From 77ec86cd03646a54e1897e13992a41812106e967 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 26 Oct 2020 16:07:28 -0400 Subject: [PATCH 01/83] Allow user to bring their own Praefect Addresses one portion of the requirements for 2307 by enabling a user to provide an address for Praefect. In this situation, the GitLab application will be configured to point to Praefect at this address, and the user will need to provide & configure both Praefect and downstream Gitaly nodes. --- charts/gitlab/templates/_praefect.tpl | 17 ++++++++++++++++- values.yaml | 1 + 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index 44395b3524..d11d83f871 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -4,7 +4,22 @@ Return the default praefect storage line for gitlab.yml {{- define "gitlab.praefect.storages" -}} default: path: /var/opt/gitlab/repo - gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ .Values.global.gitaly.service.externalPort }} + gitaly_address: {{ template "gitlab.praefect.gitalyAddress" . }} +{{- end -}} + + +{{/* +Return the gitaly address in the context of praefect being enabled. +If an address for praefect is not provided, either to a load balancer +or directly to a praefect node, then return the service name for the +praefect statefulset to be generated. +*/}} +{{- define "gitlab.praefect.gitalyAddress" -}} +{{- if $.Values.global.praefect.address }} +{{- $.Values.global.praefect.address }} +{{- else -}} +tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ $.Values.global.gitaly.service.externalPort }} +{{- end }} {{- end -}} diff --git a/values.yaml b/values.yaml index ff245d3640..0b200427ea 100644 --- a/values.yaml +++ b/values.yaml @@ -129,6 +129,7 @@ global: praefect: enabled: false + # address: mypraefect.com authToken: {} autoMigrate: true gitalyReplicas: 3 -- GitLab 
From d3eccd24d231ad41d943bd61466bc814f5d78a38 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Mon, 26 Oct 2020 16:26:45 -0400
Subject: [PATCH 02/83] Add changelog entry

---
.../2307-praefect-support-multiple-virtual-storages.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/2307-praefect-support-multiple-virtual-storages.yml

diff --git a/changelogs/unreleased/2307-praefect-support-multiple-virtual-storages.yml b/changelogs/unreleased/2307-praefect-support-multiple-virtual-storages.yml
new file mode 100644
index 0000000000..7bf77873b2
--- /dev/null
+++ b/changelogs/unreleased/2307-praefect-support-multiple-virtual-storages.yml
@@ -0,0 +1,5 @@
+---
+title: Support multiple virtual_storages in Praefect
+merge_request: 1618
+author:
+type: changed
-- GitLab

From 07c1a4354d86e78f0b8c99a250a3a089d90b78d7 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Tue, 27 Oct 2020 14:22:36 -0400
Subject: [PATCH 03/83] Revert "Allow user to bring their own Praefect"

This reverts commit 77ec86cd03646a54e1897e13992a41812106e967.
---
charts/gitlab/templates/_praefect.tpl | 17 +----------------
values.yaml | 1 -
2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl
index d11d83f871..44395b3524 100644
--- a/charts/gitlab/templates/_praefect.tpl
+++ b/charts/gitlab/templates/_praefect.tpl
@@ -4,22 +4,7 @@ Return the default praefect storage line for gitlab.yml {{- define "gitlab.praefect.storages" -}} default: path: /var/opt/gitlab/repo - gitaly_address: {{ template "gitlab.praefect.gitalyAddress" . }} -{{- end -}} - - -{{/* -Return the gitaly address in the context of praefect being enabled. -If an address for praefect is not provided, either to a load balancer -or directly to a praefect node, then return the service name for the -praefect statefulset to be generated. -*/}} -{{- define "gitlab.praefect.gitalyAddress" -}} -{{- if $.Values.global.praefect.address }} -{{- $.Values.global.praefect.address }} -{{- else -}} -tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ $.Values.global.gitaly.service.externalPort }} -{{- end }} + gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ .Values.global.gitaly.service.externalPort }} {{- end -}} diff --git a/values.yaml b/values.yaml index 0b200427ea..ff245d3640 100644 --- a/values.yaml +++ b/values.yaml @@ -129,7 +129,6 @@ global: praefect: enabled: false - # address: mypraefect.com authToken: {} autoMigrate: true gitalyReplicas: 3 -- GitLab From 91eb2dd6fb039c2170bd747fecf541818dc99284 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 27 Oct 2020 15:10:37 -0400 Subject: [PATCH 04/83] Allow for a list of virtual_storages - Allows for a list of virtual_storages to be provided. - Defaults to one virtual_storage (`default`) with 3 gitalyReplicas. Note: This generates multiple virtual_storage configuration blocks for Praefect, but each address needs to point to a different Kubernetes service for Gitaly. This means we need to follow a similar pattern to Sidekiq and generate a StatefulSet and Service per virtual_storage when Praefect is enabled. --- .../charts/praefect/templates/configmap.yaml | 11 ++++++----- charts/gitlab/templates/_praefect.tpl | 14 ++++---------- values.yaml | 4 +++- 3 files changed, 13 insertions(+), 16 deletions(-) 
diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index b9b59b2cf1..6fa6626079 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -52,15 +52,16 @@ data: {{- end }} {{- end }} + {{ range $.Values.global.praefect.virtualStorages }} [[virtual_storage]] - name = 'default' - {{- range compact (include "gitlab.praefect.gitalyPodNames" . | splitList "," ) }} + name = '{{ .name }}' + {{- range until (.gitalyReplicas | int) }} [[virtual_storage.node]] - storage = '{{ . }}' - address = 'tcp://{{ . }}.{{ $.Release.Name }}-gitaly:{{ $.Values.global.gitaly.service.externalPort }}' + storage = '{{ $.Release.Name }}-gitaly-{{ . }}' + address = 'tcp://{{ $.Release.Name }}-gitaly-{{ . }}.{{ $.Release.Name }}-gitaly:{{ $.Values.global.gitaly.service.externalPort }}' token = "<%= gitaly_token %>" - {{- end }} + {{ end }} [database] host = '{{ template "gitlab.praefect.psql.host" . }}' diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index 44395b3524..a0d4145851 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -2,9 +2,11 @@ Return the default praefect storage line for gitlab.yml */}} {{- define "gitlab.praefect.storages" -}} -default: +{{- range $.Values.global.praefect.virtualStorages }} +{{ .name }}: path: /var/opt/gitlab/repo - gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ .Values.global.gitaly.service.externalPort }} + gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" $ }}:{{ $.Values.global.gitaly.service.externalPort }} +{{- end }} {{- end -}} 
@@ -14,11 +16,3 @@ Return the resolvable name of the praefect service {{- define "gitlab.praefect.serviceName" -}} {{ $.Release.Name }}-praefect {{- end -}} - - -{{/* -Return a list of Gitaly pod names -*/}} -{{- define "gitlab.praefect.gitalyPodNames" -}} -{{ range until ($.Values.global.praefect.gitalyReplicas | int) }}{{ printf "%s-gitaly-%d" $.Release.Name . }},{{- end}} -{{- end -}} diff --git a/values.yaml b/values.yaml index ff245d3640..1dfd69678e 100644 --- a/values.yaml +++ b/values.yaml @@ -131,8 +131,10 @@ global: enabled: false authToken: {} autoMigrate: true - gitalyReplicas: 3 dbSecret: {} + virtualStorages: + - name: default + gitalyReplicas: 3 psql: sslMode: 'disable' -- GitLab From 78f70ddac82f29f82a143f89df11302045827a35 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 5 Nov 2020 10:00:44 -0500 Subject: [PATCH 05/83] Restore single Praefect node logic in gitlab.yml In gitlab.yml, we still want to connect to a single Praefect instance. This restores the setup from `master`. Instead, we will generate multiple Gitaly statefulsets (one per virtualStorage defined), and connect the single Praefect instance to those nodes. Multiple Praefect nodes can/will be a future MR. --- charts/gitlab/templates/_praefect.tpl | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index a0d4145851..c141b38b90 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl 
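Review bot: Moving `gitalyReplicas` under `virtualStorages[].gitalyReplicas` removes the `global.praefect.gitalyReplicas` key without any fallback, while `gitlab.gitaly.storageNames` in charts/gitlab/templates/_gitaly.tpl still reads `$.Values.global.praefect.gitalyReplicas` at this point in the series (its removal only appears in a later patch), so as far as I can tell `until (nil | int)` renders zero Gitaly storage names for Praefect deployments until that patch lands. Either update that helper in the same commit or keep honouring the old key as a deprecated fallback so existing values files are not silently ignored. The renamed key also deserves a sentence in the changelog entry added in the previous patch, since it is a user-visible values change.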
@@ -2,11 +2,9 @@ Return the default praefect storage line for gitlab.yml */}} {{- define "gitlab.praefect.storages" -}} -{{- range $.Values.global.praefect.virtualStorages }} -{{ .name }}: +default: path: /var/opt/gitlab/repo - gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" $ }}:{{ $.Values.global.gitaly.service.externalPort }} -{{- end }} + gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ .Values.global.gitaly.service.externalPort }} {{- end -}} -- GitLab From 2055d248ea82ea1bf81be503c00984ea1bffbd0a Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Thu, 5 Nov 2020 15:36:59 -0500 Subject: [PATCH 06/83] Correctly define virtual_storage praefect entries Updates the virtual_storage entries generator to use the correct storage name and address for each Gitaly StatefulSet. Likely want to template some of these values out, but keeping things "simple" for now. --- charts/gitlab/charts/praefect/templates/configmap.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 6fa6626079..f76e7eeb76 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
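Review bot: Restoring a single hard-coded `default:` entry means gitlab.yml only knows one storage even when `global.praefect.virtualStorages` lists several, so repositories placed on any other virtual storage would be unreachable from the application. If I read Praefect's model correctly, the storages in gitlab.yml are keyed by virtual storage name and may all share the same Praefect `gitaly_address`, so the removed `range` was already compatible with the single Praefect instance the commit message describes; keeping the loop and pointing every entry at `gitlab.praefect.serviceName` would give both. If only `default` is exposed deliberately, a comment such as `{{/* Only the default virtual storage is exposed to gitlab.yml for now */}}` above the line would record that decision.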
@@ -52,13 +52,15 @@ data: {{- end }} {{- end }} + {{ $context := $ }} {{ range $.Values.global.praefect.virtualStorages }} + {{- $vsName := .name }} [[virtual_storage]] - name = '{{ .name }}' + name = '{{ $vsName }}' {{- range until (.gitalyReplicas | int) }} [[virtual_storage.node]] - storage = '{{ $.Release.Name }}-gitaly-{{ . }}' - address = 'tcp://{{ $.Release.Name }}-gitaly-{{ . }}.{{ $.Release.Name }}-gitaly:{{ $.Values.global.gitaly.service.externalPort }}' + storage = '{{ $.Release.Name }}-gitaly-{{ $vsName }}-{{ . }}' + address = 'tcp://{{ $.Release.Name }}-gitaly-{{ $vsName }}-{{ . }}.{{ $.Release.Name }}-gitaly-{{ $vsName }}:{{ $.Values.global.gitaly.service.externalPort }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} -- GitLab From 1a78463d77ba2cdd6ab2a256a227c16090e92e41 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 11:37:52 -0500 Subject: [PATCH 07/83] Create gitaly service per virtual storage If Praefect is used, it will generate a Gitaly Service per virtual storage provided. If Praefect is not used, it will generate one Gitaly service for the required "default" storage. --- .../charts/gitaly/templates/service.yaml | 41 ++++++++++--------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index cd41361b76..0fcdde3d2b 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml 
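Review bot: `{{ $context := $ }}` is assigned but never referenced anywhere in this hunk, and the same unused line is carried unchanged into the later configmap hunk of patch 11. Either drop it or use `$context` where `$` is currently used inside the nested `range`. The storage name and address are built by repeating the same `{{ $.Release.Name }}-gitaly-{{ $vsName }}-{{ . }}` concatenation twice; a TOML comment above the loop, e.g. `# node storage names must match the Gitaly StatefulSet pod names`, would help the next reader keep them in sync with statefulset.yml.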
@@ -1,37 +1,40 @@ {{- if .Values.global.gitaly.enabled -}} +{{- range default ((dict "name" "default") | list) .Values.global.praefect.virtualStorages }} apiVersion: v1 kind: Service metadata: - name: {{ include "gitlab.gitaly.serviceName" . }} + name: {{ printf "%s-gitaly-%s" $.Release.Name .name }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} - {{- include "gitlab.serviceLabels" . | nindent 4 }} + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.serviceLabels" $ | nindent 4 }} annotations: - {{- if .Values.metrics.enabled }} + {{- if $.Values.metrics.enabled }} gitlab.com/prometheus_scrape: "true" - gitlab.com/prometheus_port: "{{ .Values.metrics.metricsPort }}" + gitlab.com/prometheus_port: "{{ $.Values.metrics.metricsPort }}" prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.metricsPort }}" + prometheus.io/port: "{{ $.Values.metrics.metricsPort }}" {{- end }} - {{- include "gitlab.serviceAnnotations" . 
| nindent 4 }} + {{- include "gitlab.serviceAnnotations" $ | nindent 4 }} spec: - type: {{ coalesce .Values.service.type .Values.global.gitaly.service.type }} + type: {{ coalesce $.Values.service.type $.Values.global.gitaly.service.type }} clusterIP: "None" ports: - - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }} - name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }} - targetPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} - {{- if .Values.metrics.enabled }} - - port: {{ .Values.metrics.metricsPort }} - name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}-metrics + - port: {{ coalesce $.Values.service.externalPort $.Values.global.gitaly.service.externalPort }} + name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }} + targetPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} + {{- if $.Values.metrics.enabled }} + - port: {{ $.Values.metrics.metricsPort }} + name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-metrics {{- end }} {{- if $.Values.global.gitaly.tls.enabled }} - - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }} - name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls - targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }} + - port: {{ coalesce $.Values.service.tls.externalPort $.Values.global.gitaly.service.tls.externalPort }} + name: {{coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-tls + targetPort: {{ coalesce $.Values.service.tls.internalPort $.Values.global.gitaly.service.tls.internalPort }} {{- end }} selector: - app: {{ template "name" . 
}} - release: {{ .Release.Name }} + app: {{ template "name" $ }}-{{ .name }} + release: {{ $.Release.Name }} +--- +{{- end }} {{- end }} -- GitLab From 75d8ca2d8bb3efaf51b18bb17cb598b488dcfb37 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 11:38:42 -0500 Subject: [PATCH 08/83] Generate a Gitaly StatefulSet per virtual storage If Praefect is inabled, it will generate a Gitaly StatefulSet per virtual storage defined. If Praefect is disabled, it will generate a Gitaly Statefulset for the required "default" storage. --- .../charts/gitaly/templates/statefulset.yml | 156 +++++++++--------- 1 file changed, 80 insertions(+), 76 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 3728c76cdc..51b2d10bfa 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml 
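Review bot: The new `range` reads `.Values.global.praefect.virtualStorages` without checking `.Values.global.praefect.enabled`, so a customised `virtualStorages` list renders one Gitaly Service per entry even when Praefect is off; the later statefulset.yml change in patch 10 adds that gate but this file keeps the unconditional form. The fallback entry is also a literal `"default"`, whereas the non-Praefect storage names elsewhere in the chart come from `global.gitaly.internal.names` (see the `coalesce $.Values.internal.names $.Values.global.gitaly.internal.names` branch of the `storageNames` helper in _gitaly.tpl), so a renamed internal storage would produce a Service that no StatefulSet `serviceName` points at. Mirroring the StatefulSet with `{{- $storages := (dict "name" ($.Values.global.gitaly.internal.names | first)) | list }}`, `{{- if .Values.global.praefect.enabled }}{{- $storages = .Values.global.praefect.virtualStorages }}{{- end }}` and `{{- range $storages }}` would keep both templates agreeing on the set of storages.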
@@ -1,54 +1,56 @@ -{{- if .Values.global.gitaly.enabled -}} +{{- if and .Values.global.gitaly.enabled (not .Values.global.gitaly.host) -}} +{{- $defaultStorages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list }} +{{- range default $defaultStorages .Values.global.praefect.virtualStorages }} apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ template "fullname" . }} + name: {{ printf "%s-gitaly-%s" $.Release.Name .name }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.immutableLabels" . | nindent 4 }} + {{- include "gitlab.immutableLabels" $ | nindent 4 }} spec: selector: matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - serviceName: {{ template "gitlab.gitaly.serviceName" . }} - replicas: {{template "gitlab.gitaly.replicas" . }} + app: {{ printf "%s-%s" ( include "name" $ ) .name }} + release: {{ $.Release.Name }} + serviceName: {{ printf "%s-gitaly-%s" $.Release.Name .name }} + replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} podManagementPolicy: Parallel - {{- if .Values.global.operator.enabled }} + {{- if $.Values.global.operator.enabled }} updateStrategy: rollingUpdate: - partition: {{template "gitlab.gitaly.replicas" . }} + partition: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} {{- end }} template: metadata: labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - {{- include "gitlab.podLabels" . | nindent 8 }} + app: {{ template "name" $ }}-{{ .name }} + release: {{ $.Release.Name }} + {{- include "gitlab.podLabels" $ | nindent 8 }} annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . 
| sha256sum }} - {{- range $key, $value := .Values.annotations }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }} + {{- range $key, $value := $.Values.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: - {{- if .Values.tolerations }} + {{- if $.Values.tolerations }} tolerations: - {{- toYaml .Values.tolerations | nindent 8 }} + {{- toYaml $.Values.tolerations | nindent 8 }} {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" + {{- if $.Values.priorityClassName }} + priorityClassName: "{{ $.Values.priorityClassName }}" {{- end }} terminationGracePeriodSeconds: 30 initContainers: - {{- include "gitlab.extraInitContainers" . | nindent 8 }} - {{- include "gitlab.certificates.initContainer" . | nindent 8 }} + {{- include "gitlab.extraInitContainers" $ | nindent 8 }} + {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} - name: configure command: ['sh', '/config/configure'] - image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" $.Values.global.busybox) | quote }} + image: {{ include "gitlab.busybox.image" (dict "local" $.Values.init "global" $.Values.global.busybox) | quote }} env: - {{- include "gitlab.extraEnv" . | nindent 10 }} + {{- include "gitlab.extraEnv" $ | nindent 10 }} volumeMounts: - {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} - name: gitaly-config mountPath: /config readOnly: true 
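Review bot: Renaming the StatefulSet from `{{ template "fullname" . }}` to `<release>-gitaly-<storage>` also renames its pods and, through `volumeClaimTemplates`, the PVCs they bind, so an in-place upgrade would leave existing repository data on the old claims while new empty volumes are created; the commit message does not mention this upgrade path. If `fullname` renders `<release>-gitaly`, a migration note (or preserving the old name for the default storage) is needed before this ships. The guard also gains `(not .Values.global.gitaly.host)`, a behaviour change not described in the message; a short comment such as `{{/* Skip rendering when an external Gitaly host is configured */}}` above it would record the intent. The StatefulSet document this hunk opens continues past its last line.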
@@ -59,21 +61,21 @@ spec: mountPath: /init-secrets readOnly: false resources: - {{- toYaml .Values.init.resources | nindent 12 }} + {{- toYaml $.Values.init.resources | nindent 12 }} securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - fsGroup: {{ .Values.securityContext.fsGroup }} -{{- include "pullsecrets" .Values.image | indent 6 }} - {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} + runAsUser: {{ $.Values.securityContext.runAsUser }} + fsGroup: {{ $.Values.securityContext.fsGroup }} +{{- include "pullsecrets" $.Values.image | indent 6 }} + {{- if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "hard" }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - topologyKey: "kubernetes.io/hostname" labelSelector: matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} + app: {{ template "name" $ }}-{{ .name }} + release: {{ $.Release.Name }} + {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }} affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: 
@@ -82,21 +84,21 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} + app: {{ template "name" $ }}-{{ .name }} + release: {{ $.Release.Name }} {{- end }} - {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} - serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} + {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} {{- end }} containers: - {{- include "gitlab.extraContainers" . | nindent 8 }} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}" - {{ template "gitlab.imagePullPolicy" . }} + {{- include "gitlab.extraContainers" $ | nindent 8 }} + - name: {{ $.Chart.Name }} + image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}" + {{ template "gitlab.imagePullPolicy" $ }} ports: - - containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} - {{- if .Values.metrics.enabled }} - - containerPort: {{ .Values.metrics.metricsPort }} + - containerPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} + {{- if $.Values.metrics.enabled }} + - containerPort: {{ $.Values.metrics.metricsPort }} {{- end }} env: - name: CONFIG_TEMPLATE_DIRECTORY 
@@ -107,15 +109,15 @@ spec: value: '/etc/gitaly/config.toml' - name: SSL_CERT_DIR value: '/etc/ssl/certs' - {{- if .Values.metrics.enabled }} + {{- if $.Values.metrics.enabled }} - name: GITALY_PROMETHEUS_LISTEN_ADDR - value: ':{{ .Values.metrics.metricsPort }}' + value: ':{{ $.Values.metrics.metricsPort }}' {{- end }} - {{- include "gitlab.tracing.env" . | nindent 12 }} - {{- include "gitlab.extraEnv" . | nindent 12 }} + {{- include "gitlab.tracing.env" $ | nindent 12 }} + {{- include "gitlab.extraEnv" $ | nindent 12 }} volumeMounts: - {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} - {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }} - name: gitaly-config mountPath: '/etc/gitaly/templates' - name: gitaly-secrets @@ -123,8 +125,8 @@ spec: readOnly: true - name: repo-data mountPath: '/home/git/repositories' - {{- if and .Values.persistence.enabled .Values.persistence.subPath }} - subPath: "{{ .Values.persistence.subPath }}" + {{- if and $.Values.persistence.enabled $.Values.persistence.subPath }} + subPath: "{{ $.Values.persistence.subPath }}" {{- end }} livenessProbe: exec: @@ -141,13 +143,13 @@ spec: timeoutSeconds: 3 periodSeconds: 10 resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml $.Values.resources | nindent 12 }} volumes: - {{- include "gitlab.extraVolumes" . | nindent 6 }} + {{- include "gitlab.extraVolumes" $ | nindent 6 }} - name: gitaly-config configMap: - name: {{ template "fullname" . }} - {{- if not .Values.persistence.enabled }} + name: {{ template "fullname" $ }} + {{- if not $.Values.persistence.enabled }} - name: repo-data emptyDir: {} {{- end }} 
@@ -159,61 +161,63 @@ spec: defaultMode: 0440 sources: - secret: - name: {{ template "gitlab.gitaly.authToken.secret" . }} + name: {{ template "gitlab.gitaly.authToken.secret" $ }} items: - - key: {{ template "gitlab.gitaly.authToken.key" . }} + - key: {{ template "gitlab.gitaly.authToken.key" $ }} path: "gitaly_token" - secret: - name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} + name: {{ template "gitlab.gitlab-shell.authToken.secret" $ }} items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} + - key: {{ template "gitlab.gitlab-shell.authToken.key" $ }} path: ".gitlab_shell_secret" - {{- if .Values.global.gitaly.tls.enabled }} + {{- if $.Values.global.gitaly.tls.enabled }} - secret: - name: {{ template "gitlab.gitaly.tls.secret" . }} + name: {{ template "gitlab.gitaly.tls.secret" $ }} items: - key: "tls.crt" path: "gitaly.crt" - key: "tls.key" path: "gitaly.key" {{- end }} - {{- include "gitlab.certificates.volumes" . | nindent 6 }} - {{- if .Values.nodeSelector }} + {{- include "gitlab.certificates.volumes" $ | nindent 6 }} + {{- if $.Values.nodeSelector }} nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- toYaml $.Values.nodeSelector | nindent 8 }} {{- end -}} - {{- if .Values.persistence.enabled }} + {{- if $.Values.persistence.enabled }} volumeClaimTemplates: - metadata: name: repo-data labels: - app: {{ template "name" . 
}} - release: {{ .Release.Name }} + app: {{ template "name" $ }}-{{ .name }} + release: {{ $.Release.Name }} annotations: - {{- range $key, $value := .Values.persistence.annotations }} + {{- range $key, $value := $.Values.persistence.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: accessModes: - - {{ .Values.persistence.accessMode | quote }} + - {{ $.Values.persistence.accessMode | quote }} resources: requests: - storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} + storage: {{ $.Values.persistence.size | quote }} + {{- if $.Values.persistence.storageClass }} + {{- if (eq "-" $.Values.persistence.storageClass) }} storageClassName: "" {{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" + storageClassName: "{{ $.Values.persistence.storageClass }}" {{- end -}} {{- end }} selector: - {{- if .Values.persistence.matchLabels }} + {{- if $.Values.persistence.matchLabels }} matchLabels: - {{- toYaml .Values.persistence.matchLabels | nindent 12 }} + {{- toYaml $.Values.persistence.matchLabels | nindent 12 }} {{- end -}} - {{- if .Values.persistence.matchExpressions }} + {{- if $.Values.persistence.matchExpressions }} matchExpressions: - {{- toYaml .Values.persistence.matchExpressions | nindent 12 }} + {{- toYaml $.Values.persistence.matchExpressions | nindent 12 }} {{- end -}} {{- end }} +--- +{{- end }} {{- end }} -- GitLab From 94c5dc1749bd35f88c5dafb370e72c56fb96c797 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 11:49:43 -0500 Subject: [PATCH 09/83] Define Gitaly storages for each praefect storage If Praefect is enabled, loop through each virtualStorage entry and generate the associated pod names. This differs from before because there was only ever a `default` Praefect virtual storage, and now this allows multiple. --- charts/gitlab/templates/_gitaly.tpl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index 23e2f6283a..810c8195f7 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl @@ -70,7 +70,9 @@ Return the number of replicas set for Gitaly statefulset {{- define "gitlab.gitaly.storageNames" -}} {{- if $.Values.global.praefect.enabled -}} -{{ range until ($.Values.global.praefect.gitalyReplicas | int) }} {{ printf "%s-gitaly-%d" $.Release.Name . | quote }}, {{- end }} +{{- range $_, $storage := $.Values.global.praefect.virtualStorages -}} +{{ range until ($storage.gitalyReplicas | int) }} {{ printf "%s-gitaly-%s-%d" $.Release.Name $storage.name . | quote }}, {{- end }} +{{- end -}} {{- else -}} {{- range (coalesce $.Values.internal.names $.Values.global.gitaly.internal.names) }} {{ . | quote }}, {{- end }} {{- end -}} -- GitLab From 1b66a97187512f6f48540bc3f21d7d87f964b9b1 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 12:08:15 -0500 Subject: [PATCH 10/83] Only use Praefect's storages if Praefect enabled It's helpful to set `global.praefect.virtualStorages` given the requirement for at least a `default` storage. The logic in this file would use `praefect.virtualStorages` even if Praefect was not enabled. This rearranges the logic to only loop on Praefect's virtual storages if Praefect is enabled. --- charts/gitlab/charts/gitaly/templates/statefulset.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 51b2d10bfa..f2faf68324 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml 
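Review bot: `$storage.gitalyReplicas | int` evaluates to 0 when an entry omits `gitalyReplicas`, so the inner `range until` emits no storage names for that virtual storage, whereas statefulset.yml (patch 08) falls back to `gitlab.gitaly.replicas` and still creates pods; the Praefect configmap hunks in patches 06 and 11 have the same asymmetry. Using the same fallback here, e.g. `{{- $replicas := default (include "gitlab.gitaly.replicas" $) $storage.gitalyReplicas | int }}` and ranging over `until $replicas`, or making the key mandatory with `required`, would keep the three templates agreeing on the node count. The `define` ends inside the hunk, but the comment block that documents it starts before the hunk.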
@@ -1,6 +1,9 @@
 {{- if and .Values.global.gitaly.enabled (not .Values.global.gitaly.host) -}}
-{{- $defaultStorages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list }}
-{{- range default $defaultStorages .Values.global.praefect.virtualStorages }}
+{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}}
+{{ if .Values.global.praefect.enabled }}
+{{ $storages = .Values.global.praefect.virtualStorages }}
+{{- end }}
+{{ range $storages }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-- GitLab

From 91b5a62abbf1c11df6695f94f8087a8d6aff92e6 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Fri, 6 Nov 2020 12:23:24 -0500
Subject: [PATCH 11/83] Simplify range logic for storages

Rather than defining a variable with the storage name for each loop in the range, this tracks the storage name in the same line as the range and references it where needed.
---
charts/gitlab/charts/praefect/templates/configmap.yaml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml
index f76e7eeb76..3686bebd42 100644
--- a/charts/gitlab/charts/praefect/templates/configmap.yaml
+++ b/charts/gitlab/charts/praefect/templates/configmap.yaml
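Review bot: The new `{{ if ... }}`, `{{ $storages = ... }}` and `{{ range $storages }}` actions lack the `-` trim markers the neighbouring lines use, so every rendered StatefulSet document begins with blank lines; YAML tolerates that, but it is inconsistent with the `{{- ... -}}` style of the first line. Prefer `{{- if .Values.global.praefect.enabled }}`, `{{- $storages = .Values.global.praefect.virtualStorages }}` and `{{- range $storages }}`. A one-line comment above the assignment, e.g. `{{/* Praefect: one StatefulSet per virtual storage; otherwise a single one for the first internal storage */}}`, would make the two-branch selection self-explanatory.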
@@ -53,14 +53,13 @@ data: {{- end }} {{ $context := $ }} - {{ range $.Values.global.praefect.virtualStorages }} - {{- $vsName := .name }} + {{ range $_, $storage := $.Values.global.praefect.virtualStorages }} [[virtual_storage]] - name = '{{ $vsName }}' + name = '{{ $storage.name }}' {{- range until (.gitalyReplicas | int) }} [[virtual_storage.node]] - storage = '{{ $.Release.Name }}-gitaly-{{ $vsName }}-{{ . }}' - address = 'tcp://{{ $.Release.Name }}-gitaly-{{ $vsName }}-{{ . }}.{{ $.Release.Name }}-gitaly-{{ $vsName }}:{{ $.Values.global.gitaly.service.externalPort }}' + storage = '{{ $.Release.Name }}-gitaly-{{ $storage.name }}-{{ . }}' + address = 'tcp://{{ $.Release.Name }}-gitaly-{{ $storage.name }}-{{ . }}.{{ $.Release.Name }}-gitaly-{{ $storage.name }}:{{ $.Values.global.gitaly.service.externalPort }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} -- GitLab From cccdf4920ab6f7db3e2cdcc945ab0ab3eb5ce1d0 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 13:52:00 -0500 Subject: [PATCH 12/83] Fix labels for Gitaly Now that we generate a Gitaly statefuset per storage defined, we need to add a label to correctly identify the storage so the associated service(s) only select the relevant pods. --- .../gitlab/charts/gitaly/templates/service.yaml | 4 +++- .../charts/gitaly/templates/statefulset.yml | 16 +++++++++++----- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index 0fcdde3d2b..b342f2b1d5 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml @@ -8,6 +8,7 @@ metadata: labels: {{- include "gitlab.standardLabels" $ | nindent 4 }} {{- include "gitlab.serviceLabels" $ | nindent 4 }} + storage: {{ .name }} annotations: {{- if $.Values.metrics.enabled }} gitlab.com/prometheus_scrape: "true" 
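Review bot: The inner loop mixes the named variable and the dot: `$storage.name` is used for the name and address while the replica count is read as `.gitalyReplicas`; both refer to the same element, but the mix makes mistakes harder to spot, so prefer `{{- range until ($storage.gitalyReplicas | int) }}`. A TOML comment above the outer loop, e.g. `# one [[virtual_storage]] block per global.praefect.virtualStorages entry`, would document the mapping for anyone reading the rendered config.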
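Review bot: `storage: {{ .name }}` renders the label value unquoted, so a storage name that YAML reads as a non-string (a purely numeric name such as `01`, or a boolean-looking one such as `on`) would fail Kubernetes' string-typed label validation; `storage: {{ .name | quote }}` avoids that, and the same applies to every `storage: {{ .name }}` line added in the second service.yaml hunk and the statefulset.yml hunks of this patch. Label values are also limited to 63 characters from `[A-Za-z0-9._-]`, which is a tighter constraint than the resource names already built from `.name`; a comment on `virtualStorages[].name` in values.yaml noting that the name becomes a label value would help operators choose valid names. The Service document this hunk sits in starts before the hunk.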
@@ -33,8 +34,9 @@ spec: targetPort: {{ coalesce $.Values.service.tls.internalPort $.Values.global.gitaly.service.tls.internalPort }} {{- end }} selector: - app: {{ template "name" $ }}-{{ .name }} + app: {{ template "name" $ }} release: {{ $.Release.Name }} + storage: {{ .name }} --- {{- end }} {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index f2faf68324..a063a4738c 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -11,11 +11,13 @@ metadata: namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.immutableLabels" $ | nindent 4 }} + storage: {{ .name }} spec: selector: matchLabels: - app: {{ printf "%s-%s" ( include "name" $ ) .name }} + app: {{ template "name" $ }} release: {{ $.Release.Name }} + storage: {{ .name }} serviceName: {{ printf "%s-gitaly-%s" $.Release.Name .name }} replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} podManagementPolicy: Parallel @@ -27,8 +29,9 @@ spec: template: metadata: labels: - app: {{ template "name" $ }}-{{ .name }} + app: {{ template "name" $ }} release: {{ $.Release.Name }} + storage: {{ .name }} {{- include "gitlab.podLabels" $ | nindent 8 }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }} @@ -76,8 +79,9 @@ spec: - topologyKey: "kubernetes.io/hostname" labelSelector: matchLabels: - app: {{ template "name" $ }}-{{ .name }} + app: {{ template "name" $ }} release: {{ $.Release.Name }} + storage: {{ .name }} {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }} affinity: podAntiAffinity: 
@@ -87,8 +91,9 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ template "name" $ }}-{{ .name }} + app: {{ template "name" $ }} release: {{ $.Release.Name }} + storage: {{ .name }} {{- end }} {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} @@ -192,8 +197,9 @@ spec: - metadata: name: repo-data labels: - app: {{ template "name" $ }}-{{ .name }} + app: {{ template "name" $ }} release: {{ $.Release.Name }} + storage: {{ .name }} annotations: {{- range $key, $value := $.Values.persistence.annotations }} {{ $key }}: {{ $value | quote }} -- GitLab From 115e1240865eeafc580a34480502c907f0ead1a1 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 14:42:32 -0500 Subject: [PATCH 13/83] Use template to calculate Gitaly service name - Uses template to calculate Gitaly service name so it's consistent - Uses this template in the qualifiedServiceName template so the service name is correct when Praefect is disabled --- charts/gitlab/charts/gitaly/templates/service.yaml | 2 +- charts/gitlab/charts/gitaly/templates/statefulset.yml | 4 ++-- templates/_gitaly.tpl | 11 +++++++++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index b342f2b1d5..b7b925067b 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ printf "%s-gitaly-%s" $.Release.Name .name }} + name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.standardLabels" $ | nindent 4 }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index a063a4738c..9b51f2a532 100644 
--- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -7,7 +7,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ printf "%s-gitaly-%s" $.Release.Name .name }} + name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.immutableLabels" $ | nindent 4 }} @@ -18,7 +18,7 @@ spec: app: {{ template "name" $ }} release: {{ $.Release.Name }} storage: {{ .name }} - serviceName: {{ printf "%s-gitaly-%s" $.Release.Name .name }} + serviceName: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} podManagementPolicy: Parallel {{- if $.Values.global.operator.enabled }} diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 826b1f5288..65aa45bf4b 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -30,9 +30,15 @@ Order of operations: - chart-local gitaly service name override - global gitaly service name override - derived from chart name + +Call: + +``` +name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} +``` */}} {{- define "gitlab.gitaly.serviceName" -}} -{{- coalesce ( .Values.gitaly.serviceName ) .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} +{{- coalesce .context.Values.gitaly.serviceName .context.Values.global.gitaly.serviceName (printf "%s-gitaly-%s" .context.Release.Name .name) -}} {{- end -}} {{/* 
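Review bot: Changing `gitlab.gitaly.serviceName` to read `.context` and `.name` alters the template's calling convention, so any include site still passing the plain context will dereference `.context` on an object without that key and fail to render; only two callers are updated in this chunk, so other templates that build Gitaly addresses (the gitlab.yml storages, for instance) should be checked for the old form. At this point in the series a call without `name` also renders `<release>-gitaly-%!s(<nil>)`, because `printf "%s"` of a missing key is not an empty string. The new `Call:` block in the doc comment would be more useful if it said that `name` is the virtual storage name and whether it may be omitted. The rest of the comment block and file are outside this hunk.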
@@ -45,6 +51,7 @@ Call: ``` */}} {{- define "gitlab.gitaly.qualifiedServiceName" -}} -{{- $name := include "gitlab.gitaly.serviceName" .context -}} +{{- $storageName := default (.context.Values.global.gitaly.internal.names | first) .context.name -}} +{{- $name := include "gitlab.gitaly.serviceName" (dict "context" .context "name" $storageName) -}} {{ include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" ) }}-{{ .index }}.{{ $name }} {{- end -}} -- GitLab From 482db80ec74bd8bb7add15fb6de4be14cf38ecf2 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 14:56:53 -0500 Subject: [PATCH 14/83] Correct logic for qualified service name Makes the logic for calculating the service name more consistent, thereby fixing the fully qualified domain name for Gitaly when Praefect is not in use. --- templates/_gitaly.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 65aa45bf4b..8e1cf5000b 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -53,5 +53,5 @@ Call: {{- define "gitlab.gitaly.qualifiedServiceName" -}} {{- $storageName := default (.context.Values.global.gitaly.internal.names | first) .context.name -}} {{- $name := include "gitlab.gitaly.serviceName" (dict "context" .context "name" $storageName) -}} -{{ include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" ) }}-{{ .index }}.{{ $name }} +{{ printf "%s-%d.%s" $name .index $name }} {{- end -}} -- GitLab From 98ebe3a6951740742dfdb33cfa15a979cde85fe8 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 17:14:54 -0500 Subject: [PATCH 15/83] Fix reference to chart-local value For finding the chart-local value, we would use `.Values.xyz`, not `.Values.gitaly.xyz`. --- templates/_gitaly.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 8e1cf5000b..06358a9383 100644 --- a/templates/_gitaly.tpl 
+++ b/templates/_gitaly.tpl @@ -38,7 +38,7 @@ name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} ``` */}} {{- define "gitlab.gitaly.serviceName" -}} -{{- coalesce .context.Values.gitaly.serviceName .context.Values.global.gitaly.serviceName (printf "%s-gitaly-%s" .context.Release.Name .name) -}} +{{- coalesce .context.Values.serviceName .context.Values.global.gitaly.serviceName (printf "%s-gitaly-%s" .context.Release.Name .name) -}} {{- end -}} {{/* -- GitLab From 6628e202b6bdb168177ccf588321841de3af90d0 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 17:16:15 -0500 Subject: [PATCH 16/83] Remove unused $context variable --- charts/gitlab/charts/praefect/templates/configmap.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 3686bebd42..b2e15b6e00 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -52,7 +52,6 @@ data: {{- end }} {{- end }} - {{ $context := $ }} {{ range $_, $storage := $.Values.global.praefect.virtualStorages }} [[virtual_storage]] name = '{{ $storage.name }}' -- GitLab From b3382a42356b125f5b7478afef37aac84436cc3d Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 6 Nov 2020 17:16:58 -0500 Subject: [PATCH 17/83] Use 'serviceName' template to reduce repetition Rather than redefining how the serviceName is calculated here, we can use the `gitlab.gitaly.serviceName` template. I'd like to use the `qualifiedServiceName` template, but I'm having issues with context passing again. Will work on this for a follow-up commit. --- charts/gitlab/charts/praefect/templates/configmap.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index b2e15b6e00..d6539a2a23 100644 
--- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -53,12 +53,14 @@ data: {{- end }} {{ range $_, $storage := $.Values.global.praefect.virtualStorages }} + {{- $serviceName := include "gitlab.gitaly.serviceName" (dict "context" $ "name" $storage.name) }} + {{- $port := $.Values.global.gitaly.service.externalPort }} [[virtual_storage]] name = '{{ $storage.name }}' {{- range until (.gitalyReplicas | int) }} [[virtual_storage.node]] - storage = '{{ $.Release.Name }}-gitaly-{{ $storage.name }}-{{ . }}' - address = 'tcp://{{ $.Release.Name }}-gitaly-{{ $storage.name }}-{{ . }}.{{ $.Release.Name }}-gitaly-{{ $storage.name }}:{{ $.Values.global.gitaly.service.externalPort }}' + storage = '{{ printf "%s-%d" $serviceName . }}' + address = '{{ printf "%s-%d.%s:%g" $serviceName . $serviceName $port }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} -- GitLab From 4abd4411cdbd0a19c5277ff05412fc047c5404ae Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 10 Nov 2020 15:46:08 -0500 Subject: [PATCH 18/83] Use 'qualifiedServiceName' template for address Generates the storage address using the 'gitlab.gitaly.qualifiedServiceName' template. This keeps the values consistent and avoids repetition. --- charts/gitlab/charts/praefect/templates/configmap.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index d6539a2a23..368381c0fd 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
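Review bot: `printf "%s-%d.%s:%g" … $port` formats the port with `%g`, which only renders correctly while `global.gitaly.service.externalPort` reaches the template as a float (how Helm decodes numbers from values files); the same value supplied as an integer, e.g. with `--set`, renders as a `%!g(int64=…)` verb error inside Praefect's configuration. `{{- $port := $.Values.global.gitaly.service.externalPort | int }}` together with `%d` in the format string renders both cases. The `%g` is carried into the later hunks of this file (patches 18, 20, 21, 24). This hunk also drops the `tcp://` scheme that the removed `address` line carried; patch 20 reinstates it.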
@@ -58,9 +58,10 @@ data: [[virtual_storage]] name = '{{ $storage.name }}' {{- range until (.gitalyReplicas | int) }} + {{- $url := include "gitlab.gitaly.qualifiedServiceName" (dict "index" . "context" $) }} [[virtual_storage.node]] storage = '{{ printf "%s-%d" $serviceName . }}' - address = '{{ printf "%s-%d.%s:%g" $serviceName . $serviceName $port }}' + address = '{{ printf "%s:%g" $url $port }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} -- GitLab From d717c39d1474e3e0181a78fafbc8e4638c6e5702 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 11 Nov 2020 13:26:26 -0500 Subject: [PATCH 19/83] Make storages list more legible Makes the storages list more legible by setting the required "default" storage and overridding it with the Praefect virtualStorages if Praefect is enabled. --- charts/gitlab/charts/gitaly/templates/service.yaml | 6 +++++- charts/gitlab/charts/gitaly/templates/statefulset.yml | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index b7b925067b..e54fa842c8 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml @@ -1,5 +1,9 @@ {{- if .Values.global.gitaly.enabled -}} -{{- range default ((dict "name" "default") | list) .Values.global.praefect.virtualStorages }} +{{- $storages := (dict "name" "default") | list -}} +{{- if .Values.global.praefect.enabled -}} +{{- $storages = .Values.global.praefect.virtualStorages -}} +{{- end -}} +{{ range $storages }} apiVersion: v1 kind: Service metadata: diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 9b51f2a532..061040f431 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml 
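Review bot: `include "gitlab.gitaly.qualifiedServiceName" (dict "index" . "context" $)` passes no `name`, and at this point in the series that template falls back to `.context.Values.global.gitaly.internal.names | first`, so the `address` of every virtual storage resolves to the first storage's pods while `storage` on the line above still names the per-storage pod. Passing the storage name through, `(dict "context" $ "index" . "name" $storage.name)`, keeps the two consistent; patch 20 later reworks this call. The enclosing `range` over `virtualStorages` begins above this hunk.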
@@ -1,8 +1,8 @@ {{- if and .Values.global.gitaly.enabled (not .Values.global.gitaly.host) -}} -{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} -{{ if .Values.global.praefect.enabled }} -{{ $storages = .Values.global.praefect.virtualStorages }} -{{- end }} +{{- $storages := (dict "name" "default") | list -}} +{{- if .Values.global.praefect.enabled -}} +{{- $storages = .Values.global.praefect.virtualStorages -}} +{{- end -}} {{ range $storages }} apiVersion: apps/v1 kind: StatefulSet -- GitLab From b2c141edba1ae247f308ec62cf5a8db7d8190f6a Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 11 Nov 2020 13:30:40 -0500 Subject: [PATCH 20/83] Append storage name to Gitaly service name Now that Gitaly statefulsets will be generated per virtual storage, each statefulset/service needs a suffix on the end to identify which storage it represents. --- .../charts/praefect/templates/configmap.yaml | 14 ++++++++------ templates/_gitaly.tpl | 11 ++++++----- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 368381c0fd..3ea021eb8f 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
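Review bot: `$storages := (dict "name" "default") | list` hard-codes the non-Praefect storage name where the removed line derived it from `.Values.global.gitaly.internal.names | first`, so an installation whose first internal storage name is not `default` now gets a StatefulSet named `<release>-gitaly-default` via `gitlab.gitaly.serviceName`, while anything that still builds the service name from `internal.names` would point at a name that no longer exists. If `internal.names` is meant to stay the source of truth without Praefect, keeping the `first` lookup with `"default"` only as its fallback preserves that. The same literal is repeated in the Service, pause-job and PDB hunks (patches 19, 29, 30), so a shared helper would keep the four copies in step. Whether other templates still read `internal.names` is not visible in this chunk.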
@@ -52,16 +52,18 @@ data: {{- end }} {{- end }} - {{ range $_, $storage := $.Values.global.praefect.virtualStorages }} - {{- $serviceName := include "gitlab.gitaly.serviceName" (dict "context" $ "name" $storage.name) }} + {{- $context := $ }} + {{ range $.Values.global.praefect.virtualStorages }} + {{- $storageName := .name }} {{- $port := $.Values.global.gitaly.service.externalPort }} [[virtual_storage]] - name = '{{ $storage.name }}' + name = '{{ $storageName }}' {{- range until (.gitalyReplicas | int) }} - {{- $url := include "gitlab.gitaly.qualifiedServiceName" (dict "index" . "context" $) }} [[virtual_storage.node]] - storage = '{{ printf "%s-%d" $serviceName . }}' - address = '{{ printf "%s:%g" $url $port }}' + {{- $podName := include "gitlab.gitaly.serviceName" (dict "context" $context "name" $storageName) -}} + {{- $podAddress := include "gitlab.gitaly.qualifiedServiceName" (dict "context" $context "index" . "name" $storageName) }} + storage = '{{ $podName }}-{{ . }}' + address = '{{ printf "tcp://%s.%s:%g" $podAddress $context.Release.Name $port }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 06358a9383..ffc7903782 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -38,7 +38,9 @@ name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} ``` */}} {{- define "gitlab.gitaly.serviceName" -}} -{{- coalesce .context.Values.serviceName .context.Values.global.gitaly.serviceName (printf "%s-gitaly-%s" .context.Release.Name .name) -}} +{{- $baseName := coalesce .context.Values.serviceName .context.Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" )) -}} +{{- $suffix := default "default" .name -}} +{{ printf "%s-%s" $baseName $suffix }} {{- end -}} {{/* 
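Review bot: `printf "%s-%s" $baseName $suffix` appends `-default` whenever `.name` is empty, so the rendered Gitaly Service and StatefulSet names change from the bare `gitlab.other.fullname` result to `<fullname>-default` for every installation, not only Praefect users, and on upgrade the new StatefulSet claims fresh `repo-data-…-default-N` volumes while the old ones are orphaned. The suffix is also applied to the explicit `.context.Values.serviceName` / `global.gitaly.serviceName` overrides, so an operator who set one of those to match an existing object sees it renamed as well. If this is intended, the changelog entry from patch 02 and the upgrade docs should say so; otherwise add the suffix only when `.name` is set or Praefect is enabled. The `Order of operations` comment above this define lies outside the hunk and still lists only the three un-suffixed sources.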
@@ -47,11 +49,10 @@ Return a qualified gitaly service name, for direct access to the gitaly headless Call: ``` -{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i)-}} +{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i "name" .name)-}} ``` */}} {{- define "gitlab.gitaly.qualifiedServiceName" -}} -{{- $storageName := default (.context.Values.global.gitaly.internal.names | first) .context.name -}} -{{- $name := include "gitlab.gitaly.serviceName" (dict "context" .context "name" $storageName) -}} +{{- $name := include "gitlab.gitaly.serviceName" (dict "context" .context "name" .name) -}} {{ printf "%s-%d.%s" $name .index $name }} -{{- end -}} +{{- end -}} \ No newline at end of file -- GitLab From 0ec85f6b391d16121b35763ef89e86c435ce6b01 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 11 Nov 2020 13:35:48 -0500 Subject: [PATCH 21/83] Rename context variable for clarity Renames the $context variable to $globalContext to indicate that it represents the global context, and not the context from where it is called. --- charts/gitlab/charts/praefect/templates/configmap.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 3ea021eb8f..85d1e6ee6c 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -52,7 +52,7 @@ data: {{- end }} {{- end }} - {{- $context := $ }} + {{- $globalContext := $ }} {{ range $.Values.global.praefect.virtualStorages }} {{- $storageName := .name }} {{- $port := $.Values.global.gitaly.service.externalPort }} 
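Review bot: The hunk ends with `\ No newline at end of file`, meaning the rewrite of `gitlab.gitaly.qualifiedServiceName` dropped the file's terminating newline; nothing in the change needs that, so it looks like an editor artefact and the newline should be restored to keep `templates/_gitaly.tpl` POSIX-clean. Otherwise the marker reappears in every later diff that touches the end of this file, as a spurious change.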
@@ -60,10 +60,10 @@ data: name = '{{ $storageName }}' {{- range until (.gitalyReplicas | int) }} [[virtual_storage.node]] - {{- $podName := include "gitlab.gitaly.serviceName" (dict "context" $context "name" $storageName) -}} - {{- $podAddress := include "gitlab.gitaly.qualifiedServiceName" (dict "context" $context "index" . "name" $storageName) }} + {{- $podName := include "gitlab.gitaly.serviceName" (dict "context" $globalContext "name" $storageName) -}} + {{- $podAddress := include "gitlab.gitaly.qualifiedServiceName" (dict "context" $globalContext "index" . "name" $storageName) }} storage = '{{ $podName }}-{{ . }}' - address = '{{ printf "tcp://%s.%s:%g" $podAddress $context.Release.Name $port }}' + address = '{{ printf "tcp://%s.%s:%g" $podAddress $globalContext.Release.Name $port }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} -- GitLab From faedd8bc6efccac09fb9c0ce6f975e659f620bd0 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 11 Nov 2020 13:37:50 -0500 Subject: [PATCH 22/83] Make example include statements more consistent Makes the 'Call:' examples more consistent. --- templates/_gitaly.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index ffc7903782..c8f3ab53d2 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -34,7 +34,7 @@ Order of operations: Call: ``` -name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} +{{- include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) -}} ``` */}} {{- define "gitlab.gitaly.serviceName" -}} @@ -49,7 +49,7 @@ Return a qualified gitaly service name, for direct access to the gitaly headless Call: ``` -{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i "name" .name)-}} +{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i "name" .name) -}} ``` */}} {{- define "gitlab.gitaly.qualifiedServiceName" -}} -- GitLab 
From 848af0a62042acece503b9c8feb1eeab48a3a55f Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 13 Nov 2020 08:45:06 -0500 Subject: [PATCH 23/83] Remove note about virtual storage known limitation This MR enables multiple virtual storages, so it removes the line marking that as a known limitation. --- doc/charts/gitlab/praefect/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 3e6f45773a..91cce5e6f8 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -10,7 +10,6 @@ The Praefect chart is used to manage a [Gitaly cluster](https://docs.gitlab.com/ ## Known Limitations -1. Only a managed, `default` [virtual storage](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2307) is supported. 1. [TLS is not supported](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2306). 1. The database has to be [manually created](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2310). 1. [Migrating from an existing Gitaly setup](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2311) to Praefect is not supported. -- GitLab From ff9346ff3674ced5597ea9b2098c66da685318b0 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 16 Nov 2020 13:53:29 -0500 Subject: [PATCH 24/83] Use release namespace for Gitaly pod address Uses the release namespace (not the release name) for the Gitaly pod address. --- charts/gitlab/charts/praefect/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 85d1e6ee6c..2708a545bb 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml 
@@ -63,7 +63,7 @@ data: {{- $podName := include "gitlab.gitaly.serviceName" (dict "context" $globalContext "name" $storageName) -}} {{- $podAddress := include "gitlab.gitaly.qualifiedServiceName" (dict "context" $globalContext "index" . "name" $storageName) }} storage = '{{ $podName }}-{{ . }}' - address = '{{ printf "tcp://%s.%s:%g" $podAddress $globalContext.Release.Name $port }}' + address = '{{ printf "tcp://%s.%s:%g" $podAddress $globalContext.Release.Namespace $port }}' token = "<%= gitaly_token %>" {{- end }} {{ end }} -- GitLab From 8ea0935a4ff2113a78919e775b321a04cf592231 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 16 Nov 2020 14:16:57 -0500 Subject: [PATCH 25/83] Generate storage per virtualstorage Generates a storage entry per Praefect VirtualStorage. --- charts/gitlab/templates/_praefect.tpl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index c141b38b90..a0d4145851 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -2,9 +2,11 @@ Return the default praefect storage line for gitlab.yml */}} {{- define "gitlab.praefect.storages" -}} -default: +{{- range $.Values.global.praefect.virtualStorages }} +{{ .name }}: path: /var/opt/gitlab/repo - gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" . }}:{{ .Values.global.gitaly.service.externalPort }} + gitaly_address: tcp://{{ template "gitlab.praefect.serviceName" $ }}:{{ $.Values.global.gitaly.service.externalPort }} +{{- end }} {{- end -}} -- GitLab From 6b909c65bfa2d901ec9909b57c81e25a6b662c68 Mon Sep 17 00:00:00 2001 
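Review bot: Rendering one `{{ .name }}:` entry per `virtualStorages` item means gitlab.yml's `repositories.storages` contains exactly what the user lists, and nothing in this template asserts that an entry named `default` is among them; if the application still requires a `default` storage (worth confirming against the Rails settings initializer), a values file listing only custom names renders cleanly and fails at boot. A `required`/`fail` check for the `default` name, or a note in the values documentation, would make that expectation explicit. The key is also emitted unquoted; `{{ .name | quote }}:` keeps numeric or boolean-looking storage names as string keys once the rendered file is parsed.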
From: Mitchell Nielsen Date: Mon, 16 Nov 2020 16:53:38 -0500 Subject: [PATCH 26/83] Correctly select storage name for gitaly nodes Now that we include the storage name in the list of storages, the syntax of the shell-ism to echo out the HOSTNAME and just pick off the last character (the hostname's integer, like 0, 1, etc.) isn't sufficient because with multiple virtual storages, there may be multiple storage names that end in the same integer: - gitaly-default-0 - gitaly-vs2-0 This would surface because gitaly-vs2-0 pod would have "gitaly-default-0" in its config.toml, which is wrong! Given this is Praefect-specific, we should only create new logic for grabbing the relevant storage name in the scenario that Praefect is enabled. Otherwise, we can keep the same logic. --- .../gitlab/charts/gitaly/templates/configmap.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/gitlab/charts/gitaly/templates/configmap.yml b/charts/gitlab/charts/gitaly/templates/configmap.yml index 8f94eb6563..7fba8b9368 100644 --- a/charts/gitlab/charts/gitaly/templates/configmap.yml +++ b/charts/gitlab/charts/gitaly/templates/configmap.yml @@ -42,6 +42,20 @@ data: {{- end }} <% @storages = [ {{ include "gitlab.gitaly.storageNames" . }} ] %> + + {{- if $.Values.global.praefect.enabled }} + + <% @hostname=ENV['HOSTNAME'].strip %> + <% if @storages.any? { |s| s.include?(@hostname) } %> + [[storage]] + name = "<%= @hostname %>" + path = "/home/git/repositories" + <% else %> + <% raise Exception, "Storage for node #{@hostname} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %> + <% end %> + + {{- else }} + <% @index=`echo ${HOSTNAME##*-}`.to_i %> <% if @storages.length > @index %> [[storage]] 
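Review bot: `@storages.any? { |s| s.include?(@hostname) }` is a substring test, so a hostname ending in `-vs2-1` is accepted when the list only holds a longer name that embeds it (such as `…-vs2-10`), and the pod then writes a `[[storage]]` whose name Praefect was never told about, which is precisely the case the guard exists to catch. `Array#include?` gives the intended exact match: `<% if @storages.include?(@hostname) %>`. `ENV['HOSTNAME'].strip` also raises `NoMethodError` rather than the descriptive exception when `HOSTNAME` is unset, so `ENV.fetch('HOSTNAME').strip` would keep the failure readable. The surrounding `data:` block continues outside this hunk.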
@@ -51,6 +65,8 @@ data: <% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %> <% end %> + {{- end }} + [logging] {{- with .Values.logging }} {{- if .level }} -- GitLab From ef7bc5b61b761d5036e0625bb0305c9915c77e7f Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 16 Nov 2020 17:02:23 -0500 Subject: [PATCH 27/83] Small syntax fixes Makes small syntax fixes in the exception handler. --- charts/gitlab/charts/gitaly/templates/configmap.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/configmap.yml b/charts/gitlab/charts/gitaly/templates/configmap.yml index 7fba8b9368..98d5ef1c48 100644 --- a/charts/gitlab/charts/gitaly/templates/configmap.yml +++ b/charts/gitlab/charts/gitaly/templates/configmap.yml @@ -51,7 +51,7 @@ data: name = "<%= @hostname %>" path = "/home/git/repositories" <% else %> - <% raise Exception, "Storage for node #{@hostname} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %> + <% raise Exception, "Storage for node #{@hostname} is not present in the storageNames array. Did you use kubectl to scale up? You need to solely use helm for this purpose." %> <% end %> {{- else }} @@ -62,7 +62,7 @@ data: name = "<%= @storages[@index] %>" path = "/home/git/repositories" <% else %> - <% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %> + <% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up? You need to solely use helm for this purpose." %> <% end %> {{- end }} -- GitLab From 3bc3dd48e76143d8dad209fabe203e73726c5ed4 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Mon, 16 Nov 2020 19:45:34 -0500 Subject: [PATCH 28/83] Fix values condition for Gitaly pause job Rather than .Values.enabled, we need to check .Values.global.gitaly.enabled. In its previous state, it was not possible to turn on this pause job at all since a local `gitaly.enabled` is not configured/referenced. --- charts/gitlab/charts/gitaly/templates/pause_job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/pause_job.yaml b/charts/gitlab/charts/gitaly/templates/pause_job.yaml index 3b18b5bf21..a535cc1908 100644 --- a/charts/gitlab/charts/gitaly/templates/pause_job.yaml +++ b/charts/gitlab/charts/gitaly/templates/pause_job.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.enabled .Values.global.operator.rollout.autoPause .Values.global.operator.enabled }} +{{- if and .Values.global.gitaly.enabled .Values.global.operator.rollout.autoPause .Values.global.operator.enabled }} apiVersion: v1 kind: ServiceAccount metadata: -- GitLab From 9fcfb126cee0bd411231c0d73b1a258017917790 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 16 Nov 2020 19:46:55 -0500 Subject: [PATCH 29/83] Loop through each statefulset on the pause job Because there may no longer be only one Gitaly statefulset, we now loop through each possible virtual storage's statefulset in the pause job. --- .../gitlab/charts/gitaly/templates/pause_job.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/pause_job.yaml b/charts/gitlab/charts/gitaly/templates/pause_job.yaml index a535cc1908..0063034861 100644 --- a/charts/gitlab/charts/gitaly/templates/pause_job.yaml +++ b/charts/gitlab/charts/gitaly/templates/pause_job.yaml 
@@ -75,5 +75,16 @@ spec: - name: pause-task image: {{ include "gitlab.kubectl.image" . | quote }} {{ template "gitlab.imagePullPolicy" }} - command: ["sh", "-c", "echo Number of Gitaly replicas is {{include "gitlab.gitaly.replicas" . }}; kubectl patch statefulset {{include "fullname" . }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{include "gitlab.gitaly.replicas" . }}} } } }'"] + command: + - "sh" + - "-c" + - | + {{- $storages := (dict "name" "default") | list -}} + {{- if .Values.global.praefect.enabled -}} + {{- $storages = .Values.global.praefect.virtualStorages -}} + {{- end -}} + {{ range $storages }} + echo Number of Gitaly replicas for storage {{ .name }} is {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}; + kubectl patch statefulset {{include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }'" + {{- end }} {{- end }} -- GitLab From 522f362cf452dfa37d60cc66bfbf221b3fc2fcc7 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 09:29:04 -0500 Subject: [PATCH 30/83] Generate Gitaly PDB per virtual storage We'll need one Gitaly PDB per virtual storage defined. Before this change, even with multiple virtual storages, only one PDB would be defined and the selectors would match all Gitaly StatefulSets. Also adds an option to define `maxUnavailable` per virtual storage, which will be used in the PDB and will fall back on the Gitaly chart's default value if not provided. --- charts/gitlab/charts/gitaly/templates/pdb.yaml | 18 +++++++++++++----- values.yaml | 1 + 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/pdb.yaml b/charts/gitlab/charts/gitaly/templates/pdb.yaml index e31cac0370..15c8f7cca6 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb.yaml 
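Review bot: Moving the command into a `|` block scalar changes how the `kubectl patch` line is escaped: inside a literal block the `\"` sequences are no longer YAML escapes, so the shell receives a JSON patch containing backslashes, and the stray `"` at the end of the line (left over from the old double-quoted form) leaves an unbalanced quote that makes `sh -c` fail before any patch is applied. The line should read `kubectl patch statefulset {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{"spec": {"updateStrategy": {"rollingUpdate": {"partition": {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }'`. The spec added in patch 31 only asserts that `Job/test-gitaly-pause` exists, so an assertion on the rendered command would have caught this. Note also that Sprig's `default` treats `0` as unset, so a storage with `gitalyReplicas: 0` is patched with the chart-wide replica count.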
+++ b/charts/gitlab/charts/gitaly/templates/pdb.yaml @@ -1,15 +1,23 @@ {{- if .Values.global.gitaly.enabled -}} +{{- $storages := (dict "name" "default") | list -}} +{{- if .Values.global.praefect.enabled -}} +{{- $storages = .Values.global.praefect.virtualStorages -}} +{{- end -}} +{{ range $storages }} apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: - name: {{ template "fullname" . }} + name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.standardLabels" $ | nindent 4 }} spec: - maxUnavailable: {{ .Values.maxUnavailable }} + maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }} selector: matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} + app: {{ template "name" $ }} + release: {{ $.Release.Name }} + storage: {{ .name }} +--- +{{- end -}} {{- end -}} diff --git a/values.yaml b/values.yaml index 7ab7144787..eedecfabd1 100644 --- a/values.yaml +++ b/values.yaml @@ -136,6 +136,7 @@ global: virtualStorages: - name: default gitalyReplicas: 3 + maxUnavailable: 1 psql: sslMode: 'disable' -- GitLab From c5a2fd40125274b8dbabd91000dce78c0ca5f4ef Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 09:30:26 -0500 Subject: [PATCH 31/83] Add rspec tests for Praefect Adds rspec tests for Praefect. At this point, it mostly just tests that the expected resources are created. Further tests may be added with more specific checks. --- spec/configuration/praefect_spec.rb | 156 ++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 spec/configuration/praefect_spec.rb diff --git a/spec/configuration/praefect_spec.rb b/spec/configuration/praefect_spec.rb new file mode 100644 index 0000000000..eda053987e --- /dev/null +++ b/spec/configuration/praefect_spec.rb 
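Review bot: `maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }}` cannot express `0` for a single virtual storage, because Sprig's `default` treats `0` as empty and silently substitutes the chart-wide value, which is the one setting an operator is most likely to want honoured per storage. Testing for key presence instead, `{{ if hasKey . "maxUnavailable" }}{{ .maxUnavailable }}{{ else }}{{ $.Values.maxUnavailable }}{{ end }}`, keeps `0` meaningful. The `storage: {{ .name }}` selector value is rendered unquoted here as in the Service and StatefulSet; `{{ .name | quote }}` keeps it a string for any name YAML would otherwise retype. The selector also depends on the `storage` pod label introduced in patch 12, so on a release created before that label exists the PDB matches no pods until the StatefulSet has rolled.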
@@ -0,0 +1,156 @@ +require 'spec_helper' +require 'helm_template_helper' +require 'yaml' +require 'hash_deep_merge' + +describe 'Praefect configuration' do + let(:default_values) do + { 'certmanager-issuer' => { 'email' => 'test@example.com' } } + end + + let(:praefect_resources) do + [ + 'Service/test-praefect', + 'ConfigMap/test-praefect', + 'ConfigMap/test-praefect-scripts', + 'PodDisruptionBudget/test-praefect', + 'StatefulSet/test-praefect', + ] + end + + context 'wtih Praefect disabled' do + let(:values_praefect_disabled) do + { + 'global' => { + 'praefect' => { + 'enabled' => false + } + } + }.deep_merge(default_values) + end + + let(:template) { HelmTemplate.new(values_praefect_disabled) } + + it 'templates successfully' do + expect(template.exit_code).to eq(0) + end + + it 'does not render Praefect resources' do + praefect_resources.each do |r| + expect(template.dig(r)).to be_falsey + end + end + end + + context 'with Praefect enabled' do + let(:values_praefect_enabled) do + { + 'global' => { + 'praefect' => { + 'enabled' => true + } + } + }.deep_merge(default_values) + end + + let(:gitaly_resources_default) do + [ + 'PodDisruptionBudget/test-gitaly-default', + 'ConfigMap/test-gitaly', + 'Service/test-gitaly-default', + 'StatefulSet/test-gitaly-default', + ] + end + + let(:template) { HelmTemplate.new(values_praefect_enabled) } + + it 'templates successfully' do + expect(template.exit_code).to eq(0) + end + + it 'renders Praefect resources' do + praefect_resources.each do |r| + expect(template.dig(r)).to be_truthy + end + end + + it 'renders one set of Gitaly resources' do + gitaly_resources_default.each do |r| + expect(template.dig(r)).to be_truthy + end + end + + context 'with multiple virtual storages' do + let(:values_multiple_virtual_storages) do + { + 'global' => { + 'praefect' => { + 'virtualStorages' => [ + { + 'name' => 'default', + 'gitalyReplicas' => 3 + }, + { + 'name' => 'vs2', + 'gitalyReplicas' => 3 + }, + ] + } + } + 
}.deep_merge(values_praefect_enabled) + end + + let(:gitaly_resources_multiple) do + [ + 'PodDisruptionBudget/test-gitaly-vs2', + 'ConfigMap/test-gitaly', + 'Service/test-gitaly-vs2', + 'StatefulSet/test-gitaly-vs2', + ].concat(gitaly_resources_default) + end + + let(:template) { HelmTemplate.new(values_multiple_virtual_storages) } + + it 'templates successfully' do + expect(template.exit_code).to eq(0) + end + + it 'generates Gitaly resources per virtual storage' do + gitaly_resources_multiple.each do |r| + expect(template.dig(r)).to be_truthy + end + end + + context 'with operator enabled' do + let(:values_operator_enabled) do + { + 'global' => { + 'operator' => { 'enabled' => true }, + } + }.deep_merge(values_multiple_virtual_storages) + end + + let(:operator_resources) do + [ + 'ServiceAccount/test-gitaly-pause', + 'Role/test-gitaly-pause', + 'RoleBinding/test-gitaly-pause', + 'Job/test-gitaly-pause', + ] + end + + let(:template) { HelmTemplate.new(values_operator_enabled) } + + it 'templates successfully' do + expect(template.exit_code).to eq(0) + end + + it 'generates one set of operator-related resources' do + operator_resources.each do |r| + expect(template.dig(r)).to be_truthy + end + end + end + end + end +end -- GitLab From ed46de87801ca72106681eeefef6b09434da2189 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 09:55:42 -0500 Subject: [PATCH 32/83] Update Praefect documentation Updates Praefect documentation to reflect the addition of multiple virtual storages. --- doc/charts/gitlab/praefect/index.md | 36 ++++++++++++++++++++++++++++- doc/charts/globals.md | 9 +++++--- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 91cce5e6f8..bf2bb8e71c 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
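Review bot: Every example only asserts that a resource key is present, so a wrong `replicas` value or a missing `storage` label on the `vs2` StatefulSet would still pass; one content assertion per virtual storage, e.g. `expect(template.dig('StatefulSet/test-gitaly-vs2', 'spec', 'replicas')).to eq(3)` (assuming `HelmTemplate#dig` accepts a key path, as its use with a single key here suggests), would pin the behaviour this series adds. The context description `'wtih Praefect disabled'` has a typo and should read `'with Praefect disabled'`.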
@@ -22,7 +22,41 @@ This chart depends on the resources in the Gitaly chart. By default, it will spi The chart is disabled by default. To enable it as part of a chart deploy set `global.praefect.enabled=true`. -The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.gitalyReplicas` to the desired number of replicas. +### Replicas + +The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.virtualStorages` with the desired number of replicas. For example: + +```yaml +global: + praefect: + enabled: true + virtualStorages: + - name: default + gitalyReplicas: 4 + maxUnavailable: 1 +``` + +### Virtual storages + +Multiple virtual storages can be configured (see [Gitaly Cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) documentation). For example: + +```yaml +global: + praefect: + enabled: true + virtualStorages: + - name: default + gitalyReplicas: 4 + maxUnavailable: 1 + - name: vs2 + gitalyReplicas: 5 + maxUnavailable: 2 +``` + +This will create two sets of resources for Gitaly. This includes two Gitaly StatefulSets (one per virtual storage). In the Admin UI, under +`admin/application_settings/repository` > `Repository storage`, weights can be assigned to each virtual storage. Click the question mark (?) icon icon in the +`Storage nodes for new repositories` section for more information. + ### Creating the database diff --git a/doc/charts/globals.md b/doc/charts/globals.md index a3312c6a2f..32e8665c35 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -625,7 +625,7 @@ Configuring Gitaly to serve via TLS is detailed [in the Gitaly chart's documenta The global Praefect settings are located under the `global.praefect` key. -Praefect is disabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will be created on the default PostgreSQL instance. +Praefect is disabled by default. When enabled with no extra settings, 3 Gitaly replicas will be created, and the Praefect database will need to be manually created on the default PostgreSQL instance. ### Enable Praefect @@ -639,7 +639,10 @@ See the [Praefect documentation](https://docs.gitlab.com/ee/administration/gital global: praefect: enabled: false - gitalyReplicas: 3 + virtualStorages: + - name: default + gitalyReplicas: 3 + maxUnavailable: 2 dbSecret: {} psql: {} ``` @@ -647,7 +650,7 @@ global: | Name | Type | Default | Description | | ---- | ---- | ------- | ----------- | | enabled | Bool | false | Whether or not to enable Praefect | -| gitalyReplicas | Integer | 3 | The number of Gitaly replicas that should be created | +| virtualStorages | List | See [docs](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#virtual-storages) | The list of desired virtual storages (each backed by a Gitaly StatefulSet) | | dbSecret.secret | String | | The name of the secret to use for authenticating with the database | | dbSecret.key | String | | The name of the key in `dbSecret.secret` to use | | psql.host | String | | The hostname of the database server to use (when using an external database) | -- GitLab From 96bab195863525a1aaff9031bfe78a0e3f2bb0c8 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 09:58:07 -0500 Subject: [PATCH 33/83] Fix maxUnavailable default in docs The maxUnavailable is 1, not 2 by default. --- doc/charts/globals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 32e8665c35..875404b976 100644 
--- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -642,7 +642,7 @@ global: virtualStorages: - name: default gitalyReplicas: 3 - maxUnavailable: 2 + maxUnavailable: 1 dbSecret: {} psql: {} ``` -- GitLab From 3b8a7cc9e5c9bde2abe2cf9e59fd2e87c8bc862c Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 10:05:36 -0500 Subject: [PATCH 34/83] Adjust logic for Gitaly replicas template Removes the praefect reference in the Gitaly replicas template. This could be adjusted to take in an optional `.name` field, but requires handing the template a dict with the global scope and the optional `.name` field. Currently, we use `default` from where the template is called to achieve this. --- charts/gitlab/templates/_gitaly.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/templates/_gitaly.tpl b/charts/gitlab/templates/_gitaly.tpl index 810c8195f7..6a6dd58237 100644 --- a/charts/gitlab/templates/_gitaly.tpl +++ b/charts/gitlab/templates/_gitaly.tpl @@ -64,7 +64,7 @@ default: Return the number of replicas set for Gitaly statefulset */}} {{- define "gitlab.gitaly.replicas" -}} -{{- if .Values.global.gitaly.host }} 0 {{- else if .Values.global.praefect.enabled }}{{ .Values.global.praefect.gitalyReplicas }}{{- else }} {{ len .Values.global.gitaly.internal.names }} {{- end }} +{{- if .Values.global.gitaly.host }}0{{- else }}{{ len .Values.global.gitaly.internal.names }}{{- end }} {{- end -}} -- GitLab From 37220e57487b4748e1889c681f141e3adcaa9969 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 10:09:03 -0500 Subject: [PATCH 35/83] Remove repeated word in docs "icon icon" --- doc/charts/gitlab/praefect/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index bf2bb8e71c..bcec2ef0c0 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
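Review bot: With the Praefect branch removed from `gitlab.gitaly.replicas`, a virtual storage that omits `gitalyReplicas` now falls back (through `default` at the call sites) to `len .Values.global.gitaly.internal.names`, which is the non-Praefect storage list and has no relation to the Praefect topology; that is a surprising silent default and the comment above the `define` should state it, e.g. `Return the number of replicas for the Gitaly StatefulSet. With Praefect enabled, callers pass the per-virtual-storage gitalyReplicas and only fall back to this value when it is unset.` Dropping the padding spaces around `0` is a good change, since the old output was injected directly into `replicas:` fields.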
@@ -54,7 +54,7 @@ global: ``` This will create two sets of resources for Gitaly. This includes two Gitaly StatefulSets (one per virtual storage). In the Admin UI, under -`admin/application_settings/repository` > `Repository storage`, weights can be assigned to each virtual storage. Click the question mark (?) icon icon in the +`admin/application_settings/repository` > `Repository storage`, weights can be assigned to each virtual storage. Click the question mark (?) icon in the `Storage nodes for new repositories` section for more information. -- GitLab From 0a7c317517f37d696b941ab4a79078fef0833d77 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 17 Nov 2020 10:12:01 -0500 Subject: [PATCH 36/83] Remove multiple blank lines --- doc/charts/gitlab/praefect/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index bcec2ef0c0..c72506092c 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -57,7 +57,6 @@ This will create two sets of resources for Gitaly. This includes two Gitaly Stat `admin/application_settings/repository` > `Repository storage`, weights can be assigned to each virtual storage. Click the question mark (?) icon in the `Storage nodes for new repositories` section for more information. - ### Creating the database Praefect uses its own database to track its state. This has to be manually created in order for Praefect to be functional. -- GitLab From c8c742b43c7a66fe707549f1169a1d92884aa985 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 18 Nov 2020 13:46:53 +0000 Subject: [PATCH 37/83] Apply 1 suggestion(s) to 1 file(s) --- charts/gitlab/charts/gitaly/templates/pause_job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/pause_job.yaml b/charts/gitlab/charts/gitaly/templates/pause_job.yaml index 0063034861..782dd2983f 100644 
--- a/charts/gitlab/charts/gitaly/templates/pause_job.yaml +++ b/charts/gitlab/charts/gitaly/templates/pause_job.yaml @@ -85,6 +85,6 @@ spec: {{- end -}} {{ range $storages }} echo Number of Gitaly replicas for storage {{ .name }} is {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}; - kubectl patch statefulset {{include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }'" + kubectl patch statefulset {{include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }';" {{- end }} {{- end }} -- GitLab From 658ac74df6b48d45c254a977a11cec80797e13c9 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 18 Nov 2020 13:50:12 +0000 Subject: [PATCH 38/83] Apply 1 suggestion(s) to 1 file(s) --- charts/gitlab/charts/gitaly/templates/statefulset.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 061040f431..aeb9b90630 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -71,7 +71,7 @@ spec: securityContext: runAsUser: {{ $.Values.securityContext.runAsUser }} fsGroup: {{ $.Values.securityContext.fsGroup }} -{{- include "pullsecrets" $.Values.image | indent 6 }} + {{- include "pullsecrets" $.Values.image | indent 6 }} {{- if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "hard" }} affinity: podAntiAffinity: -- GitLab From 921ab424a5f3c7aa24dd2b3f657ee5a8bd94fc04 Mon Sep 17 00:00:00 2001 
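Review bot: Appending `;` does not make the kubectl line runnable: the `\"` escapes are literal inside the single-quoted `-p` argument (so kubectl is handed `{\"spec\": ...}` instead of JSON) and the `"` after `';` is still an unterminated double quote for `sh`. The line should end `... {"partition": {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }';` with no backslashes and no trailing `"`. Since `sh -c` returns the status of the last command, a failed patch on the first storage is masked if the last one succeeds and the pause Job reports success; a `set -e` as the first line of the block scalar would surface it. The `range $storages` loop this line sits in starts before the hunk.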
From: Mitchell Nielsen Date: Wed, 18 Nov 2020 10:09:05 -0500 Subject: [PATCH 39/83] Update docs on Gitaly PVC names Updates Gitaly PVC names in the storage documentation to match the new naming convention. Also notes the PVC(s) required when using Praefect with multiple virtual storages. --- doc/installation/storage.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/installation/storage.md b/doc/installation/storage.md index 56af7c36b4..98a56c3e50 100644 --- a/doc/installation/storage.md +++ b/doc/installation/storage.md @@ -132,7 +132,16 @@ The GitLab Cloud Native Chart determines the `statefulset-name` using: - ``` -The correct name for the Gitaly PersistentVolumeClaim is: `repo-data-gitlab-gitaly-0`. +The correct name for the Gitaly PersistentVolumeClaim is: `repo-data-gitlab-gitaly-default-0`. + +> **Note**: If using Praefect with multiple Virtual Storages, you will need one PersistentVolumeClaim +> per Gitaly replica per Virtual Storage defined. For example, if you have `default` and `vs2` Virtual +> Storages defined, each with 2 replicas, then you need the following PersistentVolumeClaims: +> +> - `repo-data-gitlab-gitaly-default-0` +> - `repo-data-gitlab-gitaly-default-1` +> - `repo-data-gitlab-gitaly-vs2-0` +> - `repo-data-gitlab-gitaly-vs2-1` Modify the [example YAML configuration](https://gitlab.com/gitlab-org/charts/gitlab/blob/master/examples/storage/gitaly_persistent_volume_claim.yml) for your environment and reference it when invoking `helm`. -- GitLab From 2b9479fd33fd4a04249035eca74b353a03e52eb4 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Tue, 24 Nov 2020 13:53:26 -0500 Subject: [PATCH 40/83] Pull first entry from gitaly.internal.names Pulls first entry from gitaly.internal.names instead of assuming the storage name of "default" --- charts/gitlab/charts/gitaly/templates/pause_job.yaml | 2 +- charts/gitlab/charts/gitaly/templates/pdb.yaml | 2 +- charts/gitlab/charts/gitaly/templates/service.yaml | 2 +- charts/gitlab/charts/gitaly/templates/statefulset.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/pause_job.yaml b/charts/gitlab/charts/gitaly/templates/pause_job.yaml index 782dd2983f..68fa3bc3b2 100644 --- a/charts/gitlab/charts/gitaly/templates/pause_job.yaml +++ b/charts/gitlab/charts/gitaly/templates/pause_job.yaml @@ -79,7 +79,7 @@ spec: - "sh" - "-c" - | - {{- $storages := (dict "name" "default") | list -}} + {{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} {{- if .Values.global.praefect.enabled -}} {{- $storages = .Values.global.praefect.virtualStorages -}} {{- end -}} diff --git a/charts/gitlab/charts/gitaly/templates/pdb.yaml b/charts/gitlab/charts/gitaly/templates/pdb.yaml index 15c8f7cca6..0a8a273afd 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb.yaml +++ b/charts/gitlab/charts/gitaly/templates/pdb.yaml @@ -1,5 +1,5 @@ {{- if .Values.global.gitaly.enabled -}} -{{- $storages := (dict "name" "default") | list -}} +{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} {{- if .Values.global.praefect.enabled -}} {{- $storages = .Values.global.praefect.virtualStorages -}} {{- end -}} diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index e54fa842c8..f3db5fae9f 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml 
@@ -1,5 +1,5 @@ {{- if .Values.global.gitaly.enabled -}} -{{- $storages := (dict "name" "default") | list -}} +{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} {{- if .Values.global.praefect.enabled -}} {{- $storages = .Values.global.praefect.virtualStorages -}} {{- end -}} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 4702ce199f..049fd23c74 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -1,5 +1,5 @@ {{- if and .Values.global.gitaly.enabled (not .Values.global.gitaly.host) -}} -{{- $storages := (dict "name" "default") | list -}} +{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} {{- if .Values.global.praefect.enabled -}} {{- $storages = .Values.global.praefect.virtualStorages -}} {{- end -}} -- GitLab From ae1d055e2825657429964a682865f32d727506a4 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 24 Nov 2020 13:56:37 -0500 Subject: [PATCH 41/83] Trim length and suffix for Gitaly service names Trims length and "-" suffix for Gitaly service names for DNS compliance. --- templates/_gitaly.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index c8f3ab53d2..3bdf6a54cc 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -40,7 +40,7 @@ Call: {{- define "gitlab.gitaly.serviceName" -}} {{- $baseName := coalesce .context.Values.serviceName .context.Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" )) -}} {{- $suffix := default "default" .name -}} -{{ printf "%s-%s" $baseName $suffix }} +{{ printf "%s-%s" $baseName $suffix | trunc 63 | trimSuffix "-" }} {{- end -}} {{/* 
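Review bot: `trunc 63 | trimSuffix "-"` makes the Service name length-valid but not unique: two virtual storages whose `<base>-<name>` strings agree in the first 63 characters truncate to the same Service and StatefulSet name, and the chart then renders two objects with one name, which at best fails the install and at worst leaves one storage unaddressable. Because `.name` is also used as a label value and as a DNS label component, failing fast is safer than truncating, e.g. `{{ if gt (len $suffix) 30 }}{{ fail (printf "virtual storage name %q is too long" $suffix) }}{{ end }}` before the `printf`, or a DNS-label regex check. The base name alone cannot collide, so the bound only needs to cover the suffix.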
@@ -54,5 +54,5 @@ Call: */}} {{- define "gitlab.gitaly.qualifiedServiceName" -}} {{- $name := include "gitlab.gitaly.serviceName" (dict "context" .context "name" .name) -}} -{{ printf "%s-%d.%s" $name .index $name }} -{{- end -}} \ No newline at end of file +{{ printf "%s-%d.%s" $name .index $name | trunc 63 | trimSuffix "-" }} +{{- end -}} -- GitLab From e1f9ed4e66e65f327312aef15e668cecb116122d Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 24 Nov 2020 14:26:38 -0500 Subject: [PATCH 42/83] Only add storage label if Praefect enabled Only adds 'storage:' label if Praefect is enabled. This will help by not breaking current installations that do not use Praefect anyway. --- .../gitlab/charts/gitaly/templates/statefulset.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 049fd23c74..c719a5ed58 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -11,13 +11,17 @@ metadata: namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.immutableLabels" $ | nindent 4 }} + {{- if $.Values.global.praefect.enabled }} storage: {{ .name }} + {{- end }} spec: selector: matchLabels: app: {{ template "name" $ }} release: {{ $.Release.Name }} + {{- if $.Values.global.praefect.enabled }} storage: {{ .name }} + {{- end }} serviceName: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} podManagementPolicy: Parallel @@ -31,7 +35,9 @@ spec: labels: app: {{ template "name" $ }} release: {{ $.Release.Name }} + {{- if $.Values.global.praefect.enabled }} storage: {{ .name }} + {{- end }} {{- include "gitlab.podLabels" $ | nindent 8 }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }} 
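Review bot: `printf "%s-%d.%s" $name .index $name | trunc 63 | trimSuffix "-"` truncates a two-label host name (`<svc>-<n>.<svc>`), but the 63-character limit applies to each DNS label separately, not to the dotted name, so for long names this cuts off the service part and yields an address that does not resolve, while short names never needed it. `gitlab.gitaly.serviceName` already bounds the single label, so this line should be just `{{ printf "%s-%d.%s" $name .index $name }}`; the `trimSuffix "-"` becomes unnecessary as well since the string ends in the service name.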
@@ -81,7 +87,9 @@ spec: matchLabels: app: {{ template "name" $ }} release: {{ $.Release.Name }} + {{- if $.Values.global.praefect.enabled }} storage: {{ .name }} + {{- end }} {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }} affinity: podAntiAffinity: @@ -93,7 +101,9 @@ spec: matchLabels: app: {{ template "name" $ }} release: {{ $.Release.Name }} + {{- if $.Values.global.praefect.enabled }} storage: {{ .name }} + {{- end }} {{- end }} {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} @@ -233,7 +243,9 @@ spec: labels: app: {{ template "name" $ }} release: {{ $.Release.Name }} + {{- if $.Values.global.praefect.enabled }} storage: {{ .name }} + {{- end }} annotations: {{- range $key, $value := $.Values.persistence.annotations }} {{ $key }}: {{ $value | quote }} -- GitLab From cc459100532732cc8ab8d19b872b146e21144c52 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 24 Nov 2020 14:32:57 -0500 Subject: [PATCH 43/83] Keep names the same if Praefect disabled Keeps the old name formatting for Gitaly objects if Praefect. This will help by not breaking existing installations. --- charts/gitlab/charts/gitaly/templates/pdb.yaml | 4 ++++ charts/gitlab/charts/gitaly/templates/service.yaml | 4 ++++ charts/gitlab/charts/gitaly/templates/statefulset.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/charts/gitlab/charts/gitaly/templates/pdb.yaml b/charts/gitlab/charts/gitaly/templates/pdb.yaml index 0a8a273afd..a68b8054d4 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb.yaml +++ b/charts/gitlab/charts/gitaly/templates/pdb.yaml 
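Review bot: Guarding the `storage` label with `global.praefect.enabled` breaks the non-Praefect install it is meant to protect: the pod template in this patch's first hunk drops the label, but at this point in the series the Service and PodDisruptionBudget selectors still require `storage: {{ .name }}` unconditionally (see the pdb.yaml hunk in patch 30 and the service.yaml selector removed later in patch 44), so with Praefect disabled the Gitaly Service selects no endpoints and the PDB covers no pods. Either add the same `{{- if $.Values.global.praefect.enabled }}` guard around those two selector entries or keep the label unconditionally everywhere; the guard on the `volumeClaimTemplates` label in the last hunk is harmless either way. The StatefulSet `spec` these hunks belong to starts before them.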
@@ -7,7 +7,11 @@ apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: + {{- if $.Values.global.praefect.enabled }} name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} + {{- else }} + name: {{ template "fullname" $ }} + {{- end }} namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.standardLabels" $ | nindent 4 }} diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index f3db5fae9f..f1a7fbcdde 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml @@ -7,7 +7,11 @@ apiVersion: v1 kind: Service metadata: + {{- if $.Values.global.praefect.enabled }} name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} + {{- else }} + name: {{ include "gitlab.gitaly.serviceName" (dict "context" $) }} + {{- end }} namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.standardLabels" $ | nindent 4 }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index c719a5ed58..b9f3190a55 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -7,7 +7,11 @@ apiVersion: apps/v1 kind: StatefulSet metadata: + {{- if $.Values.global.praefect.enabled }} name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} + {{- else }} + name: {{ include "gitlab.gitaly.serviceName" (dict "context" $) }} + {{- end }} namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.immutableLabels" $ | nindent 4 }} -- GitLab From 5de558e0445f7ab785de9b84aa39fae14a7ff01a Mon Sep 17 00:00:00 2001 
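Review bot: The non-Praefect branch does not restore the old names for the Service and StatefulSet: `include "gitlab.gitaly.serviceName" (dict "context" $)` is called without `name`, and that helper (patch 41) does `$suffix := default "default" .name` and always appends it, so both objects still render as `<base>-default` while only the PDB falls back to `template "fullname" $`. An existing release would therefore still get a renamed StatefulSet on upgrade, which would mean a new `repo-data-<name>-default-0` volume claim rather than the existing data. Either make the helper omit the suffix when `.name` is absent, or use `{{ template "fullname" $ }}` in both non-Praefect branches here as the PDB does.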
From: Mitchell Nielsen Date: Tue, 24 Nov 2020 17:04:04 -0500 Subject: [PATCH 44/83] Separate Gitaly templates when Praefect is enabled Adds separate Gitaly templates when Praefect is enabled. This greatly simplifies the logic required when only one template per resource was defined (lots of `if/else`s). Also adds a couple helper templates to Praefect for serviceName and qualifiedServiceName that build off of Gitaly's helper templates, but add the storage name as a suffix. --- .../gitaly/templates/pdb-with-praefect.yaml | 20 ++ .../gitlab/charts/gitaly/templates/pdb.yaml | 24 +- .../templates/service-with-praefect.yaml | 42 +++ .../charts/gitaly/templates/service.yaml | 55 ++-- .../templates/statefulset-with-praefect.yml | 262 ++++++++++++++++++ .../charts/gitaly/templates/statefulset.yml | 181 +++++------- .../charts/praefect/templates/configmap.yaml | 4 +- charts/gitlab/templates/_praefect.tpl | 27 ++ templates/_gitaly.tpl | 15 +- 9 files changed, 460 insertions(+), 170 deletions(-) create mode 100644 charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml create mode 100644 charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml create mode 100644 charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml diff --git a/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml b/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml new file mode 100644 index 0000000000..1eee5c90ec --- /dev/null +++ b/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml 
@@ -0,0 +1,20 @@ +{{- if and (not .Values.global.gitaly.enabled) .Values.global.praefect.enabled -}} +{{- range .Values.global.praefect.virtualStorages -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "fullname" . }}-{{ .name }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" . | nindent 4 }} + storage: {{ .name }} +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + storage: {{ .name }} +--- +{{- end -}} +{{- end -}} diff --git a/charts/gitlab/charts/gitaly/templates/pdb.yaml b/charts/gitlab/charts/gitaly/templates/pdb.yaml index a68b8054d4..8c10315a30 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb.yaml +++ b/charts/gitlab/charts/gitaly/templates/pdb.yaml @@ -1,27 +1,15 @@ -{{- if .Values.global.gitaly.enabled -}} -{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} -{{- if .Values.global.praefect.enabled -}} -{{- $storages = .Values.global.praefect.virtualStorages -}} -{{- end -}} -{{ range $storages }} +{{- if and .Values.global.gitaly.enabled (not .Values.global.praefect.enabled) -}} apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: - {{- if $.Values.global.praefect.enabled }} - name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} - {{- else }} - name: {{ template "fullname" $ }} - {{- end }} + name: {{ template "fullname" . }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.standardLabels" . | nindent 4 }} spec: - maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }} + maxUnavailable: {{ .Values.maxUnavailable }} selector: matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} ---- -{{- end -}} + app: {{ template "name" . }} + release: {{ .Release.Name }} {{- end -}} 
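Review bot: Inside `range .Values.global.praefect.virtualStorages` the dot is the virtual storage entry, so `template "fullname" .`, `include "gitlab.standardLabels" .`, `.Values.maxUnavailable`, `template "name" .` and `.Release.Name` all dereference the wrong object and the template will fail to render (or emit empty fields); the sibling `service-with-praefect.yaml` in this same patch correctly uses `$` for these. The guard is also inverted — `(not .Values.global.gitaly.enabled)` renders the PDB only when Gitaly is disabled, unlike the `and .Values.global.gitaly.enabled .Values.global.praefect.enabled` condition used by the other two `-with-praefect` templates — and the per-storage `maxUnavailable` override introduced in patch 30 is dropped here. The name should come from `gitlab.praefect.gitaly.serviceName` so it matches the StatefulSet it protects.
```yaml
{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled -}}
{{- range .Values.global.praefect.virtualStorages -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "gitlab.standardLabels" $ | nindent 4 }}
    storage: {{ .name }}
spec:
  maxUnavailable: {{ if hasKey . "maxUnavailable" }}{{ .maxUnavailable }}{{ else }}{{ $.Values.maxUnavailable }}{{ end }}
  selector:
    matchLabels:
      app: {{ template "name" $ }}
      release: {{ $.Release.Name }}
      storage: {{ .name }}
# … unchanged: document separator and the two closing end tags …
```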
diff --git a/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml b/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml new file mode 100644 index 0000000000..3dbb4e2269 --- /dev/null +++ b/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml 
@@ -0,0 +1,42 @@ +{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled -}} +{{- range .Values.global.praefect.virtualStorages -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "gitlab.standardLabels" $ | nindent 4 }} + {{- include "gitlab.serviceLabels" $ | nindent 4 }} + storage: {{ .name }} + annotations: + {{- if $.Values.metrics.enabled }} + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "{{ $.Values.metrics.metricsPort }}" + prometheus.io/scrape: "true" + prometheus.io/port: "{{ $.Values.metrics.metricsPort }}" + {{- end }} + {{- include "gitlab.serviceAnnotations" $ | nindent 4 }} +spec: + type: {{ coalesce $.Values.service.type $.Values.global.gitaly.service.type }} + clusterIP: "None" + ports: + - port: {{ coalesce $.Values.service.externalPort $.Values.global.gitaly.service.externalPort }} + name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }} + targetPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} + {{- if $.Values.metrics.enabled }} + - port: {{ $.Values.metrics.metricsPort }} + name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-metrics + {{- end }} + {{- if $.Values.global.gitaly.tls.enabled }} + - port: {{ coalesce $.Values.service.tls.externalPort $.Values.global.gitaly.service.tls.externalPort }} + name: {{coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-tls + targetPort: {{ coalesce $.Values.service.tls.internalPort $.Values.global.gitaly.service.tls.internalPort }} + {{- end }} + selector: + app: {{ template "name" $ }} + release: {{ $.Release.Name }} + storage: {{ .name }} +--- +{{- end }} +{{- end }} 
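Review bot: `storage: {{ .name }}` is emitted unquoted in both the label and the selector, so a virtual storage named e.g. `on`, `yes`, `1` or `1e3` is retyped by the YAML parser and is likely to fail Kubernetes validation, since label values must be strings. Render it as `storage: {{ .name | quote }}` here and in the matching `statefulset-with-praefect.yml` and PDB templates. The same value also becomes a Service name suffix, so `values.yaml` should state that virtual storage names must be lowercase DNS labels.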
diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index f1a7fbcdde..a2289ecded 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml 
@@ -1,50 +1,37 @@ -{{- if .Values.global.gitaly.enabled -}} -{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} -{{- if .Values.global.praefect.enabled -}} -{{- $storages = .Values.global.praefect.virtualStorages -}} -{{- end -}} -{{ range $storages }} +{{- if and .Values.global.gitaly.enabled (not .Values.global.praefect.enabled) -}} apiVersion: v1 kind: Service metadata: - {{- if $.Values.global.praefect.enabled }} - name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} - {{- else }} - name: {{ include "gitlab.gitaly.serviceName" (dict "context" $) }} - {{- end }} + name: {{ include "gitlab.gitaly.serviceName" . }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.standardLabels" $ | nindent 4 }} - {{- include "gitlab.serviceLabels" $ | nindent 4 }} - storage: {{ .name }} + {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.serviceLabels" . | nindent 4 }} annotations: - {{- if $.Values.metrics.enabled }} + {{- if .Values.metrics.enabled }} gitlab.com/prometheus_scrape: "true" - gitlab.com/prometheus_port: "{{ $.Values.metrics.metricsPort }}" + gitlab.com/prometheus_port: "{{ .Values.metrics.metricsPort }}" prometheus.io/scrape: "true" - prometheus.io/port: "{{ $.Values.metrics.metricsPort }}" + prometheus.io/port: "{{ .Values.metrics.metricsPort }}" {{- end }} - {{- include "gitlab.serviceAnnotations" $ | nindent 4 }} + {{- include "gitlab.serviceAnnotations" . 
| nindent 4 }} spec: - type: {{ coalesce $.Values.service.type $.Values.global.gitaly.service.type }} + type: {{ coalesce .Values.service.type .Values.global.gitaly.service.type }} clusterIP: "None" ports: - - port: {{ coalesce $.Values.service.externalPort $.Values.global.gitaly.service.externalPort }} - name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }} - targetPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} - {{- if $.Values.metrics.enabled }} - - port: {{ $.Values.metrics.metricsPort }} - name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-metrics + - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }} + name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }} + targetPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.metricsPort }} + name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}-metrics {{- end }} - {{- if $.Values.global.gitaly.tls.enabled }} - - port: {{ coalesce $.Values.service.tls.externalPort $.Values.global.gitaly.service.tls.externalPort }} - name: {{coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-tls - targetPort: {{ coalesce $.Values.service.tls.internalPort $.Values.global.gitaly.service.tls.internalPort }} + {{- if .Values.global.gitaly.tls.enabled }} + - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }} + name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls + targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }} {{- end }} selector: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} ---- -{{- end }} + app: {{ template "name" . 
}} + release: {{ .Release.Name }} {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml b/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml new file mode 100644 index 0000000000..0e91aa8572 --- /dev/null +++ b/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml 
@@ -0,0 +1,262 @@
+{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled (not .Values.global.gitaly.host) -}}
+{{- range .Values.global.praefect.virtualStorages -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "gitlab.immutableLabels" $ | nindent 4 }}
+ storage: {{ .name }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ template "name" $ }}
+ release: {{ $.Release.Name }}
+ storage: {{ .name }}
+ serviceName: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }}
+ replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}
+ podManagementPolicy: Parallel
+ {{- if $.Values.global.operator.enabled }}
+ updateStrategy:
+ rollingUpdate:
+ partition: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "name" $ }}
+ release: {{ $.Release.Name }}
+ storage: {{ .name }}
+ {{- include "gitlab.podLabels" $ | nindent 8 }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }}
+ {{- range $key, $value := $.Values.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ spec:
+ {{- if $.Values.tolerations }}
+ tolerations:
+ {{- toYaml $.Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.priorityClassName }}
+ priorityClassName: "{{ $.Values.priorityClassName }}"
+ {{- end }}
+ terminationGracePeriodSeconds: 30
+ initContainers:
+ {{- include "gitlab.extraInitContainers" $ | nindent 8 }}
+ {{- include "gitlab.certificates.initContainer" $ | nindent 8 }}
+ - name: configure
+ command: ['sh', '/config/configure']
+ image: {{ include "gitlab.busybox.image" (dict "local" $.Values.init "global" $.Values.global.busybox) | quote }}
+ env:
+ {{- include "gitlab.extraEnv" $ | nindent 10 }}
+ volumeMounts:
+ {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }}
+ - name: gitaly-config
+ mountPath: /config
+ readOnly: true
+ - name: init-gitaly-secrets
+ mountPath: /init-config
+ readOnly: true
+ - name: gitaly-secrets
+ mountPath: /init-secrets
+ readOnly: false
+ resources:
+ {{- toYaml $.Values.init.resources | nindent 12 }}
+ securityContext:
+ runAsUser: {{ $.Values.securityContext.runAsUser }}
+ fsGroup: {{ $.Values.securityContext.fsGroup }}
+ {{- include "pullsecrets" $.Values.image | indent 6 }}
+ {{- if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "hard" }}
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: "kubernetes.io/hostname"
+ labelSelector:
+ matchLabels:
+ app: {{ template "name" $ }}
+ release: {{ $.Release.Name }}
+ storage: {{ .name }}
+ {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ app: {{ template "name" $ }}
+ release: {{ $.Release.Name }}
+ storage: {{ .name }}
+ {{- end }}
+ {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }}
+ serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }}
+ {{- end }}
+ containers:
+ {{- include "gitlab.extraContainers" $ | nindent 8 }}
+ - name: {{ $.Chart.Name }}
+ image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}"
+ {{ template "gitlab.imagePullPolicy" $ }}
+ ports:
+ - containerPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }}
+ {{- if $.Values.metrics.enabled }}
+ - containerPort: {{ $.Values.metrics.metricsPort }}
+ {{- end }}
+ env:
+ - name: CONFIG_TEMPLATE_DIRECTORY
+ value: '/etc/gitaly/templates'
+ - name: CONFIG_DIRECTORY
+ value: '/etc/gitaly'
+ - name: GITALY_CONFIG_FILE
+ value: '/etc/gitaly/config.toml'
+ - name: SSL_CERT_DIR
+ value: '/etc/ssl/certs'
+ {{- if $.Values.metrics.enabled }}
+ - name: GITALY_PROMETHEUS_LISTEN_ADDR
+ value: ':{{ $.Values.metrics.metricsPort }}'
+ {{- end }}
+ {{- include "gitlab.tracing.env" $ | nindent 12 }}
+ {{- include "gitlab.extraEnv" $ | nindent 12 }}
+ volumeMounts:
+ {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }}
+ {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }}
+ - name: gitaly-config
+ mountPath: '/etc/gitaly/templates'
+ - name: gitaly-secrets
+ mountPath: '/etc/gitlab-secrets'
+ readOnly: true
+ - name: repo-data
+ mountPath: '/home/git/repositories'
+ {{- if and $.Values.persistence.enabled $.Values.persistence.subPath }}
+ subPath: "{{ $.Values.persistence.subPath }}"
+ {{- end }}
+ {{- with $.Values.global.gitaly.hooks }}
+ {{- if .preReceive }}
+ - name: gitaly-hooks-pre-recieve
+ mountPath: "/home/git/custom_hooks/pre-receive.d"
+ {{- end }}
+ {{- if .postReceive }}
+ - name: gitaly-hooks-post-recieve
+ mountPath: "/home/git/custom_hooks/post-receive.d"
+ {{- end }}
+ {{- if .update }}
+ - name: gitaly-hooks-update
+ mountPath: "/home/git/custom_hooks/update.d"
+ {{- end }}
+ {{- end }}
+ livenessProbe:
+ exec:
+ command:
+ - /scripts/healthcheck
+ initialDelaySeconds: 30
+ timeoutSeconds: 3
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - /scripts/healthcheck
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ periodSeconds: 10
+ resources:
+ {{- toYaml $.Values.resources | nindent 12 }}
+ volumes:
+ {{- include "gitlab.extraVolumes" $ | nindent 6 }}
+ - name: gitaly-config
+ configMap:
+ name: {{ template "fullname" $ }}
+ {{- if not $.Values.persistence.enabled }}
+ - name: repo-data
+ emptyDir: {}
+ {{- end }}
+ - name: gitaly-secrets
+ emptyDir:
+ medium: "Memory"
+ - name: init-gitaly-secrets
+ projected:
+ defaultMode: 0440
+ sources:
+ - secret:
+ name: {{ template "gitlab.gitaly.authToken.secret" $ }}
+ items:
+ - key: {{ template "gitlab.gitaly.authToken.key" $ }}
+ path: "gitaly_token"
+ - secret:
+ name: {{ template "gitlab.gitlab-shell.authToken.secret" $ }}
+ items:
+ - key: {{ template "gitlab.gitlab-shell.authToken.key" $ }}
+ path: ".gitlab_shell_secret"
+ {{- if $.Values.global.gitaly.tls.enabled }}
+ - secret:
+ name: {{ template "gitlab.gitaly.tls.secret" $ }}
+ items:
+ - key: "tls.crt"
+ path: "gitaly.crt"
+ - key: "tls.key"
+ path: "gitaly.key"
+ {{- end }}
+ {{- with $.Values.global.gitaly.hooks }}
+ {{- if and .preReceive (has .preReceive .configmap) }}
+ - name: gitaly-hooks-preReceive
+ configMap:
+ name: {{ .preReceive.configmap }}
+ defaultMode: 0555
+ {{- end }}
+ {{- if and .postReceive (has .postReceive .configmap) }}
+ - name: gitaly-hooks-postReceive
+ configMap:
+ name: {{ .postReceive.configmap }}
+ defaultMode: 0555
+ {{- end }}
+ {{- if and .update (hasKey .update "configmap") }}
+ - name: gitaly-hooks-update
+ configMap:
+ name: {{ .update.configmap }}
+ defaultMode: 0555
+ {{- end }}
+ {{- end }}
+ {{- include "gitlab.certificates.volumes" $ | nindent 6 }}
+ {{- if $.Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml $.Values.nodeSelector | nindent 8 }}
+ {{- end -}}
+ {{- if $.Values.persistence.enabled }}
+ volumeClaimTemplates:
+ - metadata:
+ name: repo-data
+ labels:
+ app: {{ template "name" $ }}
+ release: {{ $.Release.Name }}
+ storage: {{ .name }}
+ annotations:
+ {{- range $key, $value := $.Values.persistence.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ spec:
+ accessModes:
+ - {{ $.Values.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ $.Values.persistence.size | quote }}
+ {{- if $.Values.persistence.storageClass }}
+ {{- if (eq "-" $.Values.persistence.storageClass) }}
+ storageClassName: ""
+ {{- else }}
+ storageClassName: "{{ $.Values.persistence.storageClass }}"
+ {{- end -}}
+ {{- end }}
+ selector:
+ {{- if $.Values.persistence.matchLabels }}
+ matchLabels:
+ {{- toYaml $.Values.persistence.matchLabels | nindent 12 }}
+ {{- end -}}
+ {{- if $.Values.persistence.matchExpressions }}
+ matchExpressions:
+ {{- toYaml $.Values.persistence.matchExpressions | nindent 12 }}
+ {{- end -}}
+ {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml
index b9f3190a55..6401587a73 100644
--- a/charts/gitlab/charts/gitaly/templates/statefulset.yml
+++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml
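Review bot: The custom-hooks wiring in the new statefulset-with-praefect.yml is internally inconsistent in a way that looks like it will make the pod fail validation as soon as `global.gitaly.hooks.preReceive` or `postReceive` is set: the container mounts `gitaly-hooks-pre-recieve` / `gitaly-hooks-post-recieve`, but the volumes are declared as `gitaly-hooks-preReceive` / `gitaly-hooks-postReceive` (different spelling, and uppercase letters are not valid in a DNS-1123 volume name), and their guards use `has .preReceive .configmap`, a list-membership test against a `.configmap` that is nil in the `with` scope, whereas the `update` hook correctly uses `hasKey .update "configmap"`. This is copied from the pre-existing statefulset.yml rather than introduced here, but a server-side receive hook that can never mount is the kind of silent policy gap worth closing while the spec is being duplicated. I would align the volume names with the mounts, e.g. `- name: gitaly-hooks-pre-recieve` guarded by `{{- if and .preReceive (hasKey .preReceive "configmap") }}`, and the same for postReceive. Separately, `storage: {{ .name }}` is emitted unquoted in labels, selectors and the PVC template; a storage named `on`, `no` or `1.0` would be typed as a boolean or number by the YAML parser and rejected as a label value, so `storage: {{ .name | quote }}` is safer.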
@@ -1,72 +1,54 @@ -{{- if and .Values.global.gitaly.enabled (not .Values.global.gitaly.host) -}} -{{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} -{{- if .Values.global.praefect.enabled -}} -{{- $storages = .Values.global.praefect.virtualStorages -}} -{{- end -}} -{{ range $storages }} +{{- if and .Values.global.gitaly.enabled (not .Values.global.gitaly.host) (not .Values.global.praefect.enabled) -}} apiVersion: apps/v1 kind: StatefulSet metadata: - {{- if $.Values.global.praefect.enabled }} - name: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} - {{- else }} - name: {{ include "gitlab.gitaly.serviceName" (dict "context" $) }} - {{- end }} + name: {{ template "fullname" . }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.immutableLabels" $ | nindent 4 }} - {{- if $.Values.global.praefect.enabled }} - storage: {{ .name }} - {{- end }} + {{- include "gitlab.immutableLabels" . | nindent 4 }} spec: selector: matchLabels: - app: {{ template "name" $ }} + app: {{ template "name" . }} release: {{ $.Release.Name }} - {{- if $.Values.global.praefect.enabled }} - storage: {{ .name }} - {{- end }} - serviceName: {{ include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} - replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} + serviceName: {{ include "gitlab.gitaly.serviceName" . }} + replicas: {{ include "gitlab.gitaly.replicas" . }} podManagementPolicy: Parallel - {{- if $.Values.global.operator.enabled }} + {{- if .Values.global.operator.enabled }} updateStrategy: rollingUpdate: - partition: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} + partition: {{ include "gitlab.gitaly.replicas" . }} {{- end }} template: metadata: labels: - app: {{ template "name" $ }} + app: {{ template "name" . 
}} release: {{ $.Release.Name }} - {{- if $.Values.global.praefect.enabled }} - storage: {{ .name }} - {{- end }} - {{- include "gitlab.podLabels" $ | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }} - {{- range $key, $value := $.Values.annotations }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} + {{- range $key, $value := .Values.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: - {{- if $.Values.tolerations }} + {{- if .Values.tolerations }} tolerations: - {{- toYaml $.Values.tolerations | nindent 8 }} + {{- toYaml .Values.tolerations | nindent 8 }} {{- end }} - {{- if $.Values.priorityClassName }} - priorityClassName: "{{ $.Values.priorityClassName }}" + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" {{- end }} terminationGracePeriodSeconds: 30 initContainers: - {{- include "gitlab.extraInitContainers" $ | nindent 8 }} - {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} - name: configure command: ['sh', '/config/configure'] - image: {{ include "gitlab.busybox.image" (dict "local" $.Values.init "global" $.Values.global.busybox) | quote }} + image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} env: - {{- include "gitlab.extraEnv" $ | nindent 10 }} + {{- include "gitlab.extraEnv" . | nindent 10 }} volumeMounts: - {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} - name: gitaly-config mountPath: /config readOnly: true 
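Review bot: After removing the `range`, this hunk switches most references from `$` to `.` but leaves `namespace: {{ $.Release.Namespace }}` and `release: {{ $.Release.Name }}` (both in `matchLabels` and in the pod template labels) on `$`, while the later hunks in the same file change the affinity selectors to `.Release.Name`. It renders identically because `$` is the root context outside a loop, but the mixed scoping invites a wrong fix the next time this block is wrapped in one; I would change them to `namespace: {{ .Release.Namespace }}` and `release: {{ .Release.Name }}` for consistency with the rest of the file. The StatefulSet spec continues past this hunk.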
@@ -77,24 +59,21 @@ spec: mountPath: /init-secrets readOnly: false resources: - {{- toYaml $.Values.init.resources | nindent 12 }} + {{- toYaml .Values.init.resources | nindent 12 }} securityContext: - runAsUser: {{ $.Values.securityContext.runAsUser }} - fsGroup: {{ $.Values.securityContext.fsGroup }} - {{- include "pullsecrets" $.Values.image | indent 6 }} - {{- if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "hard" }} + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- include "pullsecrets" .Values.image | indent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - topologyKey: "kubernetes.io/hostname" labelSelector: matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - {{- if $.Values.global.praefect.enabled }} - storage: {{ .name }} - {{- end }} - {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }} + app: {{ template "name" . }} + release: {{ .Release.Name }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: 
@@ -103,24 +82,21 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - {{- if $.Values.global.praefect.enabled }} - storage: {{ .name }} - {{- end }} + app: {{ template "name" . }} + release: {{ .Release.Name }} {{- end }} - {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} - serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} {{- end }} containers: - {{- include "gitlab.extraContainers" $ | nindent 8 }} - - name: {{ $.Chart.Name }} - image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}" - {{ template "gitlab.imagePullPolicy" $ }} + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}" + {{ template "gitlab.imagePullPolicy" . }} ports: - - containerPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} - {{- if $.Values.metrics.enabled }} - - containerPort: {{ $.Values.metrics.metricsPort }} + - containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} + {{- if .Values.metrics.enabled }} + - containerPort: {{ .Values.metrics.metricsPort }} {{- end }} env: - name: CONFIG_TEMPLATE_DIRECTORY 
@@ -131,15 +107,15 @@ spec: value: '/etc/gitaly/config.toml' - name: SSL_CERT_DIR value: '/etc/ssl/certs' - {{- if $.Values.metrics.enabled }} + {{- if .Values.metrics.enabled }} - name: GITALY_PROMETHEUS_LISTEN_ADDR - value: ':{{ $.Values.metrics.metricsPort }}' + value: ':{{ .Values.metrics.metricsPort }}' {{- end }} - {{- include "gitlab.tracing.env" $ | nindent 12 }} - {{- include "gitlab.extraEnv" $ | nindent 12 }} + {{- include "gitlab.tracing.env" . | nindent 12 }} + {{- include "gitlab.extraEnv" . | nindent 12 }} volumeMounts: - {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} - {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} - name: gitaly-config mountPath: '/etc/gitaly/templates' - name: gitaly-secrets @@ -147,10 +123,10 @@ spec: readOnly: true - name: repo-data mountPath: '/home/git/repositories' - {{- if and $.Values.persistence.enabled $.Values.persistence.subPath }} - subPath: "{{ $.Values.persistence.subPath }}" + {{- if and .Values.persistence.enabled .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" {{- end }} - {{- with $.Values.global.gitaly.hooks }} + {{- with .Values.global.gitaly.hooks }} {{- if .preReceive }} - name: gitaly-hooks-pre-recieve mountPath: "/home/git/custom_hooks/pre-receive.d" @@ -179,13 +155,13 @@ spec: timeoutSeconds: 3 periodSeconds: 10 resources: - {{- toYaml $.Values.resources | nindent 12 }} + {{- toYaml .Values.resources | nindent 12 }} volumes: - {{- include "gitlab.extraVolumes" $ | nindent 6 }} + {{- include "gitlab.extraVolumes" . | nindent 6 }} - name: gitaly-config configMap: - name: {{ template "fullname" $ }} - {{- if not $.Values.persistence.enabled }} + name: {{ template "fullname" . }} + {{- if not .Values.persistence.enabled }} - name: repo-data emptyDir: {} {{- end }} 
@@ -197,25 +173,25 @@ spec: defaultMode: 0440 sources: - secret: - name: {{ template "gitlab.gitaly.authToken.secret" $ }} + name: {{ template "gitlab.gitaly.authToken.secret" . }} items: - - key: {{ template "gitlab.gitaly.authToken.key" $ }} + - key: {{ template "gitlab.gitaly.authToken.key" . }} path: "gitaly_token" - secret: - name: {{ template "gitlab.gitlab-shell.authToken.secret" $ }} + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" $ }} + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" - {{- if $.Values.global.gitaly.tls.enabled }} + {{- if .Values.global.gitaly.tls.enabled }} - secret: - name: {{ template "gitlab.gitaly.tls.secret" $ }} + name: {{ template "gitlab.gitaly.tls.secret" . }} items: - key: "tls.crt" path: "gitaly.crt" - key: "tls.key" path: "gitaly.key" {{- end }} - {{- with $.Values.global.gitaly.hooks }} + {{- with .Values.global.gitaly.hooks }} {{- if and .preReceive (has .preReceive .configmap) }} - name: gitaly-hooks-preReceive configMap: 
@@ -235,48 +211,43 @@ spec: defaultMode: 0555 {{- end }} {{- end }} - {{- include "gitlab.certificates.volumes" $ | nindent 6 }} - {{- if $.Values.nodeSelector }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- if .Values.nodeSelector }} nodeSelector: - {{- toYaml $.Values.nodeSelector | nindent 8 }} + {{- toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} - {{- if $.Values.persistence.enabled }} + {{- if .Values.persistence.enabled }} volumeClaimTemplates: - metadata: name: repo-data labels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - {{- if $.Values.global.praefect.enabled }} - storage: {{ .name }} - {{- end }} + app: {{ template "name" . }} + release: {{ .Release.Name }} annotations: - {{- range $key, $value := $.Values.persistence.annotations }} + {{- range $key, $value := .Values.persistence.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: accessModes: - - {{ $.Values.persistence.accessMode | quote }} + - {{ .Values.persistence.accessMode | quote }} resources: requests: - storage: {{ $.Values.persistence.size | quote }} - {{- if $.Values.persistence.storageClass }} - {{- if (eq "-" $.Values.persistence.storageClass) }} + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} storageClassName: "" {{- else }} - storageClassName: "{{ $.Values.persistence.storageClass }}" + storageClassName: "{{ .Values.persistence.storageClass }}" {{- end -}} {{- end }} selector: - {{- if $.Values.persistence.matchLabels }} + {{- if .Values.persistence.matchLabels }} matchLabels: - {{- toYaml $.Values.persistence.matchLabels | nindent 12 }} + {{- toYaml .Values.persistence.matchLabels | nindent 12 }} {{- end -}} - {{- if $.Values.persistence.matchExpressions }} + {{- if .Values.persistence.matchExpressions }} matchExpressions: - {{- toYaml $.Values.persistence.matchExpressions | nindent 12 }} + {{- toYaml 
.Values.persistence.matchExpressions | nindent 12 }} {{- end -}} {{- end }} ---- -{{- end }} {{- end }} diff --git a/charts/gitlab/charts/praefect/templates/configmap.yaml b/charts/gitlab/charts/praefect/templates/configmap.yaml index 2708a545bb..88c0c6135b 100644 --- a/charts/gitlab/charts/praefect/templates/configmap.yaml +++ b/charts/gitlab/charts/praefect/templates/configmap.yaml @@ -60,8 +60,8 @@ data: name = '{{ $storageName }}' {{- range until (.gitalyReplicas | int) }} [[virtual_storage.node]] - {{- $podName := include "gitlab.gitaly.serviceName" (dict "context" $globalContext "name" $storageName) -}} - {{- $podAddress := include "gitlab.gitaly.qualifiedServiceName" (dict "context" $globalContext "index" . "name" $storageName) }} + {{- $podName := include "gitlab.praefect.gitaly.serviceName" (dict "context" $globalContext "name" $storageName) -}} + {{- $podAddress := include "gitlab.praefect.gitaly.qualifiedServiceName" (dict "context" $globalContext "index" . "name" $storageName) }} storage = '{{ $podName }}-{{ . }}' address = '{{ printf "tcp://%s.%s:%g" $podAddress $globalContext.Release.Namespace $port }}' token = "<%= gitaly_token %>" diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index a0d4145851..e9e8ee980b 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl 
@@ -16,3 +16,30 @@ Return the resolvable name of the praefect service {{- define "gitlab.praefect.serviceName" -}} {{ $.Release.Name }}-praefect {{- end -}} + +{{/* +Return the service name for Gitaly when Praefect is enabled + +Call: + +``` +include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) +``` +*/}} +{{- define "gitlab.praefect.gitaly.serviceName" -}} +{{ include "gitlab.gitaly.serviceName" .context }}-{{ .name }} +{{- end -}} + +{{/* +Return the qualified service name for a given Gitaly pod. + +Call: + +``` +include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "index" $i "name" .name) +``` +*/}} +{{- define "gitlab.praefect.gitaly.qualifiedServiceName" -}} +{{- $name := include "gitlab.praefect.gitaly.serviceName" (dict "context" .context "name" .name) -}} +{{ $name }}-{{ .index }}.{{ $name }} +{{- end -}} diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 3bdf6a54cc..423daef4eb 100644 --- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -31,16 +31,9 @@ Order of operations: - global gitaly service name override - derived from chart name -Call: - -``` -{{- include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) -}} -``` */}} {{- define "gitlab.gitaly.serviceName" -}} -{{- $baseName := coalesce .context.Values.serviceName .context.Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" )) -}} -{{- $suffix := default "default" .name -}} -{{ printf "%s-%s" $baseName $suffix | trunc 63 | trimSuffix "-" }} +{{- coalesce ( .Values.serviceName ) .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} {{- end -}} {{/* 
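Review bot: `gitlab.praefect.gitaly.serviceName` drops the `trunc 63 | trimSuffix "-"` that the removed per-storage form of `gitlab.gitaly.serviceName` applied, so the StatefulSet, headless Service and PDB names and the per-pod hostnames built from it (`<name>-<index>.<name>` in `gitlab.praefect.gitaly.qualifiedServiceName`) are no longer bounded; a long release name plus a virtual storage name can exceed the 63-character DNS-label limit and be rejected by the API server. The praefect configmap derives both its `storage =` entries and the `address =` it dials from this same helper, so the bound should live here rather than in any one consumer: `{{ printf "%s-%s" (include "gitlab.gitaly.serviceName" .context) .name | trunc 63 | trimSuffix "-" }}`. The qualified name's pod component then inherits the same bound, which keeps what praefect is told and what the StatefulSet actually creates in agreement.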
@@ -49,10 +42,10 @@ Return a qualified gitaly service name, for direct access to the gitaly headless Call: ``` -{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i "name" .name) -}} +{{- include "gitlab.gitaly.qualifiedServiceName" (dict "context" . "index" $i) -}} ``` */}} {{- define "gitlab.gitaly.qualifiedServiceName" -}} -{{- $name := include "gitlab.gitaly.serviceName" (dict "context" .context "name" .name) -}} -{{ printf "%s-%d.%s" $name .index $name | trunc 63 | trimSuffix "-" }} +{{- $name := include "gitlab.gitaly.serviceName" .context -}} +{{ include "gitlab.other.fullname" (dict "context" .context "chartName" "gitaly" ) }}-{{ .index }}.{{ $name }} {{- end -}} -- GitLab From 81d0eb05026dfa4c3635c72a8c661dd420769051 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 24 Nov 2020 18:35:04 -0500 Subject: [PATCH 45/83] Separate logic for pause job if Praefect on Separates the logic in the pause job for Gitaly statefulsets if Praefect is on or off. This follows the pattern where we had a separate template for Praefect on vs off, but in this case we need only one job because it's consumed by the operator. --- charts/gitlab/charts/gitaly/templates/pause_job.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/pause_job.yaml b/charts/gitlab/charts/gitaly/templates/pause_job.yaml index 68fa3bc3b2..e38a986ec0 100644 --- a/charts/gitlab/charts/gitaly/templates/pause_job.yaml +++ b/charts/gitlab/charts/gitaly/templates/pause_job.yaml 
@@ -79,12 +79,13 @@ spec: - "sh" - "-c" - | - {{- $storages := (dict "name" (.Values.global.gitaly.internal.names | first)) | list -}} {{- if .Values.global.praefect.enabled -}} - {{- $storages = .Values.global.praefect.virtualStorages -}} - {{- end -}} - {{ range $storages }} + {{ range .Values.global.praefect.virtualStorages }} echo Number of Gitaly replicas for storage {{ .name }} is {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}; - kubectl patch statefulset {{include "gitlab.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }';" + kubectl patch statefulset {{include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }'; + {{- end }} + {{- else }} + echo Number of Gitaly replicas is {{include "gitlab.gitaly.replicas" . }}; + kubectl patch statefulset {{include "fullname" . }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{include "gitlab.gitaly.replicas" . }}} } } }' {{- end }} {{- end }} -- GitLab From c005c9bbdf33184cfe6f2cd83dee1376c5dedc16 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 24 Nov 2020 18:36:01 -0500 Subject: [PATCH 46/83] Fix logic and scope for PDB with praefect Fixes the logic for when to include the template and adjusts the scope accordingly. --- .../charts/gitaly/templates/pdb-with-praefect.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml b/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml index 1eee5c90ec..981a7b7815 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml +++ b/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml 
@@ -1,19 +1,19 @@ -{{- if and (not .Values.global.gitaly.enabled) .Values.global.praefect.enabled -}} +{{- if and .Values.global.gitaly.enabled .Values.global.praefect.enabled -}} {{- range .Values.global.praefect.virtualStorages -}} apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: - name: {{ template "fullname" . }}-{{ .name }} + name: {{ template "fullname" $ }}-{{ .name }} namespace: {{ $.Release.Namespace }} labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} + {{- include "gitlab.standardLabels" $ | nindent 4 }} storage: {{ .name }} spec: - maxUnavailable: {{ .Values.maxUnavailable }} + maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }} selector: matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} + app: {{ template "name" $ }} + release: {{ $.Release.Name }} storage: {{ .name }} --- {{- end -}} -- GitLab From df3611fbed6efea898f5e1a8b900e6b744de0e28 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 24 Nov 2020 18:37:38 -0500 Subject: [PATCH 47/83] Rename variables for clarity Renames some variables in the Praefect spec to more clearly represent the condition. --- spec/configuration/praefect_spec.rb | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/spec/configuration/praefect_spec.rb b/spec/configuration/praefect_spec.rb index eda053987e..1b86893c2d 100644 --- a/spec/configuration/praefect_spec.rb +++ b/spec/configuration/praefect_spec.rb @@ -53,7 +53,7 @@ describe 'Praefect configuration' do }.deep_merge(default_values) end - let(:gitaly_resources_default) do + let(:gitaly_resources) do [ 'PodDisruptionBudget/test-gitaly-default', 'ConfigMap/test-gitaly', @@ -75,7 +75,7 @@ describe 'Praefect configuration' do end it 'renders one set of Gitaly resources' do - gitaly_resources_default.each do |r| + gitaly_resources.each do |r| expect(template.dig(r)).to be_truthy end end 
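Review bot: `maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }}` cannot express a per-storage `maxUnavailable: 0`, because sprig's `default` treats `0` as empty and silently falls back to the chart-wide value; `0` is exactly the strictest budget an operator would set for a virtual storage whose replicas they do not want evicted during node drains. Use a key-presence check instead: `maxUnavailable: {{ if hasKey . "maxUnavailable" }}{{ .maxUnavailable }}{{ else }}{{ $.Values.maxUnavailable }}{{ end }}`. The outer `{{- if }}` appears to close outside the hunk.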
@@ -100,13 +100,12 @@ describe 'Praefect configuration' do }.deep_merge(values_praefect_enabled) end - let(:gitaly_resources_multiple) do + let(:gitaly_resources_with_multiple_storages) do [ 'PodDisruptionBudget/test-gitaly-vs2', - 'ConfigMap/test-gitaly', 'Service/test-gitaly-vs2', 'StatefulSet/test-gitaly-vs2', - ].concat(gitaly_resources_default) + ].concat(gitaly_resources) end let(:template) { HelmTemplate.new(values_multiple_virtual_storages) } @@ -116,7 +115,7 @@ describe 'Praefect configuration' do end it 'generates Gitaly resources per virtual storage' do - gitaly_resources_multiple.each do |r| + gitaly_resources_with_multiple_storages.each do |r| expect(template.dig(r)).to be_truthy end end -- GitLab From 989dc498d6404fe1e256287158181d6b80be4c29 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 30 Nov 2020 13:55:19 -0500 Subject: [PATCH 48/83] Restore default Gitaly PVC name in docs Restores the standard Gitaly PVC name in the docs, but keeps the additional note on the PVC names if using multiple virtual storages. --- doc/installation/storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/installation/storage.md b/doc/installation/storage.md index 98a56c3e50..a67cfea282 100644 --- a/doc/installation/storage.md +++ b/doc/installation/storage.md @@ -132,7 +132,7 @@ The GitLab Cloud Native Chart determines the `statefulset-name` using: - ``` -The correct name for the Gitaly PersistentVolumeClaim is: `repo-data-gitlab-gitaly-default-0`. +The correct name for the Gitaly PersistentVolumeClaim is: `repo-data-gitlab-gitaly-0`. > **Note**: If using Praefect with multiple Virtual Storages, you will need one PersistentVolumeClaim > per Gitaly replica per Virtual Storage defined. For example, if you have `default` and `vs2` Virtual -- GitLab From 4b27d3fb6a0d82dd4a1ca9b4dff21606de25f3b5 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Mon, 30 Nov 2020 14:21:00 -0500 Subject: [PATCH 49/83] Fix template name in example Fixes the template name in the example comment. --- charts/gitlab/templates/_praefect.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/templates/_praefect.tpl b/charts/gitlab/templates/_praefect.tpl index e9e8ee980b..7a20dcd31e 100644 --- a/charts/gitlab/templates/_praefect.tpl +++ b/charts/gitlab/templates/_praefect.tpl @@ -36,7 +36,7 @@ Return the qualified service name for a given Gitaly pod. Call: ``` -include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "index" $i "name" .name) +include "gitlab.praefect.gitaly.qualifiedServiceName" (dict "context" $ "index" $i "name" .name) ``` */}} {{- define "gitlab.praefect.gitaly.qualifiedServiceName" -}} -- GitLab From ac041b5d5bb04fd435b6274982ffc8a66d9cc015 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 30 Nov 2020 17:14:18 -0500 Subject: [PATCH 50/83] Move StatefulSet spec to underscore tempalte - Moves the Gitaly StatefulSet `spec` to an underscore template to avoid repetition - Includes the `spec` underscore template in the Gitaly statefulsets with and without Praefect, adjusting the context as needed givent hat the 'with Praefect' statefulset uses `range` --- .../gitaly/templates/_statefulset_spec.yaml | 271 ++++++++++++++++++ .../templates/statefulset-with-praefect.yml | 250 +--------------- .../charts/gitaly/templates/statefulset.yml | 251 +--------------- 3 files changed, 273 insertions(+), 499 deletions(-) create mode 100644 charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml new file mode 100644 index 0000000000..ddfe8341e0 --- /dev/null +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
@@ -0,0 +1,271 @@ +{{- $praefect := .context.Values.global.praefect.enabled -}} +spec: + selector: + matchLabels: + app: {{ template "name" .context }} + release: {{ .context.Release.Name }} + {{- if $praefect }} + storage: {{ .storage.name }} + {{- end }} + {{- if $praefect }} + serviceName: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" .context "name" .storage.name) }} + {{- else }} + serviceName: {{ include "gitlab.gitaly.serviceName" .context }} + {{- end }} + {{- if $praefect }} + replicas: {{ default (include "gitlab.gitaly.replicas" .context) .storage.gitalyReplicas }} + {{- else }} + replicas: {{ include "gitlab.gitaly.replicas" .context }} + {{- end }} + podManagementPolicy: Parallel + {{- if .context.Values.global.operator.enabled }} + updateStrategy: + rollingUpdate: + partition: {{ include "gitlab.gitaly.replicas" .context }} + {{- end }} + template: + metadata: + labels: + app: {{ template "name" .context }} + release: {{ .context.Release.Name }} + {{- if $praefect }} + storage: {{ .storage.name }} + {{- end }} + {{- include "gitlab.podLabels" .context | nindent 8 }} + annotations: + checksum/config: {{ include (print .context.Template.BasePath "/configmap.yml") .context | sha256sum }} + {{- range $key, $value := .context.Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .context.Values.tolerations }} + tolerations: + {{- toYaml .context.Values.tolerations | nindent 8 }} + {{- end }} + {{- if .context.Values.priorityClassName }} + priorityClassName: "{{ .context.Values.priorityClassName }}" + {{- end }} + terminationGracePeriodSeconds: 30 + initContainers: + {{- include "gitlab.extraInitContainers" .context | nindent 8 }} + {{- include "gitlab.certificates.initContainer" .context | nindent 8 }} + - name: configure + command: ['sh', '/config/configure'] + image: {{ include "gitlab.busybox.image" (dict "local" .context.Values.init "global" .context.Values.global.busybox) | quote }} + env: + {{- 
include "gitlab.extraEnv" .context | nindent 10 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" .context | nindent 10 }} + - name: gitaly-config + mountPath: /config + readOnly: true + - name: init-gitaly-secrets + mountPath: /init-config + readOnly: true + - name: gitaly-secrets + mountPath: /init-secrets + readOnly: false + resources: + {{- toYaml .context.Values.init.resources | nindent 12 }} + {{- if .context.Values.securityContext }} + securityContext: + {{- if not (empty .context.Values.securityContext.runAsUser) }} + runAsUser: {{ .context.Values.securityContext.runAsUser }} + {{- end }} + {{- if not (empty .context.Values.securityContext.fsGroup) }} + fsGroup: {{ .context.Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- include "pullsecrets" .context.Values.image | indent 6 }} + {{- if eq (default .context.Values.global.antiAffinity .context.Values.antiAffinity) "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: + app: {{ template "name" .context }} + release: {{ .context.Release.Name }} + {{- if $praefect }} + storage: {{ .storage.name }} + {{- end }} + {{- else if eq (default .context.Values.global.antiAffinity .context.Values.antiAffinity) "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: {{ template "name" .context }} + release: {{ .context.Release.Name }} + {{- if $praefect }} + storage: {{ .storage.name }} + {{- end }} + {{- end }} + {{- if or .context.Values.serviceAccount.enabled .context.Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" .context }} + {{- end }} + containers: + {{- include "gitlab.extraContainers" .context | nindent 8 }} + - name: {{ .context.Chart.Name }} + image: "{{ 
.context.Values.image.repository }}:{{ coalesce .context.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .context.Chart.AppVersion "prepend" "true")) }}" + {{ template "gitlab.imagePullPolicy" .context }} + ports: + - containerPort: {{ coalesce .context.Values.service.internalPort .context.Values.global.gitaly.service.internalPort }} + {{- if .context.Values.metrics.enabled }} + - containerPort: {{ .context.Values.metrics.metricsPort }} + {{- end }} + env: + - name: CONFIG_TEMPLATE_DIRECTORY + value: '/etc/gitaly/templates' + - name: CONFIG_DIRECTORY + value: '/etc/gitaly' + - name: GITALY_CONFIG_FILE + value: '/etc/gitaly/config.toml' + - name: SSL_CERT_DIR + value: '/etc/ssl/certs' + {{- if .context.Values.metrics.enabled }} + - name: GITALY_PROMETHEUS_LISTEN_ADDR + value: ':{{ .context.Values.metrics.metricsPort }}' + {{- end }} + {{- include "gitlab.tracing.env" .context | nindent 12 }} + {{- include "gitlab.extraEnv" .context | nindent 12 }} + volumeMounts: + {{- include "gitlab.extraVolumeMounts" .context | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" .context | nindent 12 }} + - name: gitaly-config + mountPath: '/etc/gitaly/templates' + - name: gitaly-secrets + mountPath: '/etc/gitlab-secrets' + readOnly: true + - name: repo-data + mountPath: '/home/git/repositories' + {{- if and .context.Values.persistence.enabled .context.Values.persistence.subPath }} + subPath: "{{ .context.Values.persistence.subPath }}" + {{- end }} + {{- with .context.Values.global.gitaly.hooks }} + {{- if .preReceive }} + - name: gitaly-hooks-pre-recieve + mountPath: "/home/git/custom_hooks/pre-receive.d" + {{- end }} + {{- if .postReceive }} + - name: gitaly-hooks-post-recieve + mountPath: "/home/git/custom_hooks/post-receive.d" + {{- end }} + {{- if .update }} + - name: gitaly-hooks-update + mountPath: "/home/git/custom_hooks/update.d" + {{- end }} + {{- end }} + livenessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: 
30 + timeoutSeconds: 3 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /scripts/healthcheck + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 10 + resources: + {{- toYaml .context.Values.resources | nindent 12 }} + volumes: + {{- include "gitlab.extraVolumes" .context | nindent 6 }} + - name: gitaly-config + configMap: + name: {{ template "fullname" .context }} + {{- if not .context.Values.persistence.enabled }} + - name: repo-data + emptyDir: {} + {{- end }} + - name: gitaly-secrets + emptyDir: + medium: "Memory" + - name: init-gitaly-secrets + projected: + defaultMode: 0440 + sources: + - secret: + name: {{ template "gitlab.gitaly.authToken.secret" .context }} + items: + - key: {{ template "gitlab.gitaly.authToken.key" .context }} + path: "gitaly_token" + - secret: + name: {{ template "gitlab.gitlab-shell.authToken.secret" .context }} + items: + - key: {{ template "gitlab.gitlab-shell.authToken.key" .context }} + path: ".gitlab_shell_secret" + {{- if .context.Values.global.gitaly.tls.enabled }} + - secret: + name: {{ template "gitlab.gitaly.tls.secret" .context }} + items: + - key: "tls.crt" + path: "gitaly.crt" + - key: "tls.key" + path: "gitaly.key" + {{- end }} + {{- with .context.Values.global.gitaly.hooks }} + {{- if and .preReceive (has .preReceive .configmap) }} + - name: gitaly-hooks-preReceive + configMap: + name: {{ .preReceive.configmap }} + defaultMode: 0555 + {{- end }} + {{- if and .postReceive (has .postReceive .configmap) }} + - name: gitaly-hooks-postReceive + configMap: + name: {{ .postReceive.configmap }} + defaultMode: 0555 + {{- end }} + {{- if and .update (hasKey .update "configmap") }} + - name: gitaly-hooks-update + configMap: + name: {{ .update.configmap }} + defaultMode: 0555 + {{- end }} + {{- end }} + {{- include "gitlab.certificates.volumes" .context | nindent 6 }} + {{- if .context.Values.nodeSelector }} + nodeSelector: + {{- toYaml .context.Values.nodeSelector | nindent 8 }} + {{- end -}} + {{- if 
.context.Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: repo-data + labels: + app: {{ template "name" .context }} + release: {{ .context.Release.Name }} + annotations: + {{- range $key, $value := .context.Values.persistence.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: + - {{ .context.Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .context.Values.persistence.size | quote }} + {{- if .context.Values.persistence.storageClass }} + {{- if (eq "-" .context.Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .context.Values.persistence.storageClass }}" + {{- end -}} + {{- end }} + selector: + {{- if .context.Values.persistence.matchLabels }} + matchLabels: + {{- toYaml .context.Values.persistence.matchLabels | nindent 12 }} + {{- end -}} + {{- if .context.Values.persistence.matchExpressions }} + matchExpressions: + {{- toYaml .context.Values.persistence.matchExpressions | nindent 12 }} + {{- end -}} + {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml b/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml index 0e91aa8572..14b643c730 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml 
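Review bot: The consolidated spec drops two praefect-specific details that the `statefulset-with-praefect.yml` it replaces carried: under `updateStrategy.rollingUpdate` the new `partition` is unconditionally `include "gitlab.gitaly.replicas" .context`, where the old file used `default (include "gitlab.gitaly.replicas" $) .gitalyReplicas`, so with the operator enabled a virtual storage that sets its own `gitalyReplicas` gets a partition that no longer matches its `replicas`; and the `volumeClaimTemplates` labels no longer include `storage: {{ .storage.name }}`. The label drop deserves a second look on its own, because `volumeClaimTemplates` is immutable on an existing StatefulSet, so a changed PVC template makes `helm upgrade` fail for any release that already rendered the praefect variant with that label — whether such releases exist depends on what shipped before this series, which is not visible here. Both pieces belong behind the `$praefect` switch the file already uses elsewhere, as below.
```yaml
  {{- if .context.Values.global.operator.enabled }}
  updateStrategy:
    rollingUpdate:
      {{- if $praefect }}
      partition: {{ default (include "gitlab.gitaly.replicas" .context) .storage.gitalyReplicas }}
      {{- else }}
      partition: {{ include "gitlab.gitaly.replicas" .context }}
      {{- end }}
  {{- end }}
  # … unchanged: template, volumes, persistence guard …
  volumeClaimTemplates:
    - metadata:
        name: repo-data
        labels:
          app: {{ template "name" .context }}
          release: {{ .context.Release.Name }}
          {{- if $praefect }}
          storage: {{ .storage.name }}
          {{- end }}
  # … unchanged: annotations, spec …
```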
@@ -8,255 +8,7 @@ metadata: labels: {{- include "gitlab.immutableLabels" $ | nindent 4 }} storage: {{ .name }} -spec: - selector: - matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} - serviceName: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} - replicas: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} - podManagementPolicy: Parallel - {{- if $.Values.global.operator.enabled }} - updateStrategy: - rollingUpdate: - partition: {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }} - {{- end }} - template: - metadata: - labels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} - {{- include "gitlab.podLabels" $ | nindent 8 }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") $ | sha256sum }} - {{- range $key, $value := $.Values.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - {{- if $.Values.tolerations }} - tolerations: - {{- toYaml $.Values.tolerations | nindent 8 }} - {{- end }} - {{- if $.Values.priorityClassName }} - priorityClassName: "{{ $.Values.priorityClassName }}" - {{- end }} - terminationGracePeriodSeconds: 30 - initContainers: - {{- include "gitlab.extraInitContainers" $ | nindent 8 }} - {{- include "gitlab.certificates.initContainer" $ | nindent 8 }} - - name: configure - command: ['sh', '/config/configure'] - image: {{ include "gitlab.busybox.image" (dict "local" $.Values.init "global" $.Values.global.busybox) | quote }} - env: - {{- include "gitlab.extraEnv" $ | nindent 10 }} - volumeMounts: - {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }} - - name: gitaly-config - mountPath: /config - readOnly: true - - name: init-gitaly-secrets - mountPath: /init-config - readOnly: true - - name: gitaly-secrets - mountPath: /init-secrets - readOnly: false - resources: - {{- toYaml $.Values.init.resources | nindent 12 }} - securityContext: - 
runAsUser: {{ $.Values.securityContext.runAsUser }} - fsGroup: {{ $.Values.securityContext.fsGroup }} - {{- include "pullsecrets" $.Values.image | indent 6 }} - {{- if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} - {{- else if eq (default $.Values.global.antiAffinity $.Values.antiAffinity) "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} - {{- end }} - {{- if or $.Values.serviceAccount.enabled $.Values.global.serviceAccount.enabled }} - serviceAccountName: {{ include "gitlab.serviceAccount.name" $ }} - {{- end }} - containers: - {{- include "gitlab.extraContainers" $ | nindent 8 }} - - name: {{ $.Chart.Name }} - image: "{{ $.Values.image.repository }}:{{ coalesce $.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" $.Chart.AppVersion "prepend" "true")) }}" - {{ template "gitlab.imagePullPolicy" $ }} - ports: - - containerPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} - {{- if $.Values.metrics.enabled }} - - containerPort: {{ $.Values.metrics.metricsPort }} - {{- end }} - env: - - name: CONFIG_TEMPLATE_DIRECTORY - value: '/etc/gitaly/templates' - - name: CONFIG_DIRECTORY - value: '/etc/gitaly' - - name: GITALY_CONFIG_FILE - value: '/etc/gitaly/config.toml' - - name: SSL_CERT_DIR - value: '/etc/ssl/certs' - {{- if $.Values.metrics.enabled }} - - name: GITALY_PROMETHEUS_LISTEN_ADDR - value: ':{{ $.Values.metrics.metricsPort }}' - {{- end }} - {{- include "gitlab.tracing.env" $ | nindent 12 }} - {{- include 
"gitlab.extraEnv" $ | nindent 12 }} - volumeMounts: - {{- include "gitlab.extraVolumeMounts" $ | nindent 12 }} - {{- include "gitlab.certificates.volumeMount" $ | nindent 12 }} - - name: gitaly-config - mountPath: '/etc/gitaly/templates' - - name: gitaly-secrets - mountPath: '/etc/gitlab-secrets' - readOnly: true - - name: repo-data - mountPath: '/home/git/repositories' - {{- if and $.Values.persistence.enabled $.Values.persistence.subPath }} - subPath: "{{ $.Values.persistence.subPath }}" - {{- end }} - {{- with $.Values.global.gitaly.hooks }} - {{- if .preReceive }} - - name: gitaly-hooks-pre-recieve - mountPath: "/home/git/custom_hooks/pre-receive.d" - {{- end }} - {{- if .postReceive }} - - name: gitaly-hooks-post-recieve - mountPath: "/home/git/custom_hooks/post-receive.d" - {{- end }} - {{- if .update }} - - name: gitaly-hooks-update - mountPath: "/home/git/custom_hooks/update.d" - {{- end }} - {{- end }} - livenessProbe: - exec: - command: - - /scripts/healthcheck - initialDelaySeconds: 30 - timeoutSeconds: 3 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /scripts/healthcheck - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - resources: - {{- toYaml $.Values.resources | nindent 12 }} - volumes: - {{- include "gitlab.extraVolumes" $ | nindent 6 }} - - name: gitaly-config - configMap: - name: {{ template "fullname" $ }} - {{- if not $.Values.persistence.enabled }} - - name: repo-data - emptyDir: {} - {{- end }} - - name: gitaly-secrets - emptyDir: - medium: "Memory" - - name: init-gitaly-secrets - projected: - defaultMode: 0440 - sources: - - secret: - name: {{ template "gitlab.gitaly.authToken.secret" $ }} - items: - - key: {{ template "gitlab.gitaly.authToken.key" $ }} - path: "gitaly_token" - - secret: - name: {{ template "gitlab.gitlab-shell.authToken.secret" $ }} - items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" $ }} - path: ".gitlab_shell_secret" - {{- if $.Values.global.gitaly.tls.enabled }} - - secret: - 
name: {{ template "gitlab.gitaly.tls.secret" $ }} - items: - - key: "tls.crt" - path: "gitaly.crt" - - key: "tls.key" - path: "gitaly.key" - {{- end }} - {{- with $.Values.global.gitaly.hooks }} - {{- if and .preReceive (has .preReceive .configmap) }} - - name: gitaly-hooks-preReceive - configMap: - name: {{ .preReceive.configmap }} - defaultMode: 0555 - {{- end }} - {{- if and .postReceive (has .postReceive .configmap) }} - - name: gitaly-hooks-postReceive - configMap: - name: {{ .postReceive.configmap }} - defaultMode: 0555 - {{- end }} - {{- if and .update (hasKey .update "configmap") }} - - name: gitaly-hooks-update - configMap: - name: {{ .update.configmap }} - defaultMode: 0555 - {{- end }} - {{- end }} - {{- include "gitlab.certificates.volumes" $ | nindent 6 }} - {{- if $.Values.nodeSelector }} - nodeSelector: - {{- toYaml $.Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if $.Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: repo-data - labels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} - annotations: - {{- range $key, $value := $.Values.persistence.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - accessModes: - - {{ $.Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ $.Values.persistence.size | quote }} - {{- if $.Values.persistence.storageClass }} - {{- if (eq "-" $.Values.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ $.Values.persistence.storageClass }}" - {{- end -}} - {{- end }} - selector: - {{- if $.Values.persistence.matchLabels }} - matchLabels: - {{- toYaml $.Values.persistence.matchLabels | nindent 12 }} - {{- end -}} - {{- if $.Values.persistence.matchExpressions }} - matchExpressions: - {{- toYaml $.Values.persistence.matchExpressions | nindent 12 }} - {{- end -}} - {{- end }} +{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") (dict "context" $ "storage" .) 
}} --- {{- end }} {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 4f7bd99f32..78c4aeb995 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml 
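Review bot: The spec is pulled in by file path, `include (print $.Template.BasePath "/_statefulset_spec.yaml")`, while every other partial this chart reaches for is a `define`d name (`gitlab.praefect.gitaly.serviceName`, `gitlab.gitaly.serviceName`, `name`); wrapping the new file's body in `{{- define "gitlab.gitaly.statefulset.spec" -}} … {{- end -}}` and including it by that name keeps this caller and the one in `statefulset.yml` (next hunk) independent of the template directory layout. The same line builds the `(dict "context" $ "storage" .)` the partial depends on, so a short header comment in the partial naming those two keys would spare the next reader a trip back here. The enclosing `range` block starts outside the hunk.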
@@ -6,254 +6,5 @@ metadata: namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.immutableLabels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: {{ template "name" . }} - release: {{ $.Release.Name }} - serviceName: {{ include "gitlab.gitaly.serviceName" . }} - replicas: {{ include "gitlab.gitaly.replicas" . }} - podManagementPolicy: Parallel - {{- if .Values.global.operator.enabled }} - updateStrategy: - rollingUpdate: - partition: {{ include "gitlab.gitaly.replicas" . }} - {{- end }} - template: - metadata: - labels: - app: {{ template "name" . }} - release: {{ $.Release.Name }} - {{- include "gitlab.podLabels" . | nindent 8 }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }} - {{- range $key, $value := .Values.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - {{- if .Values.tolerations }} - tolerations: - {{- toYaml .Values.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - terminationGracePeriodSeconds: 30 - initContainers: - {{- include "gitlab.extraInitContainers" . | nindent 8 }} - {{- include "gitlab.certificates.initContainer" . | nindent 8 }} - - name: configure - command: ['sh', '/config/configure'] - image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} - env: - {{- include "gitlab.extraEnv" . | nindent 10 }} - volumeMounts: - {{- include "gitlab.extraVolumeMounts" . 
| nindent 10 }} - - name: gitaly-config - mountPath: /config - readOnly: true - - name: init-gitaly-secrets - mountPath: /init-config - readOnly: true - - name: gitaly-secrets - mountPath: /init-secrets - readOnly: false - resources: - {{- toYaml .Values.init.resources | nindent 12 }} - {{- if .Values.securityContext }} - securityContext: - {{- if not (empty .Values.securityContext.runAsUser) }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - {{- if not (empty .Values.securityContext.fsGroup) }} - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- end }} - {{- include "pullsecrets" .Values.image | indent 6 }} - {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - {{- end }} - {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} - serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} - {{- end }} - containers: - {{- include "gitlab.extraContainers" . | nindent 8 }} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}" - {{ template "gitlab.imagePullPolicy" . 
}} - ports: - - containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} - {{- if .Values.metrics.enabled }} - - containerPort: {{ .Values.metrics.metricsPort }} - {{- end }} - env: - - name: CONFIG_TEMPLATE_DIRECTORY - value: '/etc/gitaly/templates' - - name: CONFIG_DIRECTORY - value: '/etc/gitaly' - - name: GITALY_CONFIG_FILE - value: '/etc/gitaly/config.toml' - - name: SSL_CERT_DIR - value: '/etc/ssl/certs' - {{- if .Values.metrics.enabled }} - - name: GITALY_PROMETHEUS_LISTEN_ADDR - value: ':{{ .Values.metrics.metricsPort }}' - {{- end }} - {{- include "gitlab.tracing.env" . | nindent 12 }} - {{- include "gitlab.extraEnv" . | nindent 12 }} - volumeMounts: - {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} - {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} - - name: gitaly-config - mountPath: '/etc/gitaly/templates' - - name: gitaly-secrets - mountPath: '/etc/gitlab-secrets' - readOnly: true - - name: repo-data - mountPath: '/home/git/repositories' - {{- if and .Values.persistence.enabled .Values.persistence.subPath }} - subPath: "{{ .Values.persistence.subPath }}" - {{- end }} - {{- with .Values.global.gitaly.hooks }} - {{- if .preReceive }} - - name: gitaly-hooks-pre-recieve - mountPath: "/home/git/custom_hooks/pre-receive.d" - {{- end }} - {{- if .postReceive }} - - name: gitaly-hooks-post-recieve - mountPath: "/home/git/custom_hooks/post-receive.d" - {{- end }} - {{- if .update }} - - name: gitaly-hooks-update - mountPath: "/home/git/custom_hooks/update.d" - {{- end }} - {{- end }} - livenessProbe: - exec: - command: - - /scripts/healthcheck - initialDelaySeconds: 30 - timeoutSeconds: 3 - periodSeconds: 10 - readinessProbe: - exec: - command: - - /scripts/healthcheck - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumes: - {{- include "gitlab.extraVolumes" . 
| nindent 6 }} - - name: gitaly-config - configMap: - name: {{ template "fullname" . }} - {{- if not .Values.persistence.enabled }} - - name: repo-data - emptyDir: {} - {{- end }} - - name: gitaly-secrets - emptyDir: - medium: "Memory" - - name: init-gitaly-secrets - projected: - defaultMode: 0440 - sources: - - secret: - name: {{ template "gitlab.gitaly.authToken.secret" . }} - items: - - key: {{ template "gitlab.gitaly.authToken.key" . }} - path: "gitaly_token" - - secret: - name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} - items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} - path: ".gitlab_shell_secret" - {{- if .Values.global.gitaly.tls.enabled }} - - secret: - name: {{ template "gitlab.gitaly.tls.secret" . }} - items: - - key: "tls.crt" - path: "gitaly.crt" - - key: "tls.key" - path: "gitaly.key" - {{- end }} - {{- with .Values.global.gitaly.hooks }} - {{- if and .preReceive (has .preReceive .configmap) }} - - name: gitaly-hooks-preReceive - configMap: - name: {{ .preReceive.configmap }} - defaultMode: 0555 - {{- end }} - {{- if and .postReceive (has .postReceive .configmap) }} - - name: gitaly-hooks-postReceive - configMap: - name: {{ .postReceive.configmap }} - defaultMode: 0555 - {{- end }} - {{- if and .update (hasKey .update "configmap") }} - - name: gitaly-hooks-update - configMap: - name: {{ .update.configmap }} - defaultMode: 0555 - {{- end }} - {{- end }} - {{- include "gitlab.certificates.volumes" . | nindent 6 }} - {{- if .Values.nodeSelector }} - nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: repo-data - labels: - app: {{ template "name" . 
}} - release: {{ .Release.Name }} - annotations: - {{- range $key, $value := .Values.persistence.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" - {{- end -}} - {{- end }} - selector: - {{- if .Values.persistence.matchLabels }} - matchLabels: - {{- toYaml .Values.persistence.matchLabels | nindent 12 }} - {{- end -}} - {{- if .Values.persistence.matchExpressions }} - matchExpressions: - {{- toYaml .Values.persistence.matchExpressions | nindent 12 }} - {{- end -}} - {{- end }} +{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") (dict "context" .) }} {{- end }} -- GitLab From 55f80c5bcecc584fa8d22cca7927428b4d219c71 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 1 Dec 2020 14:30:58 -0500 Subject: [PATCH 51/83] Restore gitlab.gitaly.serviceName template Restores the original gitlab.gitaly.serviceName partial specification to ensure that it returns the gitaly-specific service name when called. To avoid breaking Praefect when it calls this partial, this also sets an empty `gitlab` object in Praefect's values.yaml. --- charts/gitlab/charts/praefect/values.yaml | 3 +++ templates/_gitaly.tpl | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/praefect/values.yaml b/charts/gitlab/charts/praefect/values.yaml index 6314b26ad2..fd18722e27 100644 --- a/charts/gitlab/charts/praefect/values.yaml +++ b/charts/gitlab/charts/praefect/values.yaml @@ -49,3 +49,6 @@ tolerations: [] ## The Gitaly StatefulSet's priorityClassName # priorityClassName: + +gitaly: {} + # serviceName: diff --git a/templates/_gitaly.tpl b/templates/_gitaly.tpl index 423daef4eb..839b6b766e 100644 
--- a/templates/_gitaly.tpl +++ b/templates/_gitaly.tpl @@ -33,7 +33,7 @@ Order of operations: */}} {{- define "gitlab.gitaly.serviceName" -}} -{{- coalesce ( .Values.serviceName ) .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} +{{- coalesce ( .Values.gitaly.serviceName ) .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}} {{- end -}} {{/* -- GitLab From e20b8ad145b7a080be24d3f2ad8356e6a67ca30d Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 1 Dec 2020 14:52:02 -0500 Subject: [PATCH 52/83] Remove .context from statefulset spec - Removes .context from gitaly's statefulset spec - Merges the relevant context and storage dictionaries for the statefulset spec when Praefect is enabled --- .../gitaly/templates/_statefulset_spec.yaml | 162 +++++++++--------- .../templates/statefulset-with-praefect.yml | 2 +- .../charts/gitaly/templates/statefulset.yml | 2 +- 3 files changed, 83 insertions(+), 83 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index ddfe8341e0..b5f7645cdf 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
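Review bot: `.Values.gitaly.serviceName` raises a nil-pointer template error in any chart whose values have no `gitaly` map, which is presumably why the same commit adds `gitaly: {}` to the praefect values; every other chart that includes `gitlab.gitaly.serviceName` needs the same placeholder, or the lookup should be made nil-safe once here, e.g. `{{- coalesce (default (dict) .Values.gitaly).serviceName .Values.global.gitaly.serviceName (include "gitlab.other.fullname" (dict "context" . "chartName" "gitaly" )) -}}`. I cannot see the other callers from this hunk, so treat that as a check rather than a known failure.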
@@ -1,61 +1,61 @@ -{{- $praefect := .context.Values.global.praefect.enabled -}} +{{- $praefect := .Values.global.praefect.enabled -}} spec: selector: matchLabels: - app: {{ template "name" .context }} - release: {{ .context.Release.Name }} + app: {{ template "name" . }} + release: {{ .Release.Name }} {{- if $praefect }} storage: {{ .storage.name }} {{- end }} {{- if $praefect }} - serviceName: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" .context "name" .storage.name) }} + serviceName: {{ include "gitlab.praefect.gitaly.serviceName" (dict "context" . "name" .storage.name) }} {{- else }} - serviceName: {{ include "gitlab.gitaly.serviceName" .context }} + serviceName: {{ include "gitlab.gitaly.serviceName" . }} {{- end }} {{- if $praefect }} - replicas: {{ default (include "gitlab.gitaly.replicas" .context) .storage.gitalyReplicas }} + replicas: {{ default (include "gitlab.gitaly.replicas" .) .storage.gitalyReplicas }} {{- else }} - replicas: {{ include "gitlab.gitaly.replicas" .context }} + replicas: {{ include "gitlab.gitaly.replicas" . }} {{- end }} podManagementPolicy: Parallel - {{- if .context.Values.global.operator.enabled }} + {{- if .Values.global.operator.enabled }} updateStrategy: rollingUpdate: - partition: {{ include "gitlab.gitaly.replicas" .context }} + partition: {{ include "gitlab.gitaly.replicas" . }} {{- end }} template: metadata: labels: - app: {{ template "name" .context }} - release: {{ .context.Release.Name }} + app: {{ template "name" . }} + release: {{ .Release.Name }} {{- if $praefect }} storage: {{ .storage.name }} {{- end }} - {{- include "gitlab.podLabels" .context | nindent 8 }} + {{- include "gitlab.podLabels" . | nindent 8 }} annotations: - checksum/config: {{ include (print .context.Template.BasePath "/configmap.yml") .context | sha256sum }} - {{- range $key, $value := .context.Values.annotations }} + checksum/config: {{ include (print .Template.BasePath "/configmap.yml") . 
| sha256sum }} + {{- range $key, $value := .Values.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: - {{- if .context.Values.tolerations }} + {{- if .Values.tolerations }} tolerations: - {{- toYaml .context.Values.tolerations | nindent 8 }} + {{- toYaml .Values.tolerations | nindent 8 }} {{- end }} - {{- if .context.Values.priorityClassName }} - priorityClassName: "{{ .context.Values.priorityClassName }}" + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" {{- end }} terminationGracePeriodSeconds: 30 initContainers: - {{- include "gitlab.extraInitContainers" .context | nindent 8 }} - {{- include "gitlab.certificates.initContainer" .context | nindent 8 }} + {{- include "gitlab.extraInitContainers" . | nindent 8 }} + {{- include "gitlab.certificates.initContainer" . | nindent 8 }} - name: configure command: ['sh', '/config/configure'] - image: {{ include "gitlab.busybox.image" (dict "local" .context.Values.init "global" .context.Values.global.busybox) | quote }} + image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" .Values.global.busybox) | quote }} env: - {{- include "gitlab.extraEnv" .context | nindent 10 }} + {{- include "gitlab.extraEnv" . | nindent 10 }} volumeMounts: - {{- include "gitlab.extraVolumeMounts" .context | nindent 10 }} + {{- include "gitlab.extraVolumeMounts" . | nindent 10 }} - name: gitaly-config mountPath: /config readOnly: true 
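Review bot: After this hunk `.` has to carry both the root-context keys (`.Values`, `.Release`, `.Template`) and a `storage` key, and the caller that assembles that dict is outside what is visible here. If it is built with sprig `merge` using `$` as the destination, the root context is mutated in place, so the `storage` entry of one `range` iteration leaks into the next and into every later `include` that receives `$`; merging into a fresh dict instead, e.g. `(merge (dict "storage" .) $)`, avoids that — worth confirming against the caller. A one-line header comment in this partial, such as `{{/* Expects the root context, plus a "storage" key holding one virtual-storage entry when praefect is enabled */}}`, would document the contract the rest of the file now relies on. The remaining hunks of this commit are the same mechanical `.context` → `.` change.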
@@ -66,30 +66,30 @@ spec: mountPath: /init-secrets readOnly: false resources: - {{- toYaml .context.Values.init.resources | nindent 12 }} - {{- if .context.Values.securityContext }} + {{- toYaml .Values.init.resources | nindent 12 }} + {{- if .Values.securityContext }} securityContext: - {{- if not (empty .context.Values.securityContext.runAsUser) }} - runAsUser: {{ .context.Values.securityContext.runAsUser }} + {{- if not (empty .Values.securityContext.runAsUser) }} + runAsUser: {{ .Values.securityContext.runAsUser }} {{- end }} - {{- if not (empty .context.Values.securityContext.fsGroup) }} - fsGroup: {{ .context.Values.securityContext.fsGroup }} + {{- if not (empty .Values.securityContext.fsGroup) }} + fsGroup: {{ .Values.securityContext.fsGroup }} {{- end }} {{- end }} - {{- include "pullsecrets" .context.Values.image | indent 6 }} - {{- if eq (default .context.Values.global.antiAffinity .context.Values.antiAffinity) "hard" }} + {{- include "pullsecrets" .Values.image | indent 6 }} + {{- if eq (default .Values.global.antiAffinity .Values.antiAffinity) "hard" }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - topologyKey: "kubernetes.io/hostname" labelSelector: matchLabels: - app: {{ template "name" .context }} - release: {{ .context.Release.Name }} + app: {{ template "name" . }} + release: {{ .Release.Name }} {{- if $praefect }} storage: {{ .storage.name }} {{- end }} - {{- else if eq (default .context.Values.global.antiAffinity .context.Values.antiAffinity) "soft" }} + {{- else if eq (default .Values.global.antiAffinity .Values.antiAffinity) "soft" }} affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: 
@@ -98,24 +98,24 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ template "name" .context }} - release: {{ .context.Release.Name }} + app: {{ template "name" . }} + release: {{ .Release.Name }} {{- if $praefect }} storage: {{ .storage.name }} {{- end }} {{- end }} - {{- if or .context.Values.serviceAccount.enabled .context.Values.global.serviceAccount.enabled }} - serviceAccountName: {{ include "gitlab.serviceAccount.name" .context }} + {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }} + serviceAccountName: {{ include "gitlab.serviceAccount.name" . }} {{- end }} containers: - {{- include "gitlab.extraContainers" .context | nindent 8 }} - - name: {{ .context.Chart.Name }} - image: "{{ .context.Values.image.repository }}:{{ coalesce .context.Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .context.Chart.AppVersion "prepend" "true")) }}" - {{ template "gitlab.imagePullPolicy" .context }} + {{- include "gitlab.extraContainers" . | nindent 8 }} + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}" + {{ template "gitlab.imagePullPolicy" . }} ports: - - containerPort: {{ coalesce .context.Values.service.internalPort .context.Values.global.gitaly.service.internalPort }} - {{- if .context.Values.metrics.enabled }} - - containerPort: {{ .context.Values.metrics.metricsPort }} + - containerPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} + {{- if .Values.metrics.enabled }} + - containerPort: {{ .Values.metrics.metricsPort }} {{- end }} env: - name: CONFIG_TEMPLATE_DIRECTORY 
@@ -126,15 +126,15 @@ spec: value: '/etc/gitaly/config.toml' - name: SSL_CERT_DIR value: '/etc/ssl/certs' - {{- if .context.Values.metrics.enabled }} + {{- if .Values.metrics.enabled }} - name: GITALY_PROMETHEUS_LISTEN_ADDR - value: ':{{ .context.Values.metrics.metricsPort }}' + value: ':{{ .Values.metrics.metricsPort }}' {{- end }} - {{- include "gitlab.tracing.env" .context | nindent 12 }} - {{- include "gitlab.extraEnv" .context | nindent 12 }} + {{- include "gitlab.tracing.env" . | nindent 12 }} + {{- include "gitlab.extraEnv" . | nindent 12 }} volumeMounts: - {{- include "gitlab.extraVolumeMounts" .context | nindent 12 }} - {{- include "gitlab.certificates.volumeMount" .context | nindent 12 }} + {{- include "gitlab.extraVolumeMounts" . | nindent 12 }} + {{- include "gitlab.certificates.volumeMount" . | nindent 12 }} - name: gitaly-config mountPath: '/etc/gitaly/templates' - name: gitaly-secrets @@ -142,10 +142,10 @@ spec: readOnly: true - name: repo-data mountPath: '/home/git/repositories' - {{- if and .context.Values.persistence.enabled .context.Values.persistence.subPath }} - subPath: "{{ .context.Values.persistence.subPath }}" + {{- if and .Values.persistence.enabled .Values.persistence.subPath }} + subPath: "{{ .Values.persistence.subPath }}" {{- end }} - {{- with .context.Values.global.gitaly.hooks }} + {{- with .Values.global.gitaly.hooks }} {{- if .preReceive }} - name: gitaly-hooks-pre-recieve mountPath: "/home/git/custom_hooks/pre-receive.d" 
@@ -174,13 +174,13 @@ spec: timeoutSeconds: 3 periodSeconds: 10 resources: - {{- toYaml .context.Values.resources | nindent 12 }} + {{- toYaml .Values.resources | nindent 12 }} volumes: - {{- include "gitlab.extraVolumes" .context | nindent 6 }} + {{- include "gitlab.extraVolumes" . | nindent 6 }} - name: gitaly-config configMap: - name: {{ template "fullname" .context }} - {{- if not .context.Values.persistence.enabled }} + name: {{ template "fullname" . }} + {{- if not .Values.persistence.enabled }} - name: repo-data emptyDir: {} {{- end }} @@ -192,25 +192,25 @@ spec: defaultMode: 0440 sources: - secret: - name: {{ template "gitlab.gitaly.authToken.secret" .context }} + name: {{ template "gitlab.gitaly.authToken.secret" . }} items: - - key: {{ template "gitlab.gitaly.authToken.key" .context }} + - key: {{ template "gitlab.gitaly.authToken.key" . }} path: "gitaly_token" - secret: - name: {{ template "gitlab.gitlab-shell.authToken.secret" .context }} + name: {{ template "gitlab.gitlab-shell.authToken.secret" . }} items: - - key: {{ template "gitlab.gitlab-shell.authToken.key" .context }} + - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" - {{- if .context.Values.global.gitaly.tls.enabled }} + {{- if .Values.global.gitaly.tls.enabled }} - secret: - name: {{ template "gitlab.gitaly.tls.secret" .context }} + name: {{ template "gitlab.gitaly.tls.secret" . }} items: - key: "tls.crt" path: "gitaly.crt" - key: "tls.key" path: "gitaly.key" {{- end }} - {{- with .context.Values.global.gitaly.hooks }} + {{- with .Values.global.gitaly.hooks }} {{- if and .preReceive (has .preReceive .configmap) }} - name: gitaly-hooks-preReceive configMap: 
@@ -230,42 +230,42 @@ spec: defaultMode: 0555 {{- end }} {{- end }} - {{- include "gitlab.certificates.volumes" .context | nindent 6 }} - {{- if .context.Values.nodeSelector }} + {{- include "gitlab.certificates.volumes" . | nindent 6 }} + {{- if .Values.nodeSelector }} nodeSelector: - {{- toYaml .context.Values.nodeSelector | nindent 8 }} + {{- toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} - {{- if .context.Values.persistence.enabled }} + {{- if .Values.persistence.enabled }} volumeClaimTemplates: - metadata: name: repo-data labels: - app: {{ template "name" .context }} - release: {{ .context.Release.Name }} + app: {{ template "name" . }} + release: {{ .Release.Name }} annotations: - {{- range $key, $value := .context.Values.persistence.annotations }} + {{- range $key, $value := .Values.persistence.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: accessModes: - - {{ .context.Values.persistence.accessMode | quote }} + - {{ .Values.persistence.accessMode | quote }} resources: requests: - storage: {{ .context.Values.persistence.size | quote }} - {{- if .context.Values.persistence.storageClass }} - {{- if (eq "-" .context.Values.persistence.storageClass) }} + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} storageClassName: "" {{- else }} - storageClassName: "{{ .context.Values.persistence.storageClass }}" + storageClassName: "{{ .Values.persistence.storageClass }}" {{- end -}} {{- end }} selector: - {{- if .context.Values.persistence.matchLabels }} + {{- if .Values.persistence.matchLabels }} matchLabels: - {{- toYaml .context.Values.persistence.matchLabels | nindent 12 }} + {{- toYaml .Values.persistence.matchLabels | nindent 12 }} {{- end -}} - {{- if .context.Values.persistence.matchExpressions }} + {{- if .Values.persistence.matchExpressions }} matchExpressions: - {{- toYaml .context.Values.persistence.matchExpressions | nindent 12 }} + {{- 
toYaml .Values.persistence.matchExpressions | nindent 12 }} {{- end -}} {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml b/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml index 14b643c730..a1d38822e1 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset-with-praefect.yml @@ -8,7 +8,7 @@ metadata: labels: {{- include "gitlab.immutableLabels" $ | nindent 4 }} storage: {{ .name }} -{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") (dict "context" $ "storage" .) }} +{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") (merge (dict) $ (dict "storage" .)) }} --- {{- end }} {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/statefulset.yml b/charts/gitlab/charts/gitaly/templates/statefulset.yml index 78c4aeb995..ce4332c2f1 100644 --- a/charts/gitlab/charts/gitaly/templates/statefulset.yml +++ b/charts/gitlab/charts/gitaly/templates/statefulset.yml @@ -6,5 +6,5 @@ metadata: namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.immutableLabels" . | nindent 4 }} -{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") (dict "context" .) }} +{{ include (print $.Template.BasePath "/_statefulset_spec.yaml") . }} {{- end }} -- GitLab From 917f3d70e795bd4e4e228b0d5bc876b813cf6a12 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 1 Dec 2020 14:54:23 -0500 Subject: [PATCH 53/83] Add storage label to volume claim template Adds storage label to Gitaly's volume claim template when Praefect is enabled. --- charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index b5f7645cdf..cd440fb6cd 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
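Review bot: The merged context built by `(merge (dict) $ (dict "storage" .))` is an undocumented contract between this file and `_statefulset_spec.yaml`, which now reads `.Values`, `.Release` and `.storage` off one object; the same construction is used in the `statefulset.yml` hunk below (bare `.`) and again in the later `pdb-with-praefect.yaml` and `service-with-praefect.yaml` hunks. As I read Sprig's `merge`, keys already merged take precedence, so this only works as long as the root context never carries a `storage` key. A comment above the include would make the contract visible: `{{/* _statefulset_spec.yaml expects the root context plus a "storage" key holding the current virtual storage; merge gives $ precedence, so "storage" must not exist at the root. */}}`.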
+++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml
@@ -242,6 +242,9 @@ spec:
 labels:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
+ {{- if $praefect }}
+ storage: {{ .storage.name }}
+ {{- end }}
 annotations:
 {{- range $key, $value := .Values.persistence.annotations }}
 {{ $key }}: {{ $value | quote }}
-- GitLab From ead4ee3940a8f4e6e6b9c69e79f5a37fcf41d2a5 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 1 Dec 2020 15:10:32 -0500 Subject: [PATCH 54/83] Implement underscore template for svc and pdb Implements the underscore template approach for Gitaly's services and PDBs, in line with what we do for the StatefulSet.
--- .../charts/gitaly/templates/_pdb_spec.yaml | 14 +++++++++++++ .../gitaly/templates/_service_spec.yaml | 0 .../gitaly/templates/pdb-with-praefect.yaml | 8 +------ .../gitlab/charts/gitaly/templates/pdb.yaml | 7 +------ .../templates/service-with-praefect.yaml | 21 +------------------ .../charts/gitaly/templates/service.yaml | 20 +----------------- 6 files changed, 18 insertions(+), 52 deletions(-) create mode 100644 charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml create mode 100644 charts/gitlab/charts/gitaly/templates/_service_spec.yaml
diff --git a/charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml b/charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml new file mode 100644
index 0000000000..0ca276eae2
--- /dev/null
+++ b/charts/gitlab/charts/gitaly/templates/_pdb_spec.yaml
@@ -0,0 +1,14 @@
+{{- $praefect := .Values.global.praefect.enabled -}}
+spec:
+ {{- if $praefect }}
+ maxUnavailable: {{ default .Values.maxUnavailable .storage.maxUnavailable }}
+ {{- else }}
+ maxUnavailable: {{ .Values.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "name" . }}
+ release: {{ .Release.Name }}
+ {{- if $praefect }}
+ storage: {{ .storage.name }}
+ {{- end }}
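Review bot: Adding `storage:` under `volumeClaimTemplates[].metadata.labels` changes a StatefulSet field the API server treats as immutable, so any Praefect-mode Gitaly StatefulSet created from an earlier release will be rejected on upgrade until it is deleted and recreated (orphaning its PVCs). I cannot tell from the hunk whether earlier releases already rendered this template in Praefect mode; if the multi-virtual-storage mode has not shipped, this is harmless, but it deserves a sentence in the upgrade notes either way. The enclosing `volumeClaimTemplates` block starts before the hunk.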
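Review bot: `maxUnavailable: {{ default .Values.maxUnavailable .storage.maxUnavailable }}` falls back to the chart-wide value when a virtual storage sets `maxUnavailable: 0`, because Sprig's `default` treats zero as empty; for a PodDisruptionBudget `0` is a meaningful, strict setting, so a per-storage opt-out of voluntary disruption is silently replaced. The line is carried over from `pdb-with-praefect.yaml` rather than new logic, but a presence test keeps the explicit zero: `maxUnavailable: {{ ternary .storage.maxUnavailable .Values.maxUnavailable (hasKey .storage "maxUnavailable") }}`.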
diff --git a/charts/gitlab/charts/gitaly/templates/_service_spec.yaml b/charts/gitlab/charts/gitaly/templates/_service_spec.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml b/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml index 981a7b7815..9f37e46da1 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml +++ b/charts/gitlab/charts/gitaly/templates/pdb-with-praefect.yaml @@ -8,13 +8,7 @@ metadata: labels: {{- include "gitlab.standardLabels" $ | nindent 4 }} storage: {{ .name }} -spec: - maxUnavailable: {{ default $.Values.maxUnavailable .maxUnavailable }} - selector: - matchLabels: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} +{{ include (print $.Template.BasePath "/_pdb_spec.yaml") (merge (dict) $ (dict "storage" .)) }} --- {{- end -}} {{- end -}} diff --git a/charts/gitlab/charts/gitaly/templates/pdb.yaml b/charts/gitlab/charts/gitaly/templates/pdb.yaml index 8c10315a30..c7fd699c6a 100644 --- a/charts/gitlab/charts/gitaly/templates/pdb.yaml +++ b/charts/gitlab/charts/gitaly/templates/pdb.yaml @@ -6,10 +6,5 @@ metadata: namespace: {{ $.Release.Namespace }} labels: {{- include "gitlab.standardLabels" . | nindent 4 }} -spec: - maxUnavailable: {{ .Values.maxUnavailable }} - selector: - matchLabels: - app: {{ template "name" . }} - release: {{ .Release.Name }} +{{ include (print $.Template.BasePath "/_pdb_spec.yaml") . }} {{- end -}} diff --git a/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml b/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml index 3dbb4e2269..9e3d11f91f 100644 --- a/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml +++ b/charts/gitlab/charts/gitaly/templates/service-with-praefect.yaml 
@@ -17,26 +17,7 @@ metadata: prometheus.io/port: "{{ $.Values.metrics.metricsPort }}" {{- end }} {{- include "gitlab.serviceAnnotations" $ | nindent 4 }} -spec: - type: {{ coalesce $.Values.service.type $.Values.global.gitaly.service.type }} - clusterIP: "None" - ports: - - port: {{ coalesce $.Values.service.externalPort $.Values.global.gitaly.service.externalPort }} - name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }} - targetPort: {{ coalesce $.Values.service.internalPort $.Values.global.gitaly.service.internalPort }} - {{- if $.Values.metrics.enabled }} - - port: {{ $.Values.metrics.metricsPort }} - name: {{ coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-metrics - {{- end }} - {{- if $.Values.global.gitaly.tls.enabled }} - - port: {{ coalesce $.Values.service.tls.externalPort $.Values.global.gitaly.service.tls.externalPort }} - name: {{coalesce $.Values.service.name $.Values.global.gitaly.service.name }}-tls - targetPort: {{ coalesce $.Values.service.tls.internalPort $.Values.global.gitaly.service.tls.internalPort }} - {{- end }} - selector: - app: {{ template "name" $ }} - release: {{ $.Release.Name }} - storage: {{ .name }} +{{ include (print $.Template.BasePath "/_service_spec.yaml") (merge (dict) $ (dict "storage" .)) }} --- {{- end }} {{- end }} diff --git a/charts/gitlab/charts/gitaly/templates/service.yaml b/charts/gitlab/charts/gitaly/templates/service.yaml index a2289ecded..3860c172a5 100644 --- a/charts/gitlab/charts/gitaly/templates/service.yaml +++ b/charts/gitlab/charts/gitaly/templates/service.yaml 
@@ -15,23 +15,5 @@ metadata: prometheus.io/port: "{{ .Values.metrics.metricsPort }}" {{- end }} {{- include "gitlab.serviceAnnotations" . | nindent 4 }} -spec: - type: {{ coalesce .Values.service.type .Values.global.gitaly.service.type }} - clusterIP: "None" - ports: - - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }} - name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }} - targetPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }} - {{- if .Values.metrics.enabled }} - - port: {{ .Values.metrics.metricsPort }} - name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}-metrics - {{- end }} - {{- if .Values.global.gitaly.tls.enabled }} - - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }} - name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls - targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }} - {{- end }} - selector: - app: {{ template "name" . }} - release: {{ .Release.Name }} +{{ include (print $.Template.BasePath "/_service_spec.yaml") . }} {{- end }} -- GitLab From 80fb0c64737bd122335e35deedf0013966ce0c28 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 1 Dec 2020 16:18:53 -0500 Subject: [PATCH 55/83] Add content to service spec file Somehow this file was committed empty. --- .../gitaly/templates/_service_spec.yaml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/charts/gitlab/charts/gitaly/templates/_service_spec.yaml b/charts/gitlab/charts/gitaly/templates/_service_spec.yaml index e69de29bb2..c27cec9505 100644 --- a/charts/gitlab/charts/gitaly/templates/_service_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_service_spec.yaml 
@@ -0,0 +1,23 @@
+{{- $praefect := .Values.global.praefect.enabled -}}
+spec:
+ type: {{ coalesce .Values.service.type .Values.global.gitaly.service.type }}
+ clusterIP: "None"
+ ports:
+ - port: {{ coalesce .Values.service.externalPort .Values.global.gitaly.service.externalPort }}
+ name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}
+ targetPort: {{ coalesce .Values.service.internalPort .Values.global.gitaly.service.internalPort }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.metrics.metricsPort }}
+ name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}-metrics
+ {{- end }}
+ {{- if .Values.global.gitaly.tls.enabled }}
+ - port: {{ coalesce .Values.service.tls.externalPort .Values.global.gitaly.service.tls.externalPort }}
+ name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls
+ targetPort: {{ coalesce .Values.service.tls.internalPort .Values.global.gitaly.service.tls.internalPort }}
+ {{- end }}
+ selector:
+ app: {{ template "name" . }}
+ release: {{ .Release.Name }}
+ {{- if $praefect }}
+ storage: {{ .storage.name }}
+ {{- end }}
-- GitLab From 80a4924dd0d4221204559eacc1f7be9c72f1a5b8 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 7 Dec 2020 17:11:56 -0500 Subject: [PATCH 56/83] Inject virtual-storage-specific TLS secret If Praefect is in use, inject the VirtualStorage-specific TLS secret name on the Gitaly statefulset. Otherwise, use the default TLS secret name.
--- .../charts/gitaly/templates/_statefulset_spec.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml
index cd440fb6cd..e2eea437b1 100644
--- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml
+++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml
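Review bot: `name: {{coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls` is the only action in the new file without a space after `{{`; `name: {{ coalesce .Values.service.name .Values.global.gitaly.service.name }}-tls` matches the rest of the spec (the same inconsistency existed in the two service files this replaces). Separately, the `$praefect` branch reads `.storage.name`, which is only present when the include passes the merged dict from `service-with-praefect.yaml`; `service.yaml` passes the bare root, so it must only be rendered while `global.praefect.enabled` is false, and I cannot confirm that guard from this hunk.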
@@ -202,6 +202,15 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" {{- if .Values.global.gitaly.tls.enabled }} + {{- if $praefect }} + - secret: + name: {{ .storage.tls.secretName }} + items: + - key: "tls.crt" + path: "gitaly.crt" + - key: "tls.key" + path: "gitaly.key" + {{- else }} - secret: name: {{ template "gitlab.gitaly.tls.secret" . }} items: @@ -210,6 +219,7 @@ spec: - key: "tls.key" path: "gitaly.key" {{- end }} + {{- end }} {{- with .Values.global.gitaly.hooks }} {{- if and .preReceive (has .preReceive .configmap) }} - name: gitaly-hooks-preReceive -- GitLab From b217007d9797a354f8ca4a95c7d3e274b141b78b Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Mon, 7 Dec 2020 17:12:49 -0500 Subject: [PATCH 57/83] Update config check for Gitaly TLS w/ Praefect When using Praefect with multiple virtual storages, the Gitaly TLS secretNames need to be provided per virtual storage. In that case, check to see if they have been provided, and if not, throw an error. --- templates/_checkConfig.tpl | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index b731d9f836..eb83458ce6 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -76,7 +76,13 @@ contentSecurityPolicy: Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} -{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not $.Values.global.gitaly.tls.secretName) }} +{{- $praefectGitalyTLSProvided := false -}} +{{- range .Values.global.praefect.virtualStorages -}} +{{- if .tls.secretName -}} +{{- $praefectGitalyTLSProvided = true -}} +{{- end }} +{{- end }} +{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not (or $.Values.global.gitaly.tls.secretName $praefectGitalyTLSProvided)) }} gitaly: server enabled with TLS, no TLS certificate provided It appears Gitaly is specified to listen over TLS, but no certificate was specified. {{- end -}} -- GitLab From a3c107b1bb679fb0c996bac137b6e2468a68d349 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 12:05:05 -0500 Subject: [PATCH 58/83] Fix checkConfig if key does not exist Loops through and checks that keys exist before checking the condition. --- templates/_checkConfig.tpl | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index eb83458ce6..39468cc835 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -77,10 +77,12 @@ Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} {{- $praefectGitalyTLSProvided := false -}} -{{- range .Values.global.praefect.virtualStorages -}} -{{- if .tls.secretName -}} -{{- $praefectGitalyTLSProvided = true -}} -{{- end }} +{{- range $vs := .Values.global.praefect.virtualStorages -}} +{{- if hasKey $vs "tls" -}} +{{- if and (hasKey $vs.tls "secretName") (kindIs "string" $vs.tls.secretName) -}} +{{- $praefectGitalyTLSProvided = true -}} +{{- end }} +{{- end }} {{- end }} {{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not (or $.Values.global.gitaly.tls.secretName $praefectGitalyTLSProvided)) }} gitaly: server enabled with TLS, no TLS certificate provided -- GitLab From 29c273dff77358dd1cdbccc7e36f32a97c6cbaa1 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 12:24:56 -0500 Subject: [PATCH 59/83] Adjust config check for Gitaly VS TLS Start with a default of `true`, and then range through each virtual storage. If any of them don't specify `tls.secretName`, then mark the variable as `false` and use it in the broader check statement. Effectively, this accounts for providing tls secretNames per virtual storage rather than setting one globally via `global.gitaly.tls.secretName`. --- templates/_checkConfig.tpl | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 39468cc835..3f1856c0df 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -76,15 +76,13 @@ contentSecurityPolicy: Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} -{{- $praefectGitalyTLSProvided := false -}} -{{- range $vs := .Values.global.praefect.virtualStorages -}} -{{- if hasKey $vs "tls" -}} -{{- if and (hasKey $vs.tls "secretName") (kindIs "string" $vs.tls.secretName) -}} -{{- $praefectGitalyTLSProvided = true -}} -{{- end }} +{{- $gitalyVirtualStorageTLS := true -}} +{{- range $vs := $.Values.global.praefect.virtualStorages -}} +{{- if not (hasKey $vs "tls.secretName") -}} +{{- $gitalyVirtualStorageTLS = false -}} {{- end }} {{- end }} -{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not (or $.Values.global.gitaly.tls.secretName $praefectGitalyTLSProvided)) }} +{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not (or $.Values.global.gitaly.tls.secretName $gitalyVirtualStorageTLS)) }} gitaly: server enabled with TLS, no TLS certificate provided It appears Gitaly is specified to listen over TLS, but no certificate was specified. {{- end -}} -- GitLab From 35cacb4d363a439caa707b34a25e713a745689f3 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 12:29:37 -0500 Subject: [PATCH 60/83] Only inject TLS cert if one is specified When Praefect is enabled, only inject the TLS certificate if one is specified. --- charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index e2eea437b1..157e9f9c06 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
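Review bot: `hasKey $vs "tls.secretName"` looks up a literal key named `tls.secretName`, not the nested `tls` → `secretName` path, so it is false for every virtual storage that configures `tls: {secretName: ...}` and the check fires whenever virtual storages exist without a global `secretName`; the same literal-key lookup is applied to `.storage` in the two `_statefulset_spec.yaml` hunks of the next two patches, where it means the per-storage secret is never selected. The lookup has to be done in two steps, `hasKey $vs "tls"` and then, inside an inner `if`, `hasKey $vs.tls "secretName"`, rather than with a dotted string. The `true` starting value also means an empty `virtualStorages` list leaves `$gitalyVirtualStorageTLS` true and disables the check even when `global.gitaly.tls.secretName` is unset; that default survives into the patch 62 version of this block.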
@@ -202,7 +202,7 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" {{- if .Values.global.gitaly.tls.enabled }} - {{- if $praefect }} + {{- if and $praefect (hasKey .storage "tls.secretName") }} - secret: name: {{ .storage.tls.secretName }} items: -- GitLab From d178d8340f4dc2cbe6c37e31e566315441a0b12d Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 13:06:15 -0500 Subject: [PATCH 61/83] Split out check logic for storage TLS config First checks if Praefect is enabled, and if so, then it will check the `.storage` map. Helps avoid the scenario where Praefect is disabled but it still tries to check if the `.storage` map (nonexistent) has a given key. --- charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index 157e9f9c06..6282fff5da 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml @@ -202,7 +202,8 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" {{- if .Values.global.gitaly.tls.enabled }} - {{- if and $praefect (hasKey .storage "tls.secretName") }} + {{- if $praefect -}} + {{- if hasKey .storage "tls.secretName" }} - secret: name: {{ .storage.tls.secretName }} items: @@ -210,6 +211,7 @@ spec: path: "gitaly.crt" - key: "tls.key" path: "gitaly.key" + {{- end }} {{- else }} - secret: name: {{ template "gitlab.gitaly.tls.secret" . }} -- GitLab From 281c31e089208946451c2e0eee3a2d2847962457 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Tue, 8 Dec 2020 13:07:20 -0500 Subject: [PATCH 62/83] Expand logic for checking if TLS provided Expands the logic when checking if TLS is provided for a given virtual storage: - If `tls` is provided and is a map, but doesn't contain `secretName`, then mark it `false` - Else, if `tls` is not provided at all, also set it to `false` There may be a more concise way to do this, but at the moment it works. --- templates/_checkConfig.tpl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 3f1856c0df..3ea0503eaf 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl @@ -78,8 +78,12 @@ listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} {{- $gitalyVirtualStorageTLS := true -}} {{- range $vs := $.Values.global.praefect.virtualStorages -}} -{{- if not (hasKey $vs "tls.secretName") -}} +{{- if and (hasKey $vs "tls") (kindIs "map" $vs.tls) -}} +{{- if not (hasKey $vs.tls "secretName") }} {{- $gitalyVirtualStorageTLS = false -}} +{{- end }} +{{- else }} +{{- $gitalyVirtualStorageTLS = false -}} {{- end }} {{- end }} {{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not (or $.Values.global.gitaly.tls.secretName $gitalyVirtualStorageTLS)) }} -- GitLab From 97426bb5130ef40167653ea544eea13aac1ca4d2 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 16:37:31 -0500 Subject: [PATCH 63/83] Refactor Gitaly tls secret config - Calculates the secret name using the template, and overrides it with the config from Praefect if enabled - Uses the secret name calculated above in a single projected volume block rather than repeating a block in each condition --- .../gitaly/templates/_statefulset_spec.yaml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) 
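Review bot: `{{- if not (hasKey $vs.tls "secretName") }}` still accepts a virtual storage whose `tls.secretName` is present but empty or null, so it is counted as providing TLS material and the statefulset later renders a secret volume with no name; testing the value rather than the key, `{{- if not $vs.tls.secretName }}`, covers both the missing and the empty case inside the existing map guard. The `:= true` starting value (a context line here) also keeps the check vacuous for an empty `virtualStorages` list.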
diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index 6282fff5da..c2748a9b35 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml @@ -202,26 +202,18 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" {{- if .Values.global.gitaly.tls.enabled }} - {{- if $praefect -}} - {{- if hasKey .storage "tls.secretName" }} - - secret: - name: {{ .storage.tls.secretName }} - items: - - key: "tls.crt" - path: "gitaly.crt" - - key: "tls.key" - path: "gitaly.key" - {{- end }} - {{- else }} + {{- $secretName := include "gitlab.gitaly.tls.secret" . -}} + {{- if $praefect }} + {{- $secretName = .storage.tls.secretName -}} + {{- end }} - secret: - name: {{ template "gitlab.gitaly.tls.secret" . }} + name: {{ $secretName }} items: - key: "tls.crt" path: "gitaly.crt" - key: "tls.key" path: "gitaly.key" {{- end }} - {{- end }} {{- with .Values.global.gitaly.hooks }} {{- if and .preReceive (has .preReceive .configmap) }} - name: gitaly-hooks-preReceive -- GitLab From 7cfa3c3f58270b6e792fe38ba12e6d02fe67d5da Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 17:25:44 -0500 Subject: [PATCH 64/83] Use `tlsSecretName` instead of `tls.secretName` There's currently no need to have `secretName` as part of the `tls` map, so it's been removed and can now be accessed via `.storage.tlsSecretName`. --- charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index c2748a9b35..96c2c04ccf 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
@@ -204,7 +204,7 @@ spec: {{- if .Values.global.gitaly.tls.enabled }} {{- $secretName := include "gitlab.gitaly.tls.secret" . -}} {{- if $praefect }} - {{- $secretName = .storage.tls.secretName -}} + {{- $secretName = .storage.tlsSecretName -}} {{- end }} - secret: name: {{ $secretName }} -- GitLab From fc60904a8ad850f8e7a725e6f089e54c3394ee55 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 8 Dec 2020 17:32:44 -0500 Subject: [PATCH 65/83] Make the gitaly tls configCheck more clear Makes the error message produced by the gitaly TLS config check more clear by printing out the specific value that was not provided. --- templates/_checkConfig.tpl | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 3ea0503eaf..073feb223a 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl
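Review bot: After `{{- $secretName = .storage.tlsSecretName -}}` the secret `name:` renders empty for a virtual storage that omits `tlsSecretName`, and the failure then surfaces as a pod-creation error on the projected volume rather than at render time. `name: {{ required "tlsSecretName must be set for every virtual storage when Gitaly TLS is enabled" $secretName }}` keeps the partial self-checking independently of the chart-level config check. The `tls.enabled` block this sits in ends outside the hunk.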
@@ -76,19 +76,28 @@ contentSecurityPolicy: Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} -{{- $gitalyVirtualStorageTLS := true -}} -{{- range $vs := $.Values.global.praefect.virtualStorages -}} -{{- if and (hasKey $vs "tls") (kindIs "map" $vs.tls) -}} -{{- if not (hasKey $vs.tls "secretName") }} -{{- $gitalyVirtualStorageTLS = false -}} -{{- end }} -{{- else }} -{{- $gitalyVirtualStorageTLS = false -}} +{{- $msg := "" -}} +{{- $tlsProvided := true -}} +{{- if $.Values.global.praefect.enabled -}} +{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} +{{- if not $vs.tlsSecretName }} +{{- $tlsProvided = false -}} +{{- $msg = printf "global.praefect.virtualStorages[%d].tlsSecretName not provided ('%s')" $i $vs.name -}} +{{- end }} {{- end }} +{{- else }} +{{- if not $.Values.global.gitaly.tls.secretName -}} +{{- $tlsProvided = false -}} +{{- $msg = "global.gitaly.tls.secretName not defined" -}} +{{- end }} +{{- end }} +{{- $tlsEnabled := false -}} +{{- if and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled -}} +{{- $tlsEnabled = true -}} {{- end }} -{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not (or $.Values.global.gitaly.tls.secretName $gitalyVirtualStorageTLS)) }} -gitaly: server enabled with TLS, no TLS certificate provided - It appears Gitaly is specified to listen over TLS, but no certificate was specified. +{{- if and $tlsEnabled (not $tlsProvided) -}} +gitaly: TLS enabled, but TLS certificate not provided + {{ $msg }} {{- end -}} {{- end -}} {{/* END gitlab.checkConfig.gitaly.tls */}} @@ -455,4 +464,4 @@ When type-specific object storage is enabled the `connection` property can not b {{- end -}} {{- end -}} {{- end -}} -{{/* END gitlab.checkConfig.objectStorage.typeSpecificConfig */}} \ No newline at end of file +{{/* END gitlab.checkConfig.objectStorage.typeSpecificConfig */}} -- GitLab 
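Review bot: When `global.praefect.enabled` is true but `virtualStorages` is empty or unset, the `range` body never executes, `$tlsProvided` keeps its initial `true`, and the check passes even though no Gitaly certificate is configured anywhere; the same gap persists in the later rewrite of this define in PATCH 72. A guard inside the Praefect branch closes it: `{{- if empty $.Values.global.praefect.virtualStorages }}` / `{{- $tlsProvided = false -}}{{- $msg = "global.praefect.virtualStorages not specified" -}}` / `{{- end }}`. The `{{/* ... */}}` header above the define still describes the single-certificate case and could mention that each virtual storage needs its own `tlsSecretName` when Praefect is enabled.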
From 9b33d0f59c8ebd8559a1d6f2f0f485dc86daa6d9 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 9 Dec 2020 10:16:59 -0500 Subject: [PATCH 66/83] Use 'specified' consistently Removes 'defined' and 'provided' and uses 'specified' consistently in the error message output. --- templates/_checkConfig.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 073feb223a..0586e688b3 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl @@ -82,13 +82,13 @@ listen over TLS */}} {{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} {{- if not $vs.tlsSecretName }} {{- $tlsProvided = false -}} -{{- $msg = printf "global.praefect.virtualStorages[%d].tlsSecretName not provided ('%s')" $i $vs.name -}} +{{- $msg = printf "global.praefect.virtualStorages[%d].tlsSecretName not specified ('%s')" $i $vs.name -}} {{- end }} {{- end }} {{- else }} {{- if not $.Values.global.gitaly.tls.secretName -}} {{- $tlsProvided = false -}} -{{- $msg = "global.gitaly.tls.secretName not defined" -}} +{{- $msg = "global.gitaly.tls.secretName not specified" -}} {{- end }} {{- end }} {{- $tlsEnabled := false -}} @@ -96,7 +96,7 @@ listen over TLS */}} {{- $tlsEnabled = true -}} {{- end }} {{- if and $tlsEnabled (not $tlsProvided) -}} -gitaly: TLS enabled, but TLS certificate not provided +gitaly: TLS enabled, but TLS certificate not specified {{ $msg }} {{- end -}} {{- end -}} -- GitLab From 1f6c9aa3eefb4ba157f87602fc050193c81a3f7b Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 9 Dec 2020 10:17:45 -0500 Subject: [PATCH 67/83] Update spec for Gitaly TLS with Praefect Updates the check config spec to test Gitaly TLS configuration when Praefect is enabled. --- spec/integration/check_config_spec.rb | 52 +++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) 
diff --git a/spec/integration/check_config_spec.rb b/spec/integration/check_config_spec.rb index 4de3427d1b..b4f49d0c91 100644 --- a/spec/integration/check_config_spec.rb +++ b/spec/integration/check_config_spec.rb @@ -51,7 +51,7 @@ describe 'checkConfig template' do error_description: 'when unset' end - describe 'gitaly.tls' do + describe 'gitaly.tls without Praefect' do let(:success_values) do { 'global' => { @@ -74,7 +74,55 @@ describe 'checkConfig template' do }.merge(default_required_values) end - let(:error_output) { 'no certificate was specified' } + let(:error_output) { 'global.gitaly.tls.secretName not specified' } + + include_examples 'config validation', + success_description: 'when TLS is enabled correctly', + error_description: 'when TLS is enabled but there is no certificate' + end + + describe 'gitaly.tls with Praefect' do + let(:success_values) do + { + 'global' => { + 'praefect' => { + 'enabled' => true, + 'virtualStorages' => [ + { 'name' => 'default', 'gitalyReplicas' => 3, + 'maxUnavailable' => 2, 'tlsSecretName' => 'gitaly-default-tls' }, + { 'name' => 'vs1', 'gitalyReplicas' => 2, + 'maxUnavailable' => 1, 'tlsSecretName' => 'gitaly-vs2-tls' } + ] + }, + 'gitaly' => { + 'enabled' => 'true', + 'tls' => { 'enabled' => true } + } + } + }.merge(default_required_values) + end + + let(:error_values) do + { + 'global' => { + 'praefect' => { + 'enabled' => 'true', + 'virtualStorages' => [ + { 'name' => 'default', 'gitalyReplicas' => 3, + 'maxUnavailable' => 2, 'tlsSecretName' => 'gitaly-default-tls' }, + { 'name' => 'vs2', 'gitalyReplicas' => 2, + 'maxUnavailable' => 1 } + ] + }, + 'gitaly' => { + 'enabled' => 'true', + 'tls' => { 'enabled' => true } + } + } + }.merge(default_required_values) + end + + let(:error_output) { 'global.praefect.virtualStorages[1].tlsSecretName not specified (\'vs2\')' } include_examples 'config validation', success_description: 'when TLS is enabled correctly', -- GitLab 
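Review bot: `'enabled' => 'true'` is passed as a string for `gitaly.enabled` in both value sets and for `praefect.enabled` in `error_values`, while `success_values` uses a real boolean for `praefect.enabled`; Helm treats the non-empty string as truthy so the path is still exercised, but the fixture no longer mirrors what users write in `values.yaml` and would hide a future `kindIs "bool"` check. Use `'enabled' => true` throughout. The second storage in `success_values` is named `vs1` but points at `gitaly-vs2-tls`, which reads like a copy-paste slip and makes the fixture harder to compare with the error case that names `vs2`.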
From d75310a7e13189ff9d412bd1ae03503b5424f9d4 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 9 Dec 2020 10:40:48 -0500 Subject: [PATCH 68/83] Remove `virtualStorages[].tlsSecretName` Removes `virtualStorages[].tlsSecretName` and uses `global.gitaly.tls.secretName` when Praefect is enabled. This greatly simplifies configuration for both the end user and the chart. Of course, this means a wildcard certificate must be used for `global.gitaly.tls.secretName`. For example: `./scripts/generate_certificates.sh 'gitaly-*'` --- .../gitaly/templates/_statefulset_spec.yaml | 6 +-- spec/integration/check_config_spec.rb | 52 +------------------ templates/_checkConfig.tpl | 25 ++------- 3 files changed, 6 insertions(+), 77 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index 96c2c04ccf..cd440fb6cd 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml @@ -202,12 +202,8 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" {{- if .Values.global.gitaly.tls.enabled }} - {{- $secretName := include "gitlab.gitaly.tls.secret" . -}} - {{- if $praefect }} - {{- $secretName = .storage.tlsSecretName -}} - {{- end }} - secret: - name: {{ $secretName }} + name: {{ template "gitlab.gitaly.tls.secret" . }} items: - key: "tls.crt" path: "gitaly.crt" diff --git a/spec/integration/check_config_spec.rb b/spec/integration/check_config_spec.rb index b4f49d0c91..4de3427d1b 100644 --- a/spec/integration/check_config_spec.rb +++ b/spec/integration/check_config_spec.rb @@ -51,7 +51,7 @@ describe 'checkConfig template' do error_description: 'when unset' end - describe 'gitaly.tls without Praefect' do + describe 'gitaly.tls' do let(:success_values) do { 'global' => { 
@@ -74,55 +74,7 @@ describe 'checkConfig template' do }.merge(default_required_values) end - let(:error_output) { 'global.gitaly.tls.secretName not specified' } - - include_examples 'config validation', - success_description: 'when TLS is enabled correctly', - error_description: 'when TLS is enabled but there is no certificate' - end - - describe 'gitaly.tls with Praefect' do - let(:success_values) do - { - 'global' => { - 'praefect' => { - 'enabled' => true, - 'virtualStorages' => [ - { 'name' => 'default', 'gitalyReplicas' => 3, - 'maxUnavailable' => 2, 'tlsSecretName' => 'gitaly-default-tls' }, - { 'name' => 'vs1', 'gitalyReplicas' => 2, - 'maxUnavailable' => 1, 'tlsSecretName' => 'gitaly-vs2-tls' } - ] - }, - 'gitaly' => { - 'enabled' => 'true', - 'tls' => { 'enabled' => true } - } - } - }.merge(default_required_values) - end - - let(:error_values) do - { - 'global' => { - 'praefect' => { - 'enabled' => 'true', - 'virtualStorages' => [ - { 'name' => 'default', 'gitalyReplicas' => 3, - 'maxUnavailable' => 2, 'tlsSecretName' => 'gitaly-default-tls' }, - { 'name' => 'vs2', 'gitalyReplicas' => 2, - 'maxUnavailable' => 1 } - ] - }, - 'gitaly' => { - 'enabled' => 'true', - 'tls' => { 'enabled' => true } - } - } - }.merge(default_required_values) - end - - let(:error_output) { 'global.praefect.virtualStorages[1].tlsSecretName not specified (\'vs2\')' } + let(:error_output) { 'no certificate was specified' } include_examples 'config validation', success_description: 'when TLS is enabled correctly', diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 0586e688b3..958d3ec861 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -76,28 +76,9 @@ contentSecurityPolicy: Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} -{{- $msg := "" -}} -{{- $tlsProvided := true -}} -{{- if $.Values.global.praefect.enabled -}} -{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} -{{- if not $vs.tlsSecretName }} -{{- $tlsProvided = false -}} -{{- $msg = printf "global.praefect.virtualStorages[%d].tlsSecretName not specified ('%s')" $i $vs.name -}} -{{- end }} -{{- end }} -{{- else }} -{{- if not $.Values.global.gitaly.tls.secretName -}} -{{- $tlsProvided = false -}} -{{- $msg = "global.gitaly.tls.secretName not specified" -}} -{{- end }} -{{- end }} -{{- $tlsEnabled := false -}} -{{- if and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled -}} -{{- $tlsEnabled = true -}} -{{- end }} -{{- if and $tlsEnabled (not $tlsProvided) -}} -gitaly: TLS enabled, but TLS certificate not specified - {{ $msg }} +{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not $.Values.global.gitaly.tls.secretName) }} +gitaly: server enabled with TLS, no TLS certificate provided + It appears Gitaly is specified to listen over TLS, but no certificate was specified. {{- end -}} {{- end -}} {{/* END gitlab.checkConfig.gitaly.tls */}} -- GitLab From e7d4e9f690a254213ac576df63d59b2c860cc2a4 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 9 Dec 2020 11:24:04 -0500 Subject: [PATCH 69/83] Revert "Remove `virtualStorages[].tlsSecretName`" This reverts commit d75310a7e13189ff9d412bd1ae03503b5424f9d4. --- .../gitaly/templates/_statefulset_spec.yaml | 6 ++- spec/integration/check_config_spec.rb | 52 ++++++++++++++++++- templates/_checkConfig.tpl | 25 +++++++-- 3 files changed, 77 insertions(+), 6 deletions(-) 
diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index cd440fb6cd..96c2c04ccf 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml @@ -202,8 +202,12 @@ spec: - key: {{ template "gitlab.gitlab-shell.authToken.key" . }} path: ".gitlab_shell_secret" {{- if .Values.global.gitaly.tls.enabled }} + {{- $secretName := include "gitlab.gitaly.tls.secret" . -}} + {{- if $praefect }} + {{- $secretName = .storage.tlsSecretName -}} + {{- end }} - secret: - name: {{ template "gitlab.gitaly.tls.secret" . }} + name: {{ $secretName }} items: - key: "tls.crt" path: "gitaly.crt" diff --git a/spec/integration/check_config_spec.rb b/spec/integration/check_config_spec.rb index 4de3427d1b..b4f49d0c91 100644 --- a/spec/integration/check_config_spec.rb +++ b/spec/integration/check_config_spec.rb @@ -51,7 +51,7 @@ describe 'checkConfig template' do error_description: 'when unset' end - describe 'gitaly.tls' do + describe 'gitaly.tls without Praefect' do let(:success_values) do { 'global' => { 
@@ -74,7 +74,55 @@ describe 'checkConfig template' do }.merge(default_required_values) end - let(:error_output) { 'no certificate was specified' } + let(:error_output) { 'global.gitaly.tls.secretName not specified' } + + include_examples 'config validation', + success_description: 'when TLS is enabled correctly', + error_description: 'when TLS is enabled but there is no certificate' + end + + describe 'gitaly.tls with Praefect' do + let(:success_values) do + { + 'global' => { + 'praefect' => { + 'enabled' => true, + 'virtualStorages' => [ + { 'name' => 'default', 'gitalyReplicas' => 3, + 'maxUnavailable' => 2, 'tlsSecretName' => 'gitaly-default-tls' }, + { 'name' => 'vs1', 'gitalyReplicas' => 2, + 'maxUnavailable' => 1, 'tlsSecretName' => 'gitaly-vs2-tls' } + ] + }, + 'gitaly' => { + 'enabled' => 'true', + 'tls' => { 'enabled' => true } + } + } + }.merge(default_required_values) + end + + let(:error_values) do + { + 'global' => { + 'praefect' => { + 'enabled' => 'true', + 'virtualStorages' => [ + { 'name' => 'default', 'gitalyReplicas' => 3, + 'maxUnavailable' => 2, 'tlsSecretName' => 'gitaly-default-tls' }, + { 'name' => 'vs2', 'gitalyReplicas' => 2, + 'maxUnavailable' => 1 } + ] + }, + 'gitaly' => { + 'enabled' => 'true', + 'tls' => { 'enabled' => true } + } + } + }.merge(default_required_values) + end + + let(:error_output) { 'global.praefect.virtualStorages[1].tlsSecretName not specified (\'vs2\')' } include_examples 'config validation', success_description: 'when TLS is enabled correctly', diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 958d3ec861..0586e688b3 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -76,9 +76,28 @@ contentSecurityPolicy: Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} -{{- if and (and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled) (not $.Values.global.gitaly.tls.secretName) }} -gitaly: server enabled with TLS, no TLS certificate provided - It appears Gitaly is specified to listen over TLS, but no certificate was specified. +{{- $msg := "" -}} +{{- $tlsProvided := true -}} +{{- if $.Values.global.praefect.enabled -}} +{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} +{{- if not $vs.tlsSecretName }} +{{- $tlsProvided = false -}} +{{- $msg = printf "global.praefect.virtualStorages[%d].tlsSecretName not specified ('%s')" $i $vs.name -}} +{{- end }} +{{- end }} +{{- else }} +{{- if not $.Values.global.gitaly.tls.secretName -}} +{{- $tlsProvided = false -}} +{{- $msg = "global.gitaly.tls.secretName not specified" -}} +{{- end }} +{{- end }} +{{- $tlsEnabled := false -}} +{{- if and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled -}} +{{- $tlsEnabled = true -}} +{{- end }} +{{- if and $tlsEnabled (not $tlsProvided) -}} +gitaly: TLS enabled, but TLS certificate not specified + {{ $msg }} {{- end -}} {{- end -}} {{/* END gitlab.checkConfig.gitaly.tls */}} -- GitLab From 3f18352f59bd4bd0dcdfc3f9477befe46a41c474 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 9 Dec 2020 11:59:22 -0500 Subject: [PATCH 70/83] Specify secret volumes for each VirtualStorage If Praefect is enabled, and Gitaly TLS is enabled, then mount each Gitaly TLS secret in the custom-ca-certificates volume so Praefect trusts Gitaly's certificates. --- templates/_certificates.tpl | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/templates/_certificates.tpl b/templates/_certificates.tpl index cd3d631262..aa8916f474 100644 --- a/templates/_certificates.tpl +++ b/templates/_certificates.tpl 
@@ -2,7 +2,7 @@ {{- define "gitlab.certificates.initContainer" -}} {{- $customCAsEnabled := .Values.global.certificates.customCAs }} -{{- $internalGitalyTLSEnabled := and $.Values.global.gitaly.tls.enabled $.Values.global.gitaly.tls.secretName }} +{{- $internalGitalyTLSEnabled := $.Values.global.gitaly.tls.enabled }} {{- $internalPraefectTLSEnabled := and $.Values.global.praefect.tls.enabled $.Values.global.praefect.tls.secretName }} {{- $certmanagerDisabled := not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }} - name: certificates @@ -25,7 +25,7 @@ {{- define "gitlab.certificates.volumes" -}} {{- $customCAsEnabled := .Values.global.certificates.customCAs }} -{{- $internalGitalyTLSEnabled := and $.Values.global.gitaly.tls.enabled $.Values.global.gitaly.tls.secretName }} +{{- $internalGitalyTLSEnabled := and $.Values.global.gitaly.tls.enabled }} {{- $internalPraefectTLSEnabled := and $.Values.global.praefect.tls.enabled $.Values.global.praefect.tls.secretName }} {{- $certmanagerDisabled := not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }} - name: etc-ssl-certs @@ -46,11 +46,21 @@ name: {{ template "gitlab.wildcard-self-signed-cert-name" $ }}-ca {{- end }} {{- if $internalGitalyTLSEnabled }} + {{- if $.Values.global.praefect.enabled }} + {{- range $vs := $.Values.global.praefect.virtualStorages }} + - secret: + name: {{ $vs.tlsSecretName }} + items: + - key: "tls.crt" + path: "gitaly-{{ $vs.name }}-tls.crt" + {{- end }} + {{- else }} - secret: name: {{ template "gitlab.gitaly.tls.secret" $ }} items: - key: "tls.crt" path: "gitaly-internal-tls.crt" + {{- end }} {{- end }} {{- if $internalPraefectTLSEnabled }} - secret: -- GitLab From b34ebfebc2d4503809f620cf1418f7e56c365207 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 11 Dec 2020 15:08:54 +0000 Subject: [PATCH 71/83] Apply 1 suggestion(s) to 1 file(s) --- templates/_certificates.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
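Review bot: In the new Praefect branch of `gitlab.certificates.volumes`, `name: {{ $vs.tlsSecretName }}` is emitted for every virtual storage without checking that the field is set, and `$internalGitalyTLSEnabled` no longer requires any secret name, so a storage lacking `tlsSecretName` renders an empty secret name that is rejected at apply time rather than at template time; `gitlab.checkConfig.gitaly.tls` only covers this when `global.gitaly.enabled` is true, which this template does not require. Wrapping the entry in `{{- if $vs.tlsSecretName }}` or using `required` fails early with a clear message. Separately, each storage's `tls.crt` is copied into the trust store so Praefect trusts it, which presumably works only when the Gitaly certificate is self-signed or the key also carries its issuing CA — a comment above the `range` such as `{{/* Each storage's tls.crt becomes a trust anchor for Praefect; CA-issued leaf certs need the chain in tls.crt */}}` would spare the next reader that discovery. The single-operand `and` in the `@@ -25` hunk is harmless but reads as a typo, and the define's closing `end` lies outside the hunk.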
diff --git a/templates/_certificates.tpl b/templates/_certificates.tpl index aa8916f474..fe0579d6b9 100644 --- a/templates/_certificates.tpl +++ b/templates/_certificates.tpl @@ -25,7 +25,7 @@ {{- define "gitlab.certificates.volumes" -}} {{- $customCAsEnabled := .Values.global.certificates.customCAs }} -{{- $internalGitalyTLSEnabled := and $.Values.global.gitaly.tls.enabled }} +{{- $internalGitalyTLSEnabled := $.Values.global.gitaly.tls.enabled }} {{- $internalPraefectTLSEnabled := and $.Values.global.praefect.tls.enabled $.Values.global.praefect.tls.secretName }} {{- $certmanagerDisabled := not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }} - name: etc-ssl-certs -- GitLab From 1d006bcd7cf52036fcf401e0ebb11ec593646428 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 11 Dec 2020 10:24:32 -0500 Subject: [PATCH 72/83] Catch every error in gitaly tls config check Rather than only catching and printing the last error for the Gitaly TLS config check, this collects a list of errors and prints them out at the end if the list is not empty. This more closely aligns with other config checks in the same file. --- templates/_checkConfig.tpl | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 0586e688b3..7d11855f6f 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -76,28 +76,26 @@ contentSecurityPolicy: Ensure a certificate is provided when Gitaly is enabled and is instructed to listen over TLS */}} {{- define "gitlab.checkConfig.gitaly.tls" -}} -{{- $msg := "" -}} -{{- $tlsProvided := true -}} -{{- if $.Values.global.praefect.enabled -}} -{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} -{{- if not $vs.tlsSecretName }} -{{- $tlsProvided = false -}} -{{- $msg = printf "global.praefect.virtualStorages[%d].tlsSecretName not specified ('%s')" $i $vs.name -}} +{{- $errorMsg := list -}} +{{- if and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled -}} +{{- if $.Values.global.praefect.enabled -}} +{{- range $i, $vs := $.Values.global.praefect.virtualStorages -}} +{{- if not $vs.tlsSecretName }} +{{- $errorMsg = append $errorMsg (printf "global.praefect.virtualStorages[%d].tlsSecretName not specified ('%s')" $i $vs.name) -}} +{{- end }} +{{- end }} +{{- else }} +{{- if not $.Values.global.gitaly.tls.secretName -}} +{{- $errorMsg = append $errorMsg ("global.gitaly.tls.secretName not specified") -}} {{- end }} -{{- end }} -{{- else }} -{{- if not $.Values.global.gitaly.tls.secretName -}} -{{- $tlsProvided = false -}} -{{- $msg = "global.gitaly.tls.secretName not specified" -}} {{- end }} {{- end }} -{{- $tlsEnabled := false -}} -{{- if and $.Values.global.gitaly.enabled $.Values.global.gitaly.tls.enabled -}} -{{- $tlsEnabled = true -}} +{{- if not (empty $errorMsg) }} +gitaly: +{{- range $msg := $errorMsg }} + {{ $msg }} {{- end }} -{{- if and $tlsEnabled (not $tlsProvided) -}} -gitaly: TLS enabled, but TLS certificate not specified - {{ $msg }} + This configuration is not supported. {{- end -}} {{- end -}} {{/* END gitlab.checkConfig.gitaly.tls */}} -- GitLab From 5d30af443a862b74cab22bdf456cea3e9eb19a9c Mon Sep 17 00:00:00 2001 
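Review bot: The empty-list case is still not caught: with `global.praefect.enabled` and no `virtualStorages`, the `range` appends nothing to `$errorMsg` and the check passes although TLS is enabled and no certificate is configured. Adding `{{- if empty $.Values.global.praefect.virtualStorages }}` / `{{- $errorMsg = append $errorMsg "global.praefect.virtualStorages not specified" -}}` / `{{- end }}` before the `range` closes it. Dropping the summary line also means the rendered output is now just `gitaly:` followed by field paths, so the reader no longer sees that TLS is the subject; a heading such as `gitaly: TLS enabled, but TLS certificate not specified` keeps that context without breaking the spec's substring match, and the parentheses around the plain string in the second `append` are unnecessary.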
From: Mitchell Nielsen Date: Fri, 11 Dec 2020 12:16:44 -0500 Subject: [PATCH 73/83] Change wording of test cases Changes the wording of the test cases - from saying "generates one set of X" to "generates X". The test cases didn't actually check that only one set was generated. While we could do that, it isn't a blocker for this MR, so for now we'll just adjust the wording to be more accurate. --- spec/configuration/praefect_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/configuration/praefect_spec.rb b/spec/configuration/praefect_spec.rb index 1b86893c2d..cb528a009c 100644 --- a/spec/configuration/praefect_spec.rb +++ b/spec/configuration/praefect_spec.rb @@ -74,7 +74,7 @@ describe 'Praefect configuration' do end end - it 'renders one set of Gitaly resources' do + it 'renders Gitaly resources' do gitaly_resources.each do |r| expect(template.dig(r)).to be_truthy end @@ -144,7 +144,7 @@ describe 'Praefect configuration' do expect(template.exit_code).to eq(0) end - it 'generates one set of operator-related resources' do + it 'generates operator-related resources' do operator_resources.each do |r| expect(template.dig(r)).to be_truthy end -- GitLab From dd2dacfc1f729e6bc72c63c9cdf5c2805cb05219 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 11 Dec 2020 14:35:15 -0500 Subject: [PATCH 74/83] Link to documentation to choose storage paths Links to documentation that discusses repository storage paths rather than restating the information. --- doc/charts/gitlab/praefect/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index c0fdf6e154..c6c7723733 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -56,9 +56,9 @@ global: maxUnavailable: 2 ``` -This will create two sets of resources for Gitaly. This includes two Gitaly StatefulSets (one per virtual storage). In the Admin UI, under -`admin/application_settings/repository` > `Repository storage`, weights can be assigned to each virtual storage. Click the question mark (?) icon in the -`Storage nodes for new repositories` section for more information. +This will create two sets of resources for Gitaly. This includes two Gitaly StatefulSets (one per virtual storage). + +Admins can then [choose where new repositories are stored](https://docs.gitlab.com/ee/administration/repository_storage_paths.html#choose-where-new-repositories-are-stored). ### Creating the database -- GitLab From 2befd265773842a6aacb7631416c7fb7ccef7422 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Fri, 11 Dec 2020 14:39:05 -0500 Subject: [PATCH 75/83] Add `gitalyReplicas` to replicas statement in docs Adds the `gitalyReplicas` key to the value statement that configures the number of Gitaly replicas. This matches the example YAML configuration below the statement. --- doc/charts/gitlab/praefect/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index c6c7723733..426b1f1bf3 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md @@ -27,7 +27,7 @@ The chart is disabled by default. To enable it as part of a chart deploy set `gl ### Replicas -The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.virtualStorages` with the desired number of replicas. For example: +The default number of replicas to deploy is 3. This can be changed by setting `global.praefect.virtualStorages[].gitalyReplicas` with the desired number of replicas. For example: ```yaml global: -- GitLab From f9f8ae2e85bcf8fb1135dd9c93324b66d2904570 Mon Sep 17 00:00:00 2001 
From: Mitchell Nielsen Date: Tue, 15 Dec 2020 16:40:03 -0500 Subject: [PATCH 76/83] Allow persistence config per virtual storage Allows a user to proivde persistence configuration per virtual storage. --- .../gitaly/templates/_statefulset_spec.yaml | 56 +++++++++++++++---- 1 file changed, 45 insertions(+), 11 deletions(-) diff --git a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index 96c2c04ccf..a8723e8ae5 100644 --- a/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
@@ -239,7 +239,41 @@ spec: nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} - {{- if .Values.persistence.enabled }} + + {{- $persistence := .Values.persistence.enabled -}} + {{- $accessMode := .Values.persistence.accessMode -}} + {{- $annotations := .Values.persistence.annotations -}} + {{- $size := .Values.persistence.size -}} + {{- $storageClass := .Values.persistence.storageClass -}} + {{- $matchLabels := .Values.persistence.matchLabels -}} + {{- $matchExpressions := .Values.persistence.matchLabels -}} + {{- if $praefect -}} + {{- if hasKey .storage "persistence" -}} + {{- if and (hasKey .storage.persistence "enabled") .storage.persistence.enabled -}} + {{- $persistence = .storage.persistence.enabled -}} + {{- if .storage.persistence.accessMode -}} + {{- $accessMode = .storage.persistence.accessMode -}} + {{- end -}} + {{- if .storage.persistence.annotations -}} + {{- $annotations = .storage.persistence.annotations -}} + {{- end -}} + {{- if .storage.persistence.size -}} + {{- $size = .storage.persistence.size -}} + {{- end -}} + {{- if .storage.persistence.storageClass -}} + {{- $storageClass = .storage.persistence.storageClass -}} + {{- end -}} + {{- if .storage.persistence.matchLabels -}} + {{- $matchLabels = .storage.persistence.matchLabels -}} + {{- end -}} + {{- if .storage.persistence.matchLabels -}} + {{- $matchLabels = .storage.persistence.matchLabels -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end }} + + {{ if $persistence }} volumeClaimTemplates: - metadata: name: repo-data 
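Review bot: `$matchExpressions` is initialised from `.Values.persistence.matchLabels` instead of `.Values.persistence.matchExpressions`, and the per-storage override block repeats the `matchLabels` guard twice, never reading `.storage.persistence.matchExpressions`; in the volumeClaimTemplates hunk that follows (`@@ -250,29 +284,29 @@`) this emits the label map under `matchExpressions`, which is not a valid label-selector requirement, whenever `persistence.matchLabels` is set. The declaration should read `{{- $matchExpressions := .Values.persistence.matchExpressions -}}` and the duplicated block `{{- if .storage.persistence.matchExpressions -}}` / `{{- $matchExpressions = .storage.persistence.matchExpressions -}}`. The override is also only applied when `.storage.persistence.enabled` is truthy, so a storage cannot opt out of chart-wide persistence with `enabled: false`; if that is intended, a comment saying so above the `if $praefect` would help, otherwise a `hasKey .storage.persistence "enabled"` check would honour it. Note `{{ if $persistence }}` lost the `-` trim the original `{{- if` had, and the `spec:` mapping begins outside the hunk.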
@@ -250,29 +284,29 @@ spec: storage: {{ .storage.name }} {{- end }} annotations: - {{- range $key, $value := .Values.persistence.annotations }} + {{- range $key, $value := $annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: accessModes: - - {{ .Values.persistence.accessMode | quote }} + - {{ $accessMode | quote }} resources: requests: - storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} + storage: {{ $size | quote }} + {{- if $storageClass }} + {{- if (eq "-" $storageClass) }} storageClassName: "" {{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" + storageClassName: "{{ $storageClass }}" {{- end -}} {{- end }} selector: - {{- if .Values.persistence.matchLabels }} + {{- if $matchLabels }} matchLabels: - {{- toYaml .Values.persistence.matchLabels | nindent 12 }} + {{- toYaml $matchLabels | nindent 12 }} {{- end -}} - {{- if .Values.persistence.matchExpressions }} + {{- if $matchExpressions }} matchExpressions: - {{- toYaml .Values.persistence.matchExpressions | nindent 12 }} + {{- toYaml $matchExpressions | nindent 12 }} {{- end -}} {{- end }} -- GitLab From 8bed6ecd00dc00b2eaefe7433d43844a5bf60533 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 15 Dec 2020 16:40:46 -0500 Subject: [PATCH 77/83] Add docs on virtual storage TLS and persistence - Adds docs on how to configure Gitaly TLS with Praefect - Adds docs on how to configure persistence settings per virtual storage --- doc/charts/gitlab/praefect/index.md | 40 +++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 915f828c39..ec2318fb07 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -60,6 +60,46 @@ This will create two sets of resources for Gitaly. This includes two Gitaly Stat Admins can then [choose where new repositories are stored](https://docs.gitlab.com/ee/administration/repository_storage_paths.html#choose-where-new-repositories-are-stored). +When running Gitaly over TLS, a secret name must be provided for each virtual storage. + +```yaml +global: + praefect: + enabled: true + virtualStorages: + - name: default + gitalyReplicas: 4 + maxUnavailable: 1 + tlsSecretName: default-tls + - name: vs2 + gitalyReplicas: 5 + maxUnavailable: 2 + tlsSecretName: vs2-tls +``` + +It is also possible to provide persistence configuration per virtual storage. + +```yaml +global: + gitaly: + tls: + enabled: true + praefect: + enabled: true + tls: + enabled: true + secretName: praefect-tls + virtualStorages: + - name: default + gitalyReplicas: 4 + maxUnavailable: 1 + tlsSecretName: gitaly-default-tls + - name: vs2 + gitalyReplicas: 5 + maxUnavailable: 2 + tlsSecretName: gitaly-vs2-tls +``` + ### Creating the database Praefect uses its own database to track its state. This has to be manually created in order for Praefect to be functional. -- GitLab From b078be4e16cce12e5a089d4a4adcb7a81e62be24 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 16 Dec 2020 18:14:48 -0500 Subject: [PATCH 78/83] Fix example values files in Praefect docs Fixes the example values in the Praefect docs related to enabling Gitaly TLS and persistence configuration on virtual storages. --- doc/charts/gitlab/praefect/index.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index ec2318fb07..9c8c646e46 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -64,8 +64,14 @@ When running Gitaly over TLS, a secret name must be provided for each virtual st ```yaml global: + gitaly: + tls: + enabled: true praefect: enabled: true + tls: + enabled: true + secretName: praefect-tls virtualStorages: - name: default gitalyReplicas: 4 @@ -81,23 +87,25 @@ It is also possible to provide persistence configuration per virtual storage. ```yaml global: - gitaly: - tls: - enabled: true praefect: enabled: true - tls: - enabled: true - secretName: praefect-tls virtualStorages: - name: default gitalyReplicas: 4 maxUnavailable: 1 - tlsSecretName: gitaly-default-tls + persistence: + enabled: true + size: 50Gi + accessMode: ReadWriteOnce + storageClass: storageclass1 - name: vs2 gitalyReplicas: 5 maxUnavailable: 2 - tlsSecretName: gitaly-vs2-tls + persistence: + enabled: true + size: 100Gi + accessMode: ReadWriteOnce + storageClass: storageclass2 ``` ### Creating the database -- GitLab From 209a951ddd4daf73180816d9b47b1cdbcf017753 Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Wed, 16 Dec 2020 18:52:22 -0500 Subject: [PATCH 79/83] Move Gitaly TLS docs under Praefect TLS docs Moves the section on Gitaly TLS configuration below the Praefect TLS documentation for better flow. --- doc/charts/gitlab/praefect/index.md | 46 ++++++++++++++--------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md index 9c8c646e46..d347035a6d 100644 --- a/doc/charts/gitlab/praefect/index.md +++ b/doc/charts/gitlab/praefect/index.md 
@@ -60,29 +60,6 @@ This will create two sets of resources for Gitaly. This includes two Gitaly Stat
Admins can then [choose where new repositories are stored](https://docs.gitlab.com/ee/administration/repository_storage_paths.html#choose-where-new-repositories-are-stored).
-When running Gitaly over TLS, a secret name must be provided for each virtual storage.
-
-```yaml
-global:
- gitaly:
- tls:
- enabled: true
- praefect:
- enabled: true
- tls:
- enabled: true
- secretName: praefect-tls
- virtualStorages:
- - name: default
- gitalyReplicas: 4
- maxUnavailable: 1
- tlsSecretName: default-tls
- - name: vs2
- gitalyReplicas: 5
- maxUnavailable: 2
- tlsSecretName: vs2-tls
-```
-
It is also possible to provide persistence configuration per virtual storage.
```yaml
@@ -185,6 +162,29 @@ Users can use or refer that script to generate certificates with proper SAN attr
1. Redeploy the Helm chart by passing the additional arguments `--set global.praefect.tls.enabled=true --set global.praefect.tls.secretName=`
+When running Gitaly over TLS, a secret name must be provided for each virtual storage.
+
+```yaml
+global:
+ gitaly:
+ tls:
+ enabled: true
+ praefect:
+ enabled: true
+ tls:
+ enabled: true
+ secretName: praefect-tls
+ virtualStorages:
+ - name: default
+ gitalyReplicas: 4
+ maxUnavailable: 1
+ tlsSecretName: default-tls
+ - name: vs2
+ gitalyReplicas: 5
+ maxUnavailable: 2
+ tlsSecretName: vs2-tls
+```
+
### Installation command line options
The table below contains all the possible charts configurations that can be supplied to
--
GitLab
From 7d9bffb9cf220ba35197c0414fea8a700cf33ac4 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Wed, 16 Dec 2020 18:54:27 -0500
Subject: [PATCH 80/83] Add heading for Persistence
- Renames 'Virtual storages' heading to 'Multiple virtual storages' for better specificity
- Adds a separate heading for 'Persistence' after 'Multiple virtual storages' (since persistence configuration can be provided with only one virtual storage)
---
doc/charts/gitlab/praefect/index.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md
index d347035a6d..97c7967bac 100644
--- a/doc/charts/gitlab/praefect/index.md
+++ b/doc/charts/gitlab/praefect/index.md
@@ -39,7 +39,7 @@ global:
maxUnavailable: 1
```
-### Virtual storages
+### Multiple virtual storages
Multiple virtual storages can be configured (see [Gitaly Cluster](https://docs.gitlab.com/ee/administration/gitaly/praefect.html) documentation). For example:
@@ -60,7 +60,9 @@ This will create two sets of resources for Gitaly. This includes two Gitaly Stat
Admins can then [choose where new repositories are stored](https://docs.gitlab.com/ee/administration/repository_storage_paths.html#choose-where-new-repositories-are-stored).
-It is also possible to provide persistence configuration per virtual storage.
+### Persistence
+
+It is possible to provide persistence configuration per virtual storage.
```yaml
global:
--
GitLab
From 401bd7bf3ea82af4b349a60066111985dfb7bf25 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Thu, 17 Dec 2020 08:05:05 -0500
Subject: [PATCH 81/83] Update link to match new heading
Updates the virtual storages link for Praefect given the heading change in 7d9bffb9cf.
---
doc/charts/globals.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/charts/globals.md b/doc/charts/globals.md
index 033cead458..b7cc2146f3 100644
--- a/doc/charts/globals.md
+++ b/doc/charts/globals.md
@@ -649,7 +649,7 @@ global:
| Name | Type | Default | Description |
| ---- | ---- | ------- | ----------- |
| enabled | Bool | false | Whether or not to enable Praefect |
-| virtualStorages | List | See [docs](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#virtual-storages) | The list of desired virtual storages (each backed by a Gitaly StatefulSet) |
+| virtualStorages | List | See [docs](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#multiple-virtual-storages) | The list of desired virtual storages (each backed by a Gitaly StatefulSet) |
| dbSecret.secret | String | | The name of the secret to use for authenticating with the database |
| dbSecret.key | String | | The name of the key in `dbSecret.secret` to use |
| psql.host | String | | The hostname of the database server to use (when using an external database) |
--
GitLab
From 855bf794f190ddab3306e5f7aa913de89c864d1a Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Thu, 17 Dec 2020 13:17:53 -0500
Subject: [PATCH 82/83] Remove backslashes from kubectl command
Removes the backslashes from the kubectl command escaping the double quotes. In CI, these backslashes lead to a JSON object error. Without these backslashes (tested locally), the patch command passes.
---
charts/gitlab/charts/gitaly/templates/pause_job.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/gitlab/charts/gitaly/templates/pause_job.yaml b/charts/gitlab/charts/gitaly/templates/pause_job.yaml
index e38a986ec0..b624ecd7e8 100644
--- a/charts/gitlab/charts/gitaly/templates/pause_job.yaml
+++ b/charts/gitlab/charts/gitaly/templates/pause_job.yaml
@@ -82,10 +82,10 @@ spec:
{{- if .Values.global.praefect.enabled -}}
{{ range .Values.global.praefect.virtualStorages }}
echo Number of Gitaly replicas for storage {{ .name }} is {{ default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }};
- kubectl patch statefulset {{include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }';
+ kubectl patch statefulset {{include "gitlab.praefect.gitaly.serviceName" (dict "context" $ "name" .name) }} -p '{"spec": {"updateStrategy": {"rollingUpdate": {"partition": {{default (include "gitlab.gitaly.replicas" $) .gitalyReplicas }}} } } }';
{{- end }}
{{- else }}
echo Number of Gitaly replicas is {{include "gitlab.gitaly.replicas" . }};
- kubectl patch statefulset {{include "fullname" . }} -p '{\"spec\": {\"updateStrategy\": {\"rollingUpdate\": {\"partition\": {{include "gitlab.gitaly.replicas" . }}} } } }'
+ kubectl patch statefulset {{include "fullname" . }} -p '{"spec": {"updateStrategy": {"rollingUpdate": {"partition": {{include "gitlab.gitaly.replicas" . }}} } } }'
{{- end }}
{{- end }}
--
GitLab
From 10fce045357a34d9aa4afaa568acbec1a2e316df Mon Sep 17 00:00:00 2001
From: Jason Plum
Date: Thu, 17 Dec 2020 21:27:38 +0000
Subject: [PATCH 83/83] Apply 2 suggestion(s) to 2 file(s)
---
doc/charts/gitlab/praefect/index.md | 2 +-
doc/charts/globals.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/charts/gitlab/praefect/index.md b/doc/charts/gitlab/praefect/index.md
index 97c7967bac..5df137b84d 100644
--- a/doc/charts/gitlab/praefect/index.md
+++ b/doc/charts/gitlab/praefect/index.md
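Review bot: Both rewritten `kubectl patch` lines (the praefect branch and the `else` branch) still hand-assemble the JSON patch inside a single-quoted shell string, which is exactly the quoting that broke in CI and prompted this commit; letting Helm serialise the patch removes the escaping question entirely. Something like `-p '{{ dict "spec" (dict "updateStrategy" (dict "rollingUpdate" (dict "partition" (default (include "gitlab.gitaly.replicas" $) .gitalyReplicas | int)))) | toJson }}'` renders the same document, and the `| int` matters there because `include` returns a string that `toJson` would otherwise emit as `"partition": "3"`, which the API server would most likely reject for an integer field. The enclosing shell script and Job spec start outside the hunk, so I cannot tell from here whether `.name` and the resolved StatefulSet name are validated before being spliced into the command line; if they are not, a short comment stating that these are user-supplied values landing in a shell command would help the next reader.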
@@ -58,7 +58,7 @@ global:
This will create two sets of resources for Gitaly. This includes two Gitaly StatefulSets (one per virtual storage).
-Admins can then [choose where new repositories are stored](https://docs.gitlab.com/ee/administration/repository_storage_paths.html#choose-where-new-repositories-are-stored).
+Administrators can then [choose where new repositories are stored](https://docs.gitlab.com/ee/administration/repository_storage_paths.html#choose-where-new-repositories-are-stored).
### Persistence
diff --git a/doc/charts/globals.md b/doc/charts/globals.md
index b7cc2146f3..20424e1cfe 100644
--- a/doc/charts/globals.md
+++ b/doc/charts/globals.md
@@ -649,7 +649,7 @@ global:
| Name | Type | Default | Description |
| ---- | ---- | ------- | ----------- |
| enabled | Bool | false | Whether or not to enable Praefect |
-| virtualStorages | List | See [docs](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#multiple-virtual-storages) | The list of desired virtual storages (each backed by a Gitaly StatefulSet) |
+| virtualStorages | List | See [multiple virtual storages](https://docs.gitlab.com/ee/administration/gitaly/praefect.html#multiple-virtual-storages) above. | The list of desired virtual storages (each backed by a Gitaly StatefulSet) |
| dbSecret.secret | String | | The name of the secret to use for authenticating with the database |
| dbSecret.key | String | | The name of the key in `dbSecret.secret` to use |
| psql.host | String | | The hostname of the database server to use (when using an external database) |
--
GitLab