# NOTE(review): this copy of the GitLab Helm values has lost its original line
# breaks and indentation, so key nesting cannot be read from it and, as
# written, it does not parse as the intended mapping. Every inline "#" comment
# in the registry and gitlab-runner part now comments out the rest of its
# physical line. Restore the layout from the original file before using or
# diffing these values.
#
# Settings to confirm once the layout is restored (parent keys below are
# inferred from key order, not from indentation):
# - gitlab-runner sets `privileged: true` and `privileged = true` under
#   [runners.kubernetes], with `locked: false`: job containers run privileged,
#   so every project allowed to use this runner is effectively trusted with
#   the node. Prefer an unprivileged build method, or dedicate the runner to
#   trusted projects.
# - [runners.cache.s3] `Insecure = true`: the runner reaches the cache
#   endpoint over plain HTTP, so cache archives are not protected in transit.
#   The stanza is rendered only when .Values.global.minio.enabled is set.
# - The kubernetes-apiservers scrape job sends the service-account token
#   (`bearer_token_file`) with `insecure_skip_verify: true` although `ca_file`
#   is given; removing the skip lets the API server certificate be verified.
#   `prometheus: install: false` suggests the job is not deployed here.
# - `registry: ... port: 433` looks like a typo for 443 -- TODO confirm.
# - `password` / `postgresPassword: bogus-satisfy-upgrade` sit next to
#   `existingSecret`; presumably placeholders -- verify the secret takes
#   precedence so the literal never becomes a live database password.
# - `kas ... tls: enabled: false`, `workhorse: tls: enabled: false` and the
#   registry `api: protocol: http` appear to leave those in-cluster hops in
#   plaintext while `webservice: tls: enabled: true` -- confirm this is meant.
# - `contentSecurityPolicy: enabled: false`: confirm that running without
#   GitLab's Content-Security-Policy setting is intended.
# - `image = "ubuntu:22.04"` is a mutable tag; pin the job image by digest.
--- serviceAccount: enabled: true certificates: customCAs: [] image: repository: registry.gitlab.com/gitlab-org/build/cng/certificates certmanager: install: false installCRDs: false nameOverride: certmanager rbac: create: true certmanager-issuer: email: security@nationtech.io common: labels: {} deployment: annotations: {} envVars: - name: CI_JOB_ID value: $CI_JOB_ID geo: enabled: false gitlab: gitlab-exporter: enabled: true gitlab-pages: ingress: tls: secretName: gitlab-pages-tls enabled: true gitlab-shell: enabled: true kas: enabled: true mailroom: enabled: true migrations: enabled: true sidekiq: enabled: true toolbox: antiAffinityLabels: matchLabels: app: gitaly enabled: true replicas: 1 webservice: enabled: true ingress: tls: secretName: gitlab-tls gitlab-zoekt: gateway: basicAuth: enabled: true secretName: '{{ include "gitlab.zoekt.gateway.basicAuth.secretName" $ }}' indexer: internalApi: enabled: true gitlabUrl: '{{ include "gitlab.zoekt.indexer.internalApi.gitlabUrl" $ }}' secretKey: '{{ include "gitlab.zoekt.indexer.internalApi.secretKey" $ }}' secretName: '{{ include "gitlab.zoekt.indexer.internalApi.secretName" $ }}' install: true global: edition: ee affinity: nodeAffinity: key: topology.kubernetes.io/zone values: [] podAntiAffinity: topologyKey: kubernetes.io/hostname antiAffinity: soft gitaly: enabled: true replicas: 2 praefect: enabled: false redis: cluster: enabled: false appConfig: resources: requests: cpu: 200m memory: 1Gi limits: cpu: 1 memory: 1Gi smartcard: enabled: false kerberos: dedicatedPort: enabled: false https: true port: 8443 enabled: false keytab: key: keytab simpleLdapLinkingAllowedRealms: [] kubectl: image: repository: registry.gitlab.com/gitlab-org/build/cng/kubectl securityContext: fsGroup: 65534 runAsUser: 65534 ldap: preventSignin: false servers: {} lfs: bucket: git-lfs connection: {} enabled: true proxy_download: true maxRequestDurationSeconds: null microsoft_graph_mailer: enabled: false minio: enabled: true monitoring: enabled: 
true object_store: enabled: true proxy_download: true omniauth: enabled: false packages: enabled: true proxy_download: true bucket: gitlab-packages connection: {} pages: enabled: true host: pages.gitlab.nationtech.io namespaceInPath: true accessControl: true artifactsServer: true https: null objectStore: bucket: gitlab-pages connection: {} enabled: true applicationSettingsCacheSeconds: 60 artifacts: bucket: gitlab-artifacts enabled: true proxy_download: true backups: bucket: gitlab-backups tmpBucket: tmp ciSecureFiles: bucket: gitlab-ci-secure-files connection: {} enabled: false contentSecurityPolicy: enabled: false report_only: true cron_jobs: {} defaultProjectsFeatures: builds: true issues: true mergeRequests: true snippets: true wiki: true dependencyProxy: bucket: gitlab-dependency-proxy connection: {} enabled: true proxy_download: true duoAuth: enabled: false enableImpersonation: false enableSeatLink: true enableUsagePing: true externalDiffs: bucket: gitlab-mr-diffs connection: {} enabled: false proxy_download: true extra: bizible: googleAnalyticsId: null googleTagManagerNonceId: null matomoDisableCookies: null matomoSiteId: null matomoUrl: null oneTrustId: null gitlab_docs: enabled: false kas: enabled: true service: apiExternalPort: 8153 tls: enabled: false verify: true graphQlTimeout: null gravatar: plainUrl: null sslUrl: null hosts: domain: brizo.nationtech.io externalIP: null https: true gitlab: name: gitlab.nationtech.io minio: name: minio.gitlab.nationtech.io registry: name: registry.gitlab.nationtech.io protocol: https ssh: gitlab.nationtech.io incomingEmail: enabled: false ingress: annotations: cert-manager.io/issuer: letsencrypt-prod kubernetes.io/tls-acme: 'true' nginx.ingress.kubernetes.io/proxy-body-size: 10000m class: nginx configureCertmanager: false enabled: true path: / pathType: Prefix provider: nginx tls: enabled: true secretName: gitlab-tls useNewIngressForCerts: false initialDefaults: {} initialRootPassword: {} issueClosingPattern: null job: 
nameSuffixOverride: null keda: enabled: false psql: ci: {} connectTimeout: null database: gitlabhq_production keepalives: null keepalivesCount: null keepalivesIdle: null keepalivesInterval: null main: {} password: key: postgres-password secret: gitlab-postgres useSecret: true tcpUserTimeout: null username: gitlab registry: enabled: true host: registry.gitlab.nationtech.io port: 433 tokenIssuer: gitlab-issuer api: protocol: http serviceName: registry port: 5000 tls: enabled: true secretName: gitlab-registry-tls sentry: clientside_dsn: null dsn: null enabled: false environment: null serviceDeskEmail: enabled: false shell: authToken: secret: gitlab-gitlab-shell-auth-token hostKeys: secret: gitlab-gitlab-shell-host-keys sidekiq: routingRules: [] smtp: enabled: false uploads: bucket: gitlab-uploads enabled: true proxy_download: true usernameChangingEnabled: true webhookTimeout: null webservice: tls: enabled: true workerTimeout: 300 workhorse: tls: enabled: false serviceName: webservice-default minio: install: true nginx-ingress: class: nginx enabled: false tcpExternalConfig: 'true' nginx-ingress-geo: enabled: false rbac: create: true scope: false serviceAccount: create: true tcpExternalConfig: 'true' postgresql: auth: existingSecret: '{{ include "gitlab.psql.password.secret" . 
}}' password: bogus-satisfy-upgrade postgresPassword: bogus-satisfy-upgrade replicationPassword: "" replicationUsername: repl_user secretKeys: adminPasswordKey: postgresql-postgres-password replicationPasswordKey: replication-password userPasswordKey: '{{ include "gitlab.psql.password.key" $ }}' usePasswordFiles: false image: tag: 14.10.0 install: true metrics: enabled: true service: annotations: gitlab.com/prometheus_port: '9187' gitlab.com/prometheus_scrape: 'true' prometheus.io/port: '9187' prometheus.io/scrape: 'true' primary: extraVolumeMounts: - mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh name: custom-init-scripts subPath: init_revision.sh initdb: scriptsConfigMap: '{{ include "gitlab.psql.initdbscripts" $}}' podAnnotations: postgresql.gitlab/init-revision: '1' prometheus: install: false alertmanager: enabled: true config: global: resolve_timeout: 5m route: group_by: ['job'] group_wait: 30s group_interval: 5m repeat_interval: 12h receiver: 'null' routes: - match: alertname: Watchdog receiver: 'null' receivers: - name: 'null' kubeStateMetrics: enabled: true nodeExporter: enabled: true pushgateway: enabled: true rbac: create: true server: image: tag: v2.38.0 retention: 15d strategy: type: Recreate serverFiles: prometheus.yml: scrape_configs: - job_name: prometheus static_configs: - targets: - localhost:9090 - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token job_name: kubernetes-apiservers kubernetes_sd_configs: - role: endpoints relabel_configs: - action: keep regex: default;kubernetes;https source_labels: - __meta_kubernetes_namespace - __meta_kubernetes_service_name - __meta_kubernetes_endpoint_port_name scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt insecure_skip_verify: true - job_name: kubernetes-pods kubernetes_sd_configs: - role: pod relabel_configs: - action: keep regex: true source_labels: - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_scrape - action: replace 
regex: (https?) source_labels: - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_scheme target_label: __scheme__ - action: replace regex: (.+) source_labels: - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_path target_label: __metrics_path__ - action: replace regex: ([^:]+)(?::\d+)?;(\d+) replacement: $1:$2 source_labels: - __address__ - __meta_kubernetes_pod_annotation_gitlab_com_prometheus_port target_label: __address__ - action: labelmap regex: __meta_kubernetes_pod_label_(.+) - action: replace source_labels: - __meta_kubernetes_namespace target_label: kubernetes_namespace - action: replace source_labels: - __meta_kubernetes_pod_name target_label: kubernetes_pod_name - job_name: kubernetes-service-endpoints kubernetes_sd_configs: - role: endpoints relabel_configs: - action: keep regex: true source_labels: - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scrape - action: replace regex: (https?) source_labels: - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scheme target_label: __scheme__ - action: replace regex: (.+) source_labels: - __meta_kubernetes_service_annotation_gitlab_com_prometheus_path target_label: __metrics_path__ - action: replace regex: ([^:]+)(?::\d+)?;(\d+) replacement: $1:$2 source_labels: - __address__ - __meta_kubernetes_service_annotation_gitlab_com_prometheus_port target_label: __address__ - action: labelmap regex: __meta_kubernetes_service_label_(.+) - action: replace source_labels: - __meta_kubernetes_namespace target_label: kubernetes_namespace - action: replace source_labels: - __meta_kubernetes_service_name target_label: kubernetes_name - action: replace source_labels: - __meta_kubernetes_pod_node_name target_label: kubernetes_node - job_name: kubernetes-services kubernetes_sd_configs: - role: service metrics_path: /probe params: module: - http_2xx relabel_configs: - action: keep regex: true source_labels: - __meta_kubernetes_service_annotation_gitlab_com_prometheus_probe - source_labels: - 
__address__ target_label: __param_target - replacement: blackbox target_label: __address__ - source_labels: - __param_target target_label: instance - action: labelmap regex: __meta_kubernetes_service_label_(.+) - source_labels: - __meta_kubernetes_namespace target_label: kubernetes_namespace - source_labels: - __meta_kubernetes_service_name target_label: kubernetes_name rbac: create: true redis: architecture: standalone auth: existingSecret: gitlab-redis-secret existingSecretKey: redis-password usePasswordFiles: true cluster: enabled: false install: true metrics: enabled: true registry: enabled: true database: enabled: true name: registry # must match the database name you created above user: registry # must match the database username you created above password: secret: gitlab-registry-postgresql # must match the secret name key: password # must match the secret key to read the password from sslmode: verify-full ssl: secret: gitlab-registry-postgresql-ssl # you will need to create this secret manually clientKey: client-key.pem clientCertificate: client-cert.pem serverCA: server-ca.pem migrations: enabled: true # this option will execute the schema migration as part of the registry deployment tls: enabled: true secretName: gitlab-registry-tls shared-secrets: enabled: true env: production rbac: create: true resources: requests: cpu: 50m securityContext: fsGroup: 65534 runAsUser: 65534 selfsign: caSubject: GitLab Helm Chart expiry: 3650d image: repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign keyAlgorithm: rsa keySize: '4096' serviceAccount: create: true enabled: true gitlab-runner: install: true rbac: create: true runners: locked: false # Set secret to an arbitrary value because the runner chart renders the gitlab-runner.secret template only if it is not empty. # The parent/GitLab chart overrides the template to render the actual secret name. 
secret: "nonempty" privileged: true config: | [[runners]] [runners.kubernetes] privileged = true image = "ubuntu:22.04" {{- if .Values.global.minio.enabled }} [runners.cache] Type = "s3" Path = "gitlab-runner" Shared = true [runners.cache.s3] ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }} BucketName = "runner-cache" BucketLocation = "us-east-1" Insecure = true {{ end }} podAnnotations: gitlab.com/prometheus_scrape: "true" gitlab.com/prometheus_port: 9252 upgradeCheck: annotations: {} configMapAnnotations: {} enabled: true image: {} priorityClassName: '' resources: requests: cpu: 50m securityContext: fsGroup: 65534 runAsUser: 65534 tolerations: []