diff --git a/charts/gitlab/charts/toolbox/templates/upkeep-job.yaml b/charts/gitlab/charts/toolbox/templates/upkeep-job.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2988f9ac0efe70d6439868f958376070e860ca24
--- /dev/null
+++ b/charts/gitlab/charts/toolbox/templates/upkeep-job.yaml
@@ -0,0 +1,217 @@
+{{- if and .Values.enabled .Values.upkeep.cron.enabled }}
+{{- $imageCfg := dict "global" .Values.global.image "local" .Values.image -}}
+{{- $initImageCfg := dict "global" .Values.global.busybox.image "local" .Values.init.image -}}
+{{- include "database.datamodel.prepare" . -}}
+{{ if or ($.Capabilities.APIVersions.Has "batch/v1/CronJob") (eq $.Values.global.batch.cronJob.apiVersion "batch/v1") -}}
+apiVersion: batch/v1
+{{- else -}}
+apiVersion: batch/v1beta1
+{{- end }}
+kind: CronJob
+metadata:
+ name: {{ template "fullname" . }}-upkeep
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "gitlab.standardLabels" . | nindent 4 }}
+ {{- include "gitlab.commonLabels" . | nindent 4 }}
+spec:
+ concurrencyPolicy: {{ .Values.upkeep.cron.concurrencyPolicy }}
+ failedJobsHistoryLimit: {{ .Values.upkeep.cron.failedJobsHistoryLimit }}
+ schedule: {{ .Values.upkeep.cron.schedule | quote }}
+ startingDeadlineSeconds: {{ .Values.upkeep.cron.startingDeadlineSeconds }}
+ successfulJobsHistoryLimit: {{ .Values.upkeep.cron.successfulJobsHistoryLimit }}
+ suspend: {{ .Values.upkeep.cron.suspend }}
+ jobTemplate:
+ spec:
+ backoffLimit: {{ .Values.upkeep.cron.backoffLimit }}
+ {{- if .Values.upkeep.cron.activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ .Values.upkeep.cron.activeDeadlineSeconds }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ {{- include "gitlab.standardLabels" . | nindent 12 }}
+ {{- include "gitlab.commonLabels" . | nindent 12 }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ {{- range $key, $value := .Values.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ spec:
+ restartPolicy: {{ .Values.upkeep.cron.restartPolicy }}
+ {{- if .Values.tolerations }}
+ tolerations:
+ {{- toYaml .Values.tolerations | nindent 12 }}
+ {{- end }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- if or .Values.serviceAccount.enabled .Values.global.serviceAccount.enabled }}
+ serviceAccountName: {{ include "gitlab.serviceAccount.name" . }}
+ {{- end }}
+ initContainers:
+ {{- include "gitlab.extraInitContainers" . | nindent 12 }}
+ {{- include "gitlab.certificates.initContainer" . | nindent 12 }}
+ - name: configure
+ command: ['sh', '/config/configure']
+ image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" $.Values.global.busybox) | quote }}
+ {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 14 }}
+ env:
+ {{- include "gitlab.extraEnv" $ | nindent 16 }}
+ {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 16 }}
+ volumeMounts:
+ {{- include "gitlab.extraVolumeMounts" . | nindent 16 }}
+ {{- include "gitlab.psql.ssl.volumeMount" . | nindent 16 }}
+ - name: toolbox-config
+ mountPath: /config
+ readOnly: true
+ - name: init-toolbox-secrets
+ mountPath: /init-config
+ readOnly: true
+ - name: toolbox-secrets
+ mountPath: /init-secrets
+ readOnly: false
+ resources:
+ {{- toYaml .Values.init.resources | nindent 16 }}
+ {{- include "gitlab.image.pullSecrets" $imageCfg | indent 10 }}
+ containers:
+ {{- include "gitlab.extraContainers" . | nindent 12 }}
+ - name: {{ .Chart.Name }}-upkeep
+ args:
+ - /bin/bash
+ - -c
+ - {{ .Values.upkeep.cron.upkeepCommand }}
+ image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}"
+ {{- include "gitlab.image.pullPolicy" $imageCfg | indent 14 }}
+ env:
+ {{- include "gitlab.extraEnv" $ | nindent 16 }}
+ {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 16 }}
+ - name: ARTIFACTS_BUCKET_NAME
+ value: {{ .Values.global.appConfig.artifacts.bucket }}
+ - name: REGISTRY_BUCKET_NAME
+ value: {{ .Values.global.registry.bucket }}
+ - name: LFS_BUCKET_NAME
+ value: {{ .Values.global.appConfig.lfs.bucket }}
+ - name: UPLOADS_BUCKET_NAME
+ value: {{ .Values.global.appConfig.uploads.bucket }}
+ - name: PACKAGES_BUCKET_NAME
+ value: {{ .Values.global.appConfig.packages.bucket }}
+ - name: EXTERNAL_DIFFS_BUCKET_NAME
+ value: {{ .Values.global.appConfig.externalDiffs.bucket }}
+ - name: TERRAFORM_STATE_BUCKET_NAME
+ value: {{ .Values.global.appConfig.terraformState.bucket }}
+ - name: CI_SECURE_FILES_BUCKET_NAME
+ value: {{ .Values.global.appConfig.ciSecureFiles.bucket }}
+ - name: BACKUP_BUCKET_NAME
+ value: {{ .Values.global.appConfig.backups.bucket }}
+ - name: BACKUP_BACKEND
+ value: {{ .Values.upkeep.objectStorage.backend }}
+ - name: TMP_BUCKET_NAME
+ value: {{ .Values.global.appConfig.backups.tmpBucket }}
+ - name: PAGES_BUCKET_NAME
+ value: {{ .Values.global.pages.objectStore.bucket }}
+ - name: GITALY_FEATURE_DEFAULT_ON
+ value: "1"
+ - name: CONFIG_TEMPLATE_DIRECTORY
+ value: '/var/opt/gitlab/templates'
+ - name: CONFIG_DIRECTORY
+ value: '/srv/gitlab/config'
+ {{- if eq .Values.upkeep.objectStorage.backend "gcs" }}
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: '/etc/gitlab/objectstorage/{{ default "config" .Values.upkeep.objectStorage.config.key }}'
+ {{- end }}
+ volumeMounts:
+ {{- include "gitlab.extraVolumeMounts" . | nindent 16 }}
+ - name: toolbox-config
+ mountPath: '/var/opt/gitlab/templates'
+ - name: toolbox-secrets
+ mountPath: '/etc/gitlab'
+ readOnly: true
+ - name: toolbox-secrets
+ mountPath: /srv/gitlab/config/secrets.yml
+ subPath: rails-secrets/secrets.yml
+ - name: toolbox-tmp
+ mountPath: '/srv/gitlab/tmp'
+ {{- if and .Values.upkeep.cron.persistence.enabled .Values.upkeep.cron.persistence.subPath }}
+ subPath: "{{ .Values.upkeep.cron.persistence.subPath }}"
+ {{- end }}
+ readOnly: false
+ {{- include "gitlab.certificates.volumeMount" . | nindent 16 }}
+ resources:
+ {{- toYaml .Values.upkeep.cron.resources | nindent 16 }}
+ volumes:
+ {{- include "gitlab.extraVolumes" . | nindent 12 }}
+ {{- include "gitlab.psql.ssl.volume" . | nindent 12 }}
+ - name: toolbox-config
+ projected:
+ sources:
+ - configMap:
+ name: {{ template "fullname" . }}
+ - name: toolbox-tmp
+ {{- if .Values.upkeep.cron.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ template "fullname" . }}-upkeep-tmp
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ - name: init-toolbox-secrets
+ projected:
+ defaultMode: 0400
+ sources:
+ - secret:
+ name: {{ template "gitlab.rails-secrets.secret" . }}
+ items:
+ - key: secrets.yml
+ path: rails-secrets/secrets.yml
+ - secret:
+ name: {{ template "gitlab.gitlab-shell.authToken.secret" . }}
+ items:
+ - key: {{ template "gitlab.gitlab-shell.authToken.key" . }}
+ path: shell/.gitlab_shell_secret
+ {{- include "gitlab.gitaly.clientSecrets" . | nindent 16 }}
+ {{- include "gitlab.redis.secrets" . | nindent 16 }}
+ {{- range $.Values.local.psql }}
+ {{- include "gitlab.psql.secret" . | nindent 16 }}
+ {{- end }}
+ - secret:
+ name: {{ template "gitlab.registry.certificate.secret" . }}
+ items:
+ - key: registry-auth.key
+ path: registry/gitlab-registry.key
+ {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 16 -}}
+ {{- if or .Values.upkeep.objectStorage.config (not .Values.global.minio.enabled) }}
+ - secret:
+ name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.upkeep.objectStorage.config.secret }}
+ items:
+ - key: {{ default "config" .Values.upkeep.objectStorage.config.key }}
+ path: objectstorage/.s3cfg
+ {{- end }}
+ {{- if eq .Values.upkeep.objectStorage.backend "gcs" }}
+ - secret:
+ name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.upkeep.objectStorage.config.secret }}
+ items:
+ - key: {{ default "config" .Values.upkeep.objectStorage.config.key }}
+ path: objectstorage/{{ default "config" .Values.upkeep.objectStorage.config.key }}
+ {{- end }}
+ {{- include "gitlab.kas.mountSecrets" $ | nindent 16 }}
+ {{- include "gitlab.pages.mountSecrets" $ | nindent 16 }}
+ {{- include "gitlab.minio.mountSecrets" $ | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "object_store" "config" $.Values.global.appConfig.object_store) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "artifacts" "config" $.Values.global.appConfig.artifacts) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "lfs" "config" $.Values.global.appConfig.lfs) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "uploads" "config" $.Values.global.appConfig.uploads) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "packages" "config" $.Values.global.appConfig.packages) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "external_diffs" "config" $.Values.global.appConfig.externalDiffs) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "terraform_state" "config" $.Values.global.appConfig.terraformState) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "ci_secure_files" "config" $.Values.global.appConfig.ciSecureFiles) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "dependency_proxy" "config" $.Values.global.appConfig.dependencyProxy) | nindent 16 }}
+ {{- include "gitlab.appConfig.objectStorage.mountSecrets" (dict "name" "pages" "config" $.Values.global.pages.objectStore) | nindent 16 }}
+ {{- include "gitlab.appConfig.ldap.servers.mountSecrets" $ | nindent 16 }}
+ {{- include "gitlab.appConfig.omniauth.mountSecrets" $ | nindent 16 }}
+ - name: toolbox-secrets
+ emptyDir:
+ medium: "Memory"
+ {{- include "gitlab.certificates.volumes" . | nindent 12 }}
+ {{- include "gitlab.nodeSelector" . | nindent 10 }}
+{{- end }}
diff --git a/charts/gitlab/charts/toolbox/values.yaml b/charts/gitlab/charts/toolbox/values.yaml
index dfb4c7766a591bf1e07579a22e48936d0cee9298..948db64cce855507ac5570ac34e94f02822499bb 100644
--- a/charts/gitlab/charts/toolbox/values.yaml
+++ b/charts/gitlab/charts/toolbox/values.yaml
@@ -130,6 +130,52 @@ global:
 providers: []
 # - secret: gitlab-google-oauth2
 # key: provider
+
+## General purpose gitlab-toolbox running custom commands on a schedule
+upkeep:
+ cron:
+ enabled: false
+ upkeepCommand: "echo hello world"
+ concurrencyPolicy: Replace
+ failedJobsHistoryLimit: 1
+ schedule: "0 1 * * *"
+ startingDeadlineSeconds: null
+ successfulJobsHistoryLimit: 3
+ suspend: false
+ backoffLimit: 6
+ # activeDeadlineSeconds:
+ restartPolicy: "OnFailure"
+ resources:
+ # limits:
+ # cpu: 1
+ # memory: 2G
+ requests:
+ cpu: 50m
+ memory: 350M
+ persistence:
+ enabled: false
+ ## toolbox temporarily Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessMode: ReadWriteOnce
+ size: 10Gi
+ subPath: ""
+ ## if volumeName is set, use this existing PersistentVolume
+ # volumeName:
+ matchLabels: {}
+ matchExpressions: []
+ objectStorage:
+ backend: s3
+ config: {}
+ # secret: my-backup-secret
+ # key: config
+ # gcpProject: my-gcp-project-id
+
 backups:
 cron:
 enabled: false
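Review bot: `upkeepCommand` is the one key in the new `upkeep.cron` block with no explanatory comment, and it is the one that most needs it: the accompanying `upkeep-job.yaml` hands it to `/bin/bash -c` in a container that has the rails secrets, the gitlab-shell token and the object-storage credentials mounted, so whatever is set here runs with those credentials on every schedule tick. A comment above the key along the lines of `## Shell snippet executed via /bin/bash -c in the toolbox container on each run; it sees the same mounted secrets as the backup job, so keep it short and reviewable` would make that explicit. The example under `config: {}` still reads `my-backup-secret`, which looks copied from the `backups` block below; an upkeep-specific example name would avoid implying the two must share one secret.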