WIP: A new version of gitlab (13.0.0) is available
current diff:
--- current-deployment.yaml
+++ future-deployment.yaml
@@ -54,25 +54,6 @@
readOnlyRootFilesystem: false
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/pdb.yaml
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: gitlab-prod-unicorn
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
-spec:
- maxUnavailable: 1
- selector:
- matchLabels:
- app: unicorn
- release: gitlab-prod
----
# Source: helm-gitlab-omnibus/charts/gitlab/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
@@ -421,7 +402,7 @@
namespace: default
labels:
app: gitlab-exporter
- chart: gitlab-exporter-3.3.3
+ chart: gitlab-exporter-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -501,7 +482,7 @@
labels:
gitlab_grafana_datasource: "true"
app: gitlab-grafana
- chart: gitlab-grafana-3.3.3
+ chart: gitlab-grafana-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -529,7 +510,7 @@
namespace: default
labels:
app: gitlab-grafana
- chart: gitlab-grafana-3.3.3
+ chart: gitlab-grafana-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -554,450 +535,6 @@
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/configmap.yml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: gitlab-prod-unicorn
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
-data:
- installation_type: |
- gitlab-helm-chart
- database.yml.erb: |
- production:
- adapter: postgresql
- encoding: unicode
- database: gitlab_production
- username: gitlab
- password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
- host: "gitlab-prod-postgresql-postgresql"
- port: 5432
- pool: 10
- prepared_statements: false
- # load_balancing:
- # hosts:
- # - host1.example.com
- # - host2.example.com
-
- smtp_settings.rb: |
- Rails.application.config.action_mailer.delivery_method = :smtp
-
- ActionMailer::Base.delivery_method = :smtp
- ActionMailer::Base.smtp_settings = {
- address: "gabe.freedesktop.org",
- port: 5878,
- ca_file: "/etc/ssl/certs/ca-certificates.crt",
- domain: "gitlab.freedesktop.org",
-
- authentication: :login,
- user_name: "gitlab@gitlab.freedesktop.org",
- password: File.read("/etc/gitlab/smtp/smtp-password").strip,
- enable_starttls_auto: true,
- tls: false,
- openssl_verify_mode: 'peer'
- }
- resque.yml.erb: |
- production:
- url: redis://:<%= URI.escape(File.read("/etc/gitlab/redis/redis-password").strip) %>@gitlab-prod-redis-master:6379
- id:
-
-
-
- cable.yml.erb: |
- production:
- url: redis://:<%= URI.escape(File.read("/etc/gitlab/redis/redis-password").strip) %>@gitlab-prod-redis-master:6379
- id:
- adapter: redis
- unicorn.rb: |
- # This file should be equivalent to `unicorn.rb` from:
- # * gitlab-foss: https://gitlab.com/gitlab-org/gitlab-foss/blob/master/config/unicorn.rb.example
- # * omnibus: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/unicorn.rb.erb
- worker_processes 2
- working_directory "/srv/gitlab"
- listen "0.0.0.0:8080", :tcp_nopush => true
- timeout 60
- pid "/home/git/unicorn.pid"
- preload_app true
-
- require_relative "/srv/gitlab/lib/gitlab/cluster/lifecycle_events"
-
- before_exec do |server|
- # Signal application hooks that we're about to restart
- Gitlab::Cluster::LifecycleEvents.do_before_master_restart
- end
-
- run_once = true
- before_fork do |server, worker|
- if run_once
- # There is a difference between Puma and Unicorn:
- # - Puma calls before_fork once when booting up master process
- # - Unicorn runs before_fork whenever new work is spawned
- # To unify this behavior we call before_fork only once (we use
- # this callback for deleting Prometheus files so for our purposes
- # it makes sense to align behavior with Puma)
- run_once = false
-
- # Signal application hooks that we're about to fork
- Gitlab::Cluster::LifecycleEvents.do_before_fork
- end
-
- # The following is only recommended for memory/DB-constrained
- # installations. It is not needed if your system can house
- # twice as many worker_processes as you have configured.
- #
- # This allows a new master process to incrementally
- # phase out the old master process with SIGTTOU to avoid a
- # thundering herd (especially in the "preload_app false" case)
- # when doing a transparent upgrade. The last worker spawned
- # will then kill off the old master process with a SIGQUIT.
- old_pid = "#{server.config[:pid]}.oldbin"
- if old_pid != server.pid
- begin
- sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
- Process.kill(sig, File.read(old_pid).to_i)
- rescue Errno::ENOENT, Errno::ESRCH
- end
- end
- #
- # Throttle the master from forking too quickly by sleeping. Due
- # to the implementation of standard Unix signal handlers, this
- # helps (but does not completely) prevent identical, repeated signals
- # from being lost when the receiving process is busy.
- # sleep 1
- end
-
- after_fork do |server, worker|
- # Signal application hooks of worker start
- Gitlab::Cluster::LifecycleEvents.do_worker_start
-
- # per-process listener ports for debugging/admin/migrations
- # addr = "127.0.0.1:#{9293 + worker.nr}"
- # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
- end
-
- ENV['GITLAB_UNICORN_MEMORY_MIN'] = (1024 * 1 << 20).to_s
- ENV['GITLAB_UNICORN_MEMORY_MAX'] = (1280 * 1 << 20).to_s
- puma.rb: |
- # This file should be equivalent to `puma.rb` from:
- # * gitlab-foss: https://gitlab.com/gitlab-org/gitlab-foss/blob/master/config/puma.rb.example
- # * omnibus: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/puma.rb.erb
- # frozen_string_literal: true
-
- pidfile "/home/git/puma.pid"
- state_path "/home/git/puma.pid"
-
- stdout_redirect '/srv/gitlab/log/puma.stdout.log',
- '/srv/gitlab/log/puma.stderr.log',
- true
-
- # Configure "min" to be the minimum number of threads to use to answer
- # requests and "max" the maximum.
- threads 4, 4
-
- # By default, workers accept all requests and queue them to pass to handlers.
- # When false, workers accept the number of simultaneous requests configured.
- #
- # Queueing requests generally improves performance, but can cause deadlocks if
- # the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
- #
- # When set to false this may require a reverse proxy to handle slow clients and
- # queue requests before they reach puma. This is due to disabling HTTP keepalive
- queue_requests false
-
- # Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
- # accepted protocols.
- bind 'tcp://0.0.0.0:8080'
-
- directory "/srv/gitlab"
-
- workers 2
-
- require_relative "/srv/gitlab/lib/gitlab/cluster/lifecycle_events"
- require_relative "/srv/gitlab/lib/gitlab/cluster/puma_worker_killer_initializer"
-
- on_restart do
- # Signal application hooks that we're about to restart
- Gitlab::Cluster::LifecycleEvents.do_before_master_restart
- end
-
- options = { workers: 2 }
-
- before_fork do
- # Signal to the puma killer
- Gitlab::Cluster::PumaWorkerKillerInitializer.start(options, puma_per_worker_max_memory_mb: 1024)
-
- # Signal application hooks that we're about to fork
- Gitlab::Cluster::LifecycleEvents.do_before_fork
- end
-
- Gitlab::Cluster::LifecycleEvents.set_puma_options options
- on_worker_boot do
- # Signal application hooks of worker start
- Gitlab::Cluster::LifecycleEvents.do_worker_start
- end
-
- # Preload the application before starting the workers; this conflicts with
- # phased restart feature. (off by default)
-
- preload_app!
-
- tag 'gitlab-puma-worker'
-
- # Verifies that all workers have checked in to the master process within
- # the given timeout. If not the worker process will be restarted. Default
- # value is 60 seconds.
- #
- worker_timeout 60
-
- # Use customised JSON formatter for Puma log
- require_relative "/srv/gitlab/lib/gitlab/puma_logging/json_formatter"
-
- json_formatter = Gitlab::PumaLogging::JSONFormatter.new
- log_formatter do |str|
- json_formatter.call(str)
- end
- gitlab.yml.erb: |
- production: &base
- gitlab:
- host: gitlab.freedesktop.org
- https: true
- max_request_duration_seconds: 57
- impersonation_enabled:
- usage_ping_enabled: true
- seat_link_enabled: true
- default_can_create_group: false
- username_changing_enabled: true
- issue_closing_pattern:
- default_theme:
- default_projects_features:
- issues: true
- merge_requests: true
- wiki: true
- snippets: true
- builds: true
- container_registry: true
- webhook_timeout:
- trusted_proxies:
- time_zone: "UTC"
- email_from: "gitlab@freedesktop.org"
- email_display_name: "GitLab"
- email_reply_to: "noreply@freedesktop.org"
- email_subject_suffix: ""
-
- gravatar:
- plain_url:
- ssl_url:
- extra:
-
-
-
- artifacts:
- enabled: true
- object_store:
- enabled: true
- remote_directory: fdo-gitlab-artifacts
- direct_upload: true
- background_upload: false
- proxy_download: false
- connection: <%= YAML.load_file("/etc/gitlab/objectstorage/artifacts").to_json() %>
- lfs:
- enabled: true
- object_store:
- enabled: true
- remote_directory: fdo-gitlab-lfs
- direct_upload: true
- background_upload: false
- proxy_download: false
- connection: <%= YAML.load_file("/etc/gitlab/objectstorage/lfs").to_json() %>
- uploads:
- enabled: true
- object_store:
- enabled: true
- remote_directory: fdo-gitlab-uploads
- direct_upload: true
- background_upload: false
- proxy_download: false
- connection: <%= YAML.load_file("/etc/gitlab/objectstorage/uploads").to_json() %>
- packages:
- enabled: true
- object_store:
- enabled: true
- remote_directory: gitlab-packages
- direct_upload: true
- background_upload: false
- proxy_download: true
- external_diffs:
- enabled:
- when:
- object_store:
- enabled: false
- remote_directory: gitlab-mr-diffs
- direct_upload: true
- background_upload: false
- proxy_download: true
- terraform_state:
- enabled: false
- object_store:
- enabled: false
- remote_directory: gitlab-terraform-state
- direct_upload: true
- background_upload: false
- proxy_download: true
-
- pages:
- enabled: false
- mattermost:
- enabled: false
- gitlab_ci:
- ldap:
- enabled: false
-
- omniauth:
- enabled: true
- sync_profile_from_provider: []
- sync_profile_attributes: ["email"]
- allow_single_sign_on: true
- block_auto_created_users: false
- auto_link_ldap_user: false
- auto_link_saml_user: false
- external_providers: []
- providers:
- - <%= YAML.load_file("/etc/gitlab/omniauth/gitlab-prod-freedesktop-omniauth-providers/google").to_json() %>
- - <%= YAML.load_file("/etc/gitlab/omniauth/gitlab-prod-freedesktop-omniauth-providers/gitlab").to_json() %>
- - <%= YAML.load_file("/etc/gitlab/omniauth/gitlab-prod-freedesktop-omniauth-providers/github").to_json() %>
- - <%= YAML.load_file("/etc/gitlab/omniauth/gitlab-prod-freedesktop-omniauth-providers/twitter").to_json() %>
- kerberos:
- enabled: false
- shared:
- gitaly:
- client_path: /home/git/gitaly/bin
- token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
- repositories:
- storages: # You must have at least a `default` storage path.
- default:
- path: /var/opt/gitlab/repo
- gitaly_address: tcp://node1.git.example.com:8075
-
- backup:
- path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
- gitlab_shell:
- path: /home/git/gitlab-shell/
- hooks_path: /home/git/gitlab-shell/hooks/
- upload_pack: true
- receive_pack: true
- ssh_port: 22
- secret_file: /etc/gitlab/shell/.gitlab_shell_secret
- workhorse:
- secret_file: /etc/gitlab/gitlab-workhorse/secret
- git:
- bin_path: /usr/bin/git
- webpack:
- monitoring:
- ip_whitelist:
- - 0.0.0.0/0
- web_exporter:
- enabled: false
- address: 0.0.0.0
- port: 8083
- sidekiq_exporter:
- shutdown:
- blackout_seconds: 10
- rack_attack:
- git_basic_auth:
- ## Registry Integration
- registry:
- enabled: true
- host: registry.freedesktop.org
- api_url: http://gitlab-prod-registry:5000
- key: /etc/gitlab/registry/gitlab-registry.key
- issuer: gitlab-issuer
- configure: |
- set -e
- config_dir="/init-config"
- secret_dir="/init-secrets"
-
- for secret in shell gitaly registry postgres rails-secrets gitlab-workhorse ; do
- mkdir -p "${secret_dir}/${secret}"
- cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
- done
- for secret in redis minio objectstorage ldap omniauth smtp ; do
- if [ -e "${config_dir}/${secret}" ]; then
- mkdir -p "${secret_dir}/${secret}"
- cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
- fi
- done
-
-
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: gitlab-prod-workhorse-config
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
-data:
- installation_type: |
- gitlab-helm-chart
- workhorse-config.toml.erb: |
- [redis]
- URL = "redis://gitlab-prod-redis-master:6379"
- Password = "<%= File.read("/etc/gitlab/redis/redis-password").strip.dump[1..-2] %>"
- configure: |
- set -e
- mkdir -p /init-secrets-workhorse/gitlab-workhorse
- cp -v -r -L /init-config/gitlab-workhorse/secret /init-secrets-workhorse/gitlab-workhorse/secret
- mkdir -p /init-secrets-workhorse/redis
- cp -v -r -L /init-config/redis/redis-password /init-secrets-workhorse/redis/
-# Leave this here - This line denotes end of block to the parser.
-
----
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/tests/tests.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: gitlab-prod-unicorn-tests
- namespace: default
-data:
- test_login: |
- set -e
- echo 'Start Test'
- endpoint="https://gitlab.freedesktop.org"
- cookie_read="-c /tmp/test_login.cookie"
- cookie_readwrite="$cookie_read -b /tmp/test_login.cookie"
-
- signin_url="$endpoint/users/sign_in"
- echo "Login to create a session: $signin_url"
- csrf=$(curl $signin_url --fail -s $cookie_read | grep -Po '<meta.*name="csrf-token".*content="\K[a-zA-Z0-9\+=\-\/]*')
- curl --fail -X POST $signin_url -s $cookie_readwrite -F "authenticity_token=$csrf" -F 'user[login]=root' -F "user[password]=$(cat /initial_root_password)"
-
- profile_url="$endpoint/profile"
- echo "Confirm session valid: $profile_url"
- profile_status=$(curl -s -o /tmp/profile_output -w "%{http_code}" $cookie_readwrite $profile_url)
-
- if [ "$profile_status" != "200" ]; then
- echo "Error: Session Invalid"
- cat /tmp/profile_output
- exit 1
- fi
-
- echo 'Test Passed'
- exit 0
-
-# Leave this here - This line denotes end of block to the parser.
-
----
# Source: helm-gitlab-omnibus/charts/gitlab/charts/grafana/templates/configmap-dashboard-provider.yaml
apiVersion: v1
@@ -1082,7 +619,7 @@
server-tokens: "false"
ssl-ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
ssl-protocols: TLSv1.3 TLSv1.2
- use-http2: "false"
+ use-http2: "true"
---
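Review bot: Flipping `use-http2` to "true" interacts with the `ssl-ciphers` list two lines above, which still contains non-AEAD suites (the CBC `...-SHA`/`...-SHA256` entries and the plain `AES256-SHA`/`AES128-SHA` forms) that RFC 7540 Appendix A blacklists for HTTP/2; a client that ends up negotiating one of them may reject the connection with INADEQUATE_SECURITY rather than fall back to HTTP/1.1. Server preference order keeps the GCM suites first, so this is mostly a latent issue, but once h2 is on the list can reasonably shrink to the ECDHE GCM suites, e.g. `ssl-ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256`. Since this diff appears to be generated from the chart bump, it is also worth confirming the flip is an upstream default change and not an unintended setting; this looks like the nginx-ingress controller ConfigMap, but its header is outside the hunk.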
@@ -1514,6 +1051,7 @@
otp_key_base=$(fetch_rails_value secrets.yml "${env}.otp_key_base")
db_key_base=$(fetch_rails_value secrets.yml "${env}.db_key_base")
openid_connect_signing_key=$(fetch_rails_value secrets.yml "${env}.openid_connect_signing_key")
+ ci_jwt_signing_key=$(fetch_rails_value secrets.yml "${env}.ci_jwt_signing_key")
fi;
# Generate defaults for any unset secrets
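Review bot: `ci_jwt_signing_key` is now handled in three separate places with nothing tying them together: the fetch in this hunk, the `openssl genrsa 2048` default in the next one, and the heredoc write after that; a future key added to only two of them would silently produce an incomplete rails-secrets.yml. A one-line comment above the fetch block naming the managed keys would make the contract explicit, e.g. `# keys managed by this script: otp_key_base, db_key_base, openid_connect_signing_key, ci_jwt_signing_key -- keep the fetch, default and write sections in sync`. The `if` closed by `fi;` here starts outside the hunk, so I cannot see the condition under which an existing secret is read; it is worth confirming that `fetch_rails_value` yields an empty value (rather than aborting the script) when a pre-13.0 secret lacks this key, since the default on the next hunk only fills an unset or empty variable. The same comment applies to the two following hunks, which I have not annotated separately.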
@@ -1521,6 +1059,7 @@
otp_key_base="${otp_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
db_key_base="${db_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
openid_connect_signing_key="${openid_connect_signing_key:-$(openssl genrsa 2048)}"
+ ci_jwt_signing_key="${ci_jwt_signing_key:-$(openssl genrsa 2048)}"
# Update the existing secret
cat << EOF > rails-secrets.yml
@@ -1537,6 +1076,8 @@
db_key_base: $db_key_base
openid_connect_signing_key: |
$(echo "${openid_connect_signing_key}" | awk '{print " " $0}')
+ ci_jwt_signing_key: |
+ $(echo "${ci_jwt_signing_key}" | awk '{print " " $0}')
EOF
kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml
label_secret $rails_secret
@@ -1570,13 +1111,13 @@
namespace: default
labels:
app: gitlab
- chart: gitlab-3.3.3
+ chart: gitlab-4.0.0
release: gitlab-prod
heritage: Tiller
data:
- gitlabVersion: "12.10.3"
- gitlabChartVersion: "3.3.3"
+ gitlabVersion: "13.0.0"
+ gitlabChartVersion: "4.0.0"
---
# Source: helm-gitlab-omnibus/charts/gitlab/templates/initdb-configmap.yaml
@@ -1587,7 +1128,7 @@
namespace: default
labels:
app: gitlab
- chart: gitlab-3.3.3
+ chart: gitlab-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -10188,7 +9729,7 @@
namespace: default
labels:
app: gitlab-exporter
- chart: gitlab-exporter-3.3.3
+ chart: gitlab-exporter-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -10206,37 +9747,6 @@
release: gitlab-prod
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/service.yaml
-
-apiVersion: v1
-kind: Service
-metadata:
- name: gitlab-prod-unicorn
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
- annotations:
-
-spec:
- type: ClusterIP
- ports:
- - port: 8080
- targetPort: 8080
- protocol: TCP
- name: http-unicorn
- - port: 8181
- targetPort: 8181
- protocol: TCP
- name: http-workhorse
- selector:
- app: unicorn
- release: gitlab-prod
-
----
# Source: helm-gitlab-omnibus/charts/gitlab/charts/grafana/templates/service.yaml
apiVersion: v1
kind: Service
@@ -10391,7 +9901,7 @@
name: gitlab-prod-postgresql-postgresql-metrics
labels:
app: postgresql
- chart: postgresql-7.7.3
+ chart: postgresql-8.9.4
release: "gitlab-prod"
heritage: "Tiller"
annotations:
@@ -10401,9 +9911,9 @@
spec:
type: ClusterIP
ports:
- - name: metrics
+ - name: http-metrics
port: 9187
- targetPort: metrics
+ targetPort: http-metrics
selector:
app: postgresql
release: gitlab-prod
@@ -10417,16 +9927,16 @@
name: gitlab-prod-postgresql-postgresql-headless
labels:
app: postgresql
- chart: postgresql-7.7.3
+ chart: postgresql-8.9.4
release: "gitlab-prod"
heritage: "Tiller"
spec:
type: ClusterIP
clusterIP: None
ports:
- - name: postgresql
+ - name: tcp-postgresql
port: 5432
- targetPort: postgresql
+ targetPort: tcp-postgresql
selector:
app: postgresql
release: "gitlab-prod"
@@ -10439,15 +9949,16 @@
name: gitlab-prod-postgresql-postgresql
labels:
app: postgresql
- chart: postgresql-7.7.3
+ chart: postgresql-8.9.4
release: "gitlab-prod"
heritage: "Tiller"
+ annotations:
spec:
type: ClusterIP
ports:
- - name: postgresql
+ - name: tcp-postgresql
port: 5432
- targetPort: postgresql
+ targetPort: tcp-postgresql
selector:
app: postgresql
release: "gitlab-prod"
@@ -10545,39 +10056,6 @@
role: master
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/tests/test-runner.yaml
-apiVersion: v1
-kind: Pod
-metadata:
- name: gitlab-prod-unicorn-test-runner-dglq0
- namespace: default
- annotations:
- "helm.sh/hook": test-success
-spec:
- containers:
- - name: test-runner
- image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v12.10.3
- command: ['sh', '/tests/test_login']
- volumeMounts:
- - name: tests
- mountPath: '/tests'
- - name: root-password
- readOnly: true
- mountPath: /initial_root_password
- subPath: initial_root_password
- volumes:
- - name: tests
- configMap:
- name: gitlab-prod-unicorn-tests
- - name: root-password
- secret:
- secretName: "gitlab-prod-gitlab-initial-root-password"
- items:
- - key: "password"
- path: initial_root_password
- restartPolicy: Never
-
----
# Source: helm-gitlab-omnibus/charts/gitlab-omnibus/templates/gitlab/gitlab-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
@@ -10606,7 +10084,7 @@
requests:
memory: "36Gi"
cpu: "12"
- image: gitlab/gitlab-ce:12.10.3-ce.0
+ image: gitlab/gitlab-ce:13.0.0-ce.0
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-c",
"sed -i \"s/environment ({'GITLAB_ROOT_PASSWORD' => initial_root_password }) if initial_root_password/environment ({'GITLAB_ROOT_PASSWORD' => initial_root_password, 'GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN' => node['gitlab']['gitlab-rails']['initial_shared_runners_registration_token'] })/g\" /opt/gitlab/embedded/cookbooks/gitlab/recipes/database_migrations.rb && exec /assets/wrapper"]
@@ -11062,7 +10540,7 @@
namespace: default
labels:
app: gitlab-exporter
- chart: gitlab-exporter-3.3.3
+ chart: gitlab-exporter-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -11078,7 +10556,7 @@
app: gitlab-exporter
release: gitlab-prod
annotations:
- checksum/config: ec491f6cfc0c7eea6b6c95103196ecdd046e78cf4cfda738121c5a6ac08cc399
+ checksum/config: 6613f6f043bf898e4763e889df04f723871ef40c53711460e408669cb798799e
prometheus.io/path: /metrics
prometheus.io/port: "9168"
prometheus.io/scrape: "true"
@@ -11134,7 +10612,7 @@
containers:
- name: gitlab-exporter
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:7.0.1"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:7.0.3"
env:
- name: CONFIG_TEMPLATE_DIRECTORY
@@ -11206,386 +10684,6 @@
medium: "Memory"
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/deployment.yaml
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gitlab-prod-unicorn
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
-spec:
- replicas:
- selector:
- matchLabels:
- app: unicorn
- release: gitlab-prod
- template:
- metadata:
- labels:
- app: unicorn
- release: gitlab-prod
- annotations:
- checksum/config: e3bf5d077071e24c434c7b4f3656e170849fff33a37630294cf6a19fdb59dfd2
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
- prometheus.io/path: /-/metrics
- prometheus.io/port: "8080"
- prometheus.io/scrape: "true"
-
- spec:
- securityContext:
- runAsUser: 1000
- fsGroup: 1000
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- podAffinityTerm:
- topologyKey: kubernetes.io/hostname
- labelSelector:
- matchLabels:
- app: unicorn
- release: gitlab-prod
- initContainers:
-
-
- - name: certificates
- image: "registry.gitlab.com/gitlab-org/build/cng/alpine-certificates:20171114-r3"
-
- volumeMounts:
- - name: etc-ssl-certs
- mountPath: /etc/ssl/certs
- readOnly: false
- resources:
- requests:
- cpu: 50m
-
- - name: configure
- command: ['sh']
- args: [ '-c', 'sh -x /config-unicorn/configure ; sh -x /config-workhorse/configure ; mkdir -p -m 3770 /tmp/gitlab']
- image: "busybox:latest"
- volumeMounts:
-
-
-
- - name: unicorn-config
- mountPath: /config-unicorn
- readOnly: true
- - name: workhorse-config
- mountPath: /config-workhorse
- readOnly: true
- - name: init-unicorn-secrets
- mountPath: /init-config
- readOnly: true
- - name: unicorn-secrets
- mountPath: /init-secrets
- readOnly: false
- - name: workhorse-secrets
- mountPath: /init-secrets-workhorse
- readOnly: false
- - name: shared-tmp
- mountPath: /tmp
- readOnly: false
- resources:
- requests:
- cpu: 50m
-
- - name: dependencies
- image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v12.10.3
-
- args:
- - /scripts/wait-for-deps
- env:
- - name: GITALY_FEATURE_DEFAULT_ON
- value: "1"
- - name: CONFIG_TEMPLATE_DIRECTORY
- value: '/var/opt/gitlab/templates'
- - name: CONFIG_DIRECTORY
- value: '/srv/gitlab/config'
- - name: WORKHORSE_ARCHIVE_CACHE_DISABLED
- value: "1"
- - name: ENABLE_BOOTSNAP
- value: "1"
- volumeMounts:
-
- - name: unicorn-config
- mountPath: '/var/opt/gitlab/templates'
- - name: unicorn-secrets
- mountPath: '/etc/gitlab'
- readOnly: true
- - name: unicorn-secrets
- mountPath: /srv/gitlab/config/secrets.yml
- subPath: rails-secrets/secrets.yml
- readOnly: true
- resources:
- requests:
- cpu: 50m
-
- containers:
-
- - name: unicorn
- image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v12.10.3
-
- ports:
- - containerPort: 8080
- name: unicorn
- env:
- - name: GITLAB_WEBSERVER
- value: unicorn
- - name: TMPDIR
- value: "/tmp/gitlab"
- - name: GITALY_FEATURE_DEFAULT_ON
- value: "1"
- - name: CONFIG_TEMPLATE_DIRECTORY
- value: '/var/opt/gitlab/templates'
- - name: CONFIG_DIRECTORY
- value: '/srv/gitlab/config'
- - name: prometheus_multiproc_dir
- value: /metrics
- - name: ENABLE_BOOTSNAP
- value: "1"
- volumeMounts:
- - name: unicorn-metrics
- mountPath: '/metrics'
- - name: unicorn-config
- mountPath: '/var/opt/gitlab/templates'
- - name: unicorn-secrets
- mountPath: '/etc/gitlab'
- readOnly: true
- - name: unicorn-secrets
- mountPath: /srv/gitlab/config/secrets.yml
- subPath: rails-secrets/secrets.yml
- - name: unicorn-config
- mountPath: '/srv/gitlab/config/initializers/smtp_settings.rb'
- subPath: smtp_settings.rb
- - name: unicorn-config
- mountPath: '/srv/gitlab/INSTALLATION_TYPE'
- subPath: installation_type
- - name: shared-upload-directory
- mountPath: /srv/gitlab/public/uploads/tmp
- readOnly: false
- - name: shared-artifact-directory
- mountPath: /srv/gitlab/shared
- readOnly: false
- - name: shared-tmp
- mountPath: '/tmp'
- readOnly: false
- - name: etc-ssl-certs
- mountPath: /etc/ssl/certs/
- readOnly: true
-
- livenessProbe:
- httpGet:
- path: /-/liveness
- port: 8080
- initialDelaySeconds: 20
- periodSeconds: 60
- timeoutSeconds: 30
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /-/readiness
- port: 8080
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 2
- successThreshold: 1
- failureThreshold: 3
- lifecycle:
- preStop:
- exec:
- command: ["/bin/bash", "-c", "pkill -SIGQUIT -f 'unicorn master'"]
- resources:
- requests:
- cpu: 300m
- memory: 1.5G
-
- - name: gitlab-workhorse
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce:v12.10.3"
-
- ports:
- - containerPort: 8181
- name: workhorse
- env:
- - name: TMPDIR
- value: "/tmp/gitlab"
- - name: GITLAB_WORKHORSE_EXTRA_ARGS
- value: ""
- - name: GITLAB_WORKHORSE_LISTEN_PORT
- value: "8181"
- - name: CONFIG_TEMPLATE_DIRECTORY
- value: '/var/opt/gitlab/templates'
- - name: CONFIG_DIRECTORY
- value: '/srv/gitlab/config'
- volumeMounts:
- - name: workhorse-config
- mountPath: '/var/opt/gitlab/templates'
- - name: workhorse-secrets
- mountPath: '/etc/gitlab'
- readOnly: true
- - name: shared-upload-directory
- mountPath: /srv/gitlab/public/uploads/tmp
- readOnly: false
- - name: shared-artifact-directory
- mountPath: /srv/gitlab/shared
- readOnly: false
- - name: shared-tmp
- mountPath: '/tmp'
- readOnly: false
- - name: etc-ssl-certs
- mountPath: /etc/ssl/certs/
- readOnly: true
-
- livenessProbe:
- exec:
- command:
- - /scripts/healthcheck
- initialDelaySeconds: 20
- periodSeconds: 60
- timeoutSeconds: 30
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- exec:
- command:
- - /scripts/healthcheck
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 2
- successThreshold: 1
- failureThreshold: 3
- resources:
- requests:
- cpu: 100m
- memory: 100M
-
- volumes:
-
-
-
- - name: shared-tmp
- emptyDir: {}
- - name: unicorn-metrics
- emptyDir:
- medium: "Memory"
- - name: unicorn-config
- configMap:
- name: gitlab-prod-unicorn
- - name: workhorse-config
- configMap:
- name: gitlab-prod-workhorse-config
- - name: init-unicorn-secrets
- projected:
- defaultMode: 0400
- sources:
- - secret:
- name: "gitlab-prod-rails-secret"
- items:
- - key: secrets.yml
- path: rails-secrets/secrets.yml
- - secret:
- name: "gitlab-prod-gitlab-shell-secret"
- items:
- - key: "secret"
- path: shell/.gitlab_shell_secret
- - secret:
- name: "gitlab-prod-gitaly-secret"
- items:
- - key: "token"
- path: gitaly/gitaly_token
-
-
- - secret:
- name: "gitlab-prod-redis-secret"
- items:
- - key: "secret"
- path: redis/redis-password
- - secret:
- name: "gitlab-prod-postgresql-password"
- items:
- - key: "postgresql-password"
- path: postgres/psql-password
- - secret:
- name: "gitlab-prod-registry-secret"
- items:
- - key: registry-auth.key
- path: registry/gitlab-registry.key
- - secret:
- name: "gitlab-prod-gitlab-workhorse-secret"
- items:
- - key: "shared_secret"
- path: gitlab-workhorse/secret
- # mount secret for minio
- # mount secret for artifacts
- - secret:
- name: gitlab-prod-freedesktop-gcs-key
- items:
- - key: connection
- path: objectstorage/artifacts
- # mount secret for lfs
- - secret:
- name: gitlab-prod-freedesktop-gcs-key
- items:
- - key: connection
- path: objectstorage/lfs
- # mount secret for uploads
- - secret:
- name: gitlab-prod-freedesktop-gcs-key
- items:
- - key: connection
- path: objectstorage/uploads
- # mount secret for packages
- # mount secret for external_diffs
- # mount secret for terraform_state
- # mount secrets for LDAP
-
- - secret:
- name: gitlab-prod-freedesktop-omniauth-providers
- items:
- - key: google
- path: "omniauth/gitlab-prod-freedesktop-omniauth-providers/google"
- - secret:
- name: gitlab-prod-freedesktop-omniauth-providers
- items:
- - key: gitlab
- path: "omniauth/gitlab-prod-freedesktop-omniauth-providers/gitlab"
- - secret:
- name: gitlab-prod-freedesktop-omniauth-providers
- items:
- - key: github
- path: "omniauth/gitlab-prod-freedesktop-omniauth-providers/github"
- - secret:
- name: gitlab-prod-freedesktop-omniauth-providers
- items:
- - key: twitter
- path: "omniauth/gitlab-prod-freedesktop-omniauth-providers/twitter"
- - secret:
- name: gitlab-prod-freedesktop-smtp-secret
- items:
- - key: password
- path: smtp/smtp-password
- - name: unicorn-secrets
- emptyDir:
- medium: "Memory"
- - name: workhorse-secrets
- emptyDir:
- medium: "Memory"
- - name: shared-upload-directory
- emptyDir: {}
- - name: shared-artifact-directory
- emptyDir: {}
-
- - name: etc-ssl-certs
- emptyDir:
- medium: "Memory"
-
----
# Source: helm-gitlab-omnibus/charts/gitlab/charts/grafana/templates/deployment.yaml
apiVersion: apps/v1
@@ -12018,31 +11116,6 @@
persistentVolumeClaim:
claimName: gitlab-prod-prometheus-server
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/hpa.yaml
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: gitlab-prod-unicorn
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: gitlab-prod-unicorn
- minReplicas: 2
- maxReplicas: 10
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageValue: 1
----
# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
@@ -12050,9 +11123,10 @@
name: gitlab-prod-postgresql
labels:
app: postgresql
- chart: postgresql-7.7.3
+ chart: postgresql-8.9.4
release: "gitlab-prod"
heritage: "Tiller"
+ annotations:
spec:
serviceName: gitlab-prod-postgresql-postgresql-headless
replicas: 1
@@ -12068,39 +11142,13 @@
name: gitlab-prod-postgresql-postgresql
labels:
app: postgresql
- chart: postgresql-7.7.3
+ chart: postgresql-8.9.4
release: "gitlab-prod"
heritage: "Tiller"
role: master
spec:
securityContext:
fsGroup: 1001
- initContainers:
- - name: init-chmod-data
- image: docker.io/bitnami/minideb:stretch
- imagePullPolicy: "Always"
- resources:
- requests:
- cpu: 250m
- memory: 256Mi
-
- command:
- - /bin/sh
- - -c
- - |
- mkdir -p /bitnami/postgresql/data
- chmod 700 /bitnami/postgresql/data
- find /bitnami/postgresql -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
- xargs chown -R 1001:1001
- chmod -R 777 /dev/shm
- securityContext:
- runAsUser: 0
- volumeMounts:
- - name: data
- mountPath: /bitnami/postgresql
- subPath:
- - name: dshm
- mountPath: /dev/shm
containers:
- name: gitlab-prod-postgresql-postgresql
image: docker.io/bitnami/postgresql:11.7.0-debian-10-r9
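Review bot: Dropping the root-running `init-chmod-data` container removes the `chmod 700` and `chown -R 1001:1001` of `/bitnami/postgresql/data`, leaving ownership and mode of an existing PV to the `fsGroup: 1001` context line alone; fsGroup is only applied on volume types that support it, and PostgreSQL refuses to start on a data directory whose permissions it considers too open, so this should be verified against the live volume before rollout. The postgresql-8.9.4 sub-chart presumably offers a volume-permissions option for this case; confirm whether it needs enabling for this volume. Losing the `chmod -R 777 /dev/shm` step is a hardening improvement in itself, but the `dshm` mount for the main container is outside this hunk, so I cannot tell whether it is still present.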
@@ -12132,7 +11180,7 @@
- name: POSTGRESQL_ENABLE_LDAP
value: "no"
ports:
- - name: postgresql
+ - name: tcp-postgresql
containerPort: 5432
livenessProbe:
exec:
@@ -12152,8 +11200,8 @@
- -c
- -e
- |
- pg_isready -U "gitlab" -d "gitlab_production" -h 127.0.0.1 -p 5432
- [ -f /opt/bitnami/postgresql/tmp/.initialized ]
+ exec pg_isready -U "gitlab" -d "gitlab_production" -h 127.0.0.1 -p 5432
+ [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
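Review bot: The `exec` added at L1218 replaces the shell with `pg_isready`, so the `.initialized` check on the next line (L1219) never executes and the probe reports healthy as soon as the server accepts connections — the marker-file condition this hunk extends is dead code. Because the script already runs with `-e`, putting the file test first keeps the intended semantics: `[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]` followed by `exec pg_isready -U "gitlab" -d "gitlab_production" -h 127.0.0.1 -p 5432`. This looks like the readinessProbe (the `exec:`/`command:` header is outside the hunk), in which case the effect is that traffic can be routed to the pod before the initialisation marker exists.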
@@ -12170,7 +11218,7 @@
mountPath: /bitnami/postgresql
subPath:
- name: metrics
- image: docker.io/bitnami/postgres-exporter:0.7.0-debian-9-r12
+ image: docker.io/bitnami/postgres-exporter:0.8.0-debian-10-r99
imagePullPolicy: "IfNotPresent"
env:
- name: DATA_SOURCE_URI
@@ -12182,7 +11230,7 @@
livenessProbe:
httpGet:
path: /
- port: metrics
+ port: http-metrics
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@@ -12191,7 +11239,7 @@
readinessProbe:
httpGet:
path: /
- port: metrics
+ port: http-metrics
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@@ -12201,7 +11249,7 @@
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
ports:
- - name: metrics
+ - name: http-metrics
containerPort: 9187
volumes:
- name: postgresql-password
@@ -12429,7 +11477,7 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: gitlab-prod-shared-secrets.0-l9l
+ name: gitlab-prod-shared-secrets.0-q7c
namespace: default
labels:
app: shared-secrets
@@ -13015,7 +12063,7 @@
namespace: default
labels:
app: gitlab-grafana
- chart: gitlab-grafana-3.3.3
+ chart: gitlab-grafana-4.0.0
release: gitlab-prod
heritage: Tiller
@@ -13040,45 +12088,8 @@
tls:
- hosts:
- gitlab.freedesktop.org
- secretName: gitlab-prod-gitlab-tls
+ secretName: gitlab-tls
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/ingress.yaml
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: gitlab-prod-unicorn
- namespace: default
- labels:
- app: unicorn
- chart: unicorn-3.3.3
- release: gitlab-prod
- heritage: Tiller
-
- annotations:
- kubernetes.io/ingress.class: "nginx"
- kubernetes.io/ingress.provider: nginx
- nginx.ingress.kubernetes.io/proxy-body-size: "512m"
- nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
- nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
- certmanager.k8s.io/issuer: "gitlab-prod-issuer"
-spec:
- rules:
- - host: gitlab.freedesktop.org
- http:
- paths:
- - path: /
- backend:
- serviceName: gitlab-prod-unicorn
- servicePort: 8181
- - path: /admin/sidekiq
- backend:
- serviceName: gitlab-prod-unicorn
- servicePort: 8080
- tls:
- - hosts:
- - gitlab.freedesktop.org
- secretName: gitlab-prod-gitlab-tls
----
# Source: helm-gitlab-omnibus/charts/freedesktop/templates/epoch.yaml
# Used to keep helm-gitlab-omnibus + helm-gitlab-config + helm-gitlab-secrets
# in sync with each other during breaking changes
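Review bot: The TLS secret for `gitlab.freedesktop.org` changes from `gitlab-prod-gitlab-tls` to `gitlab-tls` at L1281, and a missing Secret is not a deploy-time error: ingress-nginx falls back to its default self-signed certificate for that host, so confirm a Secret of that name exists in namespace `default` (or that the issuer will populate it) before this is applied. The removed unicorn Ingress carried `certmanager.k8s.io/issuer: "gitlab-prod-issuer"` and the `/` and `/admin/sidekiq` routes; the Ingress that keeps the host at L1277 has its annotations outside this hunk, and the replacement webservice ingress is not visible here — its `# Source:` marker in the following hunk (L1335) renders with no body in this view. If that reflects the real rendered output rather than elision, the 13.0.0 upgrade would leave the host without a backing route.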
@@ -13236,10 +12247,39 @@
---
-# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/unicorn/templates/pause_job.yaml
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/configmap.yml
---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/deployment.yaml
+
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/hpa.yaml
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/ingress.yaml
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/pause_job.yaml
+
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/pdb.yaml
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/service.yaml
+
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/tests/test-runner.yaml
+
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/gitlab/charts/webservice/templates/tests/tests.yaml
+
+
+---
# Source: helm-gitlab-omnibus/charts/gitlab/charts/grafana/templates/dashboards-json-configmap.yaml
@@ -13368,14 +12408,27 @@
---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/podsecuritypolicy.yaml
+
+
+---
# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/prometheusrule.yaml
---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/role.yaml
+
+
+---
+# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/rolebinding.yaml
+
+
+---
# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/secrets.yaml
---
# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/serviceaccount.yaml
+
---
# Source: helm-gitlab-omnibus/charts/gitlab/charts/postgresql/templates/servicemonitor.yaml