[0.0.0.0/0]` | List of IPs to whitelist for the monitoring endpoints | +| `monitoring.exporter.enabled` | `false` | Enable webserver to expose Prometheus metrics, this is overridden by `metrics.enabled` if the metrics port is set to the monitoring exporter port | +| `monitoring.exporter.port` | `8083` | Port number to use for the metrics exporter | +| `psql.password.key` | `psql-password` | Key to psql password in psql secret | +| `psql.password.secret` | `gitlab-postgres` | psql secret name | +| `psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | +| `puma.disableWorkerKiller` | `true` | Disables Puma worker memory killer | +| `puma.workerMaxMemory` | | The maximum memory (in megabytes) for the Puma worker killer | +| `puma.threads.min` | `4` | The minimum amount of Puma threads | +| `puma.threads.max` | `4` | The maximum amount of Puma threads | +| `rack_attack.git_basic_auth` | `{}` | See [GitLab documentation](https://docs.gitlab.com/administration/settings/protected_paths/) for details | +| `redis.serviceName` | `redis` | Redis service name | +| `global.registry.api.port` | `5000` | Registry port | +| `global.registry.api.protocol` | `http` | Registry protocol | +| `global.registry.api.serviceName` | `registry` | Registry service name | +| `global.registry.enabled` | `true` | Add/Remove registry link in all projects menu | +| `global.registry.tokenIssuer` | `gitlab-issuer` | Registry token issuer | +| `replicaCount` | `1` | Webservice number of replicas | +| `resources.requests.cpu` | `300m` | Webservice minimum CPU | +| `resources.requests.memory` | `1.5G` | Webservice minimum memory | +| `service.externalPort` | `8080` | Webservice exposed port | +| `securityContext.fsGroup` | `1000` | Group ID under which 
the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context user ID under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the Gitaly container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.create` | `false` | Indicates whether or not a ServiceAccount should be created | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceAccount.name` | | Name of the ServiceAccount. 
If not set, the full chart name is used | +| `serviceLabels` | `{}` | Supplemental service labels | +| `service.internalPort` | `8080` | Webservice internal port | +| `service.type` | `ClusterIP` | Webservice service type | +| `service.workhorseExternalPort` | `8181` | Workhorse exposed port | +| `service.workhorseInternalPort` | `8181` | Workhorse internal port | +| `service.loadBalancerIP` | | IP address to assign to LoadBalancer (if supported by cloud provider) | +| `service.loadBalancerSourceRanges` | | List of IP CIDRs allowed access to LoadBalancer (if supported) Required for service.type = LoadBalancer | +| `shell.authToken.key` | `secret` | Key to shell token in shell secret | +| `shell.authToken.secret` | `{Release.Name}-gitlab-shell-secret` | Shell token secret | +| `shell.port` | `nil` | Port number to use in SSH URLs generated by UI | +| `shutdown.blackoutSeconds` | `10` | Number of seconds to keep Webservice running after receiving shutdown, note this must shorter than `deployment.terminationGracePeriodSeconds` | +| `tls.enabled` | `false` | Webservice TLS enabled | +| `tls.secretName` | `{Release.Name}-webservice-tls` | Webservice TLS secrets. `secretName` must point to a [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `trusted_proxies` | `[]` | See [GitLab documentation](https://docs.gitlab.com/install/installation/#adding-your-trusted-proxies) for details | +| `workhorse.logFormat` | `json` | Logging format. Valid formats: `json`, `structured`, `text` | +| `workerProcesses` | `2` | Webservice number of workers | +| `workhorse.keywatcher` | `true` | Subscribe workhorse to Redis. 
This is **required** by any deployment servicing request to `/api/*`, but can be safely disabled for other deployments | +| `workhorse.shutdownTimeout` | `global.webservice.workerTimeout + 1` (seconds) | Time to wait for all Web requests to clear from Workhorse. Examples: `1min`, `65s`. | | `workhorse.trustedCIDRsForPropagation` | | A list of CIDR blocks that can be trusted for propagating a correlation ID. The `-propagateCorrelationID` option must also be used in `workhorse.extraArgs` for this to work. See the [Workhorse documentation](https://docs.gitlab.com/development/workhorse/configuration/#propagate-correlation-ids) for more details. | -| `workhorse.trustedCIDRsForXForwardedFor` | | A list of CIDR blocks that can be used to resolve the actual client IP via the `X-Forwarded-For` HTTP header. This is used with `workhorse.trustedCIDRsForPropagation`. See the [Workhorse documentation](https://docs.gitlab.com/development/workhorse/configuration/#trusted-proxies) for more details. | -| `workhorse.metadata.zipReaderLimitBytes` | | The optional number of bytes to limit the zip reader to. Introduced in GitLab 16.9. See the [Workhorse documentation](https://docs.gitlab.com/development/workhorse/configuration/#metadata-options) for more details. 
| -| `workhorse.containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `workhorse.containerSecurityContext.runAsUser` | `1000` | User ID under which the container should be started | -| `workhorse.containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | -| `workhorse.containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `workhorse.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `workhorse.livenessProbe.initialDelaySeconds` | 20 | Delay before liveness probe is initiated | -| `workhorse.livenessProbe.periodSeconds` | 60 | How often to perform the liveness probe | -| `workhorse.livenessProbe.timeoutSeconds` | 30 | When the liveness probe times out | -| `workhorse.livenessProbe.successThreshold` | 1 | Minimum consecutive successes for the liveness probe to be considered successful after having failed | -| `workhorse.livenessProbe.failureThreshold` | 3 | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | -| `workhorse.monitoring.exporter.enabled` | `false` | Enable workhorse to expose Prometheus metrics, this is overridden by `workhorse.metrics.enabled` | -| `workhorse.monitoring.exporter.port` | `9229` | Port number to use for workhorse Prometheus metrics | -| `workhorse.monitoring.exporter.tls.enabled` | `false` | When set to `true`, enables TLS on metrics endpoint. It requires [TLS to be enabled for Workhorse](#gitlab-workhorse). 
| -| `workhorse.metrics.enabled` | `true` | If a workhorse metrics endpoint should be made available for scraping | -| `workhorse.metrics.port` | `8083` | Workhorse metrics endpoint port | -| `workhorse.metrics.path` | `/metrics` | Workhorse metrics endpoint path | -| `workhorse.metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the Workhorse metrics scraping | -| `workhorse.metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the Workhorse ServiceMonitor | -| `workhorse.metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the Workhorse ServiceMonitor | -| `workhorse.readinessProbe.initialDelaySeconds` | 0 | Delay before readiness probe is initiated | -| `workhorse.readinessProbe.periodSeconds` | 10 | How often to perform the readiness probe | -| `workhorse.readinessProbe.timeoutSeconds` | 2 | When the readiness probe times out | -| `workhorse.readinessProbe.successThreshold` | 1 | Minimum consecutive successes for the readiness probe to be considered successful after having failed | -| `workhorse.readinessProbe.failureThreshold` | 3 | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | -| `workhorse.imageScaler.maxProcs` | 2 | The maximum number of image scaling processes that may run concurrently | -| `workhorse.imageScaler.maxFileSizeBytes` | 250000 | The maximum file size in bytes for images to be processed by the scaler | -| `workhorse.tls.verify` | `true` | When set to `true` forces NGINX Ingress to verify the TLS certificate of Workhorse. For custom CA you need to set `workhorse.tls.caSecretName` as well. Must be set to `false` for self-signed certificates. | -| `workhorse.tls.secretName` | `{Release.Name}-workhorse-tls` | The name of the [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) that contains the TLS key and certificate pair. 
This is required when Workhorse TLS is enabled. | -| `workhorse.tls.caSecretName` | | The name of the Secret that contains the CA certificate. This **is not** a [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets), and must have only `ca.crt` key. This is used for TLS verification by NGINX. | -| `webServer` | `puma` | Selects web server (Webservice/Puma) that would be used for request handling | -| `priorityClassName` | `""` | Allow configuring pods `priorityClassName`, this is used to control pod priority in case of eviction | +| `workhorse.trustedCIDRsForXForwardedFor` | | A list of CIDR blocks that can be used to resolve the actual client IP via the `X-Forwarded-For` HTTP header. This is used with `workhorse.trustedCIDRsForPropagation`. See the [Workhorse documentation](https://docs.gitlab.com/development/workhorse/configuration/#trusted-proxies) for more details. | +| `workhorse.metadata.zipReaderLimitBytes` | | The optional number of bytes to limit the zip reader to. Introduced in GitLab 16.9. See the [Workhorse documentation](https://docs.gitlab.com/development/workhorse/configuration/#metadata-options) for more details. 
| +| `workhorse.containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `workhorse.containerSecurityContext.runAsUser` | `1000` | User ID under which the container should be started | +| `workhorse.containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the container can gain more privileges than its parent process | +| `workhorse.containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `workhorse.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `workhorse.livenessProbe.initialDelaySeconds` | `20` | Delay before liveness probe is initiated | +| `workhorse.livenessProbe.periodSeconds` | `60` | How often to perform the liveness probe | +| `workhorse.livenessProbe.timeoutSeconds` | `30` | When the liveness probe times out | +| `workhorse.livenessProbe.successThreshold` | `1` | Minimum consecutive successes for the liveness probe to be considered successful after having failed | +| `workhorse.livenessProbe.failureThreshold` | `3` | Minimum consecutive failures for the liveness probe to be considered failed after having succeeded | +| `workhorse.monitoring.exporter.enabled` | `false` | Enable workhorse to expose Prometheus metrics, this is overridden by `workhorse.metrics.enabled` | +| `workhorse.monitoring.exporter.port` | `9229` | Port number to use for workhorse Prometheus metrics | +| `workhorse.monitoring.exporter.tls.enabled` | `false` | When set to `true`, enables TLS on metrics endpoint. It requires [TLS to be enabled for Workhorse](#gitlab-workhorse). 
| +| `workhorse.metrics.enabled` | `true` | If a workhorse metrics endpoint should be made available for scraping | +| `workhorse.metrics.port` | `8083` | Workhorse metrics endpoint port | +| `workhorse.metrics.path` | `/metrics` | Workhorse metrics endpoint path | +| `workhorse.metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the Workhorse metrics scraping | +| `workhorse.metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the Workhorse ServiceMonitor | +| `workhorse.metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the Workhorse ServiceMonitor | +| `workhorse.readinessProbe.initialDelaySeconds` | `0` | Delay before readiness probe is initiated | +| `workhorse.readinessProbe.periodSeconds` | `10` | How often to perform the readiness probe | +| `workhorse.readinessProbe.timeoutSeconds` | `2` | When the readiness probe times out | +| `workhorse.readinessProbe.successThreshold` | `1` | Minimum consecutive successes for the readiness probe to be considered successful after having failed | +| `workhorse.readinessProbe.failureThreshold` | `3` | Minimum consecutive failures for the readiness probe to be considered failed after having succeeded | +| `workhorse.imageScaler.maxProcs` | `2` | The maximum number of image scaling processes that may run concurrently | +| `workhorse.imageScaler.maxFileSizeBytes` | `250000` | The maximum file size in bytes for images to be processed by the scaler | +| `workhorse.tls.verify` | `true` | When set to `true` forces NGINX Ingress to verify the TLS certificate of Workhorse. For custom CA you need to set `workhorse.tls.caSecretName` as well. Must be set to `false` for self-signed certificates. | +| `workhorse.tls.secretName` | `{Release.Name}-workhorse-tls` | The name of the [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) that contains the TLS key and certificate pair. 
This is required when Workhorse TLS is enabled. | +| `workhorse.tls.caSecretName` | | The name of the Secret that contains the CA certificate. This **is not** a [TLS Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets), and must have only `ca.crt` key. This is used for TLS verification by NGINX. | +| `webServer` | `puma` | Selects web server (Webservice/Puma) that would be used for request handling | +| `priorityClassName` | `""` | Allow configuring pods `priorityClassName`, this is used to control pod priority in case of eviction | ## Chart configuration examples -### extraEnv +### `extraEnv` `extraEnv` allows you to expose additional environment variables in all containers in the pods. @@ -220,7 +220,7 @@ SOME_KEY=some_value SOME_OTHER_KEY=some_other_value ``` -### extraEnvFrom +### `extraEnvFrom` `extraEnvFrom` allows you to expose additional environment variables from other data sources in all containers in the pods. Subsequent variables can be overridden per [deployment](#deployments-settings). @@ -251,7 +251,7 @@ deployments: # optional: boolean ``` -### image.pullSecrets +### `image.pullSecrets` `pullSecrets` allows you to authenticate to a private registry to pull images for a pod. 
@@ -269,19 +269,19 @@ image: - name: my-secondary-secret-name ``` -### serviceAccount +### `serviceAccount` This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | Map | `{}` | ServiceAccount annotations. | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| +| `annotations` | Map | `{}` | ServiceAccount annotations. | | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | -| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | +| `create` | Boolean | `false` | Indicates whether or not a ServiceAccount should be created. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `name` | String | | Name of the ServiceAccount. If not set, the full chart name is used. | -### tolerations +### `tolerations` `tolerations` allow you schedule pods on tainted worker nodes @@ -299,7 +299,7 @@ tolerations: effect: "NoExecute" ``` -### annotations +### `annotations` `annotations` allows you to add annotations to the Webservice pods. For example: 
@@ -308,7 +308,7 @@ annotations: kubernetes.io/example-annotation: annotation-value ``` -### strategy +### `strategy` `deployment.strategy` allows you to change the deployment update strategy. It defines how the pods will be recreated when deployment is updated. When not provided, the cluster default is used. For example, if you don't want to create extra pods when the rolling update starts and change max unavailable pods to 50%: 
@@ -534,24 +534,24 @@ webservice: ## Ingress settings -| Name | Type | Default | Description | -| :-------------------------------- | :-----: | :------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `ingress.apiVersion` | String | | Value to use in the `apiVersion` field. | -| `ingress.annotations` | Map | See [below](#annotations) | These annotations will be used for every Ingress. For example: `ingress.annotations."nginx\.ingress\.kubernetes\.io/enable-access-log"=true`. | -| `ingress.configureCertmanager` | Boolean | | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`. For more information see the [TLS requirement for GitLab Pages](../../../installation/tls.md). | -| `ingress.enabled` | Boolean | `false` | Setting that controls whether to create Ingress objects for services that support them. When `false`, the `global.ingress.enabled` setting value is used. | -| `ingress.proxyBodySize` | String | `512m` | [See Below](#proxybodysize). | -| `ingress.serviceUpstream` | Boolean | `true` | [See Below](#serviceupstream). | +| Name | Type | Default | Description | +|:----------------------------------|:-------:|:--------------------------|:------------| +| `ingress.apiVersion` | String | | Value to use in the `apiVersion` field. | +| `ingress.annotations` | Map | See [below](#annotations) | These annotations will be used for every Ingress. For example: `ingress.annotations."nginx\.ingress\.kubernetes\.io/enable-access-log"=true`. | +| `ingress.configureCertmanager` | Boolean | | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`. For more information see the [TLS requirement for GitLab Pages](../../../installation/tls.md). 
| +| `ingress.enabled` | Boolean | `false` | Setting that controls whether to create Ingress objects for services that support them. When `false`, the `global.ingress.enabled` setting value is used. | +| `ingress.proxyBodySize` | String | `512m` | [See Below](#proxybodysize). | +| `ingress.serviceUpstream` | Boolean | `true` | [See Below](#serviceupstream). | | `ingress.tls.enabled` | Boolean | `true` | When set to `false`, you disable TLS for GitLab Webservice. This is mainly useful for cases in which you cannot use TLS termination at Ingress-level, like when you have a TLS-terminating proxy before the Ingress Controller. | -| `ingress.tls.secretName` | String | (empty) | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the GitLab URL. When not set, the `global.ingress.tls.secretName` value is used instead. | -| `ingress.tls.smardcardSecretName` | String | (empty) | The name of the Kubernetes TLS SEcret that contains a valid certificate and key for the GitLab smartcard URL if enabled. When not set, the `global.ingress.tls.secretName` value is used instead. | -| `ingress.tls.useGeoClass` | Boolean | false | Override the IngressClass with the Geo Ingress class (`global.geo.ingressClass`). Required for primary Geo sites. | +| `ingress.tls.secretName` | String | (empty) | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the GitLab URL. When not set, the `global.ingress.tls.secretName` value is used instead. | +| `ingress.tls.smardcardSecretName` | String | (empty) | The name of the Kubernetes TLS SEcret that contains a valid certificate and key for the GitLab smartcard URL if enabled. When not set, the `global.ingress.tls.secretName` value is used instead. | +| `ingress.tls.useGeoClass` | Boolean | `false` | Override the IngressClass with the Geo Ingress class (`global.geo.ingressClass`). Required for primary Geo sites. 
| ### annotations `annotations` is used to set annotations on the Webservice Ingress. -### serviceUpstream +### `serviceUpstream` This helps balance traffic to the Webservice pods more evenly by telling NGINX to directly contact the Service itself as the upstream. For more information, see the @@ -566,7 +566,7 @@ gitlab: serviceUpstream: "false" ``` -### proxyBodySize +### `proxyBodySize` `proxyBodySize` is used to set the NGINX proxy maximum body size. This is commonly required to allow a larger Docker image than the default. @@ -644,9 +644,9 @@ minio: port: 9000 ``` -| Name | Type | Default | Description | -| :------------ | :-----: | :---------- | :------------------------------------------------------ | -| `port` | Integer | `9000` | Port number to reach the MinIO `Service` on. | +| Name | Type | Default | Description | +|:--------------|:-------:|:------------|:------------| +| `port` | Integer | `9000` | Port number to reach the MinIO `Service` on. | | `serviceName` | String | `minio-svc` | Name of the `Service` that is exposed by the MinIO pod. | ### Registry 
@@ -666,28 +666,28 @@ registry: key: registry-auth.key ``` -| Name | Type | Default | Description | -| :------------------- | :-----: | :-------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `api.host` | String | | The hostname of the Registry server to use. This can be omitted in lieu of `api.serviceName`. | -| `api.port` | Integer | `5000` | The port on which to connect to the Registry API. | -| `api.protocol` | String | | The protocol Webservice should use to reach the Registry API. | -| `api.serviceName` | String | `registry` | The name of the `service` which is operating the Registry server. If this is present, and `api.host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `api.host` value. This is convenient when using Registry as a part of the overall GitLab chart. | -| `certificate.key` | String | | The name of the `key` in the `Secret` which houses the certificate bundle that will be provided to the [registry](https://hub.docker.com/_/registry/) container as `auth.token.rootcertbundle`. | -| `certificate.secret` | String | | The name of the [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that houses the certificate bundle to be used to verify the tokens created by the GitLab instance(s). | +| Name | Type | Default | Description | +|:---------------------|:-------:|:----------------|:------------| +| `api.host` | String | | The hostname of the Registry server to use. This can be omitted in lieu of `api.serviceName`. | +| `api.port` | Integer | `5000` | The port on which to connect to the Registry API. | +| `api.protocol` | String | | The protocol Webservice should use to reach the Registry API. 
| +| `api.serviceName` | String | `registry` | The name of the `service` which is operating the Registry server. If this is present, and `api.host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `api.host` value. This is convenient when using Registry as a part of the overall GitLab chart. | +| `certificate.key` | String | | The name of the `key` in the `Secret` which houses the certificate bundle that will be provided to the [registry](https://hub.docker.com/_/registry/) container as `auth.token.rootcertbundle`. | +| `certificate.secret` | String | | The name of the [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that houses the certificate bundle to be used to verify the tokens created by the GitLab instance(s). | | `host` | String | | The external hostname to use for providing Docker commands to users in the GitLab UI. Falls back to the value set in the `registry.hostname` template. Which determines the registry hostname based on the values set in `global.hosts`. See the [Globals Documentation](../../globals.md) for more information. | -| `port` | Integer | | The external port used in the hostname. Using port `80` or `443` will result in the URLs being formed with `http`/`https`. Other ports will all use `http` and append the port to the end of hostname, for example `http://registry.example.com:8443`. | -| `tokenIssuer` | String | `gitlab-issuer` | The name of the auth token issuer. This must match the name used in the Registry's configuration, as it incorporated into the token when it is sent. The default of `gitlab-issuer` is the same default we use in the Registry chart. | +| `port` | Integer | | The external port used in the hostname. Using port `80` or `443` will result in the URLs being formed with `http`/`https`. Other ports will all use `http` and append the port to the end of hostname, for example `http://registry.example.com:8443`. 
| +| `tokenIssuer` | String | `gitlab-issuer` | The name of the auth token issuer. This must match the name used in the Registry's configuration, as it incorporated into the token when it is sent. The default of `gitlab-issuer` is the same default we use in the Registry chart. | ## Chart settings The following values are used to configure the Webservice Pods. -| Name | Type | Default | Description | -| :---------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| | `workerProcesses` | Integer | `2` | The number of Webservice workers to run per pod. You must have at least `2` workers available in your cluster in order for GitLab to function properly. Note that increasing the `workerProcesses` will increase the memory required by approximately `400MB` per worker, so you should update the pod `resources` accordingly. | -| `minReplicas` | Integer | `2` | Minimum number of replicas | -| `maxReplicas` | Integer | `10` | Maximum number of replicas | -| `maxUnavailable` | Integer | `1` | Limit of maximum number of Pods to be unavailable | +| `minReplicas` | Integer | `2` | Minimum number of replicas | +| `maxReplicas` | Integer | `10` | Maximum number of replicas | +| `maxUnavailable` | Integer | `1` | Limit of maximum number of Pods to be unavailable | ### Metrics 
@@ -715,10 +715,10 @@ shell: port: ``` -| Name | Type | Default | Description | -| :----------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------ | -| `authToken.key` | String | | Defines the name of the key in the secret (below) that contains the authToken. | -| `authToken.secret` | String | | Defines the name of the Kubernetes `Secret` to pull from. | +| Name | Type | Default | Description | +|:-------------------|:-------:|:--------|:------------| +| `authToken.key` | String | | Defines the name of the key in the secret (below) that contains the authToken. | +| `authToken.secret` | String | | Defines the name of the Kubernetes `Secret` to pull from. | | `port` | Integer | `22` | The port number to use in the generation of SSH URLs within the GitLab UI. Controlled by `global.shell.port`. | ### WebServer options @@ -727,11 +727,11 @@ Current version of chart supports Puma web server. Puma unique options: -| Name | Type | Default | Description | -| :--------------------- | :-----: | :------ | :----------------------------------------------------------- | +| Name | Type | Default | Description | +|:-----------------------|:-------:|:--------|:------------| | `puma.workerMaxMemory` | Integer | | The maximum memory (in megabytes) for the Puma worker killer | -| `puma.threads.min` | Integer | `4` | The minimum amount of Puma threads | -| `puma.threads.max` | Integer | `4` | The maximum amount of Puma threads | +| `puma.threads.min` | Integer | `4` | The minimum amount of Puma threads | +| `puma.threads.max` | Integer | `4` | The maximum amount of Puma threads | ## Configuring the `networkpolicy` 
@@ -740,12 +740,12 @@ This section controls the This configuration is optional and is used to limit Egress and Ingress of the Pods to specific endpoints. -| Name | Type | Default | Description | -| :---------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` | -| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | -| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | -| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` | +| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | +| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | +| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | | `egress.rules` | Array | `[]` | Rules for the egress policy, these for details see and the example below | ### Example Network Policy 
@@ -880,7 +880,7 @@ networkpolicy: protocol: UDP ``` -### LoadBalancer Service +### `LoadBalancer` service If the `service.type` is set to `LoadBalancer`, you can optionally specify `service.loadBalancerIP` to create the `LoadBalancer` with a user-specified IP (if your cloud provider supports it). 
@@ -916,15 +916,15 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 045ff66de9..a2576e6fa0 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -129,33 +129,33 @@ global: The GitLab global host settings for HPA are located under the `global.hpa` key: -| Name | Type | Default | Description | -| :----------- | :-------: | :------ | :-------------------------------------------------------------------- | -| `apiVersion` | String | | API version to use in the `HorizontalPodAutoscaler` object definitions. | +| Name | Type | Default | Description | +|:-------------|:------:|:--------|:------------| +| `apiVersion` | String | | API version to use in the `HorizontalPodAutoscaler` object definitions. | ## Configure `PodDisruptionBudget` settings The GitLab global host settings for PDB are located under the `global.pdb` key: -| Name | Type | Default | Description | -| :----------- | :-------: | :------ | :-------------------------------------------------------------------- | -| `apiVersion` | String | | API version to use in the `PodDisruptionBudget` object definitions. | +| Name | Type | Default | Description | +|:-------------|:------:|:--------|:------------| +| `apiVersion` | String | | API version to use in the `PodDisruptionBudget` object definitions. | ## Configure `CronJob` settings The GitLab global host settings for `CronJobs` are located under the `global.batch.cronJob` key: -| Name | Type | Default | Description | -| :----------- | :-------: | :------ | :-------------------------------------------------------------------- | -| `apiVersion` | String | | API version to use in the `CronJob` object definitions. | +| Name | Type | Default | Description | +|:-------------|:------:|:--------|:------------| +| `apiVersion` | String | | API version to use in the `CronJob` object definitions. 
| ## Configure Monitoring settings The GitLab global settings for `ServiceMonitors` and `PodMonitors` are located under the `global.monitoring` key: -| Name | Type | Default | Description | -| :----------- | :-------: | :------ | :-------------------------------------------------------------------- | -| `enabled` | Boolean | `false` | Enable monitoring resources regardless of the availability of the `monitoring.coreos.com/v1` API. | +| Name | Type | Default | Description | +|:----------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Enable monitoring resources regardless of the availability of the `monitoring.coreos.com/v1` API. | ## Configure Ingress settings @@ -367,12 +367,12 @@ global: serverCA: server-ca.pem # Secret key containing the CA for the database server ``` -| Name | Type | Default | Description | -|:----------------- |:-------:|:------- |:----------- | -| `secret` | String | | Name of the Kubernetes `Secret` containing the following keys | -| `clientCertificate` | String | | Name of the key within the `Secret` containing the client certificate. | -| `clientKey` | String | | Name of the key within the `Secret` containing the client certificate's key file. | -| `serverCA` | String | | Name of the key within the `Secret` containing the certificate authority for the server. | +| Name | Type | Default | Description | +|:--------------------|:------:|:--------|:------------| +| `secret` | String | | Name of the Kubernetes `Secret` containing the following keys | +| `clientCertificate` | String | | Name of the key within the `Secret` containing the client certificate. | +| `clientKey` | String | | Name of the key within the `Secret` containing the client certificate's key file. | +| `serverCA` | String | | Name of the key within the `Secret` containing the certificate authority for the server. | You may also need to set `extraEnv` values to export environment values to point to the correct keys. 
@@ -481,20 +481,20 @@ global: scheme: ``` -| Name | Type | Default | Description | -|:------------------ |:-------:|:------- |:----------- | -| `connectTimeout` | Integer | | The number of seconds to wait for a Redis connection. If no value specified, the client defaults to 1 second. | -| `readTimeout` | Integer | | The number of seconds to wait for a Redis read. If no value is specified, the client defaults to 1 second. | -| `writeTimeout` | Integer | | The number of seconds to wait for a Redis write. If no value is specified, the client defaults to 1 second. | -| `host` | String | | The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName`. | -| `serviceName` | String | `redis` | The name of the `service` which is operating the Redis database. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Redis as a part of the overall GitLab chart. | -| `port` | Integer | `6379` | The port on which to connect to the Redis server. | -| `database` | Integer | `0` | The database to connect to on the Redis server. | -| `user` | String | | The user used to authenticate against Redis (Redis 6.0+). | -| `auth.enabled` | Boolean | `true` | The `auth.enabled` provides a toggle for using a password with the Redis instance. | -| `auth.key` | String | | The `auth.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | -| `auth.secret` | String | | The `auth.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | -| `scheme` | String | `redis` | The URI scheme to be used to generate Redis URLs. Valid values are `redis`, `rediss`, and `tcp`. If using `rediss` (SSL encrypted connection) scheme, the certificate used by the server should be a part of the system's trusted chains. 
This can be done by adding them to the [custom certificate authorities](#custom-certificate-authorities) list. | +| Name | Type | Default | Description | +|:-----------------|:-------:|:--------|:------------| +| `connectTimeout` | Integer | | The number of seconds to wait for a Redis connection. If no value specified, the client defaults to 1 second. | +| `readTimeout` | Integer | | The number of seconds to wait for a Redis read. If no value is specified, the client defaults to 1 second. | +| `writeTimeout` | Integer | | The number of seconds to wait for a Redis write. If no value is specified, the client defaults to 1 second. | +| `host` | String | | The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName`. | +| `serviceName` | String | `redis` | The name of the `service` which is operating the Redis database. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Redis as a part of the overall GitLab chart. | +| `port` | Integer | `6379` | The port on which to connect to the Redis server. | +| `database` | Integer | `0` | The database to connect to on the Redis server. | +| `user` | String | | The user used to authenticate against Redis (Redis 6.0+). | +| `auth.enabled` | Boolean | `true` | The `auth.enabled` provides a toggle for using a password with the Redis instance. | +| `auth.key` | String | | The `auth.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | +| `auth.secret` | String | | The `auth.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | +| `scheme` | String | `redis` | The URI scheme to be used to generate Redis URLs. Valid values are `redis`, `rediss`, and `tcp`. 
If using `rediss` (SSL encrypted connection) scheme, the certificate used by the server should be a part of the system's trusted chains. This can be done by adding them to the [custom certificate authorities](#custom-certificate-authorities) list. | ### Configure Redis chart-specific settings @@ -549,11 +549,11 @@ global: key: redis-password ``` -| Name | Type | Default | Description | -|:------------------ |:-------:|:------- |:----------- | -| `host` | String | | The `host` attribute needs to be set to the cluster name as specified in the `sentinel.conf`.| -| `sentinels.[].host`| String | | The hostname of Redis Sentinel server for a Redis HA setup. | -| `sentinels.[].port`| Integer | `26379` | The port on which to connect to the Redis Sentinel server. | +| Name | Type | Default | Description | +|:--------------------|:-------:|:--------|:------------| +| `host` | String | | The `host` attribute needs to be set to the cluster name as specified in the `sentinel.conf`. | +| `sentinels.[].host` | String | | The hostname of Redis Sentinel server for a Redis HA setup. | +| `sentinels.[].port` | Integer | `26379` | The port on which to connect to the Redis Sentinel server. | All the prior Redis attributes in the general [configure Redis settings](#configure-redis-settings) continue to apply with the Sentinel support unless re-specified in the table above. 
@@ -589,11 +589,11 @@ global: key: sentinel-password ``` -| Name | Type | Default | Description | -|:-------------------------- |:----------:|:------- |:----------- | -| `sentinelAuth.enabled` | Boolean | `false` | The `sentinelAuth.enabled` provides a toggle for using a password with the Redis Sentinel instance. | -| `sentinelAuth.key` | String | | The `sentinelAuth.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | -| `sentinelAuth.secret` | String | | The `sentinelAuth.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | +| Name | Type | Default | Description | +|:-----------------------|:-------:|:--------|:------------| +| `sentinelAuth.enabled` | Boolean | `false` | The `sentinelAuth.enabled` provides a toggle for using a password with the Redis Sentinel instance. | +| `sentinelAuth.key` | String | | The `sentinelAuth.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | +| `sentinelAuth.secret` | String | | The `sentinelAuth.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | `global.redis.sentinelAuth` can be used to configure a Sentinel password for all Sentinel instances. 
@@ -716,13 +716,13 @@ global: The following table describes the attributes for each dictionary of the Redis instances. -| Name | Type | Default | Description | -|:------------------ |:-------:|:------- |:----------- | -| `.host` | String | | The hostname of the Redis server with the database to use. | -| `.port` | Integer | `6379` | The port on which to connect to the Redis server. | -| `.password.enabled`| Boolean | `true` | The `password.enabled` provides a toggle for using a password with the Redis instance. | -| `.password.key` | String | | The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | -| `.password.secret` | String | | The `password.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | +| Name | Type | Default | Description | +|:--------------------|:-------:|:--------|:------------| +| `.host` | String | | The hostname of the Redis server with the database to use. | +| `.port` | Integer | `6379` | The port on which to connect to the Redis server. | +| `.password.enabled` | Boolean | `true` | The `password.enabled` provides a toggle for using a password with the Redis instance. | +| `.password.key` | String | | The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. | +| `.password.secret` | String | | The `password.secret` attribute for Redis defines the name of the Kubernetes `Secret` to pull from. | The primary Redis definition is required as there are additional persistence classes that have not been separated. @@ -788,7 +788,6 @@ global: serviceName: registry port: 5000 tokenIssuer: gitlab-issuer - ``` For more details on `bucket`, `certificate`, `httpSecret`, and `notificationSecret` settings, see the documentation within the [registry chart](registry/_index.md). 
@@ -797,7 +796,7 @@ For details on `enabled`, `host`, `api` and `tokenIssuer` see documentation for `host` is used to override autogenerated external registry hostname reference. -### notifications +### `notifications` This setting is used to configure [Registry notifications](https://distribution.github.io/distribution/about/notifications/). @@ -878,7 +877,7 @@ The Gitaly authentication token is expected to be identical for all Gitaly services at this time, internal or external. Ensure these are aligned. See [issue #1992](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1992) for further details. -#### Internal +#### `internal` The `internal` key currently consists of only one key, `names`, which is a list of [storage names](https://docs.gitlab.com/administration/repository_storage_paths/) @@ -900,7 +899,7 @@ by re-adding a node to the `names` list. A sample [configuration of multiple internal nodes](https://gitlab.com/gitlab-org/charts/gitlab/blob/master/examples/gitaly/values-multiple-internal.yaml) can be found in the examples folder. -#### External +#### `external` The `external` key provides a configuration for Gitaly nodes external to the cluster. Each item of this list has 3 keys: 
@@ -941,8 +940,8 @@ All Gitaly nodes **must** share the same authentication token. ### Deprecated Gitaly settings -| Name | Type | Default | Description | -|:---------------------------- |:-------:|:------- |:----------- | +| Name | Type | Default | Description | +|:-----------------------------|:-------:|:--------|:------------| | `host` *(deprecated)* | String | | The hostname of the Gitaly server to use. This can be omitted in lieu of `serviceName`. If this setting is used, it will override any values of `internal` or `external`. | | `port` *(deprecated)* | Integer | `8075` | The port on which to connect to the Gitaly server. | | `serviceName` *(deprecated)* | String | | The name of the `service` which is operating the Gitaly server. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Gitaly as a part of the overall GitLab chart. | @@ -1161,8 +1160,8 @@ global: The `appConfig` settings that can be used to tweak the general properties of the Rails application are described below: -| Name | Type | Default | Description | -|:----------------------------------- |:-------:|:------- |:----------- | +| Name | Type | Default | Description | +|:------------------------------------|:-------:|:--------|:------------| | `cdnHost` | String | (empty) | Sets a base URL for a CDN to serve static assets (for example, `https://mycdnsubdomain.fictional-cdn.com`). | | `contentSecurityPolicy` | Struct | | [See below](#content-security-policy). | | `enableUsagePing` | Boolean | `true` | A flag to disable the [usage ping support](https://docs.gitlab.com/administration/settings/usage_statistics/). | 
@@ -1234,8 +1233,8 @@ defaultProjectsFeatures: By default, the charts work with Gravatar avatar service available at gravatar.com. However, a custom Libravatar service can also be used if needed: -| Name | Type | Default | Description | -|:------------------- |:------:|:------- |:----------- | +| Name | Type | Default | Description | +|:--------------------|:------:|:--------|:------------| | `gravatar.plainURL` | String | (empty) | [HTTP URL to Libravatar instance (instead of using gravatar.com)](https://docs.gitlab.com/administration/libravatar/). | | `gravatar.sslUrl` | String | (empty) | [HTTPS URL to Libravatar instance (instead of using gravatar.com)](https://docs.gitlab.com/administration/libravatar/). | 
@@ -1271,17 +1270,17 @@ are not individually configured with a `connection` property. key: ``` -| Name | Type | Default | Description | -|:---------------- |:-------:|:------- |:----------- | -| `enabled` | Boolean | `false` | Enable the use of consolidated object storage. | -| `proxy_download` | Boolean | `true` | Enable proxy of all downloads via GitLab, in place of direct downloads from the `bucket`. | -| `storage_options`| String | `{}` | [See below](#storage_options). | -| `connection` | String | `{}` | [See below](#connection). | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Enable the use of consolidated object storage. | +| `proxy_download` | Boolean | `true` | Enable proxy of all downloads via GitLab, in place of direct downloads from the `bucket`. | +| `storage_options` | String | `{}` | [See below](#storage_options). | +| `connection` | String | `{}` | [See below](#connection). | The property structure is shared, and all properties here can be overridden by the individual items below. The `connection` property structure is identical. -**Notice:** The `bucket`, `enabled`, and `proxy_download` properties are the only properties that must be +**Notice**: The `bucket`, `enabled`, and `proxy_download` properties are the only properties that must be configured on a per-item level (`global.appConfig.artifacts.bucket`, ...) if you wish to deviate from the default values. 
@@ -1363,12 +1362,12 @@ as they are structurally identical aside from the default value of the `bucket` key: ``` -| Name | Type | Default | Description | -|:---------------- |:-------:|:------- |:----------- | -| `enabled` | Boolean | Defaults to `true` for LFS, artifacts, uploads, and packages | Enable the use of these features with object storage. | -| `proxy_download` | Boolean | `true` | Enable proxy of all downloads via GitLab, in place of direct downloads from the `bucket`. | -| `bucket` | String | Various | Name of the bucket to use from object storage provider. Default will be `git-lfs`, `gitlab-artifacts`, `gitlab-uploads`, or `gitlab-packages`, depending on the service. | -| `connection` | String | `{}` | [See below](#connection). | +| Name | Type | Default | Description | +|:-----------------|:-------:|:-------------------------------------------------------------|:------------| +| `enabled` | Boolean | Defaults to `true` for LFS, artifacts, uploads, and packages | Enable the use of these features with object storage. | +| `proxy_download` | Boolean | `true` | Enable proxy of all downloads via GitLab, in place of direct downloads from the `bucket`. | +| `bucket` | String | Various | Name of the bucket to use from object storage provider. Default will be `git-lfs`, `gitlab-artifacts`, `gitlab-uploads`, or `gitlab-packages`, depending on the service. | +| `connection` | String | `{}` | [See below](#connection). | #### `connection` @@ -1649,7 +1648,7 @@ for deployed pods. The `gitlab-base` container is now used for this operation, w See [Custom Certificate Authorities](#custom-certificate-authorities) for more info. -### DuoAuth +### `duoAuth` Use these settings to enable [two-factor authentication (2FA) with GitLab Duo](https://docs.gitlab.com/user/profile/account/two_factor_authentication/#enable-one-time-password). 
@@ -1722,7 +1721,7 @@ omniauth: | `syncProfileAttributes` | | `['email']` | | `syncProfileFromProvider` | | `[]` | -#### providers +#### `providers` `providers` is presented as an array of maps that are used to populate `gitlab.yml` as when installed from source. See GitLab documentation for the available selection @@ -1736,7 +1735,7 @@ This property has two sub-keys: `secret` and `key`: Defaults to `provider` Alternatively, if the provider has no other configuration than its name, you may -use a second form with only a 'name' attribute, and optionally a `label` or +use a second form with only a `name` attribute, and optionally a `label` or `icon` attribute. The eligible providers are: - [`group_saml`](https://docs.gitlab.com/integration/saml/#configure-group-saml-sso-on-a-self-managed-instance) @@ -2401,7 +2400,7 @@ global: SOME_OTHER_KEY: some_other_value ``` -## extraEnvFrom +## `extraEnvFrom` `extraEnvFrom` allows to expose additional environment variables from other data sources in all containers in the pods. Extra environment variables can be set up at `global` level (`global.extraEnvFrom`) diff --git a/doc/charts/minio/_index.md b/doc/charts/minio/_index.md index 3e76019db4..a015e7344a 100644 --- a/doc/charts/minio/_index.md +++ b/doc/charts/minio/_index.md 
@@ -66,53 +66,53 @@ minio: The table below contains all the possible charts configurations that can be supplied to the `helm install` command using the `--set` flags: -| Parameter | Default | Description | -|----------------------------------------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------| -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| Parameter | Default | Description | +|----------------------------------------------------------|--------------------------------|-------------| +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. 
| +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | | `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `defaultBuckets` | `[{"name": "registry"}]` | MinIO default buckets | -| `deployment.strategy` | { `type`: `Recreate` } | Allows one to configure the update strategy utilized by the deployment | -| `image` | `minio/minio` | MinIO image | -| `imagePullPolicy` | `Always` | MinIO image pull policy | -| `imageTag` | `RELEASE.2017-12-28T01-21-00Z` | MinIO image tag | -| `minioConfig.browser` | `on` | MinIO browser flag | -| `minioConfig.domain` | | MinIO domain | -| `minioConfig.region` | `us-east-1` | MinIO region | -| `minioMc.image` | `minio/mc` | MinIO mc image | -| `minioMc.tag` | `latest` | MinIO mc image tag | -| `mountPath` | `/export` | MinIO configuration file mount path | -| `persistence.accessMode` | `ReadWriteOnce` | MinIO persistence access mode | -| `persistence.annotations` | | MinIO PersistentVolumeClaim annotations | -| `persistence.enabled` | `true` | MinIO enable persistence flag | -| `persistence.matchExpressions` | | MinIO label-expression matches to bind | -| `persistence.matchLabels` | | MinIO label-value matches to bind | -| `persistence.size` | `10Gi` | MinIO persistence volume size | -| `persistence.storageClass` | | MinIO storageClassName for provisioning | -| `persistence.subPath` | | MinIO persistence volume mount path | -| `persistence.volumeName` | | MinIO existing persistent volume name | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to 
pods. | -| `pullSecrets` | | Secrets for the image repository | -| `resources.requests.cpu` | `250m` | MinIO minimum CPU requested | -| `resources.requests.memory` | `256Mi` | MinIO minimum memory requested | -| `securityContext.fsGroup` | `1000` | Group ID to start the pod with | -| `securityContext.runAsUser` | `1000` | User ID to start the pod with | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | -| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `servicePort` | `9000` | MinIO service port | -| `serviceType` | `ClusterIP` | MinIO service type | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `jobAnnotations` | `{}` | Annotations for the job spec | +| `defaultBuckets` | `[{"name": "registry"}]` | MinIO default buckets | +| `deployment.strategy` | ``{ `type`: `Recreate` }`` | Allows one to configure the update strategy utilized by the deployment | +| `image` | `minio/minio` | MinIO image | +| `imagePullPolicy` | `Always` | MinIO image pull policy | +| `imageTag` | `RELEASE.2017-12-28T01-21-00Z` | MinIO image tag | +| `minioConfig.browser` | `on` | MinIO browser flag | +| 
`minioConfig.domain` | | MinIO domain | +| `minioConfig.region` | `us-east-1` | MinIO region | +| `minioMc.image` | `minio/mc` | MinIO mc image | +| `minioMc.tag` | `latest` | MinIO mc image tag | +| `mountPath` | `/export` | MinIO configuration file mount path | +| `persistence.accessMode` | `ReadWriteOnce` | MinIO persistence access mode | +| `persistence.annotations` | | MinIO PersistentVolumeClaim annotations | +| `persistence.enabled` | `true` | MinIO enable persistence flag | +| `persistence.matchExpressions` | | MinIO label-expression matches to bind | +| `persistence.matchLabels` | | MinIO label-value matches to bind | +| `persistence.size` | `10Gi` | MinIO persistence volume size | +| `persistence.storageClass` | | MinIO storageClassName for provisioning | +| `persistence.subPath` | | MinIO persistence volume mount path | +| `persistence.volumeName` | | MinIO existing persistent volume name | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| +| `pullSecrets` | | Secrets for the image repository | +| `resources.requests.cpu` | `250m` | MinIO minimum CPU requested | +| `resources.requests.memory` | `256Mi` | MinIO minimum memory requested | +| `securityContext.fsGroup` | `1000` | Group ID to start the pod with | +| `securityContext.runAsUser` | `1000` | User ID to start the pod with | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `servicePort` | `9000` | MinIO service port | +| `serviceType` | `ClusterIP` | MinIO service type | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `jobAnnotations` | `{}` | Annotations for the job spec | ## Chart configuration examples -### pullSecrets +### `pullSecrets` `pullSecrets` allows you to authenticate to a private registry to pull images for a pod. 
@@ -130,15 +130,15 @@ pullSecrets: - name: my-secondary-secret-name ``` -### serviceAccount +### `serviceAccount` This section controls if the default ServiceAccount access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -### tolerations +### `tolerations` `tolerations` allow you schedule pods on tainted worker nodes @@ -165,7 +165,7 @@ the first setting you should decide on is `enabled:`. By default, MinIO is enabled out of the box, but is not recommended for production use. When you are ready to disable it, run `--set global.minio.enabled: false`. -## Configure the initContainer +## Configure the `initContainer` While rarely altered, the `initContainer` behaviors can be changed via the following items: 
@@ -205,14 +205,14 @@ to provide the `config.json` to the [MinIO](https://min.io) server. These settings control the MinIO Ingress. -| Name | Type | Default | Description | -|:---------------- |:-------:|:------- |:----------- | -| `apiVersion` | String | | Value to use in the `apiVersion` field. | -| `annotations` | String | | This field is an exact match to the standard `annotations` for [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). | -| `enabled` | Boolean | `false` | Setting that controls whether to create Ingress objects for services that support them. When `false` the `global.ingress.enabled` setting is used. | -| `configureCertmanager` | Boolean | | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`.. For more information see the [TLS requirement for GitLab Pages](../../installation/tls.md). | -| `tls.enabled` | Boolean | `true` | When set to `false`, you disable TLS for MinIO. This is mainly useful when you cannot use TLS termination at Ingress-level, like when you have a TLS-terminating proxy before the Ingress Controller. | -| `tls.secretName` | String | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the MinIO URL. When not set, the `global.ingress.tls.secretName` is used instead. | +| Name | Type | Default | Description | +|:-----------------------|:-------:|:--------|:------------| +| `apiVersion` | String | | Value to use in the `apiVersion` field. | +| `annotations` | String | | This field is an exact match to the standard `annotations` for [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). | +| `enabled` | Boolean | `false` | Setting that controls whether to create Ingress objects for services that support them. When `false` the `global.ingress.enabled` setting is used. 
| +| `configureCertmanager` | Boolean | | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`.. For more information see the [TLS requirement for GitLab Pages](../../installation/tls.md). | +| `tls.enabled` | Boolean | `true` | When set to `false`, you disable TLS for MinIO. This is mainly useful when you cannot use TLS termination at Ingress-level, like when you have a TLS-terminating proxy before the Ingress Controller. | +| `tls.secretName` | String | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the MinIO URL. When not set, the `global.ingress.tls.secretName` is used instead. | ## Configuring the image 
@@ -238,13 +238,13 @@ persistence: matchExpressions: ``` -| Name | Type | Default | Description | -|:------------------ |:-------:|:------- |:----------- | -| `volumeName` | String | `false` | When `volumeName` is provided, the `PersistentVolumeClaim` will use the provided `PersistentVolume` by name, in place of creating a `PersistentVolume` dynamically. This overrides the upstream behavior. | -| `matchLabels` | Map | `true` | Accepts a Map of label names and label values to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). | -| `matchExpressions` | Array | | Accepts an array of label condition objects to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). | +| Name | Type | Default | Description | +|:-------------------|:------:|:--------|:------------| +| `volumeName` | String | `false` | When `volumeName` is provided, the `PersistentVolumeClaim` will use the provided `PersistentVolume` by name, in place of creating a `PersistentVolume` dynamically. This overrides the upstream behavior. | +| `matchLabels` | Map | `true` | Accepts a Map of label names and label values to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). | +| `matchExpressions` | Array | | Accepts an array of label condition objects to match against when choosing a volume to bind. This is used in the `PersistentVolumeClaim` `selector` section. See the [volumes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector). 
| -## defaultBuckets +## `defaultBuckets` `defaultBuckets` provides a mechanism to automatically create buckets on the MinIO pod at *installation*. This property contains an array of items, each with up to three 
@@ -260,9 +260,9 @@ defaultBuckets: policy: download ``` -| Name | Type | Default | Description | -|:-------- |:-------:|:--------|:------------| -| `name` | String | | The name of the bucket that is created. The provided value should conform to [AWS bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html), meaning that it should be compliant with DNS and contain only the characters a-z, 0-9, and – (hyphen) in strings between 3 and 63 characters in length. The `name` property is _required_ for all entries. | +| Name | Type | Default | Description | +|:---------|:-------:|:--------|:------------| +| `name` | String | | The name of the bucket that is created. The provided value should conform to [AWS bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html), meaning that it should be compliant with DNS and contain only the characters a-z, 0-9, and - (hyphen) in strings between 3 and 63 characters in length. The `name` property is _required_ for all entries. | | `policy` | | `none` | The value of `policy` controls the access policy of the bucket on MinIO. The `policy` property is not required, and the default value is `none`. In regards to **anonymous** access, possible values are: `none` (no anonymous access), `download` (anonymous read-only access), `upload` (anonymous write-only access) or `public` (anonymous read/write access). | | `purge` | Boolean | | The `purge` property is provided as a means to cause any existing bucket to be removed with force, at installation time. This only comes into play when using a pre-existing `PersistentVolume` for the volumeName property of [persistence](#persistence). If you make use of a dynamically created `PersistentVolume`, this will have no valuable effect as it only happens at chart installation and there will be no data in the `PersistentVolume` that was just created. 
This property is not required, but you may specify this property with a value of `true` in order to cause a bucket to purged with force `mc rm -r --force`. | diff --git a/doc/charts/registry/_index.md b/doc/charts/registry/_index.md index c588da3e46..72d3e32d12 100644 --- a/doc/charts/registry/_index.md +++ b/doc/charts/registry/_index.md 
@@ -151,202 +151,202 @@ If you chose to deploy this chart as a standalone, remove the `registry` at the ## Installation parameters -| Parameter | Default | Description | -| -------------------------------------------------------- | -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | | Pod annotations | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) | -| `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) | -| `certificate.secret` | `gitlab-registry` | JWT certificate | -| `debug.addr.port` | `5001` | Debug port | -| `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) | -| `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. 
| -| `debug.prometheus.enabled` | `false` | **DEPRECATED** Use `metrics.enabled` | -| `debug.prometheus.path` | `""` | **DEPRECATED** Use `metrics.path` | -| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | -| `draintimeout` | `'0'` | Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'`) | -| `relativeurls` | `false` | Enable the registry to return relative URLs in Location headers. 
| -| `enabled` | `true` | Enable registry flag | -| `extraContainers` | | Multiline literal style string containing a list of containers to include | -| `extraInitContainers` | | List of extra init containers to include | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `Utilization` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | `75` | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.minReplicas` | `2` | Minimum number of replicas | -| `hpa.maxReplicas` | `10` | Maximum number of replicas | -| `httpSecret` | | Https secret | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `image.pullPolicy` | | Pull policy for the registry image | -| `image.pullSecrets` | | Secrets to use for image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry` | Registry image | -| `image.tag` | `v4.15.2-gitlab` | Version of the image to use | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | initContainer specific 
[securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | -| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | -| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | -| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from 
`hpa.cpu` and `hpa.memory` | -| `log` | `{level: info, fields: {service: registry}}` | Configure the logging options | -| `minio.bucket` | `global.registry.bucket` | Legacy registry bucket name | -| `maintenance.readonly.enabled` | `false` | Enable registry's read-only mode | -| `maintenance.uploadpurging.enabled` | `true` | Enable upload purging | -| `maintenance.uploadpurging.age` | `168h` | Purge uploads older than the specified age | -| `maintenance.uploadpurging.interval` | `24h` | Frequency at which upload purging is performed | -| `maintenance.uploadpurging.dryrun` | `false` | Only list which uploads will be purged without deleting | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | -| `reporting.sentry.enabled` | `false` | Enable reporting using Sentry | -| `reporting.sentry.dsn` | | The Sentry DSN (Data Source Name) | -| `reporting.sentry.environment` | | The Sentry [environment](https://docs.sentry.io/concepts/key-terms/environments/) | -| `profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver | -| `profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials | -| `profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored | -| `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under | -| `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to | -| `database.configure` | `false` | Populate database configuration in the registry chart without enabling it. Required when [migrating an existing registry](metadata_database.md#existing-registries). | -| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. 
| -| `database.host` | `global.psql.host` | The database server hostname. | -| `database.port` | `global.psql.port` | The database server port. | -| `database.user` | | The database username. | -| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. | -| `database.password.key` | `password` | Secret key in which the database password is stored. | -| `database.name` | | The database name. | -| `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. | -| `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret. | -| `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. | -| `database.ssl.clientKey` | `global.psql.ssl.clientKey` | The key inside the secret referring the client key. | -| `database.ssl.serverCA` | `global.psql.ssl.serverCA` | The key inside the secret referring the certificate authority (CA). | -| `database.connecttimeout` | `0` | Maximum time to wait for a connection. Zero or not specified means waiting indefinitely. | -| `database.draintimeout` | `0` | Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely. | -| `database.preparedstatements` | `false` | Enable prepared statements. Disabled by default for compatibility with PgBouncer. | -| `database.primary` | `false` | Target primary database server. This is used to specify a dedicated FQDN to target when running registry `database.migrations`. The `host` will be used to run `database.migrations` when not specified. | -| `database.pool.maxidle` | `0` | The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. 
Zero or not specified means no idle connections. | -| `database.pool.maxopen` | `0` | The maximum number of open connections to the database. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections. | -| `database.pool.maxlifetime` | `0` | The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse. | -| `database.pool.maxidletime` | `0` | The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration. | -| `database.loadBalancing.enabled` | `false` | Enable database load balancing. This is an experimental feature and must not be used in production environments. | -| `database.loadBalancing.nameserver.host` | `localhost` | The host of the nameserver to use for looking up the DNS record. | -| `database.loadBalancing.nameserver.port` | `8600` | The port of the nameserver to use for looking up the DNS record. | -| `database.loadBalancing.record` | | The SRV record to look up. This option is required for service discovery to work. | -| `database.loadBalancing.replicaCheckInterval` | `1m` | The minimum amount of time between checking the status of a replica. | -| `database.migrations.enabled` | `true` | Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods. | -| `database.migrations.activeDeadlineSeconds` | `3600` | Set the [activeDeadlineSeconds](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | -| `database.migrations.annotations` | `{}` | Additional annotations to add to the migrations job. 
| -| `database.migrations.backoffLimit` | `6` | Set the [backoffLimit](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | +| Parameter | Default | Description | +|----------------------------------------------------------|----------------------------------------------------------------------|-------------| +| `annotations` | | Pod annotations | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | +| `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) | +| `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) | +| `certificate.secret` | `gitlab-registry` | JWT certificate | +| `debug.addr.port` | `5001` | Debug port | +| `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) | +| `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. 
| +| `debug.prometheus.enabled` | `false` | **DEPRECATED** Use `metrics.enabled` | +| `debug.prometheus.path` | `""` | **DEPRECATED** Use `metrics.path` | +| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | +| `draintimeout` | `'0'` | Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'`) | +| `relativeurls` | `false` | Enable the registry to return relative URLs in Location headers. 
| +| `enabled` | `true` | Enable registry flag | +| `extraContainers` | | Multiline literal style string containing a list of containers to include | +| `extraInitContainers` | | List of extra init containers to include | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `Utilization` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | `75` | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.minReplicas` | `2` | Minimum number of replicas | +| `hpa.maxReplicas` | `10` | Maximum number of replicas | +| `httpSecret` | | Https secret | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `image.pullPolicy` | | Pull policy for the registry image | +| `image.pullSecrets` | | Secrets to use for image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry` | Registry image | +| `image.tag` | `v4.15.2-gitlab` | Version of the image to use | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer specific 
[securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `init.containerSecurityContext.runAsUser` | `1000` | initContainer specific: User ID under which the container should be started | +| `init.containerSecurityContext.allowPrivilegeEscalation` | `false` | initContainer specific: Controls whether a process can gain more privileges than its parent process | +| `init.containerSecurityContext.runAsNonRoot` | `true` | initContainer specific: Controls whether the container runs with a non-root user | +| `init.containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | initContainer specific: Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the container | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from 
`hpa.cpu` and `hpa.memory` | +| `log` | `{level: info, fields: {service: registry}}` | Configure the logging options | +| `minio.bucket` | `global.registry.bucket` | Legacy registry bucket name | +| `maintenance.readonly.enabled` | `false` | Enable registry's read-only mode | +| `maintenance.uploadpurging.enabled` | `true` | Enable upload purging | +| `maintenance.uploadpurging.age` | `168h` | Purge uploads older than the specified age | +| `maintenance.uploadpurging.interval` | `24h` | Frequency at which upload purging is performed | +| `maintenance.uploadpurging.dryrun` | `false` | Only list which uploads will be purged without deleting | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| `reporting.sentry.enabled` | `false` | Enable reporting using Sentry | +| `reporting.sentry.dsn` | | The Sentry DSN (Data Source Name) | +| `reporting.sentry.environment` | | The Sentry [environment](https://docs.sentry.io/concepts/key-terms/environments/) | +| `profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver | +| `profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials | +| `profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored | +| `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under | +| `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to | +| `database.configure` | `false` | Populate database configuration in the registry chart without enabling it. Required when [migrating an existing registry](metadata_database.md#existing-registries). | +| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. 
| +| `database.host` | `global.psql.host` | The database server hostname. | +| `database.port` | `global.psql.port` | The database server port. | +| `database.user` | | The database username. | +| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. | +| `database.password.key` | `password` | Secret key in which the database password is stored. | +| `database.name` | | The database name. | +| `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. | +| `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret. | +| `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. | +| `database.ssl.clientKey` | `global.psql.ssl.clientKey` | The key inside the secret referring the client key. | +| `database.ssl.serverCA` | `global.psql.ssl.serverCA` | The key inside the secret referring the certificate authority (CA). | +| `database.connecttimeout` | `0` | Maximum time to wait for a connection. Zero or not specified means waiting indefinitely. | +| `database.draintimeout` | `0` | Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely. | +| `database.preparedstatements` | `false` | Enable prepared statements. Disabled by default for compatibility with PgBouncer. | +| `database.primary` | `false` | Target primary database server. This is used to specify a dedicated FQDN to target when running registry `database.migrations`. The `host` will be used to run `database.migrations` when not specified. | +| `database.pool.maxidle` | `0` | The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. 
Zero or not specified means no idle connections. | +| `database.pool.maxopen` | `0` | The maximum number of open connections to the database. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections. | +| `database.pool.maxlifetime` | `0` | The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse. | +| `database.pool.maxidletime` | `0` | The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration. | +| `database.loadBalancing.enabled` | `false` | Enable database load balancing. This is an experimental feature and must not be used in production environments. | +| `database.loadBalancing.nameserver.host` | `localhost` | The host of the nameserver to use for looking up the DNS record. | +| `database.loadBalancing.nameserver.port` | `8600` | The port of the nameserver to use for looking up the DNS record. | +| `database.loadBalancing.record` | | The SRV record to look up. This option is required for service discovery to work. | +| `database.loadBalancing.replicaCheckInterval` | `1m` | The minimum amount of time between checking the status of a replica. | +| `database.migrations.enabled` | `true` | Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods. | +| `database.migrations.activeDeadlineSeconds` | `3600` | Set the [activeDeadlineSeconds](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | +| `database.migrations.annotations` | `{}` | Additional annotations to add to the migrations job. 
| +| `database.migrations.backoffLimit` | `6` | Set the [backoffLimit](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | | `database.backgroundMigrations.enabled` | `false` | Enable background migrations for the database. This is an experimental feature for the Registry metadata database. Do not use in production. See the [specification](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/spec/gitlab/database-background-migrations.md?ref_type=heads) for a detailed explanation of how it works. | -| `database.backgroundMigrations.jobInterval` | | The sleep interval between each background migration job worker run. When not specified [a default value is set by the registry](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#backgroundmigrations). | -| `database.backgroundMigrations.maxJobRetries` | | The maximum number of retries for a failed background migration job. When not specified [a default value is set by the registry](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#backgroundmigrations). | -| `gc.disabled` | `true` | When set to `true`, the online GC workers are disabled. | -| `gc.maxbackoff` | `24h` | The maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless `gc.noidlebackoff` is `true`. Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added. | -| `gc.noidlebackoff` | `false` | When set to `true`, disables exponential backoffs between worker runs when there are no tasks to be processed. | -| `gc.transactiontimeout` | `10s` | The database transaction timeout for each worker run. Each worker starts a database transaction at the start. 
The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions. | -| `gc.blobs.disabled` | `false` | When set to `true`, the GC worker for blobs is disabled. | -| `gc.blobs.interval` | `5s` | The initial sleep interval between each worker run. | -| `gc.blobs.storagetimeout` | `5s` | The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend. | -| `gc.manifests.disabled` | `false` | When set to `true`, the GC worker for manifests is disabled. | -| `gc.manifests.interval` | `5s` | The initial sleep interval between each worker run. | -| `gc.reviewafter` | `24h` | The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait. | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context user ID under which the container is started | -| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | -| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | -| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | 
-| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | -| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | -| `serviceLabels` | `{}` | Supplemental service labels | -| `tokenService` | `container_registry` | JWT token service | -| `tokenIssuer` | `gitlab-issuer` | JWT token issuer | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `affinity` | `{}` | Affinity rules for pod assignment | -| `middleware.storage` | | configuration layer for midleware storage ([s3 for instance](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#example-middleware-configuration)) | -| `redis.cache.enabled` | `false` | When set to `true`, the Redis cache is enabled. This feature is dependent on the [metadata database](#database) being enabled. Repository metadata will be cached on the configured Redis instance. | -| `redis.cache.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | -| `redis.cache.port` | `6379` | The port of the Redis instance. | -| `redis.cache.sentinels` | `[]` | List sentinels with host and port. | -| `redis.cache.mainname` | | The main server name. Only applicable for Sentinel. | -| `redis.cache.password.enabled` | `false` | Indicates whether the Redis cache used by the Registry is password protected. | -| `redis.cache.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | -| `redis.cache.password.key` | `redis-password` | Secret key in which the Redis password is stored. | -| `redis.cache.sentinelpassword.enabled` | `false` | Indicates whether Redis Sentinels are password protected. 
If `redis.cache.sentinelpassword` is empty, the values from `global.redis.sentinelAuth` are used. Only used when `redis.cache.sentinels` is defined. | -| `redis.cache.sentinelpassword.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis Sentinel password. | -| `redis.cache.sentinelpassword.key` | `redis-sentinel-password` | Secret key in which the Redis Sentinel password is stored. | -| `redis.cache.db` | `0` | The name of the database to use for each connection. | -| `redis.cache.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | -| `redis.cache.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | -| `redis.cache.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | -| `redis.cache.tls.enabled` | `false` | Set to `true` to enable TLS. | -| `redis.cache.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | -| `redis.cache.pool.size` | `10` | The maximum number of socket connections. Default is 10 connections. | -| `redis.cache.pool.maxlifetime` | `1h` | The connection age at which client retires a connection. Default is to not close aged connections. | -| `redis.cache.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | -| `redis.rateLimiting.enabled` | `false` | When set to `true`, the Redis rate limiter is enabled. This feature is under development. | -| `redis.rateLimiting.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | -| `redis.rateLimiting.port` | `6379` | The port of the Redis instance. | -| `redis.rateLimiting.cluster` | `[]` | List of addresses with host and port. | -| `redis.rateLimiting.sentinels` | `[]` | List sentinels with host and port. | -| `redis.rateLimiting.mainname` | | The main server name. Only applicable for Sentinel. 
| -| `redis.rateLimiting.username` | | The username used to connect to the Redis instance. | -| `redis.rateLimiting.password.enabled` | `false` | Indicates whether the Redis instance is password protected. | -| `redis.rateLimiting.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | -| `redis.rateLimiting.password.key` | `redis-password` | Secret key in which the Redis password is stored. | -| `redis.rateLimiting.db` | `0` | The name of the database to use for each connection. | -| `redis.rateLimiting.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | -| `redis.rateLimiting.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | -| `redis.rateLimiting.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | -| `redis.rateLimiting.tls.enabled` | `false` | Set to `true` to enable TLS. | -| `redis.rateLimiting.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | -| `redis.rateLimiting.pool.size` | `10` | The maximum number of socket connections. | -| `redis.rateLimiting.pool.maxlifetime` | `1h` | The connection age at which the client retires a connection. Default is to not close aged connections. | -| `redis.rateLimiting.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | -| `redis.loadBalancing.enabled` | `false` | When set to `true`, the Redis connection for [load balancing](#load-balancing) is enabled. | -| `redis.loadBalancing.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | -| `redis.loadBalancing.port` | `6379` | The port of the Redis instance. | -| `redis.loadBalancing.cluster` | `[]` | List of addresses with host and port. 
| -| `redis.loadBalancing.sentinels` | `[]` | List sentinels with host and port. | -| `redis.loadBalancing.mainname` | | The main server name. Only applicable for Sentinel. | -| `redis.loadBalancing.username` | | The username used to connect to the Redis instance. | -| `redis.loadBalancing.password.enabled` | `false` | Indicates whether the Redis instance is password protected. | -| `redis.loadBalancing.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | -| `redis.loadBalancing.password.key` | `redis-password` | Secret key in which the Redis password is stored. | -| `redis.loadBalancing.db` | `0` | The name of the database to use for each connection. | -| `redis.loadBalancing.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | -| `redis.loadBalancing.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | -| `redis.loadBalancing.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | -| `redis.loadBalancing.tls.enabled` | `false` | Set to `true` to enable TLS. | -| `redis.loadBalancing.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | -| `redis.loadBalancing.pool.size` | `10` | The maximum number of socket connections. | -| `redis.loadBalancing.pool.maxlifetime` | `1h` | The connection age at which the client retires a connection. Default is to not close aged connections. | -| `redis.loadBalancing.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | +| `database.backgroundMigrations.jobInterval` | | The sleep interval between each background migration job worker run. 
When not specified [a default value is set by the registry](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#backgroundmigrations). | +| `database.backgroundMigrations.maxJobRetries` | | The maximum number of retries for a failed background migration job. When not specified [a default value is set by the registry](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md?ref_type=heads#backgroundmigrations). | +| `gc.disabled` | `true` | When set to `true`, the online GC workers are disabled. | +| `gc.maxbackoff` | `24h` | The maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless `gc.noidlebackoff` is `true`. Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added. | +| `gc.noidlebackoff` | `false` | When set to `true`, disables exponential backoffs between worker runs when there are no tasks to be processed. | +| `gc.transactiontimeout` | `10s` | The database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions. | +| `gc.blobs.disabled` | `false` | When set to `true`, the GC worker for blobs is disabled. | +| `gc.blobs.interval` | `5s` | The initial sleep interval between each worker run. | +| `gc.blobs.storagetimeout` | `5s` | The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend. | +| `gc.manifests.disabled` | `false` | When set to `true`, the GC worker for manifests is disabled. | +| `gc.manifests.interval` | `5s` | The initial sleep interval between each worker run. | +| `gc.reviewafter` | `24h` | The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait. 
| +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `securityContext.seccompProfile.type` | `RuntimeDefault` | Seccomp profile to use | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context user ID under which the container is started | +| `containerSecurityContext.allowPrivilegeEscalation` | `false` | Controls whether a process of the Gitaly container can gain more privileges than its parent process | +| `containerSecurityContext.runAsNonRoot` | `true` | Controls whether the container runs with a non-root user | +| `containerSecurityContext.capabilities.drop` | `[ "ALL" ]` | Removes [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) for the Gitaly container | +| `serviceAccount.automountServiceAccountToken` | `false` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | +| `serviceAccount.enabled` | `false` | Indicates whether or not to use a ServiceAccount | +| `serviceLabels` | `{}` | Supplemental service labels | +| `tokenService` | `container_registry` | JWT token service | +| `tokenIssuer` | `gitlab-issuer` | JWT token issuer | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `affinity` | `{}` | Affinity rules for pod assignment | +| `middleware.storage` | | configuration layer for midleware storage ([s3 for instance](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#example-middleware-configuration)) | +| `redis.cache.enabled` | 
`false` | When set to `true`, the Redis cache is enabled. This feature is dependent on the [metadata database](#database) being enabled. Repository metadata will be cached on the configured Redis instance. | +| `redis.cache.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | +| `redis.cache.port` | `6379` | The port of the Redis instance. | +| `redis.cache.sentinels` | `[]` | List sentinels with host and port. | +| `redis.cache.mainname` | | The main server name. Only applicable for Sentinel. | +| `redis.cache.password.enabled` | `false` | Indicates whether the Redis cache used by the Registry is password protected. | +| `redis.cache.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | +| `redis.cache.password.key` | `redis-password` | Secret key in which the Redis password is stored. | +| `redis.cache.sentinelpassword.enabled` | `false` | Indicates whether Redis Sentinels are password protected. If `redis.cache.sentinelpassword` is empty, the values from `global.redis.sentinelAuth` are used. Only used when `redis.cache.sentinels` is defined. | +| `redis.cache.sentinelpassword.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis Sentinel password. | +| `redis.cache.sentinelpassword.key` | `redis-sentinel-password` | Secret key in which the Redis Sentinel password is stored. | +| `redis.cache.db` | `0` | The name of the database to use for each connection. | +| `redis.cache.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | +| `redis.cache.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | +| `redis.cache.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. 
| +| `redis.cache.tls.enabled` | `false` | Set to `true` to enable TLS. | +| `redis.cache.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | +| `redis.cache.pool.size` | `10` | The maximum number of socket connections. Default is 10 connections. | +| `redis.cache.pool.maxlifetime` | `1h` | The connection age at which client retires a connection. Default is to not close aged connections. | +| `redis.cache.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | +| `redis.rateLimiting.enabled` | `false` | When set to `true`, the Redis rate limiter is enabled. This feature is under development. | +| `redis.rateLimiting.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | +| `redis.rateLimiting.port` | `6379` | The port of the Redis instance. | +| `redis.rateLimiting.cluster` | `[]` | List of addresses with host and port. | +| `redis.rateLimiting.sentinels` | `[]` | List sentinels with host and port. | +| `redis.rateLimiting.mainname` | | The main server name. Only applicable for Sentinel. | +| `redis.rateLimiting.username` | | The username used to connect to the Redis instance. | +| `redis.rateLimiting.password.enabled` | `false` | Indicates whether the Redis instance is password protected. | +| `redis.rateLimiting.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | +| `redis.rateLimiting.password.key` | `redis-password` | Secret key in which the Redis password is stored. | +| `redis.rateLimiting.db` | `0` | The name of the database to use for each connection. | +| `redis.rateLimiting.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | +| `redis.rateLimiting.readtimeout` | `0s` | The timeout for reading from the Redis instance. 
Defaults to no timeout. | +| `redis.rateLimiting.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | +| `redis.rateLimiting.tls.enabled` | `false` | Set to `true` to enable TLS. | +| `redis.rateLimiting.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | +| `redis.rateLimiting.pool.size` | `10` | The maximum number of socket connections. | +| `redis.rateLimiting.pool.maxlifetime` | `1h` | The connection age at which the client retires a connection. Default is to not close aged connections. | +| `redis.rateLimiting.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | +| `redis.loadBalancing.enabled` | `false` | When set to `true`, the Redis connection for [load balancing](#load-balancing) is enabled. | +| `redis.loadBalancing.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | +| `redis.loadBalancing.port` | `6379` | The port of the Redis instance. | +| `redis.loadBalancing.cluster` | `[]` | List of addresses with host and port. | +| `redis.loadBalancing.sentinels` | `[]` | List sentinels with host and port. | +| `redis.loadBalancing.mainname` | | The main server name. Only applicable for Sentinel. | +| `redis.loadBalancing.username` | | The username used to connect to the Redis instance. | +| `redis.loadBalancing.password.enabled` | `false` | Indicates whether the Redis instance is password protected. | +| `redis.loadBalancing.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | +| `redis.loadBalancing.password.key` | `redis-password` | Secret key in which the Redis password is stored. | +| `redis.loadBalancing.db` | `0` | The name of the database to use for each connection. 
| +| `redis.loadBalancing.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | +| `redis.loadBalancing.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | +| `redis.loadBalancing.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | +| `redis.loadBalancing.tls.enabled` | `false` | Set to `true` to enable TLS. | +| `redis.loadBalancing.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | +| `redis.loadBalancing.pool.size` | `10` | The maximum number of socket connections. | +| `redis.loadBalancing.pool.maxlifetime` | `1h` | The connection age at which the client retires a connection. Default is to not close aged connections. | +| `redis.loadBalancing.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | ## Chart configuration examples -### pullSecrets +### `pullSecrets` `pullSecrets` allows you to authenticate to a private registry to pull images for a pod. 
@@ -365,14 +365,14 @@ image: - name: my-secondary-secret-name ``` -### serviceAccount +### `serviceAccount` This section controls if a ServiceAccount should be created and if the default access token should be mounted in pods. -| Name | Type | Default | Description | -| :----------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Name | Type | Default | Description | +|:-------------------------------|:-------:|:--------|:------------| | `automountServiceAccountToken` | Boolean | `false` | Controls if the default ServiceAccount access token should be mounted in pods. You should not enable this unless it is required by certain sidecars to work properly (for example, Istio). | -| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | +| `enabled` | Boolean | `false` | Indicates whether or not to use a ServiceAccount. | ### tolerations @@ -392,7 +392,7 @@ tolerations: effect: "NoExecute" ``` -### affinity +### `affinity` `affinity` is an optional parameter that allows you to set either or both: @@ -426,7 +426,7 @@ affinity: topologyKey: "test.com/hostname" ``` -### annotations +### `annotations` `annotations` allows you to add annotations to the registry pods. 
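Review bot: in the `@@ -365` hunk the sibling headings `pullSecrets`, `serviceAccount`, `affinity` and `annotations` are changed to backticked headings, but the unchanged context line `### tolerations` between them is not, so the rendered page now mixes both styles; change it to "### `tolerations`" in the same commit.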
@@ -463,28 +463,28 @@ These settings will be populated by [`values.yaml`](https://gitlab.com/gitlab-or By default, the Service is configured as: -| Name | Type | Default | Description | -| :--------------- | :----: | :---------- | :-------------------------------------------------------------------- | -| `name` | String | `registry` | Configures the name of the service | -| `type` | String | `ClusterIP` | Configures the type of the service | -| `externalPort` | Int | `5000` | Port exposed by the Service | -| `internalPort` | Int | `5000` | Port utilized by the Pod to accept request from the service | -| `clusterIP` | String | `null` | Allows one to configure a custom Cluster IP as necessary | +| Name | Type | Default | Description | +|:-----------------|:------:|:------------|:------------| +| `name` | String | `registry` | Configures the name of the service | +| `type` | String | `ClusterIP` | Configures the type of the service | +| `externalPort` | Int | `5000` | Port exposed by the Service | +| `internalPort` | Int | `5000` | Port utilized by the Pod to accept request from the service | +| `clusterIP` | String | `null` | Allows one to configure a custom Cluster IP as necessary | | `loadBalancerIP` | String | `null` | Allows one to configure a custom LoadBalancer IP address as necessary | ## Configuring the `ingress` This section controls the registry Ingress. -| Name | Type | Default | Description | -| :--------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `apiVersion` | String | | Value to use in the `apiVersion` field. | -| `annotations` | String | | This field is an exact match to the standard `annotations` for [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). 
| -| `configureCertmanager` | Boolean | | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`. For more information see the [TLS requirement for GitLab Pages](../../installation/tls.md). | -| `enabled` | Boolean | `false` | Setting that controls whether to create Ingress objects for services that support them. When `false` the `global.ingress.enabled` setting is used. | +| Name | Type | Default | Description | +|:-----------------------|:-------:|:--------|:------------| +| `apiVersion` | String | | Value to use in the `apiVersion` field. | +| `annotations` | String | | This field is an exact match to the standard `annotations` for [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). | +| `configureCertmanager` | Boolean | | Toggles Ingress annotation `cert-manager.io/issuer` and `acme.cert-manager.io/http01-edit-in-place`. For more information see the [TLS requirement for GitLab Pages](../../installation/tls.md). | +| `enabled` | Boolean | `false` | Setting that controls whether to create Ingress objects for services that support them. When `false` the `global.ingress.enabled` setting is used. | | `tls.enabled` | Boolean | `true` | When set to `false`, you disable TLS for the Registry subchart. This is mainly useful for cases in which you cannot use TLS termination at `ingress-level`, like when you have a TLS-terminating proxy before the Ingress Controller. | -| `tls.secretName` | String | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry URL. When not set, the `global.ingress.tls.secretName` is used instead. Defaults to not being set. | -| `tls.cipherSuites` | Array | `[]` | The list of cipher suites that Container registry should present to the client during TLS handshake. | +| `tls.secretName` | String | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry URL. 
When not set, the `global.ingress.tls.secretName` is used instead. Defaults to not being set. | +| `tls.cipherSuites` | Array | `[]` | The list of cipher suites that Container registry should present to the client during TLS handshake. | ## Configuring TLS 
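Review bot: the `configureCertmanager` row of the ingress table sends readers to "the TLS requirement for GitLab Pages" on the registry chart page; the link target `../../installation/tls.md` is the general TLS page, so the link text should say that (or name the registry) rather than Pages. In the same table `annotations` is typed `String` while its description says it is an exact match to the Kubernetes Ingress `annotations` field, which is a map of key/value pairs; `Map` would match the type used for `fallback` and `behavior` later in this file. The `tls.secretName` row ends with "Defaults to not being set." right after "When not set, the `global.ingress.tls.secretName` is used instead."; drop the redundant sentence.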
@@ -563,12 +563,12 @@ This section controls the registry This configuration is optional and is used to limit egress and Ingress of the registry to specific endpoints. and Ingress to specific endpoints. -| Name | Type | Default | Description | -| :---------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` for registry | -| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | -| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | -| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | +| Name | Type | Default | Description | +|:------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | This setting enables the `NetworkPolicy` for registry | +| `ingress.enabled` | Boolean | `false` | When set to `true`, the `Ingress` network policy will be activated. This will block all Ingress connections unless rules are specified. | +| `ingress.rules` | Array | `[]` | Rules for the Ingress policy, for details see and the example below | +| `egress.enabled` | Boolean | `false` | When set to `true`, the `Egress` network policy will be activated. This will block all egress connections unless rules are specified. | | `egress.rules` | Array | `[]` | Rules for the egress policy, these for details see and the example below | ### Example policy for preventing connections to all internal endpoints 
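Review bot: the NetworkPolicy hunk leaves three broken sentences untouched. The intro context line reads "to limit egress and Ingress of the registry to specific endpoints. and Ingress to specific endpoints." (duplicated fragment), and the `ingress.rules` and `egress.rules` rows read "for details see and the example below" and "these for details see and the example below", where the link that followed "see" is missing. Since this commit rewrites these rows, fix the wording and restore the link (to the example below or the Kubernetes NetworkPolicy documentation) in the same change.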
@@ -672,18 +672,18 @@ If no triggers are set, the `ScaledObject` is not created. Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/) for more details about those settings. -| Name | Type | Default | Description | -| :---------------------------- | :-----: | :------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `pollingInterval` | Integer | `30` | The interval to check each trigger on | -| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| Name | Type | Default | Description | +|:--------------------------------|:-------:|:--------|:------------| +| `enabled` | Boolean | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `pollingInterval` | Integer | `30` | The interval to check each trigger on | +| `cooldownPeriod` | Integer | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `minReplicaCount` | Integer | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `maxReplicaCount` | Integer | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `fallback` | Map | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | ### Example policy for preventing connections to all internal endpoints @@ -728,7 +728,7 @@ for integration with GitLab are exposed. For this integration, we make use of th settings of [Docker Distribution](https://github.com/docker/distribution), controlling authentication to the registry via JWT [authentication tokens](https://distribution.github.io/distribution/spec/auth/token/). -### httpSecret +### `httpSecret` Field `httpSecret` is a map that contains two items: `secret` and `key`. 
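Review bot: in the `@@ -672` hunk the trailing context heading `### Example policy for preventing connections to all internal endpoints` sits directly under the KEDA `ScaledObject` table, repeating the heading already used after the NetworkPolicy table in the `@@ -563` hunk and not matching the KEDA content. Check whether this should be an example `ScaledObject` heading or is a leftover copy of the NetworkPolicy section, and fix it as part of this cleanup.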
@@ -789,7 +789,7 @@ is automatically created if not provided. To create this secret manually, see the [Redis password instructions](../../installation/secrets.md#redis-password). -### authEndpoint +### `authEndpoint` The `authEndpoint` field is a string, providing the URL to the GitLab instance(s) that the [registry](https://hub.docker.com/_/registry/) will authenticate to. @@ -801,7 +801,7 @@ inside the container. For example: `authEndpoint: "https://gitlab.example.com"` By default this field is populated with the GitLab hostname configuration set by the [Global Settings](../globals.md). -### certificate +### `certificate` The `certificate` field is a map containing two items: `secret` and `key`. @@ -825,7 +825,7 @@ certificate: By default there is a readiness and liveness probe configured to check `/debug/health` on port `5001` which is the debug port. -### validation +### `validation` The `validation` field is a map that controls the Docker image validation process in the registry. When image validation is enabled the registry rejects @@ -839,7 +839,7 @@ The image validation is turned off by default. To enable image validation you need to explicitly set `registry.validation.disabled: false`. -#### manifests +#### `manifests` The `manifests` field allows configuration of validation policies particular to manifests. 
@@ -849,22 +849,22 @@ which contain URLs to pass validation, that layer must match one of the regular expressions in the `allow` field, while not matching any regular expression in the `deny` field. -| Name | Type | Default | Description | -| :----------------: | :---: | :------ | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | +| Name | Type | Default | Description | +|:------------------:|:-----:|:--------|:-----------:| | `referencelimit` | Int | `0` | The maximum number of references, such as layers, image configurations, and other manifests, that a single manifest may have. When set to `0` (default) this validation is disabled. | -| `payloadsizelimit` | Int | `0` | The maximum data size in bytes of manifest payloads. When set to `0` (default) this validation is disabled. | -| `urls.allow` | Array | `[]` | List of regular expressions that enables URLs in the layers of manifests. When left empty (default), layers with any URLs will be rejected. | -| `urls.deny` | Array | `[]` | List of regular expressions that restricts the URLs in the layers of manifests. When left empty (default), no layer with URLs which passed the `urls.allow` list will be rejected | +| `payloadsizelimit` | Int | `0` | The maximum data size in bytes of manifest payloads. When set to `0` (default) this validation is disabled. | +| `urls.allow` | Array | `[]` | List of regular expressions that enables URLs in the layers of manifests. When left empty (default), layers with any URLs will be rejected. | +| `urls.deny` | Array | `[]` | List of regular expressions that restricts the URLs in the layers of manifests. 
When left empty (default), no layer with URLs which passed the `urls.allow` list will be rejected | -### notifications +### `notifications` The `notifications` field is used to configure [Registry notifications](https://distribution.github.io/distribution/about/notifications/#configuration). It has an empty hash as default value. -| Name | Type | Default | Description | -| :---------: | :---: | :------ | :------------------------------------------------------------------------------------------------------------------: | +| Name | Type | Default | Description | +|:-----------:|:-----:|:--------|:-----------:| | `endpoints` | Array | `[]` | List of items where each item correspond to an [endpoint](https://distribution.github.io/distribution/about/configuration/#endpoints) | -| `events` | Hash | `{}` | Information provided in [event](https://distribution.github.io/distribution/about/configuration/#events) notifications | +| `events` | Hash | `{}` | Information provided in [event](https://distribution.github.io/distribution/about/configuration/#events) notifications | An example setting will look like the following: @@ -893,7 +893,7 @@ notifications: -### hpa +### `hpa` @@ -976,7 +976,7 @@ will supersede this default. {{< /alert >}} -### middleware.storage +### `middleware.storage` Configuration of `middleware.storage` follows [upstream convention](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#middleware): 
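Review bot: the rebuilt `manifests` and `notifications` table headers keep centered Name and Description columns (`|:------------------:|:-----:|:--------|:-----------:|` and `|:-----------:|:-----:|:--------|:-----------:|`) while every other table in this commit switches to left-aligned columns (`|:------------|`); align these two the same way so the cleanup is consistent. The `urls.deny` row also reads "no layer with URLs which passed the `urls.allow` list will be rejected", which is hard to parse; suggest "layers whose URLs match `urls.allow` are not rejected".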
@@ -1004,15 +1004,15 @@ Within above code `options.privatekeySecret` is a `generic` Kubernetes secret co kubectl create secret generic cloudfront-secret-name --type=kubernetes.io/ssh-auth --from-file=private-key-ABC.pem=pk-ABCEDFGHIJKLMNOPQRST.pem ``` -`privatekey` used upstream is being auto-populated by chart from the privatekey Secret and will be **ignored** if specified. +`privatekey` used upstream is being auto-populated by chart from the `privatekey` Secret and will be **ignored** if specified. #### `keypairid` variants Various vendors use different field names for the same construct: -| Vendor | field name | -| :--------: | :---------: | -| Google CDN | `keyname` | +| Vendor | field name | +|:----------:|:----------:| +| Google CDN | `keyname` | | CloudFront | `keypairid` | {{< alert type="note" >}} @@ -1021,7 +1021,7 @@ Only configuration of `middleware.storage` section is supported at this time. {{< /alert >}} -### debug +### `debug` The debug port is enabled by default and is used for the liveness/readiness probe. Additionally, Prometheus metrics can be enabled via the `metrics` values. @@ -1035,11 +1035,11 @@ metrics: enabled: true ``` -### health +### `health` The `health` property is optional, and contains preferences for a periodic health check on the storage driver's backend storage. -For more details, see Docker's [configuration documentation](https://distribution.github.io/distribution/about/configuration/#health). +For more details, see the Docker [configuration documentation](https://distribution.github.io/distribution/about/configuration/#health). ```yaml health: @@ -1049,7 +1049,7 @@ health: threshold: 3 ``` -### reporting +### `reporting` The `reporting` property is optional and enables [reporting](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#reporting) 
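Review bot: the changed line "`privatekey` used upstream is being auto-populated by chart from the `privatekey` Secret" now backticks a Secret named `privatekey`, but the sentence above calls the option `options.privatekeySecret`; suggest "The upstream `privatekey` option is auto-populated by the chart from the `privatekeySecret` Secret and is **ignored** if specified." Also in this hunk's context, `kubectl create secret generic cloudfront-secret-name --type=kubernetes.io/ssh-auth --from-file=private-key-ABC.pem=pk-ABCEDFGHIJKLMNOPQRST.pem` combines the `kubernetes.io/ssh-auth` type with a custom data key; the API server validates that type by requiring an `ssh-privatekey` key, so the command is likely rejected as written. Worth verifying and either dropping `--type` or using the key name the chart expects.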
@@ -1061,7 +1061,7 @@ reporting: environment: 'production' ``` -### profiling +### `profiling` The `profiling` property is optional and enables [continuous profiling](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#profiling) @@ -1075,7 +1075,7 @@ profiling: service: gitlab-registry ``` -### database +### `database` {{< history >}} diff --git a/doc/charts/shared-secrets.md b/doc/charts/shared-secrets.md index 14925176e0..f754ecd107 100644 --- a/doc/charts/shared-secrets.md +++ b/doc/charts/shared-secrets.md 
@@ -28,35 +28,35 @@ used across the installation, unless otherwise manually specified. This includes The table below contains all the possible configurations that can be supplied to the `helm install` command using the `--set` flag: -| Parameter | Default | Description | -| -------------------------- | ------------------- |---------------------------------------------------------------------------------------------------------------------| -| `enabled` | `true` | [See Below](#disable-functionality) | -| `env` | `production` | Rails environment | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `annotations` | | Supplemental Pod annotations. | -| `image.pullPolicy` | `Always` | **DEPRECATED**: Use `global.kubectl.image.pullPolicy` instead. | -| `image.pullSecrets` | | **DEPRECATED**: Use `global.kubectl.image.pullSecrets` instead. | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/kubectl` | **DEPRECATED**: Use `global.kubectl.image.repository` instead. | -| `image.tag` | `1f8690f03f7aeef27e727396927ab3cc96ac89e7` | **DEPRECATED**: Use `global.kubectl.image.tag` instead. 
| -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods | -| `rbac.create` | `true` | Create RBAC roles and bindings | -| `resources` | | resource requests, limits | -| `securityContext.fsGroup` | `65534` | User ID to mount filesystems as | -| `securityContext.runAsUser` | `65534` | User ID to run the container as | -| `selfsign.caSubject` | `GitLab Helm Chart` | selfsign CA Subject | -| `selfsign.image.repository` | `registry.gitlab.com/gitlab-org/build/cnf/cfssl-self-sign` | selfsign image repository | -| `selfsign.image.pullSecrets` | | Secrets for the image repository | -| `selfsign.image.tag` | | selfsign image tag | -| `selfsign.keyAlgorithm` | `rsa` | selfsign cert key algorithm | -| `selfsign.keySize` | `4096` | selfsign cert key size | -| `serviceAccount.enabled` | `true` | Define serviceAccountName on job(s) | -| `serviceAccount.create` | `true` | Create ServiceAccount | -| `serviceAccount.name` | `RELEASE_NAME-shared-secrets` | Service account name to specify on job(s) (and on the serviceAccount itself if `serviceAccount.create=true`) | -| `tolerations` | `[]` | Toleration labels for pod assignment | +| Parameter | Default | Description | +|------------------------------|------------------------------------------------------------|-------------| +| `enabled` | `true` | [See Below](#disable-functionality) | +| `env` | `production` | Rails environment | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `annotations` | | Supplemental Pod annotations. | +| `image.pullPolicy` | `Always` | **DEPRECATED**: Use `global.kubectl.image.pullPolicy` instead. | +| `image.pullSecrets` | | **DEPRECATED**: Use `global.kubectl.image.pullSecrets` instead. | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/kubectl` | **DEPRECATED**: Use `global.kubectl.image.repository` instead. 
| +| `image.tag` | `1f8690f03f7aeef27e727396927ab3cc96ac89e7` | **DEPRECATED**: Use `global.kubectl.image.tag` instead. | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods | +| `rbac.create` | `true` | Create RBAC roles and bindings | +| `resources` | | resource requests, limits | +| `securityContext.fsGroup` | `65534` | User ID to mount filesystems as | +| `securityContext.runAsUser` | `65534` | User ID to run the container as | +| `selfsign.caSubject` | `GitLab Helm Chart` | selfsign CA Subject | +| `selfsign.image.repository` | `registry.gitlab.com/gitlab-org/build/cnf/cfssl-self-sign` | selfsign image repository | +| `selfsign.image.pullSecrets` | | Secrets for the image repository | +| `selfsign.image.tag` | | selfsign image tag | +| `selfsign.keyAlgorithm` | `rsa` | selfsign cert key algorithm | +| `selfsign.keySize` | `4096` | selfsign cert key size | +| `serviceAccount.enabled` | `true` | Define serviceAccountName on job(s) | +| `serviceAccount.create` | `true` | Create ServiceAccount | +| `serviceAccount.name` | `RELEASE_NAME-shared-secrets` | Service account name to specify on job(s) (and on the serviceAccount itself if `serviceAccount.create=true`) | +| `tolerations` | `[]` | Toleration labels for pod assignment | ## Job configuration examples -### tolerations +### `tolerations` `tolerations` allow you schedule pods on tainted worker nodes diff --git a/doc/development/changelog.md b/doc/development/changelog.md index 4b1677cb70..5e915b3b85 100644 --- a/doc/development/changelog.md +++ b/doc/development/changelog.md 
@@ -77,31 +77,31 @@ A good changelog entry should be descriptive and concise. It should explain the change to a reader who has _zero context_ about the change. If you have trouble making it both concise and descriptive, err on the side of descriptive. -- **Bad:** Go to a project order. -- **Good:** Show a user's starred projects at the top of the "Go to project" +- **Bad**: Go to a project order. +- **Good**: Show a user's starred projects at the top of the "Go to project" dropdown. The first example provides no context of where the change was made, or why, or how it benefits the user. -- **Bad:** Copy (some text) to clipboard. -- **Good:** Update the "Copy to clipboard" tooltip to indicate what's being +- **Bad**: Copy (some text) to clipboard. +- **Good**: Update the "Copy to clipboard" tooltip to indicate what's being copied. Again, the first example is too vague and provides no context. -- **Bad:** Fixes and Improves CSS and HTML problems in mini pipeline graph and +- **Bad**: Fixes and Improves CSS and HTML problems in mini pipeline graph and builds dropdown. -- **Good:** Fix tooltips and hover states in mini pipeline graph and builds +- **Good**: Fix tooltips and hover states in mini pipeline graph and builds dropdown. The first example is too focused on implementation details. The user doesn't care that we changed CSS and HTML, they care about the _end result_ of those changes. -- **Bad:** Strip out `nil`s in the Array of Commit objects returned from +- **Bad**: Strip out `nil`s in the Array of Commit objects returned from `find_commits_by_message_with_elastic` -- **Good:** Fix 500 errors caused by Elasticsearch results referencing +- **Good**: Fix 500 errors caused by Elasticsearch results referencing garbage-collected commits The first example focuses on _how_ we fixed something, not on _what_ it fixes. diff --git a/doc/development/ci.md b/doc/development/ci.md index 25977a77db..2bf7baae11 100644 --- a/doc/development/ci.md +++ b/doc/development/ci.md 
@@ -7,12 +7,12 @@ title: CI setup and use ## CI Variables -| Variable | Default Value | Description | -|------------|---------------|--------------------------------------------------------------------------------------------------------------------------| -| `LIMIT_TO` | `""` | Limit pipeline execution to a specific logical block. Available blocks: `eks131`, `gke130`, `gke131`, `gke131a`, `vcluster`. Empty value implies absence of limits - i.e. all components shall be considered for execution. | -| `DOCKERHUB_PREFIX` | `docker.io` | Override the prefix of DockerHub images. Allows to pull DockerHub from the dependency proxy or another mirror. | -| `DOCKER_MIRROR` | `https://mirror.gcr.io` | Default Docker mirror in DinD jobs. | -| `DOCKER_OPTIONS` | `--registry-mirror ${DOCKER_MIRROR}` | Flags passed to the Docker daemon. | +| Variable | Default Value | Description | +|--------------------|--------------------------------------|-------------| +| `LIMIT_TO` | `""` | Limit pipeline execution to a specific logical block. Available blocks: `eks131`, `gke130`, `gke131`, `gke131a`, `vcluster`. Empty value implies absence of limits - i.e. all components shall be considered for execution. | +| `DOCKERHUB_PREFIX` | `docker.io` | Override the prefix of DockerHub images. Allows to pull DockerHub from the dependency proxy or another mirror. | +| `DOCKER_MIRROR` | `https://mirror.gcr.io` | Default Docker mirror in DinD jobs. | +| `DOCKER_OPTIONS` | `--registry-mirror ${DOCKER_MIRROR}` | Flags passed to the Docker daemon. | ### LIMIT_TO diff --git a/doc/development/clickhouse.md b/doc/development/clickhouse.md index d5fbea3da4..7dceba8355 100644 --- a/doc/development/clickhouse.md +++ b/doc/development/clickhouse.md 
@@ -7,13 +7,13 @@ title: ClickHouse database The GitLab chart can be configured to set up GitLab with an external ClickHouse database via the HTTP interface. Required parameters: -| Parameter | Description | -| ------- | ------ | -| `global.clickhouse.main.url` | URL for the database | -| `global.clickhouse.main.username` | Database Username | +| Parameter | Description | +|------------------------------------------|-------------| +| `global.clickhouse.main.url` | URL for the database | +| `global.clickhouse.main.username` | Database Username | | `global.clickhouse.main.password.secret` | Name of the configured secret | -| `global.clickhouse.main.password.key` | Which key to use as the password within the secret | -| `global.clickhouse.main.database` | Database name | +| `global.clickhouse.main.password.key` | Which key to use as the password within the secret | +| `global.clickhouse.main.database` | Database name | {{< alert type="warning" >}} diff --git a/doc/development/release.md b/doc/development/release.md index 59208deac8..57cde6ebeb 100644 --- a/doc/development/release.md +++ b/doc/development/release.md @@ -39,7 +39,7 @@ We will bump it for: ### Example release scenarios | Chart Version | GitLab Version | Release Scenario | -| ------------- | -------------- | ---------------- | +|---------------|----------------|------------------| | `0.2.0` | `11.0.0` | GitLab 11 release, and chart beta | | `0.2.1` | `11.0.1` | GitLab patch release | | `0.2.2` | `11.0.1` | Chart changes released | @@ -49,7 +49,7 @@ We will bump it for: | `0.2.4` | `11.0.3` | Security release | | ~~`0.3.1`~~ | ~~`11.1.1`~~ | ~~Security release~~ (*1*) | | `0.4.1` | `11.1.1` | Security release (*1*) | -| ... | ... | ... | +| ... | ... | ... | | `1.0.0` | `11.x.0` | GitLab minor release, along with chart GA | | `2.0.0` | `11.x.x` | Introduced some breaking change to the chart | | `3.0.0` | `12.0.0` | GitLab 12 release | 
@@ -68,32 +68,32 @@ While we considered just using the GitLab version as our own, we are not yet in For this chart, we propose to follow the same branching strategy as the other main GitLab components. - A `master` branch, -- `x-x-stable` branches that we create from master per minor release. +- `x-x-stable` branches that we create from `master` per minor release. - `x.x.x` tags from those stable branches. The difference between our branch names, and the other GitLab components, is that we will be using the chart's version in the branch name, rather than the GitLab version. -In general, changes will be merged to master, then cherry-picked into the appropriate branch before release. GitLab image updates will happen as commits in the branches, not in master, as master will follow the latest daily images. +In general, changes will be merged to `master`, then cherry-picked into the appropriate branch before release. GitLab image updates will happen as commits in the branches, not in `master`, as `master` will follow the latest daily images. 
### Example timeline of release actions Related to releasing using the proposed branching strategy | Branch | Tag | Action | Details | -| ------------ | ------- | ------------ | ------- | -| `0-2-stable` | | Branch | Branch created from master | +|--------------|---------|--------------|---------| +| `0-2-stable` | | Branch | Branch created from `master` | | | | Image update | GitLab `11.0.0-rcX` image used | -| | | Pick | Additional changes from master picked into branch | +| | | Pick | Additional changes from `master` picked into branch | | | | Image update | GitLab `11.0.0` image used | | | `0.2.0` | Tag | Chart `0.2.0` released | -| | | Pick | Fixes from master picked into branch | +| | | Pick | Fixes from `master` picked into branch | | | | Image update | GitLab `11.0.1` image used | | | `0.2.1` | Tag | Chart `0.2.1` released | -| `0-3-stable` | | Branch | Branch created from master | +| `0-3-stable` | | Branch | Branch created from `master` | | | | Image update | GitLab `11.1.0-rc1` image used | | `0-2-stable` | | Image update | GitLab `11.0.2` image used | | | `0.2.2` | Tag | Chart `0.2.2` released | -| `0-3-stable` | | Pick | Fixes from master picked into branch | +| `0-3-stable` | | Pick | Fixes from `master` picked into branch | | | | Image update | GitLab `11.1.0` image used | | | `0.3.0` | Tag | Chart `0.3.0` released | diff --git a/doc/development/rspec.md b/doc/development/rspec.md index e54977ebaf..a0e07421d4 100644 --- a/doc/development/rspec.md +++ b/doc/development/rspec.md 
@@ -104,7 +104,7 @@ When _adding_ properites, this has worked well. The drawback is that this does n Helm merges / coalesces configuration properties via [coalesceValues function](https://github.com/helm/helm/blob/a499b4b179307c267bdf3ec49b880e3dbd2a5591/pkg/chartutil/coalesce.go#L145-L148), which has some distinctly different behaviors to `deep_merge` as implemented here. We continue to refine how this functions within our RSpec. -**General guidelines:** +**General guidelines**: 1. Be aware of and wary of the behavior of `Hash.merge`. 1. Be aware of and wary of the behavior of `Hash.deep_merge` as offered by `hash-deep-merge` gem. diff --git a/doc/development/style_guide.md b/doc/development/style_guide.md index db2a1fd946..54fc397aae 100644 --- a/doc/development/style_guide.md +++ b/doc/development/style_guide.md @@ -396,7 +396,7 @@ These charts make use of cloud-native GitLab containers. Those containers support the use of either [ERB](https://docs.ruby-lang.org/en/2.7.0/ERB.html) or [gomplate](https://docs.gomplate.ca/). -**Guidelines:** +**Guidelines**: 1. Use template files within ConfigMaps (example: `gitlab.yml.erb`, `config.toml.tpl`) - Entries _must_ use the expected extensions in order to be handled as templates. @@ -404,11 +404,11 @@ or [gomplate](https://docs.gomplate.ca/). 1. ERB (`.erb`) can be used for any container using Ruby during run-time execution 1. gomplate (`.tpl`) can be used for any container. -**ERB usage:** +**ERB usage**: We make use of standard ERB, and you can expect [`json`](https://docs.ruby-lang.org/en/2.7.0/JSON.html) and [`yaml`](https://docs.ruby-lang.org/en/2.7.0/YAML.html) modules to have been pre-loaded. -**gomplate usage:** +**gomplate usage**: We make use of gomplate in order to remove the size and surface of Ruby within containers. We configure gomplate [syntax](https://docs.gomplate.ca/syntax/) with alternate delimiters of `{% %}`, so not 
@@ -420,7 +420,7 @@ Secrets have the potential contain characters that could result invalid YAML if not properly encoded or quoted. Especially for complex passwords, we must be careful how these strings are added into various configuration formats. -**Guidelines:** +**Guidelines**: 1. Quote in the ERB / Gomplate output, _not_ surrounding it. 1. Use a format-native encoder whenever possible. diff --git a/doc/installation/cloud/aks.md b/doc/installation/cloud/aks.md index e73d4a9b4c..13d1153fd0 100644 --- a/doc/installation/cloud/aks.md +++ b/doc/installation/cloud/aks.md 
@@ -68,19 +68,19 @@ from environment variables, or command line arguments: The table below describes all available variables. -| Variable | Description | Default value | Scope | -|---------------------------|-------------------------------------------------------------------------------------|--------------------|----------| -| `-g --resource-group` | Name of the resource group to use. | `gitlab-resources` | All | -| `-n --cluster-name` | Name of the cluster to use. | `gitlab-cluster` | All | -| `-r --region` | Region to install the cluster in. | `eastus` | `up` | -| `-v --cluster-version` | Version of Kubernetes to use for creating the cluster. | Latest | `up` | -| `-c --node-count` | Number of nodes to use. | `2` | `up` | -| `-s --node-vm-size` | Type of nodes to use. | `Standard_D4s_v3` | `up` | -| `-p --public-ip-name` | Name of the public IP to create. | `gitlab-ext-ip` | `up` | -| `--create-resource-group` | Create a new resource group to hold all created resources. | `false` | `up` | -| `--create-public-ip` | Create a public IP to use with the new cluster. | `false` | `up` | -| `--delete-resource-group` | Delete the resource group when using the down command. | `false` | `down` | -| `-f --kubctl-config-file` | Kubernetes configuration file to update. Use `-` to print YAML to `stdout` instead. | `~/.kube/config` | `creds` | +| Variable | Default value | Scope | Description | +|---------------------------|--------------------|---------|-------------| +| `-g --resource-group` | `gitlab-resources` | All | Name of the resource group to use. | +| `-n --cluster-name` | `gitlab-cluster` | All | Name of the cluster to use. | +| `-r --region` | `eastus` | `up` | Region to install the cluster in. | +| `-v --cluster-version` | Latest | `up` | Version of Kubernetes to use for creating the cluster. | +| `-c --node-count` | `2` | `up` | Number of nodes to use. | +| `-s --node-vm-size` | `Standard_D4s_v3` | `up` | Type of nodes to use. 
| +| `-p --public-ip-name` | `gitlab-ext-ip` | `up` | Name of the public IP to create. | +| `--create-resource-group` | `false` | `up` | Create a new resource group to hold all created resources. | +| `--create-public-ip` | `false` | `up` | Create a public IP to use with the new cluster. | +| `--delete-resource-group` | `false` | `down` | Delete the resource group when using the down command. | +| `-f --kubctl-config-file` | `~/.kube/config` | `creds` | Kubernetes configuration file to update. Use `-` to print YAML to `stdout` instead. | ### Manual cluster creation diff --git a/doc/installation/cloud/eks.md b/doc/installation/cloud/eks.md index 9ac8970984..4dd2972b16 100644 --- a/doc/installation/cloud/eks.md +++ b/doc/installation/cloud/eks.md @@ -46,13 +46,13 @@ The script reads various parameters from environment variables, or command line The table below describes all variables. -| Variable | Description | Default value | -|-------------------|--------------------------------------------------|------------------| -| `REGION` | The region where your cluster lives | `us-east-2` | -| `CLUSTER_NAME` | The name of the cluster | `gitlab-cluster` | -| `CLUSTER_VERSION` | The version of your EKS cluster | `1.29` | -| `NUM_NODES` | The number of nodes required | `2` | -| `MACHINE_TYPE` | The type of nodes to deploy | `m5.xlarge` | +| Variable | Default value | Description | +|-------------------|------------------|-------------| +| `REGION` | `us-east-2` | The region where your cluster lives | +| `CLUSTER_NAME` | `gitlab-cluster` | The name of the cluster | +| `CLUSTER_VERSION` | `1.29` | The version of your EKS cluster | +| `NUM_NODES` | `2` | The number of nodes required | +| `MACHINE_TYPE` | `m5.xlarge` | The type of nodes to deploy | Run the script, by passing in your desired parameters. It can work with the default parameters. diff --git a/doc/installation/cloud/gke.md b/doc/installation/cloud/gke.md index 62e274cb0e..4f17c023cd 100644 
--- a/doc/installation/cloud/gke.md +++ b/doc/installation/cloud/gke.md 
@@ -42,23 +42,23 @@ The script reads various parameters from environment variables and the argument The table below describes all variables. -| Variable | Description | Default value | -|---------------------|----------------------------------------------------------------------------------|----------------------------------| -| REGION | The region where your cluster lives | `us-central1` | -| ZONE_EXTENSION | The extension (`a`, `b`, `c`) of the zone name where your cluster instances live | `b` | -| CLUSTER_NAME | The name of the cluster | `gitlab-cluster` | -| CLUSTER_VERSION | The version of your GKE cluster | GKE default, check the [GKE release notes](https://cloud.google.com/kubernetes-engine/docs/release-notes) | -| MACHINE_TYPE | The cluster instances' type | `n2d-standard-4` | -| NUM_NODES | The number of nodes required. | 2 | -| AUTOSCALE_MIN_NODES | The minimum number of nodes the autoscaler should scale down to. | 0 | -| AUTOSCALE_MAX_NODES | The maximum number of nodes the autoscaler should scale up to. | `NUM_NODES` | -| PROJECT | The ID of your GCP project | No defaults, required to be set. | -| ADMIN_USER | The user to assign cluster-admin access to during setup | current gcloud user | -| RBAC_ENABLED | If you know whether your cluster has RBAC enabled set this variable. | true | -| PREEMPTIBLE | Cheaper, clusters live at *most* 24 hrs. No SLA on nodes/disks | false | -| USE_STATIC_IP | Create a static IP for GitLab instead of an ephemeral IP with managed DNS | false | -| INT_NETWORK | The IP space to use within this cluster | default | -| SUBNETWORK | The subnetwork to use within this cluster | default | +| Variable | Default value | Description | +|-----------------------|-----------------------------------|-------------| +| `ADMIN_USER` | current gcloud user | The user to assign cluster-admin access to during setup. | +| `AUTOSCALE_MAX_NODES` | `NUM_NODES` | The maximum number of nodes the autoscaler should scale up to. 
| +| `AUTOSCALE_MIN_NODES` | `0` | The minimum number of nodes the autoscaler should scale down to. | +| `CLUSTER_NAME` | `gitlab-cluster` | The name of the cluster. | +| `CLUSTER_VERSION` | GKE default, check the [GKE release notes](https://cloud.google.com/kubernetes-engine/docs/release-notes) | The version of your GKE cluster. | +| `INT_NETWORK` | default | The IP space to use within this cluster. | +| `MACHINE_TYPE` | `n2d-standard-4` | The cluster instances' type. | +| `NUM_NODES` | `2` | The number of nodes required. | +| `PREEMPTIBLE` | `false` | Cheaper, clusters live at *most* 24 hrs. No SLA on nodes/disks. | +| `PROJECT` | No defaults, required to be set. | The ID of your GCP project. | +| `RBAC_ENABLED` | `true` | If you know whether your cluster has RBAC enabled set this variable. | +| `REGION` | `us-central1` | The region where your cluster lives. | +| `SUBNETWORK` | default | The subnetwork to use within this cluster. | +| `USE_STATIC_IP` | `false` | Create a static IP for GitLab instead of an ephemeral IP with managed DNS. | +| `ZONE_EXTENSION` | `b` | The extension (`a`, `b`, `c`) of the zone name where your cluster instances live. | Run the script, by passing in your desired parameters. It can work with the default parameters except for `PROJECT` which is required: diff --git a/doc/installation/cloud/openshift.md b/doc/installation/cloud/openshift.md index 2ed6d4b188..c125f9b2d0 100644 --- a/doc/installation/cloud/openshift.md +++ b/doc/installation/cloud/openshift.md 
@@ -69,20 +69,20 @@ This directory is gitignored. Configuration can be applied during runtime by setting environment variables. All options have defaults, so no options are required. -| Variable | Description | Default | -|----------------------------------|----------------------------------------------------------------------|---------| -| `CLUSTER_NAME` | Name of cluster | `ocp-$USER` | -| `BASE_DOMAIN` | Root domain for cluster | `k8s-ft.win` | -| `GCP_PROJECT_ID` | Google Cloud project ID | `cloud-native-182609` | -| `GCP_REGION` | Google Cloud region for cluster | `us-central1` | -| `GOOGLE_APPLICATION_CREDENTIALS` | Path to Google Cloud service account JSON file | `gcloud.json` | -| `GOOGLE_CREDENTIALS` | Content of Google Cloud service account JSON file | Content of `$GOOGLE_APPLICATION_CREDENTIALS` | -| `PULL_SECRET_FILE` | Path to Red Hat pull secret file | `pull_secret` | -| `PULL_SECRET` | Content of Red Hat pull secret file | Content of `$PULL_SECRET_FILE` | -| `SSH_PUBLIC_KEY_FILE` | Path to SSH public key file | `$HOME/.ssh/id_rsa.pub` | -| `SSH_PUBLIC_KEY` | Content of SSH public key file | Content of `$SSH_PUBLIC_KEY_FILE` | -| `LOG_LEVEL` | Verbosity of `openshift-install` output | `info` | -| `INSTALL_DIR` | Directory for install assets, useful for launching multiple clusters | `install-$CLUSTER_NAME` | +| Variable | Default | Description | +|----------------------------------|----------------------------------------------|-------------| +| `CLUSTER_NAME` | `ocp-$USER` | Name of cluster | +| `BASE_DOMAIN` | `k8s-ft.win` | Root domain for cluster | +| `GCP_PROJECT_ID` | `cloud-native-182609` | Google Cloud project ID | +| `GCP_REGION` | `us-central1` | Google Cloud region for cluster | +| `GOOGLE_APPLICATION_CREDENTIALS` | `gcloud.json` | Path to Google Cloud service account JSON file | +| `GOOGLE_CREDENTIALS` | Content of `$GOOGLE_APPLICATION_CREDENTIALS` | Content of Google Cloud service account JSON file | +| `PULL_SECRET_FILE` | `pull_secret` | 
Path to Red Hat pull secret file | +| `PULL_SECRET` | Content of `$PULL_SECRET_FILE` | Content of Red Hat pull secret file | +| `SSH_PUBLIC_KEY_FILE` | `$HOME/.ssh/id_rsa.pub` | Path to SSH public key file | +| `SSH_PUBLIC_KEY` | Content of `$SSH_PUBLIC_KEY_FILE` | Content of SSH public key file | +| `LOG_LEVEL` | `info` | Verbosity of `openshift-install` output | +| `INSTALL_DIR` | `install-$CLUSTER_NAME` | Directory for install assets, useful for launching multiple clusters | {{< alert type="note" >}} @@ -111,12 +111,12 @@ To destroy the OpenShift cluster: Configuration can be applied during runtime by setting the following environment variables. All options have defaults, no options are required. -| Variable | Description | Default | -|----------------------------------|----------------------------------------------------------------------|---------| -| `GOOGLE_APPLICATION_CREDENTIALS` | Path to Google Cloud service account JSON file | `gcloud.json` | -| `GOOGLE_CREDENTIALS` | Content of Google Cloud service account JSON file | Content of `$GOOGLE_APPLICATION_CREDENTIALS` | -| `LOG_LEVEL` | Verbosity of `openshift-install` output | `info` | -| `INSTALL_DIR` | Directory for install assets, useful for launching multiple clusters | `install-$CLUSTER_NAME` | +| Variable | Default------------------------------------- | Description | +|----------------------------------|----------------------------------------------|-------------| +| `GOOGLE_APPLICATION_CREDENTIALS` | `gcloud.json` | Path to Google Cloud service account JSON file | +| `GOOGLE_CREDENTIALS` | Content of `$GOOGLE_APPLICATION_CREDENTIALS` | Content of Google Cloud service account JSON file | +| `LOG_LEVEL` | `info` | Verbosity of `openshift-install` output | +| `INSTALL_DIR` | `install-$CLUSTER_NAME` | Directory for install assets, useful for launching multiple clusters | ## Next steps 
diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index 777e1171e5..187fd11b4f 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md 
@@ -28,83 +28,83 @@ helm inspect values gitlab/gitlab ## Basic configuration -| Parameter | Description | Default | -|------------------------------------------------|---------------------------------------------------------------------------------------------|-----------------------------------------------| -| `gitlab.migrations.initialRootPassword.key` | Key pointing to the root account password in the migrations secret | `password` | -| `gitlab.migrations.initialRootPassword.secret` | Global name of the secret containing the root account password | `{Release.Name}-gitlab-initial-root-password` | -| `global.gitlab.license.key` | Key pointing to the Enterprise license in the license secret | `license` | -| `global.gitlab.license.secret` | Global name of the secret containing the Enterprise license | _none_ | -| `global.application.create` | Create an [Application resource](https://github.com/kubernetes-sigs/application) for GitLab | `false` | -| `global.edition` | The edition of GitLab to install. 
Enterprise Edition (`ee`) or Community Edition (`ce`) | `ee` | -| `global.gitaly.enabled` | Gitaly enable flag | true | -| `global.hosts.domain` | Domain name that will be used for all publicly exposed services | Required | -| `global.hosts.externalIP` | Static IP to assign to NGINX Ingress Controller | Required | -| `global.hosts.ssh` | Domain name that will be used for Git SSH access | `gitlab.{global.hosts.domain}` | -| `global.imagePullPolicy` | DEPRECATED: Use `global.image.pullPolicy` instead | `IfNotPresent` | -| `global.image.pullPolicy` | Set default imagePullPolicy for all charts | _none_ (default behavior is `IfNotPresent`) | -| `global.image.pullSecrets` | Set default imagePullSecrets for all charts (use a list of `name` and value pairs) | _none_ | -| `global.minio.enabled` | MinIO enable flag | `true` | -| `global.psql.host` | Global hostname of an external psql, overrides subcharts' psql configuration | _Uses in-cluster non-production PostgreSQL_ | -| `global.psql.password.key` | Key pointing to the psql password in the psql secret | _Uses in-cluster non-production PostgreSQL_ | -| `global.psql.password.secret` | Global name of the secret containing the psql password | _Uses in-cluster non-production PostgreSQL_ | -| `global.registry.bucket` | registry bucket name | `registry` | -| `global.service.annotations` | Annotations to add to every `Service` | {} | -| `global.rails.sessionStore.sessionCookieTokenPrefix` | Prefix for the generated session cookies | "" | -| `global.deployment.annotations` | Annotations to add to every `Deployment` | {} | -| `global.time_zone` | Global time zone | UTC | +| Parameter | Default | Description | +|------------------------------------------------------|-----------------------------------------------|-------------| +| `gitlab.migrations.initialRootPassword.key` | `password` | Key pointing to the root account password in the migrations secret | +| `gitlab.migrations.initialRootPassword.secret` | 
`{Release.Name}-gitlab-initial-root-password` | Global name of the secret containing the root account password | +| `global.gitlab.license.key` | `license` | Key pointing to the Enterprise license in the license secret | +| `global.gitlab.license.secret` | _none_ | Global name of the secret containing the Enterprise license | +| `global.application.create` | `false` | Create an [Application resource](https://github.com/kubernetes-sigs/application) for GitLab | +| `global.edition` | `ee` | The edition of GitLab to install. Enterprise Edition (`ee`) or Community Edition (`ce`) | +| `global.gitaly.enabled` | `true` | Gitaly enable flag | +| `global.hosts.domain` | Required | Domain name that will be used for all publicly exposed services | +| `global.hosts.externalIP` | Required | Static IP to assign to NGINX Ingress Controller | +| `global.hosts.ssh` | `gitlab.{global.hosts.domain}` | Domain name that will be used for Git SSH access | +| `global.imagePullPolicy` | `IfNotPresent` | DEPRECATED: Use `global.image.pullPolicy` instead | +| `global.image.pullPolicy` | _none_ (default behavior is `IfNotPresent`) | Set default imagePullPolicy for all charts | +| `global.image.pullSecrets` | _none_ | Set default imagePullSecrets for all charts (use a list of `name` and value pairs) | +| `global.minio.enabled` | `true` | MinIO enable flag | +| `global.psql.host` | _Uses in-cluster non-production PostgreSQL_ | Global hostname of an external psql, overrides subcharts' psql configuration | +| `global.psql.password.key` | _Uses in-cluster non-production PostgreSQL_ | Key pointing to the psql password in the psql secret | +| `global.psql.password.secret` | _Uses in-cluster non-production PostgreSQL_ | Global name of the secret containing the psql password | +| `global.registry.bucket` | `registry` | registry bucket name | +| `global.service.annotations` | `{}` | Annotations to add to every `Service` | +| `global.rails.sessionStore.sessionCookieTokenPrefix` | `""` | Prefix for the 
generated session cookies | +| `global.deployment.annotations` | `{}` | Annotations to add to every `Deployment` | +| `global.time_zone` | UTC | Global time zone | ## TLS configuration -| Parameter | Description | Default | -|-----------------------------------------|-------------------------------------------------------------------|---------| -| `certmanager-issuer.email` | Email for Let's Encrypt account | false | -| `gitlab.webservice.ingress.tls.secretName` | Existing `Secret` containing TLS certificate and key for GitLab | _none_ | -| `gitlab.webservice.ingress.tls.smartcardSecretName` | Existing `Secret` containing TLS certificate and key for the GitLab smartcard auth domain | _none_ | -| `global.hosts.https` | Serve over https | true | -| `global.ingress.configureCertmanager` | Configure cert-manager to get certificates from Let's Encrypt | true | -| `global.ingress.tls.secretName` | Existing `Secret` containing wildcard TLS certificate and key | _none_ | -| `minio.ingress.tls.secretName` | Existing `Secret` containing TLS certificate and key for MinIO | _none_ | -| `registry.ingress.tls.secretName` | Existing `Secret` containing TLS certificate and key for registry | _none_ | +| Parameter | Default | Description | +|-----------------------------------------------------|---------|-------------| +| `certmanager-issuer.email` | `false` | Email for Let's Encrypt account | +| `gitlab.webservice.ingress.tls.secretName` | _none_ | Existing `Secret` containing TLS certificate and key for GitLab | +| `gitlab.webservice.ingress.tls.smartcardSecretName` | _none_ | Existing `Secret` containing TLS certificate and key for the GitLab smartcard auth domain | +| `global.hosts.https` | `true` | Serve over https | +| `global.ingress.configureCertmanager` | `true` | Configure cert-manager to get certificates from Let's Encrypt | +| `global.ingress.tls.secretName` | _none_ | Existing `Secret` containing wildcard TLS certificate and key | +| `minio.ingress.tls.secretName` | 
_none_ | Existing `Secret` containing TLS certificate and key for MinIO | +| `registry.ingress.tls.secretName` | _none_ | Existing `Secret` containing TLS certificate and key for registry | ## Outgoing Email configuration -| Parameter | Description | Default | -|-----------------------------------|-----------------------------------------------------------------------------------------|-----------------------| -| `global.email.display_name` | Name that appears as the sender for emails from GitLab | `GitLab` | -| `global.email.from` | Email address that appears as the sender for emails from GitLab | `gitlab@example.com` | -| `global.email.reply_to` | Reply-to email listed in emails from GitLab | `noreply@example.com` | -| `global.email.smime.certName` | Secret object key value for locating the S/MIME certificate file | `tls.crt` | -| `global.email.smime.enabled` | Add the S/MIME signatures to outgoing email | false | -| `global.email.smime.keyName` | Secret object key value for locating the S/MIME key file | `tls.key` | -| `global.email.smime.secretName` | Kubernetes Secret object to find the X.509 certificate ([S/MIME Cert](secrets.md#smime-certificate) for creation ) | "" | -| `global.email.subject_suffix` | Suffix on the subject of all outgoing email from GitLab | "" | -| `global.smtp.address` | Hostname or IP of the remote mail server | `smtp.mailgun.org` | -| `global.smtp.authentication` | Type of SMTP authentication ("plain", "login", "cram_md5", or "" for no authentication) | `plain` | -| `global.smtp.domain` | Optional HELO domain for SMTP | "" | -| `global.smtp.enabled` | Enable outgoing email | false | -| `global.smtp.openssl_verify_mode` | TLS verification mode ("none", "peer", "client_once", or "fail_if_no_peer_cert") | `peer` | -| `global.smtp.password.key` | Key in `global.smtp.password.secret` that contains the SMTP password | `password` | -| `global.smtp.password.secret` | Name of a `Secret` containing the SMTP password | "" | -| `global.smtp.port` | 
Port for SMTP | `2525` | -| `global.smtp.starttls_auto` | Use STARTTLS if enabled on the mail server | false | -| `global.smtp.tls` | Enables SMTP/TLS (SMTPS: SMTP over direct TLS connection) | _none_ | -| `global.smtp.user_name` | Username for SMTP authentication https | "" | -| `global.smtp.open_timeout` | Seconds to wait while attempting to open a connection. | `30` | -| `global.smtp.read_timeout` | Seconds to wait while reading one block. | `60` | -| `global.smtp.pool` | Enables SMTP connection pooling | false | +| Parameter | Default | Description | +|-----------------------------------|-----------------------|-------------| +| `global.email.display_name` | `GitLab` | Name that appears as the sender for emails from GitLab | +| `global.email.from` | `gitlab@example.com` | Email address that appears as the sender for emails from GitLab | +| `global.email.reply_to` | `noreply@example.com` | Reply-to email listed in emails from GitLab | +| `global.email.smime.certName` | `tls.crt` | Secret object key value for locating the S/MIME certificate file | +| `global.email.smime.enabled` | `false` | Add the S/MIME signatures to outgoing email | +| `global.email.smime.keyName` | `tls.key` | Secret object key value for locating the S/MIME key file | +| `global.email.smime.secretName` | `""` | Kubernetes Secret object to find the X.509 certificate ([S/MIME Cert](secrets.md#smime-certificate) for creation ) | +| `global.email.subject_suffix` | `""` | Suffix on the subject of all outgoing email from GitLab | +| `global.smtp.address` | `smtp.mailgun.org` | Hostname or IP of the remote mail server | +| `global.smtp.authentication` | `plain` | Type of SMTP authentication ("plain", "login", "cram_md5", or "" for no authentication) | +| `global.smtp.domain` | `""` | Optional HELO domain for SMTP | +| `global.smtp.enabled` | `false` | Enable outgoing email | +| `global.smtp.openssl_verify_mode` | `peer` | TLS verification mode ("none", "peer", "client_once", or 
"fail_if_no_peer_cert") | +| `global.smtp.password.key` | `password` | Key in `global.smtp.password.secret` that contains the SMTP password | +| `global.smtp.password.secret` | `""` | Name of a `Secret` containing the SMTP password | +| `global.smtp.port` | `2525` | Port for SMTP | +| `global.smtp.starttls_auto` | `false` | Use STARTTLS if enabled on the mail server | +| `global.smtp.tls` | _none_ | Enables SMTP/TLS (SMTPS: SMTP over direct TLS connection) | +| `global.smtp.user_name` | `""` | Username for SMTP authentication https | +| `global.smtp.open_timeout` | `30` | Seconds to wait while attempting to open a connection. | +| `global.smtp.read_timeout` | `60` | Seconds to wait while reading one block. | +| `global.smtp.pool` | `false` | Enables SMTP connection pooling | ### Microsoft Graph Mailer settings -| Parameter | Description | Default | -|-----------------------------------|-----------------------------------------------------------------------------------------|-----------------------| -| `global.appConfig.microsoft_graph_mailer.enabled` | Enable outgoing email via Microsoft Graph API | false | -| `global.appConfig.microsoft_graph_mailer.user_id` | The unique identifier for the user that uses the Microsoft Graph API | "" | -| `global.appConfig.microsoft_graph_mailer.tenant` | The directory tenant the application plans to operate against, in GUID or domain-name format | "" | -| `global.appConfig.microsoft_graph_mailer.client_id` | The application ID that's assigned to your app. 
You can find this information in the portal where you registered your app | "" | -| `global.appConfig.microsoft_graph_mailer.client_secret.key` | Key in `global.appConfig.microsoft_graph_mailer.client_secret.secret` that contains the client secret that you generated for your app in the app registration portal | `secret` | -| `global.appConfig.microsoft_graph_mailer.client_secret.secret` | Name of a `Secret` containing the client secret that you generated for your app in the app registration portal | "" | -| `global.appConfig.microsoft_graph_mailer.azure_ad_endpoint` | The URL of the Azure Active Directory endpoint | `https://login.microsoftonline.com` | -| `global.appConfig.microsoft_graph_mailer.graph_endpoint` | The URL of the Microsoft Graph endpoint | `https://graph.microsoft.com` | +| Parameter | Default | Description | +|----------------------------------------------------------------|-------------------------------------|-------------| +| `global.appConfig.microsoft_graph_mailer.enabled` | `false` | Enable outgoing email via Microsoft Graph API | +| `global.appConfig.microsoft_graph_mailer.user_id` | `""` | The unique identifier for the user that uses the Microsoft Graph API | +| `global.appConfig.microsoft_graph_mailer.tenant` | `""` | The directory tenant the application plans to operate against, in GUID or domain-name format | +| `global.appConfig.microsoft_graph_mailer.client_id` | `""` | The application ID that's assigned to your app. 
You can find this information in the portal where you registered your app | +| `global.appConfig.microsoft_graph_mailer.client_secret.key` | `secret` | Key in `global.appConfig.microsoft_graph_mailer.client_secret.secret` that contains the client secret that you generated for your app in the app registration portal | +| `global.appConfig.microsoft_graph_mailer.client_secret.secret` | `""` | Name of a `Secret` containing the client secret that you generated for your app in the app registration portal | +| `global.appConfig.microsoft_graph_mailer.azure_ad_endpoint` | `https://login.microsoftonline.com` | The URL of the Azure Active Directory endpoint | +| `global.appConfig.microsoft_graph_mailer.graph_endpoint` | `https://graph.microsoft.com` | The URL of the Microsoft Graph endpoint | ## Incoming Email configuration 
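Review bot: the rewritten `global.smtp.user_name` row in the Outgoing Email table still carries the stray trailing word in `Username for SMTP authentication https`; since the row is being rewritten anyway, drop `https` so it reads `Username for SMTP authentication`. The same hunk leaves default formatting uneven: `UTC` (`global.time_zone`) and `Required` (`global.hosts.domain`, `global.hosts.externalIP`) stay bare while sibling literals such as `ee` and `true` gained backticks, and absent values appear as both `_none_` and `""`; pick one convention per kind of value. Minor: the `global.email.smime.secretName` description keeps the stray space in `for creation )`.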
@@ -113,43 +113,43 @@ helm inspect values gitlab/gitlab See [incoming email configuration examples documentation](https://docs.gitlab.com/administration/incoming_email/#configuration-examples) for more information. -| Parameter | Description | Default | -|---------------------------------------------------|--------------------------------------------------------------------------------------------------------|------------------------------------------------------------| -| `global.appConfig.incomingEmail.address` | The email address to reference the item being replied to (example: `gitlab-incoming+%{key}@gmail.com`). Note that the `+%{key}` suffix should be included in its entirety within the email address and not replaced by another value. | empty | -| `global.appConfig.incomingEmail.enabled` | Enable incoming email | false | -| `global.appConfig.incomingEmail.deleteAfterDelivery` | Whether to mark messages as deleted. For IMAP, messages that are marked as deleted are expunged if `expungedDeleted` is set to `true`. For Microsoft Graph, set this to false to retain messages in the inbox because deleted messages are auto-expunged after some time. | true | -| `global.appConfig.incomingEmail.expungeDeleted` | Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery. Only relevant to IMAP because Microsoft Graph will auto-expunge deleted messages. | false | -| `global.appConfig.incomingEmail.logger.logPath` | Path to write JSON structured logs to; set to "" to disable this logging | `/dev/stdout` | -| `global.appConfig.incomingEmail.inboxMethod` | Read mail with IMAP (`imap`) or Microsoft Graph API with OAuth2 (`microsoft_graph`) | `imap` | -| `global.appConfig.incomingEmail.deliveryMethod` | How mailroom can send an email content to Rails app for processing. Either `sidekiq` or `webhook` | `webhook` | -| `gitlab.appConfig.incomingEmail.authToken.key` | Key to incoming email token in incoming email secret. 
Effective when the delivery method is webhook. | `authToken` | -| `gitlab.appConfig.incomingEmail.authToken.secret` | Incoming email authentication secret. Effective when the delivery method is webhook. | `{Release.Name}-incoming-email-auth-token` | +| Parameter | Default | Description | +|------------------------------------------------------|--------------------------------------------|-------------| +| `global.appConfig.incomingEmail.address` | empty | The email address to reference the item being replied to (example: `gitlab-incoming+%{key}@gmail.com`). Note that the `+%{key}` suffix should be included in its entirety within the email address and not replaced by another value. | +| `global.appConfig.incomingEmail.enabled` | `false` | Enable incoming email | +| `global.appConfig.incomingEmail.deleteAfterDelivery` | `true` | Whether to mark messages as deleted. For IMAP, messages that are marked as deleted are expunged if `expungedDeleted` is set to `true`. For Microsoft Graph, set this to false to retain messages in the inbox because deleted messages are auto-expunged after some time. | +| `global.appConfig.incomingEmail.expungeDeleted` | `false` | Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery. Only relevant to IMAP because Microsoft Graph will auto-expunge deleted messages. | +| `global.appConfig.incomingEmail.logger.logPath` | `/dev/stdout` | Path to write JSON structured logs to; set to "" to disable this logging | +| `global.appConfig.incomingEmail.inboxMethod` | `imap` | Read mail with IMAP (`imap`) or Microsoft Graph API with OAuth2 (`microsoft_graph`) | +| `global.appConfig.incomingEmail.deliveryMethod` | `webhook` | How mailroom can send an email content to Rails app for processing. Either `sidekiq` or `webhook` | +| `gitlab.appConfig.incomingEmail.authToken.key` | `authToken` | Key to incoming email token in incoming email secret. Effective when the delivery method is webhook. 
| +| `gitlab.appConfig.incomingEmail.authToken.secret` | `{Release.Name}-incoming-email-auth-token` | Incoming email authentication secret. Effective when the delivery method is webhook. | ### IMAP settings -| Parameter | Description | Default | -|---------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|------------| -| `global.appConfig.incomingEmail.host` | Host for IMAP | empty | -| `global.appConfig.incomingEmail.idleTimeout` | The IDLE command timeout | `60` | -| `global.appConfig.incomingEmail.mailbox` | Mailbox where incoming mail will end up. | `inbox` | -| `global.appConfig.incomingEmail.password.key` | Key in `global.appConfig.incomingEmail.password.secret` that contains the IMAP password | `password` | -| `global.appConfig.incomingEmail.password.secret` | Name of a `Secret` containing the IMAP password | empty | -| `global.appConfig.incomingEmail.port` | Port for IMAP | `993` | -| `global.appConfig.incomingEmail.ssl` | Whether IMAP server uses SSL | true | -| `global.appConfig.incomingEmail.startTls` | Whether IMAP server uses StartTLS | false | -| `global.appConfig.incomingEmail.user` | Username for IMAP authentication | empty | +| Parameter | Default | Description | +|--------------------------------------------------|------------|-------------| +| `global.appConfig.incomingEmail.host` | empty | Host for IMAP | +| `global.appConfig.incomingEmail.idleTimeout` | `60` | The IDLE command timeout | +| `global.appConfig.incomingEmail.mailbox` | `inbox` | Mailbox where incoming mail will end up. 
| +| `global.appConfig.incomingEmail.password.key` | `password` | Key in `global.appConfig.incomingEmail.password.secret` that contains the IMAP password | +| `global.appConfig.incomingEmail.password.secret` | empty | Name of a `Secret` containing the IMAP password | +| `global.appConfig.incomingEmail.port` | `993` | Port for IMAP | +| `global.appConfig.incomingEmail.ssl` | `true` | Whether IMAP server uses SSL | +| `global.appConfig.incomingEmail.startTls` | `false` | Whether IMAP server uses StartTLS | +| `global.appConfig.incomingEmail.user` | empty | Username for IMAP authentication | ### Microsoft Graph settings -| Parameter | Description | Default | -|------------------------------------------------------|----------------------------------------------------------------------------------------------------------|------------| -| `global.appConfig.incomingEmail.tenantId` | The tenant ID for your Microsoft Azure Active Directory | empty | -| `global.appConfig.incomingEmail.clientId` | The client ID for your OAuth2 app | empty | -| `global.appConfig.incomingEmail.clientSecret.key` | Key in `appConfig.incomingEmail.clientSecret.secret` that contains the OAuth2 client secret | empty | -| `global.appConfig.incomingEmail.clientSecret.secret` | Name of a `Secret` containing the OAuth2 client secret | secret | -| `global.appConfig.incomingEmail.pollInterval` | The interval in seconds how often to poll for new mail | 60 | -| `global.appConfig.incomingEmail.azureAdEndpoint` | The URL of the Azure Active Directory endpoint (example: `https://login.microsoftonline.com`) | empty | -| `global.appConfig.incomingEmail.graphEndpoint` | The URL of the Microsoft Graph endpoint (example: `https://graph.microsoft.com`) | empty | +| Parameter | Default | Description | +|------------------------------------------------------|---------|-------------| +| `global.appConfig.incomingEmail.tenantId` | empty | The tenant ID for your Microsoft Azure Active Directory | +| 
`global.appConfig.incomingEmail.clientId` | empty | The client ID for your OAuth2 app | +| `global.appConfig.incomingEmail.clientSecret.key` | empty | Key in `appConfig.incomingEmail.clientSecret.secret` that contains the OAuth2 client secret | +| `global.appConfig.incomingEmail.clientSecret.secret` | secret | Name of a `Secret` containing the OAuth2 client secret | +| `global.appConfig.incomingEmail.pollInterval` | `60` | The interval in seconds how often to poll for new mail | +| `global.appConfig.incomingEmail.azureAdEndpoint` | empty | The URL of the Azure Active Directory endpoint (example: `https://login.microsoftonline.com`) | +| `global.appConfig.incomingEmail.graphEndpoint` | empty | The URL of the Microsoft Graph endpoint (example: `https://graph.microsoft.com`) | See the [instructions for creating secrets](secrets.md). 
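Review bot: the `global.appConfig.incomingEmail.deleteAfterDelivery` description says messages are expunged if `expungedDeleted` is `true`, but the parameter two rows down is `global.appConfig.incomingEmail.expungeDeleted`; fix the name while the row is being rewritten, otherwise readers will set a key that does not exist. In the Microsoft Graph settings table the defaults for `clientSecret.key` (`empty`) and `clientSecret.secret` (`secret`) look swapped relative to the outgoing mailer table above, where `client_secret.key` defaults to `secret` and the secret name is empty; confirm against values.yaml before committing the reordered columns. Minor: `empty` and `secret` stay bare here while the rest of this hunk's defaults got backticks or `""`.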
@@ -163,76 +163,76 @@ must be `+%{key}`. ### Common settings -| Parameter | Description | Default | -|------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------| -| `global.appConfig.serviceDeskEmail.address` | The email address to reference the item being replied to (example: `project_contact+%{key}@gmail.com`) | empty | -| `global.appConfig.serviceDeskEmail.enabled` | Enable Service Desk email | false | -| `global.appConfig.serviceDeskEmail.deleteAfterDelivery` | Whether to mark messages as deleted. For IMAP, messages that are marked as deleted are expunged if `expungedDeleted` is set to `true`. For Microsoft Graph, set this to false to retain messages in the inbox because deleted messages are auto-expunged after some time. | true | -| `global.appConfig.serviceDeskEmail.expungeDeleted` | Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery. Only relevant to IMAP because Microsoft Graph auto-expunges deleted messages. | false | -| `global.appConfig.serviceDeskEmail.logger.logPath` | Path to write JSON structured logs to; set to "" to disable this logging | `/dev/stdout` | -| `global.appConfig.serviceDeskEmail.inboxMethod` | Read mail with IMAP (`imap`) or Microsoft Graph API with OAuth2 (`microsoft_graph`) | `imap` | -| `global.appConfig.serviceDeskEmail.deliveryMethod` | How mailroom can send an email content to Rails app for processing. Either `sidekiq` or `webhook` | `webhook` | -| `gitlab.appConfig.serviceDeskEmail.authToken.key` | Key to Service Desk email token in Service Desk email secret. Effective when the delivery method is webhook. | `authToken` | -| `gitlab.appConfig.serviceDeskEmail.authToken.secret` | service-desk email authentication secret. Effective when the delivery method is webhook. 
| `{Release.Name}-service-desk-email-auth-token` | +| Parameter | Default | Description | +|---------------------------------------------------------|------------------------------------------------|-------------| +| `global.appConfig.serviceDeskEmail.address` | empty | The email address to reference the item being replied to (example: `project_contact+%{key}@gmail.com`) | +| `global.appConfig.serviceDeskEmail.enabled` | `false` | Enable Service Desk email | +| `global.appConfig.serviceDeskEmail.deleteAfterDelivery` | `true` | Whether to mark messages as deleted. For IMAP, messages that are marked as deleted are expunged if `expungedDeleted` is set to `true`. For Microsoft Graph, set this to false to retain messages in the inbox because deleted messages are auto-expunged after some time. | +| `global.appConfig.serviceDeskEmail.expungeDeleted` | `false` | Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery. Only relevant to IMAP because Microsoft Graph auto-expunges deleted messages. | +| `global.appConfig.serviceDeskEmail.logger.logPath` | `/dev/stdout` | Path to write JSON structured logs to; set to "" to disable this logging | +| `global.appConfig.serviceDeskEmail.inboxMethod` | `imap` | Read mail with IMAP (`imap`) or Microsoft Graph API with OAuth2 (`microsoft_graph`) | +| `global.appConfig.serviceDeskEmail.deliveryMethod` | `webhook` | How mailroom can send an email content to Rails app for processing. Either `sidekiq` or `webhook` | +| `gitlab.appConfig.serviceDeskEmail.authToken.key` | `authToken` | Key to Service Desk email token in Service Desk email secret. Effective when the delivery method is webhook. | +| `gitlab.appConfig.serviceDeskEmail.authToken.secret` | `{Release.Name}-service-desk-email-auth-token` | service-desk email authentication secret. Effective when the delivery method is webhook. 
| ### IMAP settings -| Parameter | Description | Default | -|-----------------------------------------------------|--------------------------------------------------------------------------------------------------------|---------------| -| `global.appConfig.serviceDeskEmail.host` | Host for IMAP | empty | -| `global.appConfig.serviceDeskEmail.idleTimeout` | The IDLE command timeout | `60` | -| `global.appConfig.serviceDeskEmail.mailbox` | Mailbox where Service Desk mail will end up. | `inbox` | -| `global.appConfig.serviceDeskEmail.password.key` | Key in `global.appConfig.serviceDeskEmail.password.secret` that contains the IMAP password | `password` | -| `global.appConfig.serviceDeskEmail.password.secret` | Name of a `Secret` containing the IMAP password | empty | -| `global.appConfig.serviceDeskEmail.port` | Port for IMAP | `993` | -| `global.appConfig.serviceDeskEmail.ssl` | Whether IMAP server uses SSL | true | -| `global.appConfig.serviceDeskEmail.startTls` | Whether IMAP server uses StartTLS | false | -| `global.appConfig.serviceDeskEmail.user` | Username for IMAP authentication | empty | +| Parameter | Default | Description | +|-----------------------------------------------------|------------|-------------| +| `global.appConfig.serviceDeskEmail.host` | empty | Host for IMAP | +| `global.appConfig.serviceDeskEmail.idleTimeout` | `60` | The IDLE command timeout | +| `global.appConfig.serviceDeskEmail.mailbox` | `inbox` | Mailbox where Service Desk mail will end up. 
| +| `global.appConfig.serviceDeskEmail.password.key` | `password` | Key in `global.appConfig.serviceDeskEmail.password.secret` that contains the IMAP password | +| `global.appConfig.serviceDeskEmail.password.secret` | empty | Name of a `Secret` containing the IMAP password | +| `global.appConfig.serviceDeskEmail.port` | `993` | Port for IMAP | +| `global.appConfig.serviceDeskEmail.ssl` | `true` | Whether IMAP server uses SSL | +| `global.appConfig.serviceDeskEmail.startTls` | `false` | Whether IMAP server uses StartTLS | +| `global.appConfig.serviceDeskEmail.user` | empty | Username for IMAP authentication | ### Microsoft Graph settings -| Parameter | Description | Default | -|---------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|------------| -| `global.appConfig.serviceDeskEmail.tenantId` | The tenant ID for your Microsoft Azure Active Directory | empty | -| `global.appConfig.serviceDeskEmail.clientId` | The client ID for your OAuth2 app | empty | -| `global.appConfig.serviceDeskEmail.clientSecret.key` | Key in `appConfig.serviceDeskEmail.clientSecret.secret` that contains the OAuth2 client secret | empty | -| `global.appConfig.serviceDeskEmail.clientSecret.secret` | Name of a `Secret` containing the OAuth2 client secret | secret | -| `global.appConfig.serviceDeskEmail.pollInterval` | The interval in seconds how often to poll for new mail | 60 | -| `global.appConfig.serviceDeskEmail.azureAdEndpoint` | The URL of the Azure Active Directory endpoint (example: `https://login.microsoftonline.com`) | empty | -| `global.appConfig.serviceDeskEmail.graphEndpoint` | The URL of the Microsoft Graph endpoint (example: `https://graph.microsoft.com`) | empty | +| Parameter | Default | Description | +|---------------------------------------------------------|---------|-------------| +| `global.appConfig.serviceDeskEmail.tenantId` | empty | The tenant ID for your 
Microsoft Azure Active Directory | +| `global.appConfig.serviceDeskEmail.clientId` | empty | The client ID for your OAuth2 app | +| `global.appConfig.serviceDeskEmail.clientSecret.key` | empty | Key in `appConfig.serviceDeskEmail.clientSecret.secret` that contains the OAuth2 client secret | +| `global.appConfig.serviceDeskEmail.clientSecret.secret` | secret | Name of a `Secret` containing the OAuth2 client secret | +| `global.appConfig.serviceDeskEmail.pollInterval` | `60` | The interval in seconds how often to poll for new mail | +| `global.appConfig.serviceDeskEmail.azureAdEndpoint` | empty | The URL of the Azure Active Directory endpoint (example: `https://login.microsoftonline.com`) | +| `global.appConfig.serviceDeskEmail.graphEndpoint` | empty | The URL of the Microsoft Graph endpoint (example: `https://graph.microsoft.com`) | See the [instructions for creating secrets](secrets.md). ## Default Project Features configuration -| Parameter | Description | Default | -|--------------------------------------------------------------|--------------------------------------------|---------| -| `global.appConfig.defaultProjectsFeatures.builds` | Enable project builds | true | -| `global.appConfig.defaultProjectsFeatures.containerRegistry` | Enable container registry project features | true | -| `global.appConfig.defaultProjectsFeatures.issues` | Enable project issues | true | -| `global.appConfig.defaultProjectsFeatures.mergeRequests` | Enable project merge requests | true | -| `global.appConfig.defaultProjectsFeatures.snippets` | Enable project snippets | true | -| `global.appConfig.defaultProjectsFeatures.wiki` | Enable project wikis | true | +| Parameter | Default | Description | +|--------------------------------------------------------------|---------|-------------| +| `global.appConfig.defaultProjectsFeatures.builds` | `true` | Enable project builds | +| `global.appConfig.defaultProjectsFeatures.containerRegistry` | `true` | Enable container registry project 
features | +| `global.appConfig.defaultProjectsFeatures.issues` | `true` | Enable project issues | +| `global.appConfig.defaultProjectsFeatures.mergeRequests` | `true` | Enable project merge requests | +| `global.appConfig.defaultProjectsFeatures.snippets` | `true` | Enable project snippets | +| `global.appConfig.defaultProjectsFeatures.wiki` | `true` | Enable project wikis | ## GitLab Shell -| Parameter | Description | Default | -|----------------------------------|------------------------------------------|---------| -| `global.shell.authToken` | Secret containing shared secret | | -| `global.shell.hostKeys` | Secret containing SSH host keys | | -| `global.shell.port` | Port number to expose on Ingress for SSH | | -| `global.shell.tcp.proxyProtocol` | Enable ProxyProtocol in SSH Ingress | false | +| Parameter | Default | Description | +|----------------------------------|---------|-------------| +| `global.shell.authToken` | | Secret containing shared secret | +| `global.shell.hostKeys` | | Secret containing SSH host keys | +| `global.shell.port` | | Port number to expose on Ingress for SSH | +| `global.shell.tcp.proxyProtocol` | `false` | Enable ProxyProtocol in SSH Ingress | ## RBAC Settings -| Parameter | Description | Default | -|----------------------------------------|---------------------------------------|---------| -| `certmanager.rbac.create` | Create and use RBAC resources | true | -| `gitlab-runner.rbac.create` | Create and use RBAC resources | true | -| `nginx-ingress.rbac.create` | Create and use default RBAC resources | false | -| `nginx-ingress.rbac.createClusterRole` | Create and use Cluster role | false | -| `nginx-ingress.rbac.createRole` | Create and use namespaced role | true | -| `prometheus.rbac.create` | Create and use RBAC resources | true | +| Parameter | Default | Description | +|----------------------------------------|---------|-------------| +| `certmanager.rbac.create` | `true` | Create and use RBAC resources | +| 
`gitlab-runner.rbac.create` | `true` | Create and use RBAC resources | +| `nginx-ingress.rbac.create` | `false` | Create and use default RBAC resources | +| `nginx-ingress.rbac.createClusterRole` | `false` | Create and use Cluster role | +| `nginx-ingress.rbac.createRole` | `true` | Create and use namespaced role | +| `prometheus.rbac.create` | `true` | Create and use RBAC resources | If you're setting `nginx-ingress.rbac.create` to `false` to configure the RBAC rules by yourself, you might need to add specific RBAC rules 
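Review bot: the Service Desk tables repeat the two problems from the incoming email hunk: the `serviceDeskEmail.deleteAfterDelivery` description references `expungedDeleted` instead of `global.appConfig.serviceDeskEmail.expungeDeleted`, and the Microsoft Graph rows give `clientSecret.key` a default of `empty` and `clientSecret.secret` a default of `secret`, the inverse of the outgoing mailer table; both should be corrected or verified in the same pass. Also the GitLab Shell rows for `global.shell.authToken`, `global.shell.hostKeys` and `global.shell.port` leave the Default cell blank where other tables use `_none_`, and the `serviceDeskEmail.authToken.secret` description uses lowercase `service-desk` while the row above says `Service Desk`.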
@@ -246,230 +246,230 @@ See [`nginx-ingress` chart](../charts/nginx/_index.md). ## Advanced in-cluster Redis configuration -| Parameter | Description | Default | -|--------------------------------------|---------------------------------------------|-----------------------| -| `redis.install` | Install the `bitnami/redis` chart | true | -| `redis.existingSecret` | Specify the Secret for Redis servers to use | `gitlab-redis-secret` | -| `redis.existingSecretKey` | Secret key where password is stored | `redis-password` | +| Parameter | Default | Description | +|---------------------------|-----------------------|-------------| +| `redis.install` | `true` | Install the `bitnami/redis` chart | +| `redis.existingSecret` | `gitlab-redis-secret` | Specify the Secret for Redis servers to use | +| `redis.existingSecretKey` | `redis-password` | Secret key where password is stored | Any additional configuration of the Redis service should use the configuration settings from the [Redis chart](https://github.com/bitnami/charts/tree/main/bitnami/redis). 
## Advanced registry configuration -| Parameter | Description | Default | -|-----------------------------------------------------|----------------------------------------------------------|-----------------------------------| -| `registry.authEndpoint` | Auth endpoint | Undefined by default | -| `registry.enabled` | Enable Docker registry | true | -| `registry.httpSecret` | Https secret | | -| `registry.minio.bucket` | MinIO registry bucket name | `registry` | -| `registry.service.annotations` | Annotations to add to the `Service` | {} | -| `registry.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `registry.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `registry.tokenIssuer` | JWT token issuer | `gitlab-issuer` | -| `registry.tokenService` | JWT token service | `container_registry` | -| `registry.profiling.stackdriver.enabled` | Enable continuous profiling using Stackdriver | `false` | -| `registry.profiling.stackdriver.credentials.secret` | Name of the secret containing credentials | `gitlab-registry-profiling-creds` | -| `registry.profiling.stackdriver.credentials.key` | Secret key in which the credentials are stored | `credentials` | -| `registry.profiling.stackdriver.service` | Name of the Stackdriver service to record profiles under | `RELEASE-registry` (templated Service name) | -| `registry.profiling.stackdriver.projectid` | GCP project to report profiles to | GCP project where running | +| Parameter | Default | Description | +|-----------------------------------------------------|---------------------------------------------|-------------| +| `registry.authEndpoint` | Undefined by default | Auth endpoint | +| `registry.enabled` | `true` | Enable Docker registry | +| `registry.httpSecret` | | Https secret | +| `registry.minio.bucket` | `registry` | MinIO registry bucket name | +| `registry.service.annotations` | `{}` | Annotations to add to the `Service` | +| 
`registry.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `registry.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `registry.tokenIssuer` | `gitlab-issuer` | JWT token issuer | +| `registry.tokenService` | `container_registry` | JWT token service | +| `registry.profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver | +| `registry.profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials | +| `registry.profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored | +| `registry.profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under | +| `registry.profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to | ## Advanced MinIO configuration -| Parameter | Description | Default | -|--------------------------------------|-----------------------------------------|--------------------------------| -| `minio.defaultBuckets` | MinIO default buckets | `[{"name": "registry"}]` | -| `minio.image` | MinIO image | `minio/minio` | -| `minio.imagePullPolicy` | MinIO image pull policy | | -| `minio.imageTag` | MinIO image tag | `RELEASE.2017-12-28T01-21-00Z` | -| `minio.minioConfig.browser` | MinIO browser flag | `on` | -| `minio.minioConfig.domain` | MinIO domain | | -| `minio.minioConfig.region` | MinIO region | `us-east-1` | -| `minio.mountPath` | MinIO configuration file mount path | `/export` | -| `minio.persistence.accessMode` | MinIO persistence access mode | `ReadWriteOnce` | -| `minio.persistence.enabled` | MinIO enable persistence flag | true | -| `minio.persistence.matchExpressions` | MinIO label-expression matches to bind | | -| `minio.persistence.matchLabels` | MinIO label-value matches to bind | | -| `minio.persistence.size` | MinIO 
persistence volume size | `10Gi` | -| `minio.persistence.storageClass` | MinIO storageClassName for provisioning | | -| `minio.persistence.subPath` | MinIO persistence volume mount path | | -| `minio.persistence.volumeName` | MinIO existing persistent volume name | | -| `minio.resources.requests.cpu` | MinIO minimum CPU requested | `250m` | -| `minio.resources.requests.memory` | MinIO minimum memory requested | `256Mi` | -| `minio.service.annotations` | Annotations to add to the `Service` | {} | -| `minio.servicePort` | MinIO service port | `9000` | -| `minio.serviceType` | MinIO service type | `ClusterIP` | +| Parameter | Default | Description | +|--------------------------------------|--------------------------------|-------------| +| `minio.defaultBuckets` | `[{"name": "registry"}]` | MinIO default buckets | +| `minio.image` | `minio/minio` | MinIO image | +| `minio.imagePullPolicy` | | MinIO image pull policy | +| `minio.imageTag` | `RELEASE.2017-12-28T01-21-00Z` | MinIO image tag | +| `minio.minioConfig.browser` | `on` | MinIO browser flag | +| `minio.minioConfig.domain` | | MinIO domain | +| `minio.minioConfig.region` | `us-east-1` | MinIO region | +| `minio.mountPath` | `/export` | MinIO configuration file mount path | +| `minio.persistence.accessMode` | `ReadWriteOnce` | MinIO persistence access mode | +| `minio.persistence.enabled` | `true` | MinIO enable persistence flag | +| `minio.persistence.matchExpressions` | | MinIO label-expression matches to bind | +| `minio.persistence.matchLabels` | | MinIO label-value matches to bind | +| `minio.persistence.size` | `10Gi` | MinIO persistence volume size | +| `minio.persistence.storageClass` | | MinIO storageClassName for provisioning | +| `minio.persistence.subPath` | | MinIO persistence volume mount path | +| `minio.persistence.volumeName` | | MinIO existing persistent volume name | +| `minio.resources.requests.cpu` | `250m` | MinIO minimum CPU requested | +| `minio.resources.requests.memory` | `256Mi` | MinIO 
minimum memory requested | +| `minio.service.annotations` | `{}` | Annotations to add to the `Service` | +| `minio.servicePort` | `9000` | MinIO service port | +| `minio.serviceType` | `ClusterIP` | MinIO service type | ## Advanced GitLab configuration -| Parameter | Description | Default | -|---|---|---| -| `gitlab-runner.checkInterval` | polling interval | `30s` | -| `gitlab-runner.concurrent` | number of concurrent jobs | `20` | -| `gitlab-runner.imagePullPolicy` | image pull policy | `IfNotPresent` | -| `gitlab-runner.image` | runner image | `gitlab/gitlab-runner:alpine-v10.5.0` | -| `gitlab-runner.gitlabUrl` | URL that the Runner uses to register to GitLab Server | GitLab external URL | -| `gitlab-runner.install` | install the `gitlab-runner` chart | true | -| `gitlab-runner.rbac.clusterWideAccess` | deploy containers of jobs cluster-wide | false | -| `gitlab-runner.rbac.create` | whether to create RBAC service account | true | -| `gitlab-runner.rbac.serviceAccountName` | name of the RBAC service account to create | `default` | -| `gitlab-runner.resources.limits.cpu` | runner resources | | -| `gitlab-runner.resources.limits.memory` | runner resources | | -| `gitlab-runner.resources.requests.cpu` | runner resources | | -| `gitlab-runner.resources.requests.memory` | runner resources | | -| `gitlab-runner.runners.privileged` | run in privileged mode, needed for `dind` | false | -| `gitlab-runner.runners.cache.secretName` | secret to get `accesskey` and `secretkey` from | `gitlab-minio` | -| `gitlab-runner.runners.config` | Runner configuration as string | See [Chart documentation](../charts/gitlab/gitlab-runner/_index.md#default-runner-configuration) | -| `gitlab-runner.unregisterRunners` | Unregisters all runners in the local `config.toml` when the chart is installed. If the token is prefixed with `glrt-`, the runner manager is deleted, not the runner. The runner manager is identified by the runner and the machine that contains the `config.toml`. 
If the runner was registered with a registration token, the runner is deleted. | true | -| `gitlab.geo-logcursor.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.geo-logcursor.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.gitaly.authToken.key` | Key to Gitaly token in the secret | `token` | -| `gitlab.gitaly.authToken.secret` | Gitaly secret name | `{.Release.Name}-gitaly-secret` | -| `gitlab.gitaly.image.pullPolicy` | Gitaly image pull policy | | -| `gitlab.gitaly.image.repository` | Gitaly image repository | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | -| `gitlab.gitaly.image.tag` | Gitaly image tag | `master` | -| `gitlab.gitaly.persistence.accessMode` | Gitaly persistence access mode | `ReadWriteOnce` | -| `gitlab.gitaly.persistence.enabled` | Gitaly enable persistence flag | true | -| `gitlab.gitaly.persistence.matchExpressions` | Label-expression matches to bind | | -| `gitlab.gitaly.persistence.matchLabels` | Label-value matches to bind | | -| `gitlab.gitaly.persistence.size` | Gitaly persistence volume size | `50Gi` | -| `gitlab.gitaly.persistence.storageClass` | storageClassName for provisioning | | -| `gitlab.gitaly.persistence.subPath` | Gitaly persistence volume mount path | | -| `gitlab.gitaly.persistence.volumeName` | Existing persistent volume name | | -| `gitlab.gitaly.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.gitaly.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.gitaly.service.annotations` | Annotations to add to the `Service` | `{}` | -| `gitlab.gitaly.service.externalPort` | Gitaly service exposed port | `8075` | -| `gitlab.gitaly.service.internalPort` | Gitaly internal port | `8075` | -| `gitlab.gitaly.service.name` | Gitaly service name | `gitaly` | -| `gitlab.gitaly.service.type` | Gitaly service type | `ClusterIP` | -| 
`gitlab.gitaly.serviceName` | Gitaly service name | `gitaly` | -| `gitlab.gitaly.shell.authToken.key` | Shell key | `secret` | -| `gitlab.gitaly.shell.authToken.secret` | Shell secret | `{Release.Name}-gitlab-shell-secret` | -| `gitlab.gitlab-exporter.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.gitlab-exporter.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.gitlab-shell.authToken.key` | Shell auth secret key | `secret` | -| `gitlab.gitlab-shell.authToken.secret` | Shell auth secret | `{Release.Name}-gitlab-shell-secret` | -| `gitlab.gitlab-shell.enabled` | Shell enable flag | true | -| `gitlab.gitlab-shell.image.pullPolicy` | Shell image pull policy | | -| `gitlab.gitlab-shell.image.repository` | Shell image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-shell` | -| `gitlab.gitlab-shell.image.tag` | Shell image tag | `master` | -| `gitlab.gitlab-shell.replicaCount` | Shell replicas | `1` | -| `gitlab.gitlab-shell.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.gitlab-shell.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.gitlab-shell.service.annotations` | Annotations to add to the `Service` | {} | -| `gitlab.gitlab-shell.service.internalPort` | Shell internal port | `2222` | -| `gitlab.gitlab-shell.service.name` | Shell service name | `gitlab-shell` | -| `gitlab.gitlab-shell.service.type` | Shell service type | `ClusterIP` | -| `gitlab.gitlab-shell.webservice.serviceName` | Webservice service name | inherited from `global.webservice.serviceName` | -| `gitlab.mailroom.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.mailroom.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.migrations.bootsnap.enabled` | Migrations Bootsnap enable flag | true | -| 
`gitlab.migrations.enabled` | Migrations enable flag | true | -| `gitlab.migrations.image.pullPolicy` | Migrations pull policy | | -| `gitlab.migrations.image.repository` | Migrations image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | -| `gitlab.migrations.image.tag` | Migrations image tag | `master` | -| `gitlab.migrations.psql.password.key` | key to psql password in psql secret | `psql-password` | -| `gitlab.migrations.psql.password.secret` | psql secret | `gitlab-postgres` | -| `gitlab.migrations.psql.port` | Set PostgreSQL server port. Takes precedence over `global.psql.port` | | -| `gitlab.migrations.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.migrations.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.sidekiq.concurrency` | Sidekiq default concurrency | `20` | -| `gitlab.sidekiq.enabled` | Sidekiq enabled flag | true | -| `gitlab.sidekiq.gitaly.authToken.key` | key to Gitaly token in Gitaly secret | `token` | -| `gitlab.sidekiq.gitaly.authToken.secret` | Gitaly secret | `{.Release.Name}-gitaly-secret` | -| `gitlab.sidekiq.gitaly.serviceName` | Gitaly service name | `gitaly` | -| `gitlab.sidekiq.image.pullPolicy` | Sidekiq image pull policy | | -| `gitlab.sidekiq.image.repository` | Sidekiq image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee` | -| `gitlab.sidekiq.image.tag` | Sidekiq image tag | `master` | -| `gitlab.sidekiq.psql.password.key` | key to psql password in psql secret | `psql-password` | -| `gitlab.sidekiq.psql.password.secret` | psql password secret | `gitlab-postgres` | -| `gitlab.sidekiq.psql.port` | Set PostgreSQL server port. 
Takes precedence over `global.psql.port` | | -| `gitlab.sidekiq.replicas` | Sidekiq replicas | `1` | -| `gitlab.sidekiq.resources.requests.cpu` | Sidekiq minimum needed CPU | `100m` | -| `gitlab.sidekiq.resources.requests.memory` | Sidekiq minimum needed memory | `600M` | -| `gitlab.sidekiq.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.sidekiq.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.sidekiq.timeout` | Sidekiq job timeout | `5` | -| `gitlab.toolbox.annotations` | Annotations to add to the toolbox | {} | -| `gitlab.toolbox.backups.cron.enabled` | Backup CronJob enabled flag | false | -| `gitlab.toolbox.backups.cron.extraArgs` | String of arguments to pass to the backup utility | | -| `gitlab.toolbox.backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` | -| `gitlab.toolbox.backups.cron.persistence.enabled` | Backup cron enable persistence flag | false | -| `gitlab.toolbox.backups.cron.persistence.matchExpressions` | Label-expression matches to bind | | -| `gitlab.toolbox.backups.cron.persistence.matchLabels` | Label-value matches to bind | | -| `gitlab.toolbox.backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` | -| `gitlab.toolbox.backups.cron.persistence.storageClass` | storageClassName for provisioning | | -| `gitlab.toolbox.backups.cron.persistence.subPath` | Backup cron persistence volume mount path | | -| `gitlab.toolbox.backups.cron.persistence.volumeName` | Existing persistent volume name | | -| `gitlab.toolbox.backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` | -| `gitlab.toolbox.backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` | -| `gitlab.toolbox.backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | -| `gitlab.toolbox.backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs`, or `azure`) | 
`s3` | -| `gitlab.toolbox.backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `gitlab.toolbox.backups.objectStorage.config.key` | key containing credentials in secret | "" | -| `gitlab.toolbox.backups.objectStorage.config.secret` | Object storage credentials secret | "" | -| `gitlab.toolbox.backups.objectStorage.config` | Authentication information for object storage | {} | -| `gitlab.toolbox.bootsnap.enabled` | Enable Bootsnap cache in Toolbox | true | -| `gitlab.toolbox.enabled` | Toolbox enabled flag | true | -| `gitlab.toolbox.image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` | -| `gitlab.toolbox.image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | -| `gitlab.toolbox.image.tag` | Toolbox image tag | `master` | -| `gitlab.toolbox.init.image.repository` | Toolbox init image repository | | -| `gitlab.toolbox.init.image.tag` | Toolbox init image tag | | -| `gitlab.toolbox.init.resources.requests.cpu` | Toolbox init minimum needed CPU | `50m` | -| `gitlab.toolbox.persistence.accessMode` | Toolbox persistence access mode | `ReadWriteOnce` | -| `gitlab.toolbox.persistence.enabled` | Toolbox enable persistence flag | false | -| `gitlab.toolbox.persistence.matchExpressions` | Label-expression matches to bind | | -| `gitlab.toolbox.persistence.matchLabels` | Label-value matches to bind | | -| `gitlab.toolbox.persistence.size` | Toolbox persistence volume size | `10Gi` | -| `gitlab.toolbox.persistence.storageClass` | storageClassName for provisioning | | -| `gitlab.toolbox.persistence.subPath` | Toolbox persistence volume mount path | | -| `gitlab.toolbox.persistence.volumeName` | Existing persistent volume name | | -| `gitlab.toolbox.psql.port` | Set PostgreSQL server port. 
Takes precedence over `global.psql.port` | | -| `gitlab.toolbox.resources.requests.cpu` | Toolbox minimum needed CPU | `50m` | -| `gitlab.toolbox.resources.requests.memory` | Toolbox minimum needed memory | `350M` | -| `gitlab.toolbox.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.toolbox.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.webservice.enabled` | webservice enabled flag | true | -| `gitlab.webservice.gitaly.authToken.key` | Key to Gitaly token in Gitaly secret | `token` | -| `gitlab.webservice.gitaly.authToken.secret` | Gitaly secret name | `{.Release.Name}-gitaly-secret` | -| `gitlab.webservice.gitaly.serviceName` | Gitaly service name | `gitaly` | -| `gitlab.webservice.image.pullPolicy` | webservice image pull policy | | -| `gitlab.webservice.image.repository` | webservice image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee` | -| `gitlab.webservice.image.tag` | webservice image tag | `master` | -| `gitlab.webservice.psql.password.key` | Key to psql password in psql secret | `psql-password` | -| `gitlab.webservice.psql.password.secret` | psql secret name | `gitlab-postgres` | -| `gitlab.webservice.psql.port` | Set PostgreSQL server port. Takes precedence over `global.psql.port` | | -| `global.registry.enabled` | Enable registry. 
Mirrors `registry.enabled` | `true` | -| `global.registry.api.port` | Registry port | `5000` | -| `global.registry.api.protocol` | Registry protocol | `http` | -| `global.registry.api.serviceName` | Registry service name | `registry` | -| `global.registry.tokenIssuer` | Registry token issuer | `gitlab-issuer` | -| `gitlab.webservice.replicaCount` | webservice number of replicas | `1` | -| `gitlab.webservice.resources.requests.cpu` | webservice minimum CPU | `200m` | -| `gitlab.webservice.resources.requests.memory` | webservice minimum memory | `1.4G` | -| `gitlab.webservice.securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `gitlab.webservice.securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `gitlab.webservice.service.annotations` | Annotations to add to the `Service` | {} | -| `gitlab.webservice.http.enabled` | webservice HTTP enabled | true | -| `gitlab.webservice.service.externalPort` | webservice exposed port | `8080` | -| `gitlab.webservice.service.internalPort` | webservice internal port | `8080` | -| `gitlab.webservice.tls.enabled` | webservice TLS enabled | false | -| `gitlab.webservice.tls.secretName` | webservice secret name of TLS key | `{Release.Name}-webservice-tls` | -| `gitlab.webservice.service.tls.externalPort` | webservice TLS exposed port | `8081` | -| `gitlab.webservice.service.tls.internalPort` | webservice TLS internal port | `8081` | -| `gitlab.webservice.service.type` | webservice service type | `ClusterIP` | -| `gitlab.webservice.service.workhorseExternalPort` | Workhorse exposed port | `8181` | -| `gitlab.webservice.service.workhorseInternalPort` | Workhorse internal port | `8181` | -| `gitlab.webservice.shell.authToken.key` | Key to shell token in shell secret | `secret` | -| `gitlab.webservice.shell.authToken.secret` | Shell token secret | `{Release.Name}-gitlab-shell-secret` | -| `gitlab.webservice.workerProcesses` | webservice number of workers | `2` | -| 
`gitlab.webservice.workerTimeout` | webservice worker timeout | `60` | -| `gitlab.webservice.workhorse.extraArgs` | String of extra parameters for workhorse | "" | -| `gitlab.webservice.workhorse.image` | Workhorse image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee` | -| `gitlab.webservice.workhorse.sentryDSN` | DSN for Sentry instance for error reporting | "" | -| `gitlab.webservice.workhorse.tag` | Workhorse image tag | | +| Parameter | Default | Description | +|------------------------------------------------------------|-----------------------------------------------------------------|-------------| +| `gitlab-runner.checkInterval` | `30s` | polling interval | +| `gitlab-runner.concurrent` | `20` | number of concurrent jobs | +| `gitlab-runner.imagePullPolicy` | `IfNotPresent` | image pull policy | +| `gitlab-runner.image` | `gitlab/gitlab-runner:alpine-v10.5.0` | runner image | +| `gitlab-runner.gitlabUrl` | GitLab external URL | URL that the Runner uses to register to GitLab Server | +| `gitlab-runner.install` | `true` | install the `gitlab-runner` chart | +| `gitlab-runner.rbac.clusterWideAccess` | `false` | deploy containers of jobs cluster-wide | +| `gitlab-runner.rbac.create` | `true` | whether to create RBAC service account | +| `gitlab-runner.rbac.serviceAccountName` | `default` | name of the RBAC service account to create | +| `gitlab-runner.resources.limits.cpu` | | runner resources | +| `gitlab-runner.resources.limits.memory` | | runner resources | +| `gitlab-runner.resources.requests.cpu` | | runner resources | +| `gitlab-runner.resources.requests.memory` | | runner resources | +| `gitlab-runner.runners.privileged` | `false` | run in privileged mode, needed for `dind` | +| `gitlab-runner.runners.cache.secretName` | `gitlab-minio` | secret to get `accesskey` and `secretkey` from | +| `gitlab-runner.runners.config` | See [Chart documentation](../charts/gitlab/gitlab-runner/_index.md#default-runner-configuration) | Runner 
configuration as string | +| `gitlab-runner.unregisterRunners` | `true` | Unregisters all runners in the local `config.toml` when the chart is installed. If the token is prefixed with `glrt-`, the runner manager is deleted, not the runner. The runner manager is identified by the runner and the machine that contains the `config.toml`. If the runner was registered with a registration token, the runner is deleted. | +| `gitlab.geo-logcursor.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.geo-logcursor.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.gitaly.authToken.key` | `token` | Key to Gitaly token in the secret | +| `gitlab.gitaly.authToken.secret` | `{.Release.Name}-gitaly-secret` | Gitaly secret name | +| `gitlab.gitaly.image.pullPolicy` | | Gitaly image pull policy | +| `gitlab.gitaly.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitaly` | Gitaly image repository | +| `gitlab.gitaly.image.tag` | `master` | Gitaly image tag | +| `gitlab.gitaly.persistence.accessMode` | `ReadWriteOnce` | Gitaly persistence access mode | +| `gitlab.gitaly.persistence.enabled` | `true` | Gitaly enable persistence flag | +| `gitlab.gitaly.persistence.matchExpressions` | | Label-expression matches to bind | +| `gitlab.gitaly.persistence.matchLabels` | | Label-value matches to bind | +| `gitlab.gitaly.persistence.size` | `50Gi` | Gitaly persistence volume size | +| `gitlab.gitaly.persistence.storageClass` | | storageClassName for provisioning | +| `gitlab.gitaly.persistence.subPath` | | Gitaly persistence volume mount path | +| `gitlab.gitaly.persistence.volumeName` | | Existing persistent volume name | +| `gitlab.gitaly.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.gitaly.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.gitaly.service.annotations` | `{}` | Annotations to add 
to the `Service` | +| `gitlab.gitaly.service.externalPort` | `8075` | Gitaly service exposed port | +| `gitlab.gitaly.service.internalPort` | `8075` | Gitaly internal port | +| `gitlab.gitaly.service.name` | `gitaly` | Gitaly service name | +| `gitlab.gitaly.service.type` | `ClusterIP` | Gitaly service type | +| `gitlab.gitaly.serviceName` | `gitaly` | Gitaly service name | +| `gitlab.gitaly.shell.authToken.key` | `secret` | Shell key | +| `gitlab.gitaly.shell.authToken.secret` | `{Release.Name}-gitlab-shell-secret` | Shell secret | +| `gitlab.gitlab-exporter.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.gitlab-exporter.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.gitlab-shell.authToken.key` | `secret` | Shell auth secret key | +| `gitlab.gitlab-shell.authToken.secret` | `{Release.Name}-gitlab-shell-secret` | Shell auth secret | +| `gitlab.gitlab-shell.enabled` | `true` | Shell enable flag | +| `gitlab.gitlab-shell.image.pullPolicy` | | Shell image pull policy | +| `gitlab.gitlab-shell.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-shell` | Shell image repository | +| `gitlab.gitlab-shell.image.tag` | `master` | Shell image tag | +| `gitlab.gitlab-shell.replicaCount` | `1` | Shell replicas | +| `gitlab.gitlab-shell.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.gitlab-shell.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.gitlab-shell.service.annotations` | `{}` | Annotations to add to the `Service` | +| `gitlab.gitlab-shell.service.internalPort` | `2222` | Shell internal port | +| `gitlab.gitlab-shell.service.name` | `gitlab-shell` | Shell service name | +| `gitlab.gitlab-shell.service.type` | `ClusterIP` | Shell service type | +| `gitlab.gitlab-shell.webservice.serviceName` | inherited from `global.webservice.serviceName` | Webservice service 
name | +| `gitlab.mailroom.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.mailroom.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.migrations.bootsnap.enabled` | `true` | Migrations Bootsnap enable flag | +| `gitlab.migrations.enabled` | `true` | Migrations enable flag | +| `gitlab.migrations.image.pullPolicy` | | Migrations pull policy | +| `gitlab.migrations.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | Migrations image repository | +| `gitlab.migrations.image.tag` | `master` | Migrations image tag | +| `gitlab.migrations.psql.password.key` | `psql-password` | key to psql password in psql secret | +| `gitlab.migrations.psql.password.secret` | `gitlab-postgres` | psql secret | +| `gitlab.migrations.psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | +| `gitlab.migrations.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.migrations.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.sidekiq.concurrency` | `20` | Sidekiq default concurrency | +| `gitlab.sidekiq.enabled` | `true` | Sidekiq enabled flag | +| `gitlab.sidekiq.gitaly.authToken.key` | `token` | key to Gitaly token in Gitaly secret | +| `gitlab.sidekiq.gitaly.authToken.secret` | `{.Release.Name}-gitaly-secret` | Gitaly secret | +| `gitlab.sidekiq.gitaly.serviceName` | `gitaly` | Gitaly service name | +| `gitlab.sidekiq.image.pullPolicy` | | Sidekiq image pull policy | +| `gitlab.sidekiq.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee` | Sidekiq image repository | +| `gitlab.sidekiq.image.tag` | `master` | Sidekiq image tag | +| `gitlab.sidekiq.psql.password.key` | `psql-password` | key to psql password in psql secret | +| `gitlab.sidekiq.psql.password.secret` | `gitlab-postgres` | psql password secret | +| 
`gitlab.sidekiq.psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | +| `gitlab.sidekiq.replicas` | `1` | Sidekiq replicas | +| `gitlab.sidekiq.resources.requests.cpu` | `100m` | Sidekiq minimum needed CPU | +| `gitlab.sidekiq.resources.requests.memory` | `600M` | Sidekiq minimum needed memory | +| `gitlab.sidekiq.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.sidekiq.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.sidekiq.timeout` | `5` | Sidekiq job timeout | +| `gitlab.toolbox.annotations` | `{}` | Annotations to add to the toolbox | +| `gitlab.toolbox.backups.cron.enabled` | `false` | Backup CronJob enabled flag | +| `gitlab.toolbox.backups.cron.extraArgs` | | String of arguments to pass to the backup utility | +| `gitlab.toolbox.backups.cron.persistence.accessMode` | `ReadWriteOnce` | Backup cron persistence access mode | +| `gitlab.toolbox.backups.cron.persistence.enabled` | `false` | Backup cron enable persistence flag | +| `gitlab.toolbox.backups.cron.persistence.matchExpressions` | | Label-expression matches to bind | +| `gitlab.toolbox.backups.cron.persistence.matchLabels` | | Label-value matches to bind | +| `gitlab.toolbox.backups.cron.persistence.size` | `10Gi` | Backup cron persistence volume size | +| `gitlab.toolbox.backups.cron.persistence.storageClass` | | storageClassName for provisioning | +| `gitlab.toolbox.backups.cron.persistence.subPath` | | Backup cron persistence volume mount path | +| `gitlab.toolbox.backups.cron.persistence.volumeName` | | Existing persistent volume name | +| `gitlab.toolbox.backups.cron.resources.requests.cpu` | `50m` | Backup cron minimum needed CPU | +| `gitlab.toolbox.backups.cron.resources.requests.memory` | `350M` | Backup cron minimum needed memory | +| `gitlab.toolbox.backups.cron.schedule` | `0 1 * * *` | Cron style schedule string | +| `gitlab.toolbox.backups.objectStorage.backend` 
| `s3` | Object storage provider to use (`s3`, `gcs`, or `azure`) | +| `gitlab.toolbox.backups.objectStorage.config.gcpProject` | `""` | GCP Project to use when backend is `gcs` | +| `gitlab.toolbox.backups.objectStorage.config.key` | `""` | key containing credentials in secret | +| `gitlab.toolbox.backups.objectStorage.config.secret` | `""` | Object storage credentials secret | +| `gitlab.toolbox.backups.objectStorage.config` | `{}` | Authentication information for object storage | +| `gitlab.toolbox.bootsnap.enabled` | `true` | Enable Bootsnap cache in Toolbox | +| `gitlab.toolbox.enabled` | `true` | Toolbox enabled flag | +| `gitlab.toolbox.image.pullPolicy` | `IfNotPresent` | Toolbox image pull policy | +| `gitlab.toolbox.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | Toolbox image repository | +| `gitlab.toolbox.image.tag` | `master` | Toolbox image tag | +| `gitlab.toolbox.init.image.repository` | | Toolbox init image repository | +| `gitlab.toolbox.init.image.tag` | | Toolbox init image tag | +| `gitlab.toolbox.init.resources.requests.cpu` | `50m` | Toolbox init minimum needed CPU | +| `gitlab.toolbox.persistence.accessMode` | `ReadWriteOnce` | Toolbox persistence access mode | +| `gitlab.toolbox.persistence.enabled` | `false` | Toolbox enable persistence flag | +| `gitlab.toolbox.persistence.matchExpressions` | | Label-expression matches to bind | +| `gitlab.toolbox.persistence.matchLabels` | | Label-value matches to bind | +| `gitlab.toolbox.persistence.size` | `10Gi` | Toolbox persistence volume size | +| `gitlab.toolbox.persistence.storageClass` | | storageClassName for provisioning | +| `gitlab.toolbox.persistence.subPath` | | Toolbox persistence volume mount path | +| `gitlab.toolbox.persistence.volumeName` | | Existing persistent volume name | +| `gitlab.toolbox.psql.port` | | Set PostgreSQL server port. 
Takes precedence over `global.psql.port` | +| `gitlab.toolbox.resources.requests.cpu` | `50m` | Toolbox minimum needed CPU | +| `gitlab.toolbox.resources.requests.memory` | `350M` | Toolbox minimum needed memory | +| `gitlab.toolbox.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.toolbox.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.webservice.enabled` | `true` | webservice enabled flag | +| `gitlab.webservice.gitaly.authToken.key` | `token` | Key to Gitaly token in Gitaly secret | +| `gitlab.webservice.gitaly.authToken.secret` | `{.Release.Name}-gitaly-secret` | Gitaly secret name | +| `gitlab.webservice.gitaly.serviceName` | `gitaly` | Gitaly service name | +| `gitlab.webservice.image.pullPolicy` | | webservice image pull policy | +| `gitlab.webservice.image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee` | webservice image repository | +| `gitlab.webservice.image.tag` | `master` | webservice image tag | +| `gitlab.webservice.psql.password.key` | `psql-password` | Key to psql password in psql secret | +| `gitlab.webservice.psql.password.secret` | `gitlab-postgres` | psql secret name | +| `gitlab.webservice.psql.port` | | Set PostgreSQL server port. Takes precedence over `global.psql.port` | +| `global.registry.enabled` | `true` | Enable registry. 
Mirrors `registry.enabled` | +| `global.registry.api.port` | `5000` | Registry port | +| `global.registry.api.protocol` | `http` | Registry protocol | +| `global.registry.api.serviceName` | `registry` | Registry service name | +| `global.registry.tokenIssuer` | `gitlab-issuer` | Registry token issuer | +| `gitlab.webservice.replicaCount` | `1` | webservice number of replicas | +| `gitlab.webservice.resources.requests.cpu` | `200m` | webservice minimum CPU | +| `gitlab.webservice.resources.requests.memory` | `1.4G` | webservice minimum memory | +| `gitlab.webservice.securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `gitlab.webservice.securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `gitlab.webservice.service.annotations` | `{}` | Annotations to add to the `Service` | +| `gitlab.webservice.http.enabled` | `true` | webservice HTTP enabled | +| `gitlab.webservice.service.externalPort` | `8080` | webservice exposed port | +| `gitlab.webservice.service.internalPort` | `8080` | webservice internal port | +| `gitlab.webservice.tls.enabled` | `false` | webservice TLS enabled | +| `gitlab.webservice.tls.secretName` | `{Release.Name}-webservice-tls` | webservice secret name of TLS key | +| `gitlab.webservice.service.tls.externalPort` | `8081` | webservice TLS exposed port | +| `gitlab.webservice.service.tls.internalPort` | `8081` | webservice TLS internal port | +| `gitlab.webservice.service.type` | `ClusterIP` | webservice service type | +| `gitlab.webservice.service.workhorseExternalPort` | `8181` | Workhorse exposed port | +| `gitlab.webservice.service.workhorseInternalPort` | `8181` | Workhorse internal port | +| `gitlab.webservice.shell.authToken.key` | `secret` | Key to shell token in shell secret | +| `gitlab.webservice.shell.authToken.secret` | `{Release.Name}-gitlab-shell-secret` | Shell token secret | +| `gitlab.webservice.workerProcesses` | `2` | webservice number of workers | +| 
`gitlab.webservice.workerTimeout` | `60` | webservice worker timeout | +| `gitlab.webservice.workhorse.extraArgs` | `""` | String of extra parameters for workhorse | +| `gitlab.webservice.workhorse.image` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee` | Workhorse image repository | +| `gitlab.webservice.workhorse.sentryDSN` | `""` | DSN for Sentry instance for error reporting | +| `gitlab.webservice.workhorse.tag` | | Workhorse image tag | ## External charts diff --git a/doc/installation/storage.md b/doc/installation/storage.md index 195df8acbd..77c9cc6959 100644 --- a/doc/installation/storage.md +++ b/doc/installation/storage.md @@ -21,7 +21,7 @@ The following applications within the GitLab chart require persistent storage to The administrator may choose to provision this storage using [dynamic](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#dynamic) or [static](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#static) volume provisioning. -> **Important:** Minimize extra storage migration tasks after installation through pre-planning. Changes made +> **Important**: Minimize extra storage migration tasks after installation through pre-planning. Changes made > after the first deployment require manual edits to existing Kubernetes objects prior to running `helm upgrade`. ## Typical Installation Behavior diff --git a/doc/installation/version_mappings.md b/doc/installation/version_mappings.md index 3fa79bd22c..72bdd80db2 100644 --- a/doc/installation/version_mappings.md +++ b/doc/installation/version_mappings.md 
@@ -36,327 +36,327 @@ The table below maps some of the key previous supported chart versions and suppo | Chart version | GitLab version | |---------------|----------------| -| 9.0.1 | 18.0.1 | -| 9.0.0 | 18.0.0 | -| 8.11.3 | 17.11.3 | -| 8.11.2 | 17.11.2 | -| 8.11.1 | 17.11.1 | -| 8.11.0 | 17.11.0 | -| 8.10.7 | 17.10.7 | -| 8.10.6 | 17.10.6 | -| 8.10.5 | 17.10.5 | -| 8.10.4 | 17.10.4 | -| 8.10.3 | 17.10.3 | -| 8.10.2 | 17.10.2 | -| 8.10.1 | 17.10.1 | -| 8.10.0 | 17.10.0 | -| 8.9.8 | 17.9.8 | -| 8.9.7 | 17.9.7 | -| 8.9.6 | 17.9.6 | -| 8.9.5 | 17.9.5 | -| 8.9.4 | 17.9.4 | -| 8.9.3 | 17.9.3 | -| 8.9.2 | 17.9.2 | -| 8.9.1 | 17.9.1 | -| 8.9.0 | 17.9.0 | -| 8.8.7 | 17.8.7 | -| 8.8.6 | 17.8.6 | -| 8.8.5 | 17.8.5 | -| 8.8.4 | 17.8.4 | -| 8.8.3 | 17.8.3 | -| 8.8.2 | 17.8.2 | -| 8.8.1 | 17.8.1 | -| 8.8.0 | 17.8.0 | -| 8.7.9 | 17.7.7 | -| 8.7.8 | 17.7.6 | -| 8.7.7 | 17.7.5 | -| 8.7.6 | 17.7.4 | -| 8.7.5 | 17.7.3 | -| 8.7.4 | 17.7.2 | -| 8.7.3 | 17.7.1 | -| 8.7.2 | 17.7.0 | -| 8.7.0 | 17.7.0 | -| 8.6.5 | 17.6.5 | -| 8.6.4 | 17.6.4 | -| 8.6.3 | 17.6.3 | -| 8.6.2 | 17.6.2 | -| 8.6.1 | 17.6.1 | -| 8.6.0 | 17.6.0 | -| 8.5.5 | 17.5.5 | -| 8.5.4 | 17.5.4 | -| 8.5.3 | 17.5.3 | -| 8.5.2 | 17.5.2 | -| 8.5.1 | 17.5.1 | -| 8.5.0 | 17.5.0 | -| 8.4.6 | 17.4.6 | -| 8.4.5 | 17.4.5 | -| 8.4.4 | 17.4.4 | -| 8.4.3 | 17.4.3 | -| 8.4.2 | 17.4.2 | -| 8.4.1 | 17.4.1 | -| 8.4.0 | 17.4.0 | -| 8.3.7 | 17.3.7 | -| 8.3.6 | 17.3.6 | -| 8.3.5 | 17.3.5 | -| 8.3.4 | 17.3.4 | -| 8.3.3 | 17.3.3 | -| 8.3.2 | 17.3.2 | -| 8.3.1 | 17.3.1 | -| 8.3.0 | 17.3.0 | -| 8.2.9 | 17.2.9 | -| 8.2.8 | 17.2.8 | -| 8.2.7 | 17.2.7 | -| 8.2.6 | 17.2.6 | -| 8.2.5 | 17.2.5 | -| 8.2.4 | 17.2.4 | -| 8.2.3 | 17.2.3 | -| 8.2.2 | 17.2.2 | -| 8.2.1 | 17.2.1 | -| 8.2.0 | 17.2.0 | -| 8.1.8 | 17.1.8 | -| 8.1.7 | 17.1.7 | -| 8.1.6 | 17.1.6 | -| 8.1.5 | 17.1.5 | -| 8.1.4 | 17.1.4 | -| 8.1.3 | 17.1.3 | -| 8.1.2 | 17.1.2 | -| 8.1.1 | 17.1.1 | -| 8.1.0 | 17.1.0 | -| 8.0.8 | 17.0.8 | -| 8.0.7 | 17.0.7 | -| 8.0.6 | 17.0.6 | -| 8.0.5 | 17.0.5 | -| 
8.0.4 | 17.0.4 | -| 8.0.3 | 17.0.3 | -| 8.0.2 | 17.0.2 | -| 8.0.1 | 17.0.1 | -| 8.0.0 | 17.0.0 | -| 7.11.10 | 16.11.10 | -| 7.11.9 | 16.11.9 | -| 7.11.8 | 16.11.8 | -| 7.11.7 | 16.11.7 | -| 7.11.6 | 16.11.6 | -| 7.11.5 | 16.11.5 | -| 7.11.4 | 16.11.4 | -| 7.11.3 | 16.11.3 | -| 7.11.2 | 16.11.2 | -| 7.11.1 | 16.11.1 | -| 7.11.0 | 16.11.0 | -| 7.10.10 | 16.10.10 | -| 7.10.9 | 16.10.9 | -| 7.10.8 | 16.10.8 | -| 7.10.7 | 16.10.7 | -| 7.10.6 | 16.10.6 | -| 7.10.5 | 16.10.5 | -| 7.10.4 | 16.10.4 | -| 7.10.3 | 16.10.3 | -| 7.10.2 | 16.10.2 | -| 7.10.1 | 16.10.1 | -| 7.10.0 | 16.10.0 | -| 7.9.11 | 16.9.11 | -| 7.9.10 | 16.9.10 | -| 7.9.9 | 16.9.9 | -| 7.9.8 | 16.9.8 | -| 7.9.7 | 16.9.7 | -| 7.9.6 | 16.9.6 | -| 7.9.5 | 16.9.5 | -| 7.9.4 | 16.9.4 | -| 7.9.3 | 16.9.3 | -| 7.9.2 | 16.9.2 | -| 7.9.1 | 16.9.1 | -| 7.9.0 | 16.9.0 | -| 7.8.10 | 16.8.10 | -| 7.8.9 | 16.8.9 | -| 7.8.8 | 16.8.8 | -| 7.8.7 | 16.8.7 | -| 7.8.6 | 16.8.6 | -| 7.8.5 | 16.8.5 | -| 7.8.4 | 16.8.4 | -| 7.8.3 | 16.8.3 | -| 7.8.2 | 16.8.2 | -| 7.8.1 | 16.8.1 | -| 7.8.0 | 16.8.0 | -| 7.7.10 | 16.7.10 | -| 7.7.9 | 16.7.9 | -| 7.7.8 | 16.7.8 | -| 7.7.7 | 16.7.7 | -| 7.7.6 | 16.7.6 | -| 7.7.5 | 16.7.5 | -| 7.7.4 | 16.7.4 | -| 7.7.3 | 16.7.3 | -| 7.7.2 | 16.7.2 | -| 7.7.1 | 16.7.1 | -| 7.7.0 | 16.7.0 | -| 7.6.10 | 16.6.10 | -| 7.6.9 | 16.6.9 | -| 7.6.8 | 16.6.8 | -| 7.6.7 | 16.6.7 | -| 7.6.6 | 16.6.6 | -| 7.6.5 | 16.6.5 | -| 7.6.4 | 16.6.4 | -| 7.6.3 | 16.6.3 | -| 7.6.2 | 16.6.2 | -| 7.6.1 | 16.6.1 | -| 7.6.0 | 16.6.0 | -| 7.5.10 | 16.5.10 | -| 7.5.9 | 16.5.9 | -| 7.5.8 | 16.5.8 | -| 7.5.7 | 16.5.7 | -| 7.5.6 | 16.5.6 | -| 7.5.5 | 16.5.5 | -| 7.5.4 | 16.5.4 | -| 7.5.3 | 16.5.3 | -| 7.5.2 | 16.5.2 | -| 7.5.1 | 16.5.1 | -| 7.5.0 | 16.5.0 | -| 7.4.7 | 16.4.7 | -| 7.4.6 | 16.4.6 | -| 7.4.5 | 16.4.5 | -| 7.4.4 | 16.4.4 | -| 7.4.3 | 16.4.3 | -| 7.4.2 | 16.4.2 | -| 7.4.1 | 16.4.1 | -| 7.4.0 | 16.4.0 | -| 7.3.9 | 16.3.9 | -| 7.3.8 | 16.3.8 | -| 7.3.7 | 16.3.7 | -| 7.3.6 | 16.3.6 | -| 7.3.5 | 16.3.5 | -| 7.3.4 | 16.3.4 | -| 
7.3.3 | 16.3.3 | -| 7.3.2 | 16.3.2 | -| 7.3.1 | 16.3.1 | -| 7.3.0 | 16.3.0 | -| 7.2.11 | 16.2.11 | -| 7.2.10 | 16.2.10 | -| 7.2.9 | 16.2.9 | -| 7.2.8 | 16.2.8 | -| 7.2.7 | 16.2.7 | -| 7.2.6 | 16.2.6 | -| 7.2.5 | 16.2.5 | -| 7.2.4 | 16.2.4 | -| 7.2.3 | 16.2.3 | -| 7.2.2 | 16.2.2 | -| 7.2.1 | 16.2.1 | -| 7.2.0 | 16.2.0 | -| 7.1.8 | 16.1.8 | -| 7.1.7 | 16.1.7 | -| 7.1.6 | 16.1.6 | -| 7.1.5 | 16.1.5 | -| 7.1.4 | 16.1.4 | -| 7.1.3 | 16.1.3 | -| 7.1.2 | 16.1.2 | -| 7.1.1 | 16.1.1 | -| 7.1.0 | 16.1.0 | -| 7.0.10 | 16.0.10 | -| 7.0.9 | 16.0.9 | -| 7.0.8 | 16.0.8 | -| 7.0.7 | 16.0.7 | -| 7.0.6 | 16.0.6 | -| 7.0.5 | 16.0.5 | -| 7.0.4 | 16.0.4 | -| 7.0.3 | 16.0.3 | -| 7.0.2 | 16.0.2 | -| 7.0.1 | 16.0.1 | -| 7.0.0 | 16.0.0 | -| 6.11.13 | 15.11.13 | -| 6.11.12 | 15.11.12 | -| 6.11.11 | 15.11.11 | -| 6.11.10 | 15.11.10 | -| 6.11.9 | 15.11.9 | -| 6.11.8 | 15.11.8 | -| 6.11.7 | 15.11.7 | -| 6.11.6 | 15.11.6 | -| 6.11.5 | 15.11.5 | -| 6.11.4 | 15.11.4 | -| 6.11.3 | 15.11.3 | -| 6.11.2 | 15.11.2 | -| 6.11.1 | 15.11.1 | -| 6.11.0 | 15.11.0 | -| 6.10.8 | 15.10.8 | -| 6.10.7 | 15.10.7 | -| 6.10.6 | 15.10.6 | -| 6.10.5 | 15.10.5 | -| 6.10.4 | 15.10.4 | -| 6.10.3 | 15.10.3 | -| 6.10.2 | 15.10.2 | -| 6.10.1 | 15.10.1 | -| 6.10.0 | 15.10.0 | -| 6.9.8 | 15.9.8 | -| 6.9.7 | 15.9.7 | -| 6.9.6 | 15.9.6 | -| 6.9.5 | 15.9.5 | -| 6.9.4 | 15.9.4 | -| 6.9.3 | 15.9.3 | -| 6.9.2 | 15.9.2 | -| 6.9.1 | 15.9.1 | -| 6.9.0 | 15.9.0 | -| 6.8.6 | 15.8.6 | -| 6.8.5 | 15.8.5 | -| 6.8.4 | 15.8.4 | -| 6.8.3 | 15.8.3 | -| 6.8.2 | 15.8.2 | -| 6.8.1 | 15.8.1 | -| 6.8.0 | 15.8.0 | -| 6.7.9 | 15.7.9 | -| 6.7.8 | 15.7.8 | -| 6.7.7 | 15.7.7 | -| 6.7.6 | 15.7.6 | -| 6.7.5 | 15.7.5 | -| 6.7.3 | 15.7.3 | -| 6.7.2 | 15.7.2 | -| 6.7.1 | 15.7.1 | -| 6.7.0 | 15.7.0 | -| 6.6.8 | 15.6.8 | -| 6.6.7 | 15.6.7 | -| 6.6.6 | 15.6.6 | -| 6.6.4 | 15.6.4 | -| 6.6.3 | 15.6.3 | -| 6.6.2 | 15.6.2 | -| 6.6.1 | 15.6.1 | -| 6.6.0 | 15.6.0 | -| 6.5.9 | 15.5.9 | -| 6.5.8 | 15.5.7 | -| 6.5.7 | 15.5.6 | -| 6.5.6 | 15.5.5 | -| 6.5.5 | 15.5.4 | -| 
6.5.4 | 15.5.3 | -| 6.5.3 | 15.5.3 | -| 6.5.2 | 15.5.2 | -| 6.5.1 | 15.5.1 | -| 6.5.0 | 15.5.0 | -| 6.4.6 | 15.4.6 | -| 6.4.5 | 15.4.5 | -| 6.4.4 | 15.4.4 | -| 6.4.3 | 15.4.3 | -| 6.4.2 | 15.4.2 | -| 6.4.1 | 15.4.1 | -| 6.4.0 | 15.4.0 | -| 6.3.5 | 15.3.5 | -| 6.3.4 | 15.3.4 | -| 6.3.3 | 15.3.3 | -| 6.3.2 | 15.3.2 | -| 6.3.1 | 15.3.1 | -| 6.3.0 | 15.3.0 | -| 6.2.5 | 15.2.5 | -| 6.2.4 | 15.2.4 | -| 6.2.3 | 15.2.3 | -| 6.2.2 | 15.2.2 | -| 6.2.1 | 15.2.1 | -| 6.2.0 | 15.2.0 | -| 6.1.6 | 15.1.6 | -| 6.1.5 | 15.1.5 | -| 6.1.4 | 15.1.4 | -| 6.1.3 | 15.1.3 | -| 6.1.2 | 15.1.2 | -| 6.1.1 | 15.1.1 | -| 6.1.0 | 15.1.0 | -| 6.0.5 | 15.0.5 | -| 6.0.4 | 15.0.4 | -| 6.0.3 | 15.0.3 | -| 6.0.2 | 15.0.2 | -| 6.0.1 | 15.0.1 | -| 6.0.0 | 15.0.0 | +| 9.0.1 | 18.0.1 | +| 9.0.0 | 18.0.0 | +| 8.11.3 | 17.11.3 | +| 8.11.2 | 17.11.2 | +| 8.11.1 | 17.11.1 | +| 8.11.0 | 17.11.0 | +| 8.10.7 | 17.10.7 | +| 8.10.6 | 17.10.6 | +| 8.10.5 | 17.10.5 | +| 8.10.4 | 17.10.4 | +| 8.10.3 | 17.10.3 | +| 8.10.2 | 17.10.2 | +| 8.10.1 | 17.10.1 | +| 8.10.0 | 17.10.0 | +| 8.9.8 | 17.9.8 | +| 8.9.7 | 17.9.7 | +| 8.9.6 | 17.9.6 | +| 8.9.5 | 17.9.5 | +| 8.9.4 | 17.9.4 | +| 8.9.3 | 17.9.3 | +| 8.9.2 | 17.9.2 | +| 8.9.1 | 17.9.1 | +| 8.9.0 | 17.9.0 | +| 8.8.7 | 17.8.7 | +| 8.8.6 | 17.8.6 | +| 8.8.5 | 17.8.5 | +| 8.8.4 | 17.8.4 | +| 8.8.3 | 17.8.3 | +| 8.8.2 | 17.8.2 | +| 8.8.1 | 17.8.1 | +| 8.8.0 | 17.8.0 | +| 8.7.9 | 17.7.7 | +| 8.7.8 | 17.7.6 | +| 8.7.7 | 17.7.5 | +| 8.7.6 | 17.7.4 | +| 8.7.5 | 17.7.3 | +| 8.7.4 | 17.7.2 | +| 8.7.3 | 17.7.1 | +| 8.7.2 | 17.7.0 | +| 8.7.0 | 17.7.0 | +| 8.6.5 | 17.6.5 | +| 8.6.4 | 17.6.4 | +| 8.6.3 | 17.6.3 | +| 8.6.2 | 17.6.2 | +| 8.6.1 | 17.6.1 | +| 8.6.0 | 17.6.0 | +| 8.5.5 | 17.5.5 | +| 8.5.4 | 17.5.4 | +| 8.5.3 | 17.5.3 | +| 8.5.2 | 17.5.2 | +| 8.5.1 | 17.5.1 | +| 8.5.0 | 17.5.0 | +| 8.4.6 | 17.4.6 | +| 8.4.5 | 17.4.5 | +| 8.4.4 | 17.4.4 | +| 8.4.3 | 17.4.3 | +| 8.4.2 | 17.4.2 | +| 8.4.1 | 17.4.1 | +| 8.4.0 | 17.4.0 | +| 8.3.7 | 17.3.7 | +| 8.3.6 | 17.3.6 | +| 8.3.5 | 17.3.5 
| +| 8.3.4 | 17.3.4 | +| 8.3.3 | 17.3.3 | +| 8.3.2 | 17.3.2 | +| 8.3.1 | 17.3.1 | +| 8.3.0 | 17.3.0 | +| 8.2.9 | 17.2.9 | +| 8.2.8 | 17.2.8 | +| 8.2.7 | 17.2.7 | +| 8.2.6 | 17.2.6 | +| 8.2.5 | 17.2.5 | +| 8.2.4 | 17.2.4 | +| 8.2.3 | 17.2.3 | +| 8.2.2 | 17.2.2 | +| 8.2.1 | 17.2.1 | +| 8.2.0 | 17.2.0 | +| 8.1.8 | 17.1.8 | +| 8.1.7 | 17.1.7 | +| 8.1.6 | 17.1.6 | +| 8.1.5 | 17.1.5 | +| 8.1.4 | 17.1.4 | +| 8.1.3 | 17.1.3 | +| 8.1.2 | 17.1.2 | +| 8.1.1 | 17.1.1 | +| 8.1.0 | 17.1.0 | +| 8.0.8 | 17.0.8 | +| 8.0.7 | 17.0.7 | +| 8.0.6 | 17.0.6 | +| 8.0.5 | 17.0.5 | +| 8.0.4 | 17.0.4 | +| 8.0.3 | 17.0.3 | +| 8.0.2 | 17.0.2 | +| 8.0.1 | 17.0.1 | +| 8.0.0 | 17.0.0 | +| 7.11.10 | 16.11.10 | +| 7.11.9 | 16.11.9 | +| 7.11.8 | 16.11.8 | +| 7.11.7 | 16.11.7 | +| 7.11.6 | 16.11.6 | +| 7.11.5 | 16.11.5 | +| 7.11.4 | 16.11.4 | +| 7.11.3 | 16.11.3 | +| 7.11.2 | 16.11.2 | +| 7.11.1 | 16.11.1 | +| 7.11.0 | 16.11.0 | +| 7.10.10 | 16.10.10 | +| 7.10.9 | 16.10.9 | +| 7.10.8 | 16.10.8 | +| 7.10.7 | 16.10.7 | +| 7.10.6 | 16.10.6 | +| 7.10.5 | 16.10.5 | +| 7.10.4 | 16.10.4 | +| 7.10.3 | 16.10.3 | +| 7.10.2 | 16.10.2 | +| 7.10.1 | 16.10.1 | +| 7.10.0 | 16.10.0 | +| 7.9.11 | 16.9.11 | +| 7.9.10 | 16.9.10 | +| 7.9.9 | 16.9.9 | +| 7.9.8 | 16.9.8 | +| 7.9.7 | 16.9.7 | +| 7.9.6 | 16.9.6 | +| 7.9.5 | 16.9.5 | +| 7.9.4 | 16.9.4 | +| 7.9.3 | 16.9.3 | +| 7.9.2 | 16.9.2 | +| 7.9.1 | 16.9.1 | +| 7.9.0 | 16.9.0 | +| 7.8.10 | 16.8.10 | +| 7.8.9 | 16.8.9 | +| 7.8.8 | 16.8.8 | +| 7.8.7 | 16.8.7 | +| 7.8.6 | 16.8.6 | +| 7.8.5 | 16.8.5 | +| 7.8.4 | 16.8.4 | +| 7.8.3 | 16.8.3 | +| 7.8.2 | 16.8.2 | +| 7.8.1 | 16.8.1 | +| 7.8.0 | 16.8.0 | +| 7.7.10 | 16.7.10 | +| 7.7.9 | 16.7.9 | +| 7.7.8 | 16.7.8 | +| 7.7.7 | 16.7.7 | +| 7.7.6 | 16.7.6 | +| 7.7.5 | 16.7.5 | +| 7.7.4 | 16.7.4 | +| 7.7.3 | 16.7.3 | +| 7.7.2 | 16.7.2 | +| 7.7.1 | 16.7.1 | +| 7.7.0 | 16.7.0 | +| 7.6.10 | 16.6.10 | +| 7.6.9 | 16.6.9 | +| 7.6.8 | 16.6.8 | +| 7.6.7 | 16.6.7 | +| 7.6.6 | 16.6.6 | +| 7.6.5 | 16.6.5 | +| 7.6.4 | 16.6.4 | +| 7.6.3 | 16.6.3 | 
+| 7.6.2 | 16.6.2 | +| 7.6.1 | 16.6.1 | +| 7.6.0 | 16.6.0 | +| 7.5.10 | 16.5.10 | +| 7.5.9 | 16.5.9 | +| 7.5.8 | 16.5.8 | +| 7.5.7 | 16.5.7 | +| 7.5.6 | 16.5.6 | +| 7.5.5 | 16.5.5 | +| 7.5.4 | 16.5.4 | +| 7.5.3 | 16.5.3 | +| 7.5.2 | 16.5.2 | +| 7.5.1 | 16.5.1 | +| 7.5.0 | 16.5.0 | +| 7.4.7 | 16.4.7 | +| 7.4.6 | 16.4.6 | +| 7.4.5 | 16.4.5 | +| 7.4.4 | 16.4.4 | +| 7.4.3 | 16.4.3 | +| 7.4.2 | 16.4.2 | +| 7.4.1 | 16.4.1 | +| 7.4.0 | 16.4.0 | +| 7.3.9 | 16.3.9 | +| 7.3.8 | 16.3.8 | +| 7.3.7 | 16.3.7 | +| 7.3.6 | 16.3.6 | +| 7.3.5 | 16.3.5 | +| 7.3.4 | 16.3.4 | +| 7.3.3 | 16.3.3 | +| 7.3.2 | 16.3.2 | +| 7.3.1 | 16.3.1 | +| 7.3.0 | 16.3.0 | +| 7.2.11 | 16.2.11 | +| 7.2.10 | 16.2.10 | +| 7.2.9 | 16.2.9 | +| 7.2.8 | 16.2.8 | +| 7.2.7 | 16.2.7 | +| 7.2.6 | 16.2.6 | +| 7.2.5 | 16.2.5 | +| 7.2.4 | 16.2.4 | +| 7.2.3 | 16.2.3 | +| 7.2.2 | 16.2.2 | +| 7.2.1 | 16.2.1 | +| 7.2.0 | 16.2.0 | +| 7.1.8 | 16.1.8 | +| 7.1.7 | 16.1.7 | +| 7.1.6 | 16.1.6 | +| 7.1.5 | 16.1.5 | +| 7.1.4 | 16.1.4 | +| 7.1.3 | 16.1.3 | +| 7.1.2 | 16.1.2 | +| 7.1.1 | 16.1.1 | +| 7.1.0 | 16.1.0 | +| 7.0.10 | 16.0.10 | +| 7.0.9 | 16.0.9 | +| 7.0.8 | 16.0.8 | +| 7.0.7 | 16.0.7 | +| 7.0.6 | 16.0.6 | +| 7.0.5 | 16.0.5 | +| 7.0.4 | 16.0.4 | +| 7.0.3 | 16.0.3 | +| 7.0.2 | 16.0.2 | +| 7.0.1 | 16.0.1 | +| 7.0.0 | 16.0.0 | +| 6.11.13 | 15.11.13 | +| 6.11.12 | 15.11.12 | +| 6.11.11 | 15.11.11 | +| 6.11.10 | 15.11.10 | +| 6.11.9 | 15.11.9 | +| 6.11.8 | 15.11.8 | +| 6.11.7 | 15.11.7 | +| 6.11.6 | 15.11.6 | +| 6.11.5 | 15.11.5 | +| 6.11.4 | 15.11.4 | +| 6.11.3 | 15.11.3 | +| 6.11.2 | 15.11.2 | +| 6.11.1 | 15.11.1 | +| 6.11.0 | 15.11.0 | +| 6.10.8 | 15.10.8 | +| 6.10.7 | 15.10.7 | +| 6.10.6 | 15.10.6 | +| 6.10.5 | 15.10.5 | +| 6.10.4 | 15.10.4 | +| 6.10.3 | 15.10.3 | +| 6.10.2 | 15.10.2 | +| 6.10.1 | 15.10.1 | +| 6.10.0 | 15.10.0 | +| 6.9.8 | 15.9.8 | +| 6.9.7 | 15.9.7 | +| 6.9.6 | 15.9.6 | +| 6.9.5 | 15.9.5 | +| 6.9.4 | 15.9.4 | +| 6.9.3 | 15.9.3 | +| 6.9.2 | 15.9.2 | +| 6.9.1 | 15.9.1 | +| 6.9.0 | 15.9.0 | +| 6.8.6 | 15.8.6 
| +| 6.8.5 | 15.8.5 | +| 6.8.4 | 15.8.4 | +| 6.8.3 | 15.8.3 | +| 6.8.2 | 15.8.2 | +| 6.8.1 | 15.8.1 | +| 6.8.0 | 15.8.0 | +| 6.7.9 | 15.7.9 | +| 6.7.8 | 15.7.8 | +| 6.7.7 | 15.7.7 | +| 6.7.6 | 15.7.6 | +| 6.7.5 | 15.7.5 | +| 6.7.3 | 15.7.3 | +| 6.7.2 | 15.7.2 | +| 6.7.1 | 15.7.1 | +| 6.7.0 | 15.7.0 | +| 6.6.8 | 15.6.8 | +| 6.6.7 | 15.6.7 | +| 6.6.6 | 15.6.6 | +| 6.6.4 | 15.6.4 | +| 6.6.3 | 15.6.3 | +| 6.6.2 | 15.6.2 | +| 6.6.1 | 15.6.1 | +| 6.6.0 | 15.6.0 | +| 6.5.9 | 15.5.9 | +| 6.5.8 | 15.5.7 | +| 6.5.7 | 15.5.6 | +| 6.5.6 | 15.5.5 | +| 6.5.5 | 15.5.4 | +| 6.5.4 | 15.5.3 | +| 6.5.3 | 15.5.3 | +| 6.5.2 | 15.5.2 | +| 6.5.1 | 15.5.1 | +| 6.5.0 | 15.5.0 | +| 6.4.6 | 15.4.6 | +| 6.4.5 | 15.4.5 | +| 6.4.4 | 15.4.4 | +| 6.4.3 | 15.4.3 | +| 6.4.2 | 15.4.2 | +| 6.4.1 | 15.4.1 | +| 6.4.0 | 15.4.0 | +| 6.3.5 | 15.3.5 | +| 6.3.4 | 15.3.4 | +| 6.3.3 | 15.3.3 | +| 6.3.2 | 15.3.2 | +| 6.3.1 | 15.3.1 | +| 6.3.0 | 15.3.0 | +| 6.2.5 | 15.2.5 | +| 6.2.4 | 15.2.4 | +| 6.2.3 | 15.2.3 | +| 6.2.2 | 15.2.2 | +| 6.2.1 | 15.2.1 | +| 6.2.0 | 15.2.0 | +| 6.1.6 | 15.1.6 | +| 6.1.5 | 15.1.5 | +| 6.1.4 | 15.1.4 | +| 6.1.3 | 15.1.3 | +| 6.1.2 | 15.1.2 | +| 6.1.1 | 15.1.1 | +| 6.1.0 | 15.1.0 | +| 6.0.5 | 15.0.5 | +| 6.0.4 | 15.0.4 | +| 6.0.3 | 15.0.3 | +| 6.0.2 | 15.0.2 | +| 6.0.1 | 15.0.1 | +| 6.0.0 | 15.0.0 | To see the full list, you can issue the following command with Helm: diff --git a/doc/releases/9_0.md b/doc/releases/9_0.md index df36293c58..2280bbfcad 100644 --- a/doc/releases/9_0.md +++ b/doc/releases/9_0.md 
@@ -26,7 +26,7 @@ which validates the structure of the chart's values. If you are currently setting the `certmanager.install` value, please migrate to `installCertmanager`. While you can start using this new parameter from version 9.0 and later, continuing to use the old parameter will cause upgrade checks to fail when upgrading to -version 9.3. +version 9.3. If you use the bundled cert-manager, please review the cert-manager release notes for additional important changes: -- GitLab
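Review bot: the `gitlab.webservice.*` rows in the doc/installation/command-line-options.md table spell the release-name placeholder two different ways: `{.Release.Name}-gitaly-secret` for `gitlab.webservice.gitaly.authToken.secret`, but `{Release.Name}-webservice-tls` and `{Release.Name}-gitlab-shell-secret` for `gitlab.webservice.tls.secretName` and `gitlab.webservice.shell.authToken.secret`. Since this MR is a table cleanup, pick one form for all three. In the same hunk the five `global.registry.*` rows and `gitlab.webservice.http.enabled` sit out of alphabetical order inside the `gitlab.webservice.*` block, and `gitlab.toolbox.backups.objectStorage.config` is listed after its own `.config.*` children; re-sorting them would make the defaults easier to find. Minor: the descriptions mix lowercase `webservice` with capitalised `Toolbox`, and `key containing credentials in secret` is the only description in the hunk that does not start with a capital letter.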
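Review bot: the doc/installation/version_mappings.md hunk removes and re-adds all 327 rows with no visible difference between the `-` and `+` lines, so the real edit is whitespace or column alignment only. Please confirm with `git diff -w` that no chart-to-GitLab mapping changed, because a whole-table rewrite makes an accidental value edit easy to miss in review. While every row is being touched, two mappings stand out and are worth checking against the release notes rather than carrying over unverified: `8.7.2` and `8.7.0` both map to `17.7.0` with no `8.7.1` row between them, and `6.5.4` and `6.5.3` both map to `15.5.3`.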
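Review bot: in the doc/releases/9_0.md hunk the removed and added lines both read `version 9.3.`, so the change is presumably trailing whitespace only. That is fine for a cleanup MR, but a whitespace-only hunk is easy to misread as a wording change in the rendered diff; running `git diff --check` on the branch would confirm that no other lines with trailing whitespace were left behind in the same files.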