From 412789abb2d7129f9bd51b3da1f62d816e14e894 Mon Sep 17 00:00:00 2001 
From: Med Mouine Date: Tue, 3 Sep 2024 10:22:37 -0400 Subject: [PATCH] feat: initial codebase --- .gitignore | 70 + .tool-versions | 7 + README.md | 11 + applications/gitea/helmfile.yaml | 12 + applications/gitea/values.yaml | 71 + applications/gitlab-runner/helmfile.yaml | 12 + applications/gitlab-runner/values.yaml.gotmpl | 80 + applications/gitlab/helmfile.yaml | 19 + applications/gitlab/values.yaml | 600 +++++++ applications/gitlab/values2.yaml | 1378 +++++++++++++++++ applications/harbor/helmfile.yaml | 19 + applications/harbor/values.yaml | 152 ++ applications/logging/helmfile.yaml | 46 + .../logging/values/elasticsearch-values.yaml | 16 + .../logging/values/filebeat-values.yaml | 12 + .../logging/values/grafana-values.yaml | 62 + applications/logging/values/loki-values.yaml | 33 + .../logging/values/promtail-values.yaml | 74 + applications/vault/helmfile.yaml | 13 + applications/vault/values.yaml | 2 + applications/woodpecker/helmfile.yaml | 12 + applications/woodpecker/values.yaml | 108 ++ common-config.yaml | 25 + helmfile.yaml | 45 + 24 files changed, 2879 insertions(+) create mode 100644 .gitignore create mode 100644 .tool-versions create mode 100644 README.md create mode 100644 applications/gitea/helmfile.yaml create mode 100644 applications/gitea/values.yaml create mode 100644 applications/gitlab-runner/helmfile.yaml create mode 100644 applications/gitlab-runner/values.yaml.gotmpl create mode 100644 applications/gitlab/helmfile.yaml create mode 100644 applications/gitlab/values.yaml create mode 100644 applications/gitlab/values2.yaml create mode 100644 applications/harbor/helmfile.yaml create mode 100644 applications/harbor/values.yaml create mode 100644 applications/logging/helmfile.yaml create mode 100644 applications/logging/values/elasticsearch-values.yaml create mode 100644 applications/logging/values/filebeat-values.yaml create mode 100644 applications/logging/values/grafana-values.yaml create mode 100644 
applications/logging/values/loki-values.yaml create mode 100644 applications/logging/values/promtail-values.yaml create mode 100644 applications/vault/helmfile.yaml create mode 100644 applications/vault/values.yaml create mode 100644 applications/woodpecker/helmfile.yaml create mode 100644 applications/woodpecker/values.yaml create mode 100644 common-config.yaml create mode 100644 helmfile.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..649b901 --- /dev/null +++ b/.gitignore @@ -0,0 +1,70 @@ +### dotenv template +.env + +### OSX template +# General +.DS_Store +.AppleDouble +.LSOverride +.vscode/ +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### Example user template template +### Example user template + +# IntelliJ project files +.idea +*.iml +out +gen +### Go template +# If you prefer the allow list template instead of the deny list, see community template: +# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore +# +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Dependency directories (remove the comment below to include it) +# vendor/ + +# Go workspace file +go.work + +### SSH template +**/.ssh/id_* +**/.ssh/*_id_* +**/.ssh/known_hosts + +### Helm template +# Chart dependencies +**/charts/*.tgz diff --git a/.tool-versions b/.tool-versions new file mode 100644 index 0000000..9134363 --- /dev/null +++ b/.tool-versions 
@@ -0,0 +1,7 @@ +kubectl 1.26.7 +minikube 1.29.0 +helm 3.11.0 +stern 1.23.0 +yq 4.34.2 +gomplate v3.11.5 +vale 3.6.1 diff --git a/README.md b/README.md new file mode 100644 index 0000000..291a4ab --- /dev/null +++ b/README.md @@ -0,0 +1,11 @@ +# Cluster management template project + +This project is based on a GitLab [Project Template](https://docs.gitlab.com/ee/gitlab-basics/create-project.html). + +For more information, see [the documentation for this template](https://docs.gitlab.com/ee/user/clusters/management_project_template.html). + +Improvements can be proposed in the [original project](https://gitlab.com/gitlab-org/project-templates/cluster-management). + +## Supported Kubernetes versions + +The project should be used with a [supported version of Kubernetes cluster](https://docs.gitlab.com/ee/user/clusters/agent/#supported-cluster-versions). diff --git a/applications/gitea/helmfile.yaml b/applications/gitea/helmfile.yaml new file mode 100644 index 0000000..bddc7b9 --- /dev/null +++ b/applications/gitea/helmfile.yaml @@ -0,0 +1,12 @@ +--- +repositories: + - name: gitea-charts + url: https://dl.gitea.io/charts/ + +releases: + - name: gitea + namespace: nt + chart: gitea-charts/gitea + version: 8.3.0 + values: + - values.yaml diff --git a/applications/gitea/values.yaml b/applications/gitea/values.yaml new file mode 100644 index 0000000..2646810 --- /dev/null +++ b/applications/gitea/values.yaml 
@@ -0,0 +1,71 @@ +# Gitea Helm values +gitea: + admin: + username: gitea_admin + password: "{{ env "GITEA_ADMIN_PASSWORD" }}" + email: "admin@example.com" + + config: + APP_NAME: "Gitea: Git with a cup of tea" + RUN_MODE: prod + server: + SSH_DOMAIN: gitea.nationtech.io + DOMAIN: gitea.nationtech.io + ROOT_URL: https://gitea.nationtech.io + DISABLE_SSH: false + START_SSH_SERVER: true + SSH_PORT: 22 + SSH_LISTEN_PORT: 22 + database: + DB_TYPE: postgres + HOST: postgresql:5432 + NAME: gitea + USER: gitea + PASSWD: "{{ env "GITEA_DB_PASSWORD" }}" + service: + DISABLE_REGISTRATION: true + security: + INSTALL_LOCK: true + SECRET_KEY: "{{ env "GITEA_SECRET_KEY" }}" + webhook: + ALLOWED_HOST_LIST: woodpecker.nationtech.io + + persistence: + enabled: true + size: 10Gi + + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: "letsencrypt-prod" + hosts: + - host: gitea.nationtech.io + paths: + - path: / + pathType: Prefix + tls: + - secretName: gitea-tls + hosts: + - gitea.nationtech.io + +postgresql: + enabled: true + global: + postgresql: + auth: + username: gitea + password: "{{ env "GITEA_DB_PASSWORD" }}" + database: gitea + primary: + persistence: + enabled: true + size: 8Gi + storageClass: "managed-premium" + +metrics: + enabled: true + serviceMonitor: + enabled: true + namespace: monitoring + interval: 1m diff --git a/applications/gitlab-runner/helmfile.yaml b/applications/gitlab-runner/helmfile.yaml new file mode 100644 index 0000000..224e7a7 --- /dev/null +++ b/applications/gitlab-runner/helmfile.yaml @@ -0,0 +1,12 @@ +repositories: + - name: gitlab + url: https://charts.gitlab.io + +releases: + - name: runner + namespace: gitlab-managed-apps + chart: gitlab/gitlab-runner + version: 0.44.0 + installed: true + values: + - values.yaml.gotmpl diff --git a/applications/gitlab-runner/values.yaml.gotmpl b/applications/gitlab-runner/values.yaml.gotmpl new file mode 100644 index 0000000..aff11ee --- /dev/null 
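Review bot: The `{{ env "GITEA_ADMIN_PASSWORD" }}` expressions in applications/gitea/values.yaml are never rendered, because the file is a plain `values.yaml` and applications/gitea/helmfile.yaml references it as such; helmfile only templates files with the `.gotmpl` suffix, so Gitea would receive the literal template text as its admin password, and the nested double quotes in `password: "{{ env "GITEA_ADMIN_PASSWORD" }}"` make the line invalid YAML before that. The same applies to `PASSWD` and `password` (GITEA_DB_PASSWORD, used twice) and to `SECRET_KEY` (GITEA_SECRET_KEY). The fix is to follow the pattern the gitlab-runner hunk already uses: rename the file to `values.yaml.gotmpl`, point the helmfile's `values:` entry at it, and write `password: {{ requiredEnv "GITEA_ADMIN_PASSWORD" | quote }}` so a missing variable fails the deploy instead of installing an empty or literal secret. Note also that this file requests certificates with `cert-manager.io/cluster-issuer: "letsencrypt-prod"` while applications/gitlab/values.yaml uses `cert-manager.io/issuer: letsencrypt-prod`; presumably only one of those resources exists, so one of the two ingresses will stay without a certificate unless both are present.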
+++ b/applications/gitlab-runner/values.yaml.gotmpl 
@@ -0,0 +1,80 @@ +## REQUIRED VALUES +gitlabUrl: {{ requiredEnv "CI_SERVER_URL" | quote }} +runnerRegistrationToken: {{ requiredEnv "GITLAB_RUNNER_REGISTRATION_TOKEN" | quote }} + +## Configure the maximum number of concurrent jobs +## - Documentation: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## - Default value: 10 +## - Currently don't support auto-scaling. +concurrent: 4 + +## Defines in seconds how often to check GitLab for a new builds +## - Documentation: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## - Default value: 3 +checkInterval: 3 + +## For RBAC support +rbac: + create: true + clusterWideAccess: false + rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "create", "delete"] + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get", "create"] + - apiGroups: [""] + resources: ["pods/attach"] + verbs: ["create"] + - apiGroups: [""] + resources: ["secrets", "configmaps"] + verbs: ["create", "update", "delete"] + - apiGroups: [""] + resources: ["services"] + verbs: ["create"] + +## Configuration for the Pods that that the runner launches for each new job +runners: + image: ubuntu:20.04 + builds: {} + services: {} + helpers: {} + + ## Specify the tags associated with the runner. Comma-separated list of tags. + ## - Documentation: https://docs.gitlab.com/ce/ci/runners/#using-tags + tags: kubernetes,cluster + + ## Determine whether the runner should also run jobs without tags. + ## - Documentation: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#set-a-runner-to-run-untagged-jobs + # runUntagged: true + + ## Run all containers with the privileged flag enabled + ## This will allow the docker:dind image to run if you need to run Docker + ## commands. 
Please read the docs before turning this on: + ## - Documentation: https://docs.gitlab.com/runner/executors/kubernetes.html#using-docker-dind + privileged: true + + ## Kubernetes related options to control which nodes executors use + ## - Documentation: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # nodeSelector: + # myLabel: myValue + # + ## Documentation: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # nodeTolerations: + # - key: myTaint + # operator: Equal + # value: myValue + # effect: NoSchedule + + ## If you can't find a setting you think should be here this may help: + ## + ## The gitlab-runner chart uses `templates/configmap.yaml` to configure runners + ## `configmap.yaml`'s `data.register-the-runner` transforms this file into runner CLI options + ## `configmap.yaml`'s `data.config.toml` and `data.config.template.toml` transform this file into the runner's config.toml + ## + ## - Source code for `configmap.yaml` https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml + ## - Documentation for `config.toml` https://docs.gitlab.com/runner/executors/kubernetes.html#the-available-configtoml-settings + ## - Source code for runner CLI options (see `KubernetesConfig` struct) https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/common/config.go + +resources: {} diff --git a/applications/gitlab/helmfile.yaml b/applications/gitlab/helmfile.yaml new file mode 100644 index 0000000..1693b08 --- /dev/null +++ b/applications/gitlab/helmfile.yaml @@ -0,0 +1,19 @@ +repositories: + - name: gitlab + url: https://charts.gitlab.io/ + +releases: + - name: gitlab + namespace: gitlab + chart: gitlab/gitlab + version: 8.4.0 + installed: true + values: + - values.yaml + + - name: grafana + namespace: logging + chart: grafana/grafana + version: 6.50.7 + values: + - applications/logging/values/grafana-values.yaml 
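Review bot: `privileged: true` under `runners` makes every job container scheduled on this runner a privileged container, which is root-equivalent on the node, and the RBAC rules above additionally grant `pods/exec` and `pods/attach` creation to the runner's service account; nothing on the page limits which projects can schedule onto it beyond the `tags: kubernetes,cluster` selector. If docker-in-docker is the only reason, say so on the line, e.g. `privileged: true  # required for docker:dind jobs; runner is shared, jobs get node root`, and consider filling in the commented `nodeSelector`/`nodeTolerations` block so these jobs land on a dedicated node pool rather than alongside GitLab, Vault or Harbor. The same setting is repeated in applications/gitlab/values.yaml under `gitlab-runner.runners.privileged` and inside its embedded config.toml (`privileged = true`), so any decision here should be mirrored there.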
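Review bot: The second release in applications/gitlab/helmfile.yaml, `grafana`, references chart `grafana/grafana`, but the only repository declared in this helmfile is `gitlab`; unless the root helmfile.yaml (not visible here) injects that repository, helmfile will fail to resolve the chart. Its values path `applications/logging/values/grafana-values.yaml` is also resolved relative to this helmfile's own directory, i.e. applications/gitlab/applications/logging/..., which does not exist in the diffstat. This looks like a copy-paste from the logging helmfile (which the diffstat shows has its own grafana-values.yaml); dropping the release here, or moving it into applications/logging/helmfile.yaml, avoids two releases fighting over the same `logging` namespace.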
diff --git a/applications/gitlab/values.yaml b/applications/gitlab/values.yaml new file mode 100644 index 0000000..798e0aa --- /dev/null +++ b/applications/gitlab/values.yaml 
@@ -0,0 +1,600 @@ +--- +serviceAccount: + enabled: true +certificates: + customCAs: [] + image: + repository: registry.gitlab.com/gitlab-org/build/cng/certificates +certmanager: + install: false + installCRDs: false + nameOverride: certmanager + rbac: + create: true +certmanager-issuer: + email: security@nationtech.io + +common: + labels: {} +deployment: + annotations: {} +envVars: + - name: CI_JOB_ID + value: $CI_JOB_ID +geo: + enabled: false +gitlab: + gitlab-exporter: + enabled: true + gitlab-pages: + ingress: + tls: + secretName: gitlab-pages-tls + enabled: true + gitlab-shell: + enabled: true + kas: + enabled: true + mailroom: + enabled: true + migrations: + enabled: true + sidekiq: + enabled: true + toolbox: + antiAffinityLabels: + matchLabels: + app: gitaly + enabled: true + replicas: 1 + webservice: + enabled: true + ingress: + tls: + secretName: gitlab-tls +gitlab-zoekt: + gateway: + basicAuth: + enabled: true + secretName: '{{ include "gitlab.zoekt.gateway.basicAuth.secretName" $ }}' + indexer: + internalApi: + enabled: true + gitlabUrl: '{{ include "gitlab.zoekt.indexer.internalApi.gitlabUrl" $ }}' + secretKey: '{{ include "gitlab.zoekt.indexer.internalApi.secretKey" $ }}' + secretName: '{{ include "gitlab.zoekt.indexer.internalApi.secretName" $ }}' + install: true + +global: + edition: ee + affinity: + nodeAffinity: + key: topology.kubernetes.io/zone + values: [] + podAntiAffinity: + topologyKey: kubernetes.io/hostname + antiAffinity: soft + + gitaly: + enabled: true + replicas: 2 + praefect: + enabled: false + redis: + cluster: + enabled: false + appConfig: + resources: + requests: + cpu: 200m + memory: 1Gi + limits: + cpu: 1 + memory: 1Gi + smartcard: + enabled: false + kerberos: + dedicatedPort: + enabled: false + https: true + port: 8443 + enabled: false + keytab: + key: keytab + simpleLdapLinkingAllowedRealms: [] + kubectl: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/kubectl + securityContext: + fsGroup: 65534 + runAsUser: 65534 
+ ldap: + preventSignin: false + servers: {} + lfs: + bucket: git-lfs + connection: {} + enabled: true + proxy_download: true + maxRequestDurationSeconds: null + microsoft_graph_mailer: + enabled: false + minio: + enabled: true + monitoring: + enabled: true + object_store: + enabled: true + proxy_download: true + omniauth: + enabled: false + packages: + enabled: true + proxy_download: true + bucket: gitlab-packages + connection: {} + pages: + enabled: true + host: pages.gitlab.nationtech.io + namespaceInPath: true + accessControl: true + artifactsServer: true + https: null + objectStore: + bucket: gitlab-pages + connection: {} + enabled: true + + applicationSettingsCacheSeconds: 60 + artifacts: + bucket: gitlab-artifacts + enabled: true + proxy_download: true + backups: + bucket: gitlab-backups + tmpBucket: tmp + ciSecureFiles: + bucket: gitlab-ci-secure-files + connection: {} + enabled: false + contentSecurityPolicy: + enabled: false + report_only: true + cron_jobs: {} + defaultProjectsFeatures: + builds: true + issues: true + mergeRequests: true + snippets: true + wiki: true + dependencyProxy: + bucket: gitlab-dependency-proxy + connection: {} + enabled: true + proxy_download: true + duoAuth: + enabled: false + enableImpersonation: false + enableSeatLink: true + enableUsagePing: true + externalDiffs: + bucket: gitlab-mr-diffs + connection: {} + enabled: false + proxy_download: true + extra: + bizible: + googleAnalyticsId: null + googleTagManagerNonceId: null + matomoDisableCookies: null + matomoSiteId: null + matomoUrl: null + oneTrustId: null + gitlab_docs: + enabled: false + kas: + enabled: true + service: + apiExternalPort: 8153 + tls: + enabled: false + verify: true + graphQlTimeout: null + gravatar: + plainUrl: null + sslUrl: null + hosts: + domain: brizo.nationtech.io + externalIP: null + https: true + gitlab: + name: gitlab.nationtech.io + minio: + name: minio.gitlab.nationtech.io + registry: + name: registry.gitlab.nationtech.io + protocol: https + ssh: 
gitlab.nationtech.io + incomingEmail: + enabled: false + ingress: + annotations: + cert-manager.io/issuer: letsencrypt-prod + kubernetes.io/tls-acme: 'true' + nginx.ingress.kubernetes.io/proxy-body-size: 10000m + class: nginx + configureCertmanager: false + enabled: true + path: / + pathType: Prefix + provider: nginx + tls: + enabled: true + secretName: gitlab-tls + useNewIngressForCerts: false + initialDefaults: {} + initialRootPassword: {} + issueClosingPattern: null + job: + nameSuffixOverride: null + keda: + enabled: false + psql: + ci: {} + connectTimeout: null + database: gitlabhq_production + keepalives: null + keepalivesCount: null + keepalivesIdle: null + keepalivesInterval: null + main: {} + password: + key: postgres-password + secret: gitlab-postgres + useSecret: true + tcpUserTimeout: null + username: gitlab + registry: + enabled: true + host: registry.gitlab.nationtech.io + port: 433 + tokenIssuer: gitlab-issuer + api: + protocol: http + serviceName: registry + port: 5000 + tls: + enabled: true + secretName: gitlab-registry-tls + sentry: + clientside_dsn: null + dsn: null + enabled: false + environment: null + serviceDeskEmail: + enabled: false + shell: + authToken: + secret: gitlab-gitlab-shell-auth-token + hostKeys: + secret: gitlab-gitlab-shell-host-keys + sidekiq: + routingRules: [] + smtp: + enabled: false + uploads: + bucket: gitlab-uploads + enabled: true + proxy_download: true + usernameChangingEnabled: true + webhookTimeout: null + webservice: + tls: + enabled: true + workerTimeout: 300 + workhorse: + tls: + enabled: false + serviceName: webservice-default +minio: + install: true +nginx-ingress: + class: nginx + enabled: false + tcpExternalConfig: 'true' +nginx-ingress-geo: + enabled: false + rbac: + create: true + scope: false + serviceAccount: + create: true + tcpExternalConfig: 'true' +postgresql: + auth: + existingSecret: '{{ include "gitlab.psql.password.secret" . 
}}' + password: bogus-satisfy-upgrade + postgresPassword: bogus-satisfy-upgrade + replicationPassword: "" + replicationUsername: repl_user + secretKeys: + adminPasswordKey: postgresql-postgres-password + replicationPasswordKey: replication-password + userPasswordKey: '{{ include "gitlab.psql.password.key" $ }}' + usePasswordFiles: false + image: + tag: 14.10.0 + install: true + metrics: + enabled: true + service: + annotations: + gitlab.com/prometheus_port: '9187' + gitlab.com/prometheus_scrape: 'true' + prometheus.io/port: '9187' + prometheus.io/scrape: 'true' + primary: + extraVolumeMounts: + - mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh + name: custom-init-scripts + subPath: init_revision.sh + initdb: + scriptsConfigMap: '{{ include "gitlab.psql.initdbscripts" $}}' + podAnnotations: + postgresql.gitlab/init-revision: '1' +prometheus: + install: false + alertmanager: + enabled: true + config: + global: + resolve_timeout: 5m + route: + group_by: ['job'] + group_wait: 30s + group_interval: 5m + repeat_interval: 12h + receiver: 'null' + routes: + - match: + alertname: Watchdog + receiver: 'null' + receivers: + - name: 'null' + kubeStateMetrics: + enabled: true + nodeExporter: + enabled: true + pushgateway: + enabled: true + rbac: + create: true + server: + image: + tag: v2.38.0 + retention: 15d + strategy: + type: Recreate + serverFiles: + prometheus.yml: + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-pods + 
kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scrape + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name +rbac: + create: true +redis: + architecture: standalone + auth: + existingSecret: gitlab-redis-secret + existingSecretKey: redis-password + usePasswordFiles: true + cluster: + enabled: false + install: true + metrics: + enabled: true +registry: + enabled: true + database: + enabled: true + name: registry # must match the database name you created above + user: registry # must match the database username you created above + password: + secret: 
gitlab-registry-postgresql # must match the secret name + key: password # must match the secret key to read the password from + sslmode: verify-full + ssl: + secret: gitlab-registry-postgresql-ssl # you will need to create this secret manually + clientKey: client-key.pem + clientCertificate: client-cert.pem + serverCA: server-ca.pem + migrations: + enabled: true # this option will execute the schema migration as part of the registry deployment + tls: + enabled: true + secretName: gitlab-registry-tls + +shared-secrets: + enabled: true + env: production + rbac: + create: true + resources: + requests: + cpu: 50m + securityContext: + fsGroup: 65534 + runAsUser: 65534 + selfsign: + caSubject: GitLab Helm Chart + expiry: 3650d + image: + repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign + keyAlgorithm: rsa + keySize: '4096' + serviceAccount: + create: true + enabled: true + +gitlab-runner: + install: true + rbac: + create: true + runners: + locked: false + # Set secret to an arbitrary value because the runner chart renders the gitlab-runner.secret template only if it is not empty. + # The parent/GitLab chart overrides the template to render the actual secret name. + secret: "nonempty" + privileged: true + config: | + [[runners]] + [runners.kubernetes] + privileged = true + image = "ubuntu:22.04" + {{- if .Values.global.minio.enabled }} + [runners.cache] + Type = "s3" + Path = "gitlab-runner" + Shared = true + [runners.cache.s3] + ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }} + BucketName = "runner-cache" + BucketLocation = "us-east-1" + Insecure = true + {{ end }} + podAnnotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: 9252 + +upgradeCheck: + annotations: {} + configMapAnnotations: {} + enabled: true + image: {} + priorityClassName: '' + resources: + requests: + cpu: 50m + securityContext: + fsGroup: 65534 + runAsUser: 65534 + tolerations: [] 
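Review bot: `global.registry.port: 433` looks like a typo for 443: the registry host is published over HTTPS (`global.hosts.registry.protocol: https`, `global.registry.tls.enabled: true`), and the Rails side will advertise this port in image paths and tokens, so pushes and pulls would be directed at a closed port. The registry database block sets `sslmode: verify-full` against a `gitlab-registry-postgresql-ssl` secret that the inline comment says must be created by hand, yet the bundled `postgresql` chart (`install: true`) is given no TLS configuration on this page, so either that secret plus a server certificate for the bundled instance has to be provisioned out of band or the mode will reject the connection; a comment naming where those files come from would save the next deployer a debugging round. The embedded runner cache block sets `Insecure = true` for the S3 endpoint, which is acceptable only while the cache stays on the in-cluster MinIO; worth a one-line comment so it is not carried over to an external bucket.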
diff --git a/applications/gitlab/values2.yaml b/applications/gitlab/values2.yaml new file mode 100644 index 0000000..1b948c2 --- /dev/null +++ b/applications/gitlab/values2.yaml 
@@ -0,0 +1,1378 @@ +--- +## NOTICE +# +# Due to the scope and complexity of this chart, all possible values are +# not documented in this file. Extensive documentation is available. + +# +# Please read the docs: https://docs.gitlab.com/charts/ +# +# Because properties are regularly added, updated, or relocated, it is +# _strongly suggest_ to not "copy and paste" this YAML. Please provide +# Helm only those properties you need, and allow the defaults to be +# provided by the version of this chart at the time of deployment. + +## Advanced Configuration +## https://docs.gitlab.com/charts/advanced +# +# Documentation for advanced configuration, such as +# - External PostgreSQL +# - External Gitaly +# - External Redis +# - External NGINX +# - External Object Storage providers +# - PersistentVolume configuration + +## The global properties are used to configure multiple charts at once. +## https://docs.gitlab.com/charts/charts/globals +global: + common: + labels: {} + pod: + labels: {} + + ## https://docs.gitlab.com/charts/installation/deployment#deploy-the-community-edition + edition: ee + + ## https://docs.gitlab.com/charts/charts/globals#gitlab-version + # gitlabVersion: + + ## https://docs.gitlab.com/charts/charts/globals#application-resource + application: + create: false + links: [] + allowClusterRoles: true + ## https://docs.gitlab.com/charts/charts/globals#configure-host-settings + hosts: + domain: nationtech.io + https: true + ssh: gitlab.nationtech.io + gitlab: + name: gitlab.nationtech.io + https: true + minio: + name: minio.nationtech.io + https: true + registry: + name: registry.nationtech.io + https: true + protocol: https + kas: + name: kas.nationtech.io + https: true + pages: + name: pages.nationtech.io + https: true + + ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings + ingress: + configureCertmanager: true + useNewIngressForCerts: false + class: nginx + annotations: + cert-manager.io/issuer: letsencrypt-prod + 
kubernetes.io/tls-acme: 'true' + nginx.ingress.kubernetes.io/proxy-body-size: 10000m + enabled: true + tls: + enabled: true + secretName: gitlab-tls + path: / + pathType: Prefix + + # Override the API version to use for HorizontalPodAutoscaler + # Enable KEDA globally (https://keda.sh/) + keda: + enabled: false + + # Override the API version to use for PodDisruptionBudget + pdb: + apiVersion: "" + + # Override the API version to use for CronJob + batch: + cronJob: + apiVersion: "" + + # Override enablement of ServiceMonitor and PodMonitor objects. + monitoring: + enabled: true + + gitlab: + ## Enterprise license for this GitLab installation + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-enterprise-license + ## If allowing shared-secrets generation, this is OPTIONAL. + license: {} + # secret: RELEASE-gitlab-license + # key: license + + ## Initial root password for this GitLab installation + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-root-password + ## If allowing shared-secrets generation, this is OPTIONAL. 
+ initialRootPassword: {} + # secret: RELEASE-gitlab-initial-root-password + # key: password + + ## https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings + psql: + connectTimeout: + keepalives: + keepalivesIdle: + keepalivesInterval: + keepalivesCount: + tcpUserTimeout: + password: + useSecret: true + secret: gitlab-postgres + key: psql-password + file: + # host: postgresql.hostedsomewhere.else + # port: 123 + username: gitlab + database: gitlabhq_production + applicationName: "" + preparedStatements: false + databaseTasks: true + main: {} + # host: postgresql.hostedsomewhere.else + # port: 123 + # username: gitlab + # database: gitlabhq_production + # applicationName: + # preparedStatements: false + # databaseTasks: true + ci: {} + # host: postgresql.hostedsomewhere.else + # port: 123 + # username: gitlab + # database: gitlabhq_production_ci + # applicationName: + # preparedStatements: false + # databaseTasks: false + + ## https://docs.gitlab.com/charts/charts/globals#configure-redis-settings + redis: + auth: + enabled: true + secret: gitlab-redis + key: redis-password + # connectTimeout: 1 + # readTimeout: 1 + # writeTimeout: 1 + # host: redis.hostedsomewhere.else + # port: 6379 + # user: webservice + # sentinels: + # - host: + # port: + sentinelAuth: + enabled: false + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#configure-gitaly-settings + gitaly: + enabled: true + authToken: + secret: gitaly-secret + key: token + # serviceName: + internal: + names: [default] + external: [] + service: + name: gitaly + type: ClusterIP + externalPort: 8075 + internalPort: 8075 + tls: + externalPort: 8076 + internalPort: 8076 + tls: + enabled: true + secretName: gitlab-gitaly-tls + + praefect: + enabled: false + ntpHost: pool.ntp.org + replaceInternalGitaly: true + authToken: {} + autoMigrate: true + dbSecret: {} + virtualStorages: + - name: default + gitalyReplicas: 3 + maxUnavailable: 1 + psql: + sslMode: disable + # serviceName: 
+ service: + name: praefect + type: ClusterIP + externalPort: 8075 + internalPort: 8075 + tls: + externalPort: 8076 + internalPort: 8076 + tls: + enabled: false + # secretName: + + ## https://docs.gitlab.com/charts/charts/globals#configure-minio-settings + minio: + enabled: true + credentials: {} + + ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings + ## Rails based portions of this chart share many settings + appConfig: + ## https://docs.gitlab.com/charts/charts/globals#general-application-settings + # cdnHost: + enableUsagePing: true + enableSeatLink: true + enableImpersonation: + applicationSettingsCacheSeconds: 60 + usernameChangingEnabled: true + issueClosingPattern: + defaultTheme: + defaultProjectsFeatures: + issues: true + mergeRequests: true + wiki: true + snippets: true + builds: true + graphQlTimeout: + webhookTimeout: + maxRequestDurationSeconds: + + ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings + cron_jobs: {} + ## Flag stuck CI builds as failed + # stuck_ci_jobs_worker: + # cron: "0 * * * *" + ## Schedule pipelines in the near future + # pipeline_schedule_worker: + # cron: "19 * * * *" + ## Remove expired build artifacts + # expire_build_artifacts_worker: + # cron: "*/7 * * * *" + ## Periodically run 'git fsck' on all repositories. 
+ # repository_check_worker: + # cron: "20 * * * *" + ## Send admin emails once a week + # admin_email_worker: + # cron: "0 0 * * 0" + ## Remove outdated repository archives + # repository_archive_cache_worker: + # cron: "0 * * * *" + ## Verify custom GitLab Pages domains + # pages_domain_verification_cron_worker: + # cron: "*/15 * * * *" + # schedule_migrate_external_diffs_worker: + # cron: "15 * * * *" + ## Prune stale group runners on opted-in namespaces + # ci_runners_stale_group_runners_prune_worker_cron: + # cron: "30 * * * *" + ## Periodically update ci_runner_versions table with up-to-date versions and status + # ci_runner_versions_reconciliation_worker: + # cron: "@daily" + ## Periodically clean up stale ci_runner_machines records + # ci_runners_stale_machines_cleanup_worker: + # cron: "36 * * * *" + # ci_click_house_finished_pipelines_sync_worker: + # cron: "*/4 * * * *" + # args: [0, 1] + ### GitLab Geo + # Geo Primary only! + # geo_prune_event_log_worker: + # cron: "*/5 * * * *" + ## GitLab Geo repository sync worker + # geo_repository_sync_worker: + # cron: "*/5 * * * *" + ## GitLab Geo file download dispatch worker + # geo_file_download_dispatch_worker: + # cron: "*/10 * * * *" + ## GitLab Geo repository verification primary batch worker + # geo_repository_verification_primary_batch_worker: + # cron: "*/5 * * * *" + ## GitLab Geo repository verification secondary scheduler worker + # geo_repository_verification_secondary_scheduler_worker: + # cron: "*/5 * * * *" + ## GitLab Geo migrated local files clean up worker + # geo_migrated_local_files_clean_up_worker: + # cron: "15 */6 * * *" + ### LDAP + # ldap_sync_worker: + # cron: "30 1 * * *" + # ldap_group_sync_worker: + # cron: "0 * * * *" + ### Snapshot active user statistics + # historical_data_worker: + # cron: "0 12 * * *" + # loose_foreign_keys_cleanup_worker_cron: + # cron: "*/5 * * * *" + + ## https://docs.gitlab.com/charts/charts/globals#content-security-policy + contentSecurityPolicy: + 
enabled: false + report_only: true + # directives: {} + + ## https://docs.gitlab.com/charts/charts/globals#gravatarlibravatar-settings + gravatar: + plainUrl: + sslUrl: + + ## https://docs.gitlab.com/charts/charts/globals#hooking-analytics-services-to-the-gitlab-instance + extra: + googleAnalyticsId: + matomoUrl: + matomoSiteId: + matomoDisableCookies: + oneTrustId: + googleTagManagerNonceId: + bizible: + + ## https://docs.gitlab.com/charts/charts/globals#lfs-artifacts-uploads-packages-external-mr-diffs-and-dependency-proxy + object_store: + enabled: true + proxy_download: true + storage_options: {} + # server_side_encryption: + # server_side_encryption_kms_key_id + connection: {} + # secret: + # key: + lfs: + enabled: true + proxy_download: true + bucket: git-lfs + connection: {} + # secret: + # key: + artifacts: + enabled: true + proxy_download: true + bucket: gitlab-artifacts + connection: {} + # secret: + # key: + uploads: + enabled: true + proxy_download: true + bucket: gitlab-uploads + connection: {} + # secret: + # key: + packages: + enabled: true + proxy_download: true + bucket: gitlab-packages + connection: {} + externalDiffs: + enabled: false + when: + proxy_download: true + bucket: gitlab-mr-diffs + connection: {} + terraformState: + enabled: false + bucket: gitlab-terraform-state + connection: {} + ciSecureFiles: + enabled: false + bucket: gitlab-ci-secure-files + connection: {} + dependencyProxy: + enabled: true + proxy_download: true + bucket: gitlab-dependency-proxy + connection: {} + + backups: + bucket: gitlab-backups + tmpBucket: tmp + + ## https://docs.gitlab.com/charts/charts/globals#outgoing-email + ## Microsoft Graph Mailer settings + microsoft_graph_mailer: + enabled: false + user_id: "" + tenant: "" + client_id: "" + client_secret: + secret: "" + key: secret + azure_ad_endpoint: "https://login.microsoftonline.com" + graph_endpoint: "https://graph.microsoft.com" + + ## 
https://docs.gitlab.com/charts/installation/command-line-options.html#incoming-email-configuration + ## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#incoming-email + incomingEmail: + enabled: false + address: "" + host: "imap.gmail.com" + port: 993 + ssl: true + startTls: false + user: "" + password: + secret: "" + key: password + deleteAfterDelivery: true + expungeDeleted: false + logger: + logPath: "/dev/stdout" + mailbox: inbox + idleTimeout: 60 + inboxMethod: "imap" + clientSecret: + key: secret + pollInterval: 60 + deliveryMethod: webhook + authToken: {} + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#service-desk-email + serviceDeskEmail: + enabled: false + address: "" + host: "imap.gmail.com" + port: 993 + ssl: true + startTls: false + user: "" + password: + secret: "" + key: password + deleteAfterDelivery: true + expungeDeleted: false + logger: + logPath: "/dev/stdout" + mailbox: inbox + idleTimeout: 60 + inboxMethod: "imap" + clientSecret: + key: secret + pollInterval: 60 + deliveryMethod: webhook + authToken: {} + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#ldap + ldap: + # prevent the use of LDAP for sign-in via web. 
+ preventSignin: false + servers: {} + ## See documentation for complete example of a configured LDAP server + + duoAuth: + enabled: false + # hostname: + # integrationKey: + # secretKey: + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#kas-settings + gitlab_kas: + enabled: true + secret: gitlab-kas-secret + key: value + # externalUrl: + # internalUrl: + + ## https://docs.gitlab.com/charts/charts/globals#suggested-reviewers-settings + suggested_reviewers: {} + # secret: + # key: + + ## https://docs.gitlab.com/charts/charts/globals#omniauth + omniauth: + enabled: false + autoSignInWithProvider: + syncProfileFromProvider: [] + syncProfileAttributes: [email] + allowSingleSignOn: [saml] + blockAutoCreatedUsers: true + autoLinkLdapUser: false + autoLinkSamlUser: false + autoLinkUser: [] + externalProviders: [] + allowBypassTwoFactor: [] + providers: [] + # - secret: gitlab-google-oauth2 + # key: provider + + ## https://docs.gitlab.com/charts/charts/globals#kerberos + kerberos: + enabled: false + keytab: + # secret: + key: keytab + servicePrincipalName: "" + krb5Config: "" + dedicatedPort: + enabled: false + port: 8443 + https: true + simpleLdapLinkingAllowedRealms: [] + + ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings + sentry: + enabled: false + dsn: + clientside_dsn: + environment: + + gitlab_docs: + enabled: false + host: "" + + smartcard: + enabled: false + CASecret: + clientCertificateRequiredHost: + sanExtensions: false + requiredForGitAccess: false + + sidekiq: + routingRules: [] + + # Config that only applies to the defaults on initial install + initialDefaults: + signupEnabled: false + ## End of global.appConfig + + oauth: + gitlab-pages: {} + # secret: + # appIdKey: + # appSecretKey: + # redirectUri: + # authScope: + + ## https://docs.gitlab.com/charts/advanced/geo/ + geo: + enabled: false + # Valid values: primary, secondary + role: primary + ## Geo Secondary only + # nodeName allows multiple instances 
behind a load balancer. + nodeName: # defaults to `gitlab.gitlab.host` + # ingressClass: + # PostgreSQL connection details only needed for `secondary` + psql: + password: {} + # secret: + # key: + # host: postgresql.hostedsomewhere.else + # port: 123 + # username: gitlab_replicator + # database: gitlabhq_geo_production + # ssl: + # secret: + # clientKey: + # clientCertificate: + # serverCA: + registry: + replication: + enabled: false + primaryApiUrl: + ## Consumes global.registry.notificationSecret + + ## https://docs.gitlab.com/charts/charts/gitlab/kas/ + kas: + enabled: true + service: + apiExternalPort: 8153 # port for connections from the GitLab backend + tls: + enabled: false + verify: true + # secretName: + # caSecretName: + + ## https://docs.gitlab.com/charts/charts/gitlab/spamcheck/ + spamcheck: + enabled: false + + ## https://docs.gitlab.com/charts/charts/globals#configure-gitlab-shell + shell: + authToken: + secret: gitlab-shell-token-secret + key: token + hostKeys: + secret: gitlab-shell-hostkeys-secret + ## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol + tcp: + proxyProtocol: true + + ## Rails application secrets + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret + ## If allowing shared-secrets generation, this is OPTIONAL. 
+ railsSecrets: {} + # secret: + + ## Rails generic setting, applicable to all Rails-based containers + rails: + bootsnap: # Enable / disable Shopify/Bootsnap cache + enabled: true + sessionStore: + sessionCookieTokenPrefix: "" + + ## https://docs.gitlab.com/charts/charts/globals#configure-registry-settings + registry: + bucket: registry + certificate: + secret: registry.nationtech.io-tls + httpSecret: + secret: gitlab-registry-http-secret + key: value + notificationSecret: {} + # secret: + # key: + tls: + enabled: true + secretName: registry.nationtech.io-tls + redis: + cache: + password: {} + rateLimiting: + password: {} + # https://docs.docker.com/registry/notifications/#configuration + notifications: {} + # endpoints: + # - name: FooListener + # url: https://foolistener.com/event + # timeout: 500ms + # threshold: 10 # DEPRECATED: use maxretries instead https://gitlab.com/gitlab-org/container-registry/-/issues/1243. + # maxretries: 5 + # backoff: 1s + # headers: + # FooBar: ['1', '2'] + # Authorization: + # secret: gitlab-registry-authorization-header + # SpecificPassword: + # secret: gitlab-registry-specific-password + # key: password + # events: {} + + # Settings utilized by other services referencing registry: + enabled: true + host: + # port: 443 + api: + protocol: http + serviceName: registry + port: 5000 + tokenIssuer: gitlab-issuer + + pages: + enabled: true + accessControl: true + # path: / + # host: + port: + https: true # default true + externalHttp: [] + externalHttps: [] + artifactsServer: true + localStore: + enabled: true + # path: /srv/gitlab/shared/pages + objectStore: + enabled: true + bucket: gitlab-pages + proxy_download: true + connection: {} + # secret: + # key: + # apiSecret: + # authSecret: {} + namespaceInPath: true + + ## GitLab Runner + ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret + ## If allowing shared-secrets generation, this is OPTIONAL. 
+ runner: + registrationToken: {} + # secret: + + ## https://docs.gitlab.com/charts/charts/globals#outgoing-email + ## Outgoing email server settings + smtp: + enabled: false + address: smtp.mailgun.org + port: 2525 + user_name: "" + ## https://docs.gitlab.com/charts/installation/secrets#smtp-password + password: + secret: "" + key: password + # domain: + authentication: "plain" + starttls_auto: false + openssl_verify_mode: "peer" + open_timeout: 30 + read_timeout: 60 + pool: false + + ## https://docs.gitlab.com/charts/charts/globals#outgoing-email + ## Email persona used in email sent by GitLab + email: + from: "" + display_name: GitLab + reply_to: "" + subject_suffix: "" + smime: + enabled: false + secretName: "" + keyName: "tls.key" + certName: "tls.crt" + + ## Timezone for containers. + time_zone: UTC + + ## Global Service Annotations and Labels + service: + labels: {} + annotations: {} + + ## Global Deployment Annotations + deployment: + annotations: {} + + + # Setting a global nodeAffinity only applies to the registry chart for now. 
+ # See issue https://gitlab.com/gitlab-com/gl-infra/production-engineering/-/issues/25403 for more information + + nodeAffinity: + + antiAffinity: soft + affinity: + podAntiAffinity: + topologyKey: "kubernetes.io/hostname" + nodeAffinity: + key: topology.kubernetes.io/zone + values: [] + + # Priority class assigned to pods, may be overridden for individual components + # https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ + priorityClassName: "" + + ## https://docs.gitlab.com/charts/charts/globals#configure-workhorse-settings + ## Global settings related to Workhorse + workhorse: + serviceName: webservice-default + # scheme: + # host: + # port: + ## https://docs.gitlab.com/charts/installation/secrets#gitlab-workhorse-secret + # secret: + # key: + tls: + enabled: false + + ## https://docs.gitlab.com/charts/charts/globals#configure-webservice + webservice: + workerTimeout: 60 + + ## https://docs.gitlab.com/charts/charts/globals#custom-certificate-authorities + # configuration of certificates container & custom CA injection + certificates: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/certificates + # Default tag is `global.gitlabVersion` or `master` if the former one is undefined. + # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + customCAs: [] + # - secret: custom-CA + # - secret: more-custom-CAs + # keys: + # - custom-ca-1.crt + # - configMap: custom-CA-cm + # - configMap: more-custom-CAs-cm + # keys: + # - custom-ca-2.crt + # - custom-ca-3.crt + + ## kubectl image used by hooks to carry out specific jobs + kubectl: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/kubectl + # Default tag is `global.gitlabVersion` or `master` if the former one is undefined. 
+ # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + securityContext: + # in most base images, this is `nobody:nogroup` + runAsUser: 65534 + fsGroup: 65534 + gitlabBase: + image: + repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base + # Default tag is `global.gitlabVersion` or `master` if the former one is undefined. + # Charts using this image as init container support further overrides with `init.image.tag`. + # tag: master + # pullPolicy: IfNotPresent + # pullSecrets: [] + + ## https://docs.gitlab.com/charts/charts/globals#service-accounts + serviceAccount: + enabled: true + create: true + annotations: {} + automountServiceAccountToken: true + ## Name to be used for serviceAccount, otherwise defaults to chart fullname + # name: + + ## https://docs.gitlab.com/charts/charts/globals/#tracing + tracing: + connection: + string: "" + urlTemplate: "" + + zoekt: + gateway: + basicAuth: {} + indexer: + internalApi: {} + + ## https://docs.gitlab.com/charts/charts/globals + extraEnv: {} + # SOME_KEY: some_value + # SOME_OTHER_KEY: some_other_value + + ## https://docs.gitlab.com/charts/charts/globals + extraEnvFrom: {} + # MY_NODE_NAME: + # fieldRef: + # fieldPath: spec.nodeName + # MY_CPU_REQUEST: + # resourceFieldRef: + # containerName: test-container + # resource: requests.cpu + # SECRET_THING: + # secretKeyRef: + # name: special-secret + # key: special_token + # # optional: boolean + # CONFIG_STRING: + # configMapKeyRef: + # name: useful-config + # key: some-string + # # optional: boolean + + ## https://docs.gitlab.com/charts/charts/globals/#jobs + job: + nameSuffixOverride: + + traefik: + apiVersion: "" # newer apiVersion: "traefik.io/v1alpha1" + +## End of global + +#upgradeCheck: +# enabled: true +# image: {} +# # repository: +# # tag: +# # pullPolicy: IfNotPresent +# # pullSecrets: [] +# securityContext: +# # in alpine/debian/busybox based images, this is `nobody:nogroup` +# runAsUser: 65534 +# fsGroup: 65534 +# containerSecurityContext: 
{} +# tolerations: [] +# annotations: {} +# configMapAnnotations: {} +# resources: +# requests: +# cpu: 50m +# priorityClassName: "" +# +# ## Settings to for the Let's Encrypt ACME Issuer +certmanager-issuer: + # # The email address to register certificates requested from Let's Encrypt. + # # Required if using Let's Encrypt. + email: security@nationtech.io + +## Installation & configuration of jetstack/cert-manager +## See requirements.yaml for current version +certmanager: + installCRDs: true + nameOverride: certmanager + # Install cert-manager chart. Set to false if you already have cert-manager + # installed or if you are not using cert-manager. + install: false + # Other cert-manager configurations from upstream + # See https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/README#configuration + rbac: + create: true + +## https://docs.gitlab.com/charts/charts/nginx/ +## https://docs.gitlab.com/charts/architecture/decisions#nginx-ingress +## Installation & configuration of charts/ingress-nginx: +nginx-ingress: &nginx-ingress + enabled: false + tcpExternalConfig: "true" + controller: &nginx-ingress-controller + addHeaders: + Referrer-Policy: strict-origin-when-cross-origin + config: &nginx-ingress-controller-config + annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"" + hsts: "true" + hsts-include-subdomains: "false" + hsts-max-age: "63072000" + server-name-hash-bucket-size: "256" + use-http2: "true" + ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + ssl-protocols: "TLSv1.3 TLSv1.2" + server-tokens: "false" + # Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration + 
upstream-keepalive-connections: 100 # Limit of 100 held-open connections + upstream-keepalive-time: 30s # 30 second limit for connection reuse + upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections + upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling + + service: + externalTrafficPolicy: "Local" + ingressClassByName: true + ingressClassResource: + name: '{{ include "ingress.class.name" $ | quote }}' + resources: + requests: + cpu: 100m + memory: 100Mi + publishService: + enabled: true + replicaCount: 2 + minAvailable: 1 + scope: + enabled: true + metrics: + enabled: true + service: + annotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "10254" + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + admissionWebhooks: + enabled: false + defaultBackend: + resources: + requests: + cpu: 5m + memory: 5Mi + rbac: + create: true + createClusterRole: true + # Needed for k8s 1.20 and 1.21 + # https://github.com/kubernetes/ingress-nginx/issues/7510 + # https://github.com/kubernetes/ingress-nginx/issues/7519 + scope: false + serviceAccount: + create: true + +# Ingress controller to handle requests forwarded from other Geo sites. +# Configuration differences compared to the main nginx ingress: +# - Pass X-Forwarded-For headers as is +# - Use a different IngressClass name +nginx-ingress-geo: + <<: *nginx-ingress + enabled: false + controller: + <<: *nginx-ingress-controller + config: + <<: *nginx-ingress-controller-config + # Pass incoming X-Forwarded-* headers to upstream. Required to handle requests + # from other Geo sites. 
+ # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers + use-forwarded-headers: true + electionID: ingress-controller-leader-geo + ingressClassResource: + name: '{{ include "gitlab.geo.ingress.class.name" $ | quote }}' + controllerValue: 'k8s.io/nginx-ingress-geo' + # A pre-defined/static external IP can be configured with global.hosts.externalGeoIP. + externalIpTpl: '{{ .Values.global.hosts.externalGeoIP }}' + +haproxy: + install: false + controller: + service: + type: LoadBalancer + tcpPorts: + - name: ssh + port: 22 + targetPort: 22 + extraArgs: + - --configmap-tcp-services=$(POD_NAMESPACE)/$(POD_NAMESPACE)-haproxy-tcp + +## Installation & configuration of stable/prometheus +## See requirements.yaml for current version +prometheus: + install: true + rbac: + create: true + alertmanager: + enabled: true + alertmanagerFiles: + alertmanager.yml: + config: + global: + resolve_timeout: 5m + route: + group_by: ['job'] + group_wait: 30s + group_interval: 5m + repeat_interval: 12h + receiver: 'null' + routes: + - match: + alertname: Watchdog + receiver: 'null' + receivers: + - name: 'null' + + kubeStateMetrics: + enabled: true + nodeExporter: + enabled: false + pushgateway: + enabled: true + server: + retention: 15d + strategy: + type: Recreate + image: + tag: v2.38.0 + serverFiles: + prometheus.yml: + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: + [ + __meta_kubernetes_namespace, + __meta_kubernetes_service_name, + __meta_kubernetes_endpoint_port_name, + ] + action: keep + regex: default;kubernetes;https + - job_name: kubernetes-pods + kubernetes_sd_configs: + 
- role: pod + relabel_configs: + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scrape] + action: keep + regex: true + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + [ + __address__, + __meta_kubernetes_pod_annotation_gitlab_com_prometheus_port, + ] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scrape + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-services + metrics_path: /probe + params: + module: [http_2xx] + kubernetes_sd_configs: + - role: service + relabel_configs: + - source_labels: + [ + __meta_kubernetes_service_annotation_gitlab_com_prometheus_probe, + ] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: kubernetes_name + +## Configuration of Redis +## https://docs.gitlab.com/charts/architecture/decisions#redis +## https://docs.gitlab.com/charts/installation/deployment.html#redis +redis: + install: true + auth: + existingSecret: gitlab-redis-secret + existingSecretKey: redis-password + usePasswordFiles: true + architecture: standalone + cluster: + enabled: false + metrics: + enabled: true + +## Installation & configuration of stable/postgresql +## See requirements.yaml 
for current version +postgresql: + install: true + auth: + ## These need to be set, for the sake of bitnami/postgresql upgrade patterns. + ## They are overridden by use of `existingSecret` + password: bogus-satisfy-upgrade + postgresPassword: bogus-satisfy-upgrade + ## + usePasswordFiles: false + existingSecret: '{{ include "gitlab.psql.password.secret" . }}' + secretKeys: + adminPasswordKey: postgresql-postgres-password + userPasswordKey: '{{ include "gitlab.psql.password.key" $ }}' + image: + tag: 14.8.0 + primary: + initdb: + scriptsConfigMap: '{{ include "gitlab.psql.initdbscripts" $}}' + extraVolumeMounts: + - name: custom-init-scripts + mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh + subPath: init_revision.sh + podAnnotations: + postgresql.gitlab/init-revision: "1" + metrics: + enabled: true + service: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "9187" + + ## Optionally define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + +## Installation & configuration charts/registry +## https://docs.gitlab.com/charts/architecture/decisions#registry +## https://docs.gitlab.com/charts/charts/registry/ +registry: + enabled: true + database: + enabled: true + name: gitlabhq_production # must match the database name you created above + user: gitlab # must match the database username you created above + password: + secret: gitlab-postgres + key: psql-password + sslmode: verify-full + ssl: + secret: gitlab-registry-postgresql-ssl # you will need to create this secret manually + clientKey: client-key.pem + clientCertificate: client-cert.pem + serverCA: server-ca.pem + migrations: + enabled: true # this option will execute the schema migration as part of the registry deployment + tls: + enabled: true + secretName: gitlab-registry-tls + +minio: + ingress: + tls: + secretName: gitlab-minio-tls +## 
Automatic shared secret generation +## https://docs.gitlab.com/charts/installation/secrets +## https://docs.gitlab.com/charts/charts/shared-secrets.html +shared-secrets: + enabled: true + rbac: + create: true + selfsign: + image: + # pullPolicy: IfNotPresent + # pullSecrets: [] + repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign + # Default tag is `master`, overridable by `global.gitlabVersion`. + # tag: master + keyAlgorithm: "rsa" + keySize: "4096" + expiry: "3650d" + caSubject: "GitLab Helm Chart" + env: production + serviceAccount: + enabled: true + create: true + name: # Specify a pre-existing ServiceAccount name + resources: + requests: + cpu: 50m + securityContext: + # in debian/alpine based images, this is `nobody:nogroup` + runAsUser: 65534 + fsGroup: 65534 + tolerations: [] + podLabels: {} + annotations: {} + +## Installation & configuration of gitlab/gitlab-runner +## See requirements.yaml for current version +gitlab-runner: + install: true + rbac: + create: true + runners: + locked: false + # Set secret to an arbitrary value because the runner chart renders the gitlab-runner.secret template only if it is not empty. + # The parent/GitLab chart overrides the template to render the actual secret name. + secret: "nonempty" + privileged: true + config: | + [[runners]] + [runners.kubernetes] + image = "ubuntu:23.04" + privileged = true + {{- if .Values.global.minio.enabled }} + [runners.cache] + Type = "s3" + Path = "gitlab-runner" + Shared = true + [runners.cache.s3] + ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . 
}} + BucketName = "runner-cache" + BucketLocation = "us-east-1" + Insecure = true + {{ end }} + podAnnotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: 9252 + +traefik: + install: false + ports: + gitlab-shell: + expose: true + port: 2222 + exposedPort: 22 + +## Settings for individual sub-charts under GitLab +## Note: Many of these settings are configurable via globals +gitlab: + ## https://docs.gitlab.com/charts/charts/gitlab/toolbox + toolbox: + replicas: 1 + antiAffinityLabels: + matchLabels: + app: gitaly + ## https://docs.gitlab.com/charts/charts/gitlab/migrations + # migrations: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/webservice + webservice: + enabled: true + ingress: + tls: + secretName: gitlab-gitlab-tls + ## https://docs.gitlab.com/charts/charts/gitlab/sidekiq + sidekiq: + enabled: true + ## https://docs.gitlab.com/charts/charts/gitlab/gitaly + # gitaly: + ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell + gitlab-shell: + sshDaemon: gitlab-sshd + ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-pages + # gitlab-pages: + ## https://docs.gitlab.com/charts/charts/gitlab/kas + # kas: + ## https://docs.gitlab.com/charts/charts/gitlab/praefect + # praefect: + +## Installation & configuration of gitlab/gitlab-zoekt +gitlab-zoekt: + install: false + gateway: + basicAuth: + enabled: true + secretName: '{{ include "gitlab.zoekt.gateway.basicAuth.secretName" $ }}' + indexer: + internalApi: + enabled: true + secretName: '{{ include "gitlab.zoekt.indexer.internalApi.secretName" $ }}' + secretKey: '{{ include "gitlab.zoekt.indexer.internalApi.secretKey" $ }}' + gitlabUrl: '{{ include "gitlab.zoekt.indexer.internalApi.gitlabUrl" $ }}' diff --git a/applications/harbor/helmfile.yaml b/applications/harbor/helmfile.yaml new file mode 100644 index 0000000..2807afa --- /dev/null +++ b/applications/harbor/helmfile.yaml 
@@ -0,0 +1,19 @@
+---
+repositories:
+ - name: harbor
+ url: https://helm.goharbor.io
+
+releases:
+ - name: harbor
+ namespace: harbor
+ chart: harbor/harbor
+ version: 1.15.1
+ values:
+ - values.yaml
+ set:
+ - name: harborAdminPassword
+ value: '{{ env "HARBOR_ADMIN_PASSWORD" | default "Harbor12345" }}'
+ - name: database.internal.password
+ value: '{{ env "HARBOR_DB_PASSWORD" | default "changeme" }}'
+ - name: redis.internal.password
+ value: '{{ env "HARBOR_REDIS_PASSWORD" | default "changeme" }}'
diff --git a/applications/harbor/values.yaml b/applications/harbor/values.yaml
new file mode 100644
index 0000000..1bd41a8
--- /dev/null
+++ b/applications/harbor/values.yaml
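Review bot: The `default "Harbor12345"` and `default "changeme"` fallbacks on the three `set:` entries mean a run with the `HARBOR_*` variables unset still deploys, silently, with Harbor's documented default admin password and placeholder database/Redis passwords; the same literals are also committed in `applications/harbor/values.yaml` (`harborAdminPassword: "Harbor12345"` and the two `password: "changeme"` entries), so the values file alone already ships them. Failing closed is the safer shape, e.g. `value: '{{ requiredEnv "HARBOR_ADMIN_PASSWORD" }}'`, together with dropping the hard-coded copies from values.yaml so the environment (or a pre-created secret referenced through the chart's `existingSecretAdminPassword`) is the only source. Note also that helmfile `set:` entries become `--set` arguments to helm, so these passwords are visible in process listings and shell history on the operator host; rendering them into a `.gotmpl` values file from the environment avoids that.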
@@ -0,0 +1,152 @@
+harborAdminPassword: "Harbor12345"
+tlsSecretName: "harbor.nationtech.io-tls"
+
+expose:
+ type: ingress
+ tls:
+ enabled: true
+ certSource: secret
+ secret:
+ secretName: "harbor.nationtech.io-tls"
+ ingress:
+ hosts:
+ core: harbor.nationtech.io
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ kubernetes.io/tls-acme: "true"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ className: "nginx"
+ ports:
+ httpPort: 80
+
+persistence:
+ enabled: true
+ resourcePolicy: "keep"
+ persistentVolumeClaim:
+ registry:
+ subPath: "registry"
+ accessMode: ReadWriteOnce
+ size: 20Gi
+ jobservice:
+ jobLog:
+ subPath: "jobservice"
+ accessMode: ReadWriteOnce
+ size: 2Gi
+ database:
+ subPath: "db"
+ accessMode: ReadWriteOnce
+ size: 10Gi
+ redis:
+ subPath: "redis"
+ accessMode: ReadWriteOnce
+ size: 2Gi
+ trivy:
+ subPath: "trivy"
+ accessMode: ReadWriteOnce
+ size: 2Gi
+ imageChartStorage:
+ disableredirect: false
+ type: filesystem
+ filesystem:
+ rootdirectory: /storage
+
+# Enable Prometheus metrics
+metrics:
+ enabled: true
+ core:
+ path: /metrics
+ port: 8001
+ registry:
+ path: /metrics
+ port: 8001
+ jobservice:
+ path: /metrics
+ port: 8001
+ exporter:
+ path: /metrics
+ port: 8001
+ serviceMonitor:
+ enabled: true
+ namespace: monitoring
+ additionalLabels:
+ release: prometheus
+ interval: 15s
+ metricRelabelings: []
+ relabelings: []
+
+# Disable tracing as we're not using Jaeger
+trace:
+ enabled: false
+
+# Enable internal TLS
+internalTLS:
+ enabled: true
+ strong_ssl_ciphers: true
+ certSource: "auto"
+
+# Use internal database for simplicity
+database:
+ type: internal
+ internal:
+ password: "changeme"
+
+# Use internal Redis for simplicity
+redis:
+ type: internal
+ internal:
+ password: "changeme"
+
+# Enable Trivy scanner
+trivy:
+ enabled: true
+ image:
+ repository: goharbor/trivy-adapter-photon
+ tag: dev
+ replicas: 2
+ 
resources:
+ requests:
+ cpu: 200m
+ memory: 512Mi
+ limits:
+ cpu: 1
+ memory: 1Gi
+ vulnType: "os,library"
+ severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+ ignoreUnfixed: false
+ insecure: false
+ skipUpdate: false
+ skipJavaDBUpdate: false
+ offlineScan: false
+ securityCheck: "vuln"
+ timeout: 5m0s
+
+# High Availability settings
+portal:
+ replicas: 2
+
+core:
+ replicas: 2
+
+jobservice:
+ replicas: 2
+
+registry:
+ replicas: 2
+
+chartmuseum:
+ replicas: 2
+
+# Logging configuration
+log:
+ level: info
+ local:
+ rotateCount: 50
+ rotateSize: 200M
+ location: /var/log/harbor
+ external:
+ enabled: true
+ endpoint: http://fluentd.logging:24224
+ index: harbor
+ type: fluentd
diff --git a/applications/logging/helmfile.yaml b/applications/logging/helmfile.yaml
new file mode 100644
index 0000000..87d1401
--- /dev/null
+++ b/applications/logging/helmfile.yaml
@@ -0,0 +1,46 @@
+repositories:
+ - name: grafana
+ url: https://grafana.github.io/helm-charts
+ - name: elastic
+ url: https://helm.elastic.co
+
+releases:
+ - name: elasticsearch
+ namespace: {{ .Values.namespace | default "logging" }}
+ chart: elastic/elasticsearch
+ version: 7.17.10
+ values:
+ - values/elasticsearch-values.yaml
+ - ../common-config.yaml
+
+ - name: filebeat
+ namespace: {{ .Values.namespace | default "logging" }}
+ chart: elastic/filebeat
+ version: 7.17.10
+ values:
+ - values/filebeat-values.yaml
+ - ../common-config.yaml
+
+ - name: loki
+ namespace: {{ .Values.namespace | default "logging" }}
+ chart: grafana/loki
+ version: 5.8.3
+ values:
+ - values/loki-values.yaml
+ - ../common-config.yaml
+
+ - name: promtail
+ namespace: {{ .Values.namespace | default "logging" }}
+ chart: grafana/promtail
+ version: 6.11.3
+ values:
+ - values/promtail-values.yaml
+ - ../common-config.yaml
+
+ - name: grafana
+ namespace: {{ .Values.namespace | default "logging" }}
+ chart: grafana/grafana
+ version: 6.50.7
+ values:
+ - values/grafana-values.yaml
+ - ../common-config.yaml
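Review bot: `trivy.image.tag: dev` pins the vulnerability scanner to a floating development tag, so the scanner image changes under the deployment on every pod restart and is not the build chart 1.15.1 was released with; removing the `image:` override lets the chart use its bundled tag, or pin an explicit release tag. Two smaller points in the `expose.ingress` block: `kubernetes.io/ingress.class: nginx` is the deprecated annotation form and duplicates `className: "nginx"`, and `kubernetes.io/tls-acme: "true"` is redundant next to the `cert-manager.io/cluster-issuer` annotation. The `chartmuseum:` block near the end most likely has no effect with this chart version, since ChartMuseum was dropped from Harbor in 2.8; worth confirming against the 1.15.1 values and removing if so.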
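Review bot: The namespace expression `{{ .Values.namespace | default "logging" }}` is copied onto all five releases, while `values/loki-values.yaml` hard-codes `serviceMonitor.namespace: logging`, so overriding `namespace` would leave the Loki ServiceMonitor in a different namespace from its release. Hoisting it once, `{{ $ns := .Values.namespace | default "logging" }}` above `releases:` and `namespace: {{ $ns }}` on each release, keeps the five in step and gives one place to pass through to the values files. Note that helmfile only templates values files with a `.gotmpl` suffix, so the plain `.yaml` files listed here receive no substitution; that matters for the `{{ ... }}` expressions in `values/grafana-values.yaml`.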
diff --git a/applications/logging/values/elasticsearch-values.yaml b/applications/logging/values/elasticsearch-values.yaml
new file mode 100644
index 0000000..5bcc01c
--- /dev/null
+++ b/applications/logging/values/elasticsearch-values.yaml
@@ -0,0 +1,16 @@
+replicas: 3
+minimumMasterNodes: 2
+
+resources:
+ requests:
+ cpu: "100m"
+ memory: "1Gi"
+ limits:
+ cpu: "1000m"
+ memory: "2Gi"
+
+volumeClaimTemplate:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 30Gi
diff --git a/applications/logging/values/filebeat-values.yaml b/applications/logging/values/filebeat-values.yaml
new file mode 100644
index 0000000..f759ae9
--- /dev/null
+++ b/applications/logging/values/filebeat-values.yaml
@@ -0,0 +1,12 @@
+daemonset:
+ enabled: true
+
+filebeatConfig:
+ filebeat.yml: |
+ filebeat.inputs:
+ - type: container
+ paths:
+ - /var/log/containers/*.log
+
+ output.elasticsearch:
+ hosts: ['${ELASTICSEARCH_HOST:elasticsearch-master:9200}']
diff --git a/applications/logging/values/grafana-values.yaml b/applications/logging/values/grafana-values.yaml
new file mode 100644
index 0000000..ed3dd1d
--- /dev/null
+++ b/applications/logging/values/grafana-values.yaml
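Review bot: Nothing in this values file enables authentication or TLS for the cluster; with the elastic/elasticsearch 7.17 chart, security stays off unless `xpack.security.enabled: true` is supplied through `esConfig` and credentials are provided, so `elasticsearch-master:9200` answers unauthenticated HTTP to any workload in the cluster, and it is the sink for every container log filebeat collects. The minimum is an `esConfig` block setting `xpack.security.enabled: true` (with transport TLS, which 7.x requires for a multi-node cluster once security is on) plus an `elastic` user password secret exposed via `extraEnvs`, after which the consumers in `filebeat-values.yaml` (`output.elasticsearch` gains `protocol: https` and `username`/`password`) and `grafana-values.yaml` (the Elasticsearch datasource gains `basicAuth`) must be pointed at it. A NetworkPolicy restricting port 9200 to the logging namespace is a cheap second layer independent of the above. `replicas: 3` on a 30Gi `ReadWriteOnce` claim each is fine, but a comment stating the intended cluster size and retention would help the next reader.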
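Review bot: The inline `filebeat.yml` replaces the chart's default configuration wholesale, which, if I read the 7.17 chart correctly, drops the `add_kubernetes_metadata` processor it ships by default, so events reach Elasticsearch without pod, namespace or container fields and the Grafana dashboards keyed on those fields have nothing to filter on. Restoring the processor on the container input is a few lines, shown below; the `NODE_NAME` variable is one the chart already injects into the DaemonSet.
```yaml
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
      - add_kubernetes_metadata:
          host: ${NODE_NAME}
          matchers:
          - logs_path:
              logs_path: "/var/log/containers/"
    # … unchanged: output.elasticsearch …
```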
@@ -0,0 +1,62 @@
+persistence:
+ enabled: true
+ size: 10Gi
+
+datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Loki
+ type: loki
+ url: http://loki.{{ .Release.Namespace }}.svc.cluster.local:3100
+ access: proxy
+ isDefault: false
+ - name: Elasticsearch
+ type: elasticsearch
+ url: http://elasticsearch-master.{{ .Release.Namespace }}.svc.cluster.local:9200
+ access: proxy
+ isDefault: true
+
+dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'default'
+ orgId: 1
+ folder: ''
+ type: file
+ disableDeletion: false
+ editable: true
+ options:
+ path: /var/lib/grafana/dashboards
+
+dashboards:
+ default:
+ loki-logs:
+ gnetId: 12611
+ revision: 1
+ datasource: Loki
+ elasticsearch-logs:
+ gnetId: 4358
+ revision: 1
+ datasource: Elasticsearch
+
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ hosts:
+ - grafana.{{ .Release.Namespace }}.{{ .Values.global.hosts.domain }}
+ tls:
+ - secretName: grafana-tls
+ hosts:
+ - grafana.{{ .Release.Namespace }}.{{ .Values.global.hosts.domain }}
+
+resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
diff --git a/applications/logging/values/loki-values.yaml b/applications/logging/values/loki-values.yaml
new file mode 100644
index 0000000..dc4fefa
--- /dev/null
+++ b/applications/logging/values/loki-values.yaml
@@ -0,0 +1,33 @@
+config:
+ schema_config:
+ configs:
+ - from: 2020-10-24
+ store: boltdb-shipper
+ object_store: filesystem
+ schema: v11
+ index:
+ prefix: index_
+ period: 24h
+
+storage:
+ type: filesystem
+
+resources:
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ limits:
+ cpu: 400m
+ memory: 512Mi
+
+service:
+ port: 3100
+
+persistence:
+ enabled: true
+ size: 10Gi
+
+serviceMonitor:
+ enabled: true
+ namespace: logging
+ interval: 30s
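Review bot: The `{{ .Release.Namespace }}` and `{{ .Values.global.hosts.domain }}` references in the datasource `url:` and ingress `hosts:` lines are not expanded by helmfile, which only renders values files ending in `.gotmpl`, so they reach Helm as literal text and are substituted only where the grafana chart happens to pass the field through `tpl` (I believe it does for `ingress.hosts` and the datasource config, but that should be verified rather than assumed). `global.hosts.domain` is not defined in any values file in this commit, so even a `tpl` path would error on the nil map or render an empty hostname. Either rename the file to `grafana-values.yaml.gotmpl` and use helmfile-side expressions, or write the hostnames as plain strings. Separately, `kubernetes.io/ingress.class` is the deprecated annotation form; the chart exposes `ingress.ingressClassName` for the current API field.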
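Review bot: The top-level `config.schema_config`, `storage`, `persistence` and `serviceMonitor` keys look like the value layout of the older grafana/loki 2.x chart, while the release pins `grafana/loki` 5.8.3, whose values nest storage and schema under `loki:` (`loki.storage.type`, `loki.schemaConfig`) and put the monitor under `monitoring.serviceMonitor`; Helm ignores unknown keys silently, so if that is right this release deploys with the chart's defaults rather than the filesystem/boltdb-shipper setup written here — check against the chart's values.yaml. `serviceMonitor.namespace: logging` is also hard-coded while the helmfile templates the namespace with `default "logging"`, so the two drift apart as soon as the override is used. Quoting `from: "2020-10-24"` keeps a generic YAML loader from turning the date into a timestamp, even though Helm's loader happens to keep it a string.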
diff --git a/applications/logging/values/promtail-values.yaml b/applications/logging/values/promtail-values.yaml
new file mode 100644
index 0000000..a0a4dc1
--- /dev/null
+++ b/applications/logging/values/promtail-values.yaml
@@ -0,0 +1,74 @@
+config:
+ lokiAddress: "http://loki.{{ .Release.Namespace }}:3100/loki/api/v1/push"
+ snippets:
+ extraScrapeConfigs: |
+ - job_name: kubernetes-pods
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: kubernetes_pod_name
+ - job_name: kubernetes-pods-logs
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - action: keep
+ regex: {{ .Release.Namespace }}
+ source_labels:
+ - __meta_kubernetes_namespace
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_pod_name
+ target_label: pod
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_namespace
+ target_label: namespace
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_pod_container_name
+ target_label: container
+ - replacement: /var/log/pods/*$1/*.log
+ separator: /
+ source_labels:
+ - __meta_kubernetes_pod_uid
+ - __meta_kubernetes_pod_container_name
+ target_label: __path__
+
+resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+tolerations:
+ - effect: NoSchedule
+ operator: Exists
+
+updateStrategy:
+ type: RollingUpdate
+
+serviceMonitor:
+ enabled: true
+ namespace: {{.Release.Namespace}}
+ interval: 30s
diff --git a/applications/vault/helmfile.yaml b/applications/vault/helmfile.yaml
new file mode 100644
index 0000000..b17689e
--- /dev/null
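Review bot: The first `extraScrapeConfigs` job (`kubernetes-pods`) is a Prometheus metrics scrape config — it keeps pods by the `prometheus.io/scrape` annotation and rewrites `__metrics_path__` and `__address__` — but never sets `__path__`, the label Promtail uses to locate log files, so it selects targets and tails nothing and should be removed. The second job's `keep` rule retains only pods whose namespace equals `{{ .Release.Namespace }}`, i.e. the logging namespace itself, so no other namespace's logs reach Loki through it; if cluster-wide collection is the intent that filter is wrong (and the promtail 6.x chart already ships a default pod-log scrape config this job would overlap with). Note also that helmfile does not template a plain `.yaml` values file, so the `{{ .Release.Namespace }}` references are left for the chart to expand, which I believe happens for `extraScrapeConfigs` via `tpl` but not for `serviceMonitor.namespace`.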
+++ b/applications/vault/helmfile.yaml
@@ -0,0 +1,13 @@
+repositories:
+ - name: vault-helm
+ url: https://helm.releases.hashicorp.com
+
+releases:
+ - name: vault
+ namespace: {{ .Values.namespace | default "vault" }}
+ chart: vault-helm/vault
+ version: 0.28.1
+ installed: true
+ values:
+ - values.yaml
+ - ../common-config.yaml
diff --git a/applications/vault/values.yaml b/applications/vault/values.yaml
new file mode 100644
index 0000000..110530a
--- /dev/null
+++ b/applications/vault/values.yaml
@@ -0,0 +1,2 @@
+ui:
+ enabled: true
diff --git a/applications/woodpecker/helmfile.yaml b/applications/woodpecker/helmfile.yaml
new file mode 100644
index 0000000..e19de95
--- /dev/null
+++ b/applications/woodpecker/helmfile.yaml
@@ -0,0 +1,12 @@
+---
+repositories:
+ - name: woodpecker
+ url: https://woodpecker-ci.org/helm-charts
+
+releases:
+ - name: woodpecker
+ namespace: ci
+ chart: woodpecker/woodpecker
+ version: 1.0.3
+ values:
+ - values.yaml
diff --git a/applications/woodpecker/values.yaml b/applications/woodpecker/values.yaml
new file mode 100644
index 0000000..4e4a817
--- /dev/null
+++ b/applications/woodpecker/values.yaml
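Review bot: The Vault values only enable the UI, which with the vault-helm chart's defaults still means `global.tlsDisable: true` (a plain-HTTP listener, so Vault tokens cross the pod network unencrypted), a single `standalone` server on file storage, no auto-unseal and no audit device. If this release is meant to be the secrets backend for the other applications, it should at least set `global.tlsDisable: false` with a server certificate, `server.ha.enabled: true` with `server.ha.raft.enabled: true`, and document the unseal procedure. If it is a development deployment, a comment saying so, e.g. `# dev-only: TLS disabled, standalone storage, manual unseal`, would keep it from being copied as-is.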
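Review bot: The woodpecker release hard-codes `namespace: ci` and omits `../common-config.yaml`, unlike the vault and logging helmfiles in this commit, which template the namespace with `{{ .Values.namespace | default "..." }}` and append the common values. If that is deliberate it deserves a comment on the `values:` line, e.g. `# common-config.yaml intentionally omitted: its ingress/persistence keys do not match this chart`; otherwise the release should follow the same pattern so a namespace override applies everywhere.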
@@ -0,0 +1,108 @@
+---
+# Woodpecker server configuration
+woodpecker:
+ server:
+ image:
+ repository: woodpeckerci/woodpecker-server
+ tag: v1.0.3 # Use a specific version instead of 'latest'
+ replicaCount: 2 # Run multiple replicas for high availability
+ service:
+ type: ClusterIP
+ port: 8000
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ hosts:
+ - host: woodpecker.example.com
+ paths:
+ - path: /
+ tls:
+ - secretName: woodpecker-tls
+ hosts:
+ - woodpecker.example.com
+ env:
+ WOODPECKER_OPEN: "false" # Disable open registration for production
+ WOODPECKER_HOST: "https://woodpecker.example.com" # Use HTTPS
+ WOODPECKER_GITHUB: "true"
+ WOODPECKER_GITHUB_CLIENT: "{{ .Env.WOODPECKER_GITHUB_CLIENT }}"
+ WOODPECKER_GITHUB_SECRET: "{{ .Env.WOODPECKER_GITHUB_SECRET }}"
+ WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
+ WOODPECKER_GRPC_SECRET: "{{ .Env.WOODPECKER_GRPC_SECRET }}"
+ WOODPECKER_GRPC_ADDR: ":9000"
+ WOODPECKER_SERVER_ADDR: ":8000"
+ WOODPECKER_METRICS_SERVER_ADDR: ":9001"
+ WOODPECKER_ADMIN: "{{ .Env.WOODPECKER_ADMIN }}"
+ WOODPECKER_DATABASE_DRIVER: "postgres"
+ WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Env.POSTGRES_USER }}:{{ .Env.POSTGRES_PASSWORD }}@postgresql:5432/woodpecker?sslmode=require"
+ resources:
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+# Woodpecker agent configuration
+agent:
+ image:
+ repository: woodpeckerci/woodpecker-agent
+ tag: v1.0.3 # Use a specific version instead of 'latest'
+ replicaCount: 3 # Run multiple agents for better parallelism
+ env:
+ WOODPECKER_SERVER: "woodpecker-server:9000"
+ WOODPECKER_AGENT_SECRET: "{{ .Env.WOODPECKER_AGENT_SECRET }}"
+ WOODPECKER_BACKEND: "kubernetes"
+ WOODPECKER_BACKEND_K8S_NAMESPACE: "ci"
+ WOODPECKER_BACKEND_K8S_VOLUME_SIZE: "20Gi" # Increased volume size
+ WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "managed-premium" # Use a production-grade storage class
+ WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"
+ WOODPECKER_BACKEND_K8S_POD_LABELS: '{"app":"woodpecker-job"}'
+ WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: '{"prometheus.io/scrape":"true","prometheus.io/port":"9000"}'
+ WOODPECKER_BACKEND_K8S_POD_NODE_SELECTOR: '{"kubernetes.io/os":"linux"}'
+ WOODPECKER_BACKEND_K8S_SECCTX_NONROOT: "true"
+ WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES: "woodpecker-pull-secret"
+ resources:
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ limits:
+ cpu: 1
+ memory: 1Gi
+
+# PostgreSQL configuration
+postgresql:
+ enabled: true
+ postgresqlUsername: "{{ .Env.POSTGRES_USER }}"
+ postgresqlPassword: "{{ .Env.POSTGRES_PASSWORD }}"
+ postgresqlDatabase: "woodpecker"
+ persistence:
+ enabled: true
+ size: 20Gi
+ storageClass: "managed-premium" # Use a production-grade storage class
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 1Gi
+
+# Prometheus integration
+metrics:
+ serviceMonitor:
+ enabled: true
+ namespace: monitoring
+ interval: 15s
+ scrapeTimeout: 14s
+ selector:
+ release: prometheus
+
+# Logging integration
+logging:
+ fluentd:
+ enabled: true
+ config:
+ logLevel: info
+ fluentdAddress: fluentd.logging:24224
diff --git a/common-config.yaml b/common-config.yaml
new file mode 100644
index 0000000..ba50dcc
--- /dev/null
+++ b/common-config.yaml
@@ -0,0 +1,25 @@
+---
+# Common configurations for all applications
+
+# Ingress configurations
+ingress:
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ tls:
+ enabled: true
+
+# Persistence configurations
+persistence:
+ storageClass: "ceph-block"
+
+# Monitoring configurations
+monitoring:
+ enabled: true
+ namespace: monitoring
+
+# Logging configurations
+logging:
+ enabled: true
+ fluentd:
+ address: fluentd.logging:24224
diff --git a/helmfile.yaml b/helmfile.yaml
new file mode 100644
index 0000000..e1d1a06
--- /dev/null
+++ b/helmfile.yaml
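Review bot: The `{{ .Env.* }}` references carrying `WOODPECKER_GITHUB_SECRET`, `WOODPECKER_AGENT_SECRET`, `WOODPECKER_GRPC_SECRET` and the Postgres password are only expanded by helmfile in `.gotmpl` values files, so in `values.yaml` the chart receives the literal template text; and once they are expanded they land as plain env values in the rendered Deployment (and in the Helm release history) rather than in a Secret. The woodpecker chart supports `server.extraSecretNamesForEnvFrom` and `agent.extraSecretNamesForEnvFrom`, which keeps the credentials in a Kubernetes Secret and out of this file entirely. The nesting is also inconsistent — `server` sits under a `woodpecker:` key while `agent` and `postgresql` are top-level — and the chart's values use a top-level `server:` as far as I recall, so the whole server block may be silently ignored; check against the chart. `managed-premium` here contradicts the `ceph-block` storage class in common-config.yaml, and `postgresqlUsername`/`postgresqlPassword` belong to the older Bitnami postgresql values format (newer versions use `auth.username`/`auth.password`), which should be confirmed for the subchart version this chart bundles.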
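Review bot: `ingress.tls` is written as a mapping here (`tls:` / `enabled: true`) while the charts this file is merged into expect `ingress.tls` to be a list of `{secretName, hosts}` entries, and because the logging helmfile lists `../common-config.yaml` after each app's values file, this mapping replaces grafana's list and the chart's `range` over `.Values.ingress.tls` is likely to fail or render no TLS block. The file is merged into every release (vault, elasticsearch, filebeat, loki, promtail, grafana) but those charts share no values schema, so `persistence.storageClass`, `monitoring` and `logging` are ignored by most of them without any warning from Helm. A header comment stating which chart keys the file is meant to set, and trimming it to keys that are genuinely common, would stop it reading as applied configuration when it is not.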
@@ -0,0 +1,45 @@
+---
+helmDefaults:
+ atomic: true
+ wait: true
+
+repositories:
+ - name: gitea-charts
+ url: https://dl.gitea.io/charts/
+ - name: woodpecker
+ url: https://woodpecker-ci.org/helm-charts
+ - name: harbor
+ url: https://helm.goharbor.io
+
+releases:
+ - name: gitea
+ namespace: nt
+ chart: gitea-charts/gitea
+ version: 8.3.0
+ values:
+ - applications/gitea/values.yaml
+
+ - name: woodpecker
+ namespace: ci
+ chart: woodpecker/woodpecker
+ version: 1.0.3
+ values:
+ - applications/woodpecker/values.yaml
+
+ - name: harbor
+ namespace: harbor
+ chart: harbor/harbor
+ version: 1.15.1
+ values:
+ - applications/harbor/values.yaml
+
+helmfiles:
+ - path: applications/vault/helmfile.yaml
+ - path: applications/logging/helmfile.yaml
+ - path: applications/gitea/helmfile.yaml
+ - path: applications/woodpecker/helmfile.yaml
+ - path: applications/harbor/helmfile.yaml
+
+# Common configurations
+commonConfig:
+ - common-config.yaml
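Review bot: `gitea`, `woodpecker` and `harbor` are declared twice — once under `releases` here and again through their sub-helmfiles under `helmfiles:` — so helmfile manages each release from two definitions, and for gitea with `namespace: nt` here (which looks like a typo) versus whatever applications/gitea/helmfile.yaml sets, which typically ends in two installs or a conflict on the release name. Keep one mechanism; the sub-helmfile pattern already used for vault and logging is the cleaner one, leaving this file with only `helmDefaults`, `repositories` and `helmfiles`. `commonConfig` is not a helmfile state key, and as far as I recall helmfile rejects unknown top-level fields when parsing, so the file may fail to load before any of that matters; the common values are already wired in per release as `../common-config.yaml`, so the key can simply be dropped.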