From e9528829fe7ecdb3aa80a3c4840b26282c53fbe0 Mon Sep 17 00:00:00 2001 From: "Marshall, Riley" Date: Tue, 6 Feb 2024 15:09:19 -0600 Subject: [PATCH 1/3] Added kubernetes resource limits Added kubernetes resource limits to gitlab pages, gitlab shell, and KAS. Added documentation to gitlab-pages, gitlab shell, KAS, mailroom, toolbox, and registry for resource limits. --- charts/gitlab/charts/gitlab-pages/values.yaml | 7 + .../charts/gitlab-shell/values.schema.json | 20 ++ charts/gitlab/charts/kas/values.yaml | 7 + doc/charts/gitlab/gitlab-pages/index.md | 138 +++++----- doc/charts/gitlab/gitlab-shell/index.md | 8 +- doc/charts/gitlab/kas/index.md | 150 +++++----- doc/charts/gitlab/mailroom/index.md | 109 ++++---- doc/charts/gitlab/toolbox/index.md | 137 ++++----- doc/charts/registry/index.md | 260 +++++++++--------- 9 files changed, 442 insertions(+), 394 deletions(-) diff --git a/charts/gitlab/charts/gitlab-pages/values.yaml b/charts/gitlab/charts/gitlab-pages/values.yaml index a717ab69d2..9dfb5a485f 100644 --- a/charts/gitlab/charts/gitlab-pages/values.yaml +++ b/charts/gitlab/charts/gitlab-pages/values.yaml @@ -131,6 +131,13 @@ extraEnv: {} maxUnavailable: 1 resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: + # memory: requests: cpu: 900m memory: 2G diff --git a/charts/gitlab/charts/gitlab-shell/values.schema.json b/charts/gitlab/charts/gitlab-shell/values.schema.json index b8c9d39167..1e4f00fcbb 100644 --- a/charts/gitlab/charts/gitlab-shell/values.schema.json +++ b/charts/gitlab/charts/gitlab-shell/values.schema.json 
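Review bot: The comment block added under `resources:` in gitlab-pages/values.yaml is Helm's stock boilerplate and does not fit this chart: it tells the reader to "remove the curly braces after 'resources:'" and says defaults are usually not set, yet the context lines show the same key already carrying `requests` (`cpu: 900m`, `memory: 2G`), so there are no braces and the advice contradicts the defaults directly beneath it. Replace the four sentences with something like `# No limits are set by default; uncomment and size them to cap the container's CPU and memory.` so that an operator who relies on the hint ends up with a bounded container rather than one limited only by the node. The identical block is added in the kas/values.yaml hunk. The new rows in gitlab-shell/index.md and kas/index.md also read "GitLab Pages maximum CPU" / "GitLab Pages minimum CPU", which looks copied from the Pages table and should name the chart each table belongs to.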
@@ -387,6 +387,26 @@
 },
 "resources": {
 "properties": {
+ "limits": {
+ "properties": {
+ "cpu": {
+ "title": "CPU Limit",
+ "type": [
+ "string",
+ "number"
+ ]
+ },
+ "memory": {
+ "title": "Memory Limit",
+ "type": [
+ "string",
+ "number"
+ ]
+ }
+ },
+ "title": "Resource limits",
+ "type": "object"
+ },
 "requests": {
 "properties": {
 "cpu": {
diff --git a/charts/gitlab/charts/kas/values.yaml b/charts/gitlab/charts/kas/values.yaml
index 3167234cd8..c020f4b0fc 100644
--- a/charts/gitlab/charts/kas/values.yaml
+++ b/charts/gitlab/charts/kas/values.yaml
@@ -77,6 +77,13 @@ serviceLabels: {}
 extraEnv: {}
 extraEnvFrom: {}
 resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu:
+ # memory:
 requests:
 cpu: 100m
 memory: 100M
diff --git a/doc/charts/gitlab/gitlab-pages/index.md b/doc/charts/gitlab/gitlab-pages/index.md
index 2da811617e..d4fb201222 100644
--- a/doc/charts/gitlab/gitlab-pages/index.md
+++ b/doc/charts/gitlab/gitlab-pages/index.md
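Review bot: The new `limits` object in values.schema.json accepts any extra key, so a misspelled `memroy:` validates cleanly and the container ships with no memory limit at all — the guard is dropped silently instead of failing `helm lint`. If other Kubernetes resource names (for example `ephemeral-storage` or extended resources) are not meant to be settable here, add `"additionalProperties": false` to `limits`, matching whatever the `requests` sibling does; that sibling is cut off at the end of the hunk, so I cannot tell from the diff which policy the file follows. The `"number"` branch also admits negative values, which the API server rejects anyway, so a `"minimum": 0` beside each `"type"` array would surface that at validation time. The enclosing `resources` schema continues past the hunk.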
@@ -37,74 +37,76 @@ configurations that can be supplied to the `helm install` command using the ### General settings -| Parameter | Default | Description | -| ----------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | | Pod annotations | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data source to expose | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.minReplicas` | `1` | Minimum number of replicas | -| 
`hpa.maxReplicas` | `10` | Maximum number of replicas | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-pages` | GitLab Pages image repository | -| `image.tag` | | image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | `{}` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | 
If a metrics endpoint should be made available for scraping | -| `metrics.port` | `9235` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | -| `metrics.tls.enabled` | `false` | TLS enabled for the metrics endpoint | -| `metrics.tls.secretName` | `{Release.Name}-pages-metrics-tls` | Secret for the metrics endpoint TLS cert and key | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `resources.requests.cpu` | `900m` | GitLab Pages minimum CPU | -| `resources.requests.memory` | `2G` | GitLab Pages minimum memory | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `service.externalPort` | `8090` | GitLab Pages exposed port | -| `service.internalPort` | `8090` | GitLab Pages internal port | -| `service.name` | `gitlab-pages` | GitLab Pages service name | -| 
`service.annotations` | | Annotations for all pages services. | -| `service.primary.annotations` | | Annotations for the primary service only. | -| `service.metrics.annotations` | | Annotations for the metrics service only. | -| `service.customDomains.annotations` | | Annotations for the custom domains service only. | -| `service.customDomains.type` | `LoadBalancer` | Type of service created for handling custom domains | -| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | -| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | -| `service.customDomains.nodePort.http` | | Node Port to be opened for HTTP connections. Valid only if `service.customDomains.type` is `NodePort` | -| `service.customDomains.nodePort.https` | | Node Port to be opened for HTTPS connections. Valid only if `service.customDomains.type` is `NodePort` | -| `service.sessionAffinity` | `None` | Type of the session affinity. Must be either `ClientIP` or `None` (this only makes sense for traffic originating from within the cluster) | -| `service.sessionAffinityConfig` | | Session affinity config. If `service.sessionAffinity` == `ClientIP` the default session sticky time is 3 hours (10800) | -| `serviceLabels` | `{}` | Supplemental service labels | -| `tolerations` | `[]` | Toleration labels for pod assignment | +| Parameter | Default | Description | +|-------------------------------------------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `annotations` | | Pod annotations | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. 
When not provided, the cluster default is used. | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data source to expose | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.minReplicas` | `1` | Minimum number of replicas | +| `hpa.maxReplicas` | `10` | Maximum number of replicas | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-pages` | GitLab Pages image repository | +| `image.tag` | | image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | `{}` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| 
`keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `9235` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. 
| +| `metrics.tls.enabled` | `false` | TLS enabled for the metrics endpoint | +| `metrics.tls.secretName` | `{Release.Name}-pages-metrics-tls` | Secret for the metrics endpoint TLS cert and key | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `resources.limits.cpu` | | GitLab Pages maximum CPU | +| `resources.limits.memory` | | GitLab Pages maximum memory | +| `resources.requests.cpu` | `900m` | GitLab Pages minimum CPU | +| `resources.requests.memory` | `2G` | GitLab Pages minimum memory | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `service.externalPort` | `8090` | GitLab Pages exposed port | +| `service.internalPort` | `8090` | GitLab Pages internal port | +| `service.name` | `gitlab-pages` | GitLab Pages service name | +| `service.annotations` | | Annotations for all pages services. | +| `service.primary.annotations` | | Annotations for the primary service only. | +| `service.metrics.annotations` | | Annotations for the metrics service only. | +| `service.customDomains.annotations` | | Annotations for the custom domains service only. 
| +| `service.customDomains.type` | `LoadBalancer` | Type of service created for handling custom domains | +| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | +| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | +| `service.customDomains.nodePort.http` | | Node Port to be opened for HTTP connections. Valid only if `service.customDomains.type` is `NodePort` | +| `service.customDomains.nodePort.https` | | Node Port to be opened for HTTPS connections. Valid only if `service.customDomains.type` is `NodePort` | +| `service.sessionAffinity` | `None` | Type of the session affinity. Must be either `ClientIP` or `None` (this only makes sense for traffic originating from within the cluster) | +| `service.sessionAffinityConfig` | | Session affinity config. If `service.sessionAffinity` == `ClientIP` the default session sticky time is 3 hours (10800) | +| `serviceLabels` | `{}` | Supplemental service labels | +| `tolerations` | `[]` | Toleration labels for pod assignment | ### Pages specific settings diff --git a/doc/charts/gitlab/gitlab-shell/index.md b/doc/charts/gitlab/gitlab-shell/index.md index 6c551f33c9..ce1873a974 100644 --- a/doc/charts/gitlab/gitlab-shell/index.md +++ b/doc/charts/gitlab/gitlab-shell/index.md 
@@ -35,7 +35,7 @@ controlled by `global.shell.port`. ## Installation command line options | Parameter | Default | Description | -| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `annotations` | | Pod annotations | | `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | | `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | 
@@ -55,7 +55,7 @@ controlled by `global.shell.port`. | `config.gssapi.keytab.key` | `keytab` | Key holding the keytab in the Kubernetes secret | | `config.gssapi.krb5Config` | | Content of the `/etc/krb5.conf` file in the GitLab Shell container | | `config.gssapi.servicePrincipalName` | | The Kerberos service name to be used by the `gitlab-sshd` daemon | -| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | +| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | | `deployment.livenessProbe.initialDelaySeconds` | 10 | Delay before liveness probe is initiated | | `deployment.livenessProbe.periodSeconds` | 10 | How often to perform the liveness probe | | `deployment.livenessProbe.timeoutSeconds` | 3 | When the liveness probe times out | @@ -104,6 +104,10 @@ controlled by `global.shell.port`. | `logging.format` | `json` | Set to `text` for unstructured logs | | `logging.sshdLogLevel` | `ERROR` | Log level for underlying SSH daemon | | `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | +| `resources.limits.cpu` | | GitLab Pages maximum CPU | +| `resources.limits.memory` | | GitLab Pages maximum memory | +| `resources.requests.cpu` | `0` | GitLab Pages minimum CPU | +| `resources.requests.memory` | `6M` | GitLab Pages minimum memory | | `replicaCount` | `1` | Shell replicas | | `serviceLabels` | `{}` | Supplemental service labels | | `service.externalTrafficPolicy` | `Cluster` | Shell service external traffic policy (Cluster or Local) | diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index 4a3298a056..b3301f3d58 100644 --- a/doc/charts/gitlab/kas/index.md 
+++ b/doc/charts/gitlab/kas/index.md 
@@ -65,80 +65,82 @@ specified in `global.hosts.domain`. You can pass these parameters to the `helm install` command by using the `--set` flags. -| Parameter | Default | Description | -| -------------------------------------------- | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `annotations` | `{}` | Pod annotations. | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `extraContainers` | | List of extra containers to include. | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `init.containerSecurityContext` | `{}` | init container securityContext overrides | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | -| `image.tag` | `v13.7.0` | Image tag. | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`). | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`. | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value. 
| -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization. | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`. | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value. | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization. | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `ingress.enabled` | `true` if `global.kas.enabled=true` | You can use `kas.ingress.enabled` to explicitly turn it on or off. If not set, you can optionally use `global.ingress.enabled` for the same purpose. | -| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | -| `ingress.annotations` | `{}` | Ingress annotations. | -| `ingress.tls` | `{}` | Ingress TLS configuration. | -| `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | -| `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. 
| -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. | -| `metrics.path` | `/metrics` | Metrics endpoint path. | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor. | -| `maxReplicas` | `10` | HPA `maxReplicas`. | -| `maxUnavailable` | `1` | HPA `maxUnavailable`. | -| `minReplicas` | `2` | HPA `maxReplicas`. 
| -| `nodeSelector` | | Define a [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the `Pod`s of this `Deployment`, if present. | -| `observability.port` | `8151` | Observability endpoint port. Used for metrics and probe endpoints. | -| `observability.livenessProbe.path` | `/liveness` | URI for the liveness probe endpoint. This value has to match the `observability.liveness_probe.url_path` value from the KAS service configuration. | -| `observability.readinessProbe.path` | `/readiness` | URI for the readiness probe endpoint. This value has to match the `observability.readiness_probe.url_path` value from the KAS service configuration. | -| `serviceAccount.annotations` | `{}` | Service account annotations. | -| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. | -| `serviceLabels` | `{}` | Supplemental service labels. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `redis.enabled` | `true` | Allows opting-out of using Redis for KAS features. Warnings: Redis will become a hard dependency soon, so this key is already deprecated. | -| `resources.requests.cpu` | `75m` | GitLab Exporter minimum CPU. | -| `resources.requests.memory` | `100M` | GitLab Exporter minimum memory. | -| `service.externalPort` | `8150` | External port (for `agentk` connections). | -| `service.internalPort` | `8150` | Internal port (for `agentk` connections). | -| `service.apiInternalPort` | `8153` | Internal port for the internal API (for GitLab backend). | -| `service.loadBalancerIP` | `nil` | A custom load balancer IP when `service.type` is `LoadBalancer`. | -| `service.loadBalancerSourceRanges` | `nil` | A list of custom load balancer source ranges when `service.type` is `LoadBalancer`. | -| `service.kubernetesApiPort` | `8154` | External port to expose proxied Kubernetes API on. 
| -| `service.privateApiPort` | `8155` | Internal port to expose `kas`' private API on (for `kas` -> `kas` communication). | -| `privateApi.secret` | Autogenerated | The name of the secret to use for authenticating with the database. | -| `privateApi.key` | Autogenerated | The name of the key in `privateApi.secret` to use. | -| `privateApi.tls.enabled` | `false` | **DEPRECATED: use `global.kas.tls.enabled`**. Enable `kas` pods to communicate with each other using TLS. | -| `privateApi.tls.secretName` | `nil` | **DEPRECATED: use `global.kas.tls.secretName`**. Name of the [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) which contains the certificate and its associated key. Required if `privateApi.tls` is `true`. | -| `global.kas.service.apiExternalPort` | `8153` | External port for the internal API (for GitLab backend). | -| `service.type` | `ClusterIP` | Service type. | -| `tolerations` | `[]` | Toleration labels for pod assignment. | -| `customConfig` | `{}` | When given, merges the default `kas` configuration with these values giving precedence to those defined here. | -| `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. | -| `deployment.terminationGracePeriodSeconds` | `300` | How much time in seconds a Pod is allowed to spend shutting down after receiving SIGTERM. | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| +| Parameter | Default | Description | +|--------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `annotations` | `{}` | Pod annotations. | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `extraContainers` | | List of extra containers to include. | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `init.containerSecurityContext` | `{}` | init container securityContext overrides | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | +| `image.tag` | `v13.7.0` | Image tag. | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`). | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`. | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value. | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization. 
| +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`. | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value. | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization. | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `ingress.enabled` | `true` if `global.kas.enabled=true` | You can use `kas.ingress.enabled` to explicitly turn it on or off. If not set, you can optionally use `global.ingress.enabled` for the same purpose. | +| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | +| `ingress.annotations` | `{}` | Ingress annotations. | +| `ingress.tls` | `{}` | Ingress TLS configuration. | +| `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | +| `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling 
behavior, defaults to `hpa.behavior` |
+| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
+| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. |
+| `metrics.path` | `/metrics` | Metrics endpoint path. |
+| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. |
+| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. |
+| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor. |
+| `maxReplicas` | `10` | HPA `maxReplicas`. |
+| `maxUnavailable` | `1` | HPA `maxUnavailable`. |
+| `minReplicas` | `2` | HPA `maxReplicas`. |
+| `nodeSelector` | | Define a [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the `Pod`s of this `Deployment`, if present. |
+| `observability.port` | `8151` | Observability endpoint port. Used for metrics and probe endpoints. |
+| `observability.livenessProbe.path` | `/liveness` | URI for the liveness probe endpoint. This value has to match the `observability.liveness_probe.url_path` value from the KAS service configuration. |
+| `observability.readinessProbe.path` | `/readiness` | URI for the readiness probe endpoint. This value has to match the `observability.readiness_probe.url_path` value from the KAS service configuration. |
+| `serviceAccount.annotations` | `{}` | Service account annotations. |
+| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. |
+| `serviceLabels` | `{}` | Supplemental service labels. |
+| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. |
+| `redis.enabled` | `true` | Allows opting-out of using Redis for KAS features. 
Warnings: Redis will become a hard dependency soon, so this key is already deprecated. |
+| `resources.limits.cpu` | | GitLab Pages maximum CPU |
+| `resources.limits.memory` | | GitLab Pages maximum memory |
+| `resources.requests.cpu` | `100m` | GitLab Pages minimum CPU |
+| `resources.requests.memory` | `100M` | GitLab Pages minimum memory |
+| `service.externalPort` | `8150` | External port (for `agentk` connections). |
+| `service.internalPort` | `8150` | Internal port (for `agentk` connections). |
+| `service.apiInternalPort` | `8153` | Internal port for the internal API (for GitLab backend). |
+| `service.loadBalancerIP` | `nil` | A custom load balancer IP when `service.type` is `LoadBalancer`. |
+| `service.loadBalancerSourceRanges` | `nil` | A list of custom load balancer source ranges when `service.type` is `LoadBalancer`. |
+| `service.kubernetesApiPort` | `8154` | External port to expose proxied Kubernetes API on. |
+| `service.privateApiPort` | `8155` | Internal port to expose `kas`' private API on (for `kas` -> `kas` communication). |
+| `privateApi.secret` | Autogenerated | The name of the secret to use for authenticating with the database. |
+| `privateApi.key` | Autogenerated | The name of the key in `privateApi.secret` to use. |
+| `privateApi.tls.enabled` | `false` | **DEPRECATED: use `global.kas.tls.enabled`**. Enable `kas` pods to communicate with each other using TLS. |
+| `privateApi.tls.secretName` | `nil` | **DEPRECATED: use `global.kas.tls.secretName`**. Name of the [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) which contains the certificate and its associated key. Required if `privateApi.tls` is `true`. |
+| `global.kas.service.apiExternalPort` | `8153` | External port for the internal API (for GitLab backend). |
+| `service.type` | `ClusterIP` | Service type. |
+| `tolerations` | `[]` | Toleration labels for pod assignment. 
|
+| `customConfig` | `{}` | When given, merges the default `kas` configuration with these values giving precedence to those defined here. |
+| `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. |
+| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. |
+| `deployment.terminationGracePeriodSeconds` | `300` | How much time in seconds a Pod is allowed to spend shutting down after receiving SIGTERM. |
+| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. |
 ## Enable TLS communication
diff --git a/doc/charts/gitlab/mailroom/index.md b/doc/charts/gitlab/mailroom/index.md
index f283dad570..0dd00809f7 100644
--- a/doc/charts/gitlab/mailroom/index.md
+++ b/doc/charts/gitlab/mailroom/index.md
@@ -78,60 +78,61 @@ serviceAccount: # name: ``` -| Parameter | Description | Default | -| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | -| `enabled` | Mailroom enablement flag | `true` | -| `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | -| `hpa.customMetrics` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | `[]` | -| `hpa.cpu.targetType` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | `Utilization` | -| `hpa.cpu.targetAverageValue` | Set the autoscaling CPU target value | | -| `hpa.cpu.targetAverageUtilization` | Set the autoscaling CPU target utilization | `75` | -| `hpa.memory.targetType` | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | | -| `hpa.memory.targetAverageValue` | Set the autoscaling memory target value | | -| `hpa.memory.targetAverageUtilization` | Set the autoscaling memory target utilization | | -| `hpa.maxReplicas` | Maximum number of replicas | `2` | -| `hpa.minReplicas` | Minimum number of replicas | `1` | -| `image.pullPolicy` | Mailroom image pull policy | `IfNotPresent` | -| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | -| `image.pullSecrets` | Mailroom image pull secrets | | -| `image.registry` | Mailroom image registry | | -| `image.repository` | Mailroom image repository | 
`registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom` |
-| `image.tag` | Mailroom image tag | |
-| `init.image.repository` | Mailroom init image repository | |
-| `init.image.tag` | Mailroom init image tag | |
-| `init.resources` | Mailroom init container resource requirements | `{ requests: { cpu: 50m }}` |
-| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) |
-| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` |
-| `keda.pollingInterval` | `30` | The interval to check each trigger on |
-| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 |
-| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` |
-| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` |
-| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) |
-| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` |
-| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
-| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
-| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
-| `podLabels` | Labels for running Mailroom Pods | `{}` |
-| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` |
-| `resources` | Mailroom resource requirements | `{ requests: { cpu: 50m, memory: 150M }}` |
-| `networkpolicy.annotations` | Annotations to add to the NetworkPolicy | `{}` |
-| `networkpolicy.egress.enabled` | Flag to enable egress rules of NetworkPolicy | `false` |
-| `networkpolicy.egress.rules` | Define a list of egress rules for NetworkPolicy | `[]` |
-| `networkpolicy.enabled` | Flag for using NetworkPolicy | `false` |
-| `networkpolicy.ingress.enabled` | Flag to enable `ingress` rules of NetworkPolicy | `false` |
-| `networkpolicy.ingress.rules` | Define a list of `ingress` rules for NetworkPolicy | `[]` |
-| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` |
-| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` |
-| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | |
-| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started |
-| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started |
-| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` |
-| `serviceAccount.enabled` | Flag for using ServiceAccount | `false` |
-| `serviceAccount.create` | Flag for creating a ServiceAccount | `false` |
-| `serviceAccount.name` | Name of ServiceAccount to use | |
-| `tolerations` | Tolerations to add to the Mailroom | |
-| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| | +| Parameter | Description | Default | +|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | +| `enabled` | Mailroom enablement flag | `true` | +| `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | +| `hpa.customMetrics` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | `[]` | +| `hpa.cpu.targetType` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | `Utilization` | +| `hpa.cpu.targetAverageValue` | Set the autoscaling CPU target value | | +| `hpa.cpu.targetAverageUtilization` | Set the autoscaling CPU target utilization | `75` | +| `hpa.memory.targetType` | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | | +| `hpa.memory.targetAverageValue` | Set the autoscaling memory target value | | +| `hpa.memory.targetAverageUtilization` | Set the autoscaling memory target utilization | | +| `hpa.maxReplicas` | Maximum number of replicas | `2` | +| `hpa.minReplicas` | Minimum number of replicas | `1` | +| `image.pullPolicy` | Mailroom image pull policy | `IfNotPresent` | +| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | +| `image.pullSecrets` | Mailroom image pull secrets | | +| `image.registry` | Mailroom image registry | | +| `image.repository` | 
Mailroom image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom` | +| `image.tag` | Mailroom image tag | | +| `init.image.repository` | Mailroom init image repository | | +| `init.image.tag` | Mailroom init image tag | | +| `init.resources` | Mailroom init container resource requirements | `{ requests: { cpu: 50m }}` | +| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `podLabels` | Labels for running Mailroom Pods | `{}` | +| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` | +| `resources.limits` | Mailroom resource limit requirements | `{}` | +| `resources.requests` | Mailroom resource request requirements | `{ requests: { cpu: 50m, memory: 150M }}` | +| `networkpolicy.annotations` | Annotations to add to the NetworkPolicy | `{}` | +| `networkpolicy.egress.enabled` | Flag to enable egress rules of NetworkPolicy | `false` | +| `networkpolicy.egress.rules` | Define a list of egress rules for NetworkPolicy | `[]` | +| `networkpolicy.enabled` | Flag for using NetworkPolicy | `false` | +| `networkpolicy.ingress.enabled` | Flag to enable `ingress` rules of NetworkPolicy | `false` | +| `networkpolicy.ingress.rules` | Define a list of `ingress` rules for NetworkPolicy | `[]` | +| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | +| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | +| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` | +| `serviceAccount.enabled` | Flag for using ServiceAccount | `false` | +| `serviceAccount.create` | Flag for creating a ServiceAccount | `false` | +| `serviceAccount.name` | Name of ServiceAccount to use | | +| `tolerations` | Tolerations to add to the Mailroom | | +| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | | ## Configuring KEDA 
diff --git a/doc/charts/gitlab/toolbox/index.md b/doc/charts/gitlab/toolbox/index.md
index f3c372f52c..4118a68c8a 100644
--- a/doc/charts/gitlab/toolbox/index.md
+++ b/doc/charts/gitlab/toolbox/index.md
@@ -61,74 +61,75 @@ gitlab: runAsUser: '1000' ``` -| Parameter | Description | Default | -|---------------------------------------------|----------------------------------------------|------------------------------| -| `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` | -| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | -| `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | | -| `backups.cron.activeDeadlineSeconds` | Backup CronJob active deadline seconds (if null, no active deadline is applied)| `null` | -| `backups.cron.safeToEvict` | Autoscaling safe-to-evict annotation | false | -| `backups.cron.backoffLimit` | Backup CronJob backoff limit| `6` | -| `backups.cron.concurrencyPolicy` | Kubernetes Job concurrency policy | `Replace` | -| `backups.cron.enabled` | Backup CronJob enabled flag | false | -| `backups.cron.extraArgs` | String of arguments to pass to the backup utility | | -| `backups.cron.failedJobsHistoryLimit` | Number of failed backup jobs list in history | `1` | -| `backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` | -| `backups.cron.persistence.enabled` | Backup cron enable persistence flag | false | -| `backups.cron.persistence.matchExpressions` | Label-expression matches to bind | | -| `backups.cron.persistence.matchLabels` | Label-value matches to bind | | -| `backups.cron.persistence.useGenericEphemeralVolume` | Use a [generic ephemeral volume](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) | false | -| `backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` | -| `backups.cron.persistence.storageClass` | StorageClass name for provisioning | | -| `backups.cron.persistence.subPath` | Backup cron persistence volume mount path | | -| `backups.cron.persistence.volumeName` | Existing persistent volume name | | -| 
`backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` |
-| `backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` |
-| `backups.cron.restartPolicy` | Backup cron restart policy (`Never` or `OnFailure`) | `OnFailure` |
-| `backups.cron.schedule` | Cron style schedule string | `0 1 * * *` |
-| `backups.cron.startingDeadlineSeconds` | Backup cron job starting deadline, in seconds (if null, no starting deadline is applied) | `null` |
-| `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs list in history | `3` |
-| `backups.cron.suspend` | Backup cron job is suspended | `false` |
-| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` |
-| `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" |
-| `backups.objectStorage.config.key` | Key containing credentials in secret | "" |
-| `backups.objectStorage.config.secret` | Object storage credentials secret | "" |
-| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` |
-| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | { `type`: `Recreate` } |
-| `enabled` | Toolbox enablement flag | true |
-| `extra` | YAML block for [extra `gitlab.yml` configuration](https://gitlab.com/gitlab-org/gitlab/-/blob/8d2b59dbf232f17159d63f0359fa4793921896d5/config/gitlab.yml.example#L1193-1199) | {} |
-| `image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` |
-| `image.pullSecrets` | Toolbox image pull secrets | |
-| `image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` |
-| `image.tag` | Toolbox image tag | `master` |
-| `init.image.repository` | Toolbox init image repository | |
-| `init.image.tag` | Toolbox init image tag | |
-| `init.resources` | Toolbox init container resource requirements | { `requests`: { `cpu`: `50m` }} |
-| `init.containerSecurityContext` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | {} |
-| `nodeSelector` | Toolbox and backup job node selection | |
-| `persistence.accessMode` | Toolbox persistence access mode | `ReadWriteOnce` |
-| `persistence.enabled` | Toolbox enable persistence flag | false |
-| `persistence.matchExpressions` | Label-expression matches to bind | |
-| `persistence.matchLabels` | Label-value matches to bind | |
-| `persistence.size` | Toolbox persistence volume size | `10Gi` |
-| `persistence.storageClass` | StorageClass name for provisioning | |
-| `persistence.subPath` | Toolbox persistence volume mount path | |
-| `persistence.volumeName` | Existing PersistentVolume name | |
-| `podLabels` | Labels for running Toolbox Pods | {} |
-| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| | -| `replicas` | Number of Toolbox Pods to run | `1` | -| `resources.requests` | Toolbox minimum requested resources | { `cpu`: `50m`, `memory`: `350M` | -| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | -| `containerSecurityContext` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | | -| `containerSecurityContext.runAsUser` | Allow to overwrite the specific security context under which the container is started | `1000` | -| `serviceAccount.annotations` | Annotations for ServiceAccount | {} | -| `serviceAccount.enabled` | Flag for using ServiceAccount | false | -| `serviceAccount.create` | Flag for creating a ServiceAccount | false | -| `serviceAccount.name` | Name of ServiceAccount to use | | -| `tolerations` | Tolerations to add to the Toolbox | | -| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | +| Parameter | Description | Default | +|------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------| +| `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` | +| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` | +| `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | | +| `backups.cron.activeDeadlineSeconds` | Backup CronJob active deadline seconds (if null, no active deadline is applied) | `null` | +| `backups.cron.safeToEvict` | Autoscaling safe-to-evict annotation | false | +| `backups.cron.backoffLimit` | Backup CronJob backoff limit | `6` | +| `backups.cron.concurrencyPolicy` | Kubernetes Job concurrency policy | `Replace` | +| `backups.cron.enabled` | Backup CronJob enabled flag | false | +| `backups.cron.extraArgs` | String of arguments to pass to the backup utility | | +| `backups.cron.failedJobsHistoryLimit` | Number of failed backup jobs list in history | `1` | +| `backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` | +| `backups.cron.persistence.enabled` | Backup cron enable persistence flag | false | +| `backups.cron.persistence.matchExpressions` | Label-expression matches to bind | | +| `backups.cron.persistence.matchLabels` | Label-value matches to bind | | +| `backups.cron.persistence.useGenericEphemeralVolume` | Use a [generic ephemeral volume](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) | false | +| `backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` | +| `backups.cron.persistence.storageClass` | StorageClass name for provisioning | | +| `backups.cron.persistence.subPath` | Backup cron persistence volume mount path | | +| `backups.cron.persistence.volumeName` | Existing persistent volume name | | +| `backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` | +| `backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` | +| `backups.cron.restartPolicy` | Backup cron restart policy (`Never` or `OnFailure`) | `OnFailure` | +| `backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | +| `backups.cron.startingDeadlineSeconds` | Backup cron job starting 
deadline, in seconds (if null, no starting deadline is applied) | `null` | +| `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs list in history | `3` | +| `backups.cron.suspend` | Backup cron job is suspended | `false` | +| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` | +| `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | +| `backups.objectStorage.config.key` | Key containing credentials in secret | "" | +| `backups.objectStorage.config.secret` | Object storage credentials secret | "" | +| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | +| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | { `type`: `Recreate` } | +| `enabled` | Toolbox enablement flag | true | +| `extra` | YAML block for [extra `gitlab.yml` configuration](https://gitlab.com/gitlab-org/gitlab/-/blob/8d2b59dbf232f17159d63f0359fa4793921896d5/config/gitlab.yml.example#L1193-1199) | {} | +| `image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Toolbox image pull secrets | | +| `image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` | +| `image.tag` | Toolbox image tag | `master` | +| `init.image.repository` | Toolbox init image repository | | +| `init.image.tag` | Toolbox init image tag | | +| `init.resources` | Toolbox init container resource requirements | { `requests`: { `cpu`: `50m` }} | +| `init.containerSecurityContext` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | {} | +| `nodeSelector` | Toolbox and backup job node selection | | +| `persistence.accessMode` | Toolbox persistence access mode | `ReadWriteOnce` | +| `persistence.enabled` | Toolbox enable persistence flag | false | +| 
`persistence.matchExpressions` | Label-expression matches to bind | | +| `persistence.matchLabels` | Label-value matches to bind | | +| `persistence.size` | Toolbox persistence volume size | `10Gi` | +| `persistence.storageClass` | StorageClass name for provisioning | | +| `persistence.subPath` | Toolbox persistence volume mount path | | +| `persistence.volumeName` | Existing PersistentVolume name | | +| `podLabels` | Labels for running Toolbox Pods | {} | +| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | | +| `replicas` | Number of Toolbox Pods to run | `1` | +| `resources.limits` | Toolbox maximum requested resources | {} | +| `resources.requests` | Toolbox minimum requested resources | { `cpu`: `50m`, `memory`: `350M` | +| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | +| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | +| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | +| `containerSecurityContext` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | | +| `containerSecurityContext.runAsUser` | Allow to overwrite the specific security context under which the container is started | `1000` | +| `serviceAccount.annotations` | Annotations for ServiceAccount | {} | +| `serviceAccount.enabled` | Flag for using ServiceAccount | false | +| `serviceAccount.create` | Flag for creating a ServiceAccount | false | +| `serviceAccount.name` | Name of ServiceAccount to use | | +| `tolerations` | Tolerations to add to the Toolbox | | +| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | ## Configuring backups 
diff --git a/doc/charts/registry/index.md b/doc/charts/registry/index.md
index d4549c8f20..7c50dd40d8 100644
--- a/doc/charts/registry/index.md
+++ b/doc/charts/registry/index.md
@@ -144,134 +144,138 @@ If you chose to deploy this chart as a standalone, remove the `registry` at the ## Installation parameters -| Parameter | Default | Description | -| -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `annotations` | | Pod annotations | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) | -| `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) | -| `certificate.secret` | `gitlab-registry` | JWT certificate | -| `debug.addr.port` | `5001` | Debug port | -| `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) | -| `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. 
| -| `debug.prometheus.enabled` | `false` | **DEPRECATED** Use `metrics.enabled` | -| `debug.prometheus.path` | `""` | **DEPRECATED** Use `metrics.path` | -| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | -| `draintimeout` | `'0'` | Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'`) | -| `relativeurls` | `false` | Enable the registry to return relative URLs in Location headers. 
| -| `enabled` | `true` | Enable registry flag | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `Utilization` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | `75` | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.minReplicas` | `2` | Minimum number of replicas | -| `hpa.maxReplicas` | `10` | Maximum number of replicas | -| `httpSecret` | | Https secret | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `image.pullPolicy` | | Pull policy for the registry image | -| `image.pullSecrets` | | Secrets to use for image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry` | Registry image | -| `image.tag` | `v3.88.1-gitlab` | Version of the image to use | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `log` | `{level: info, fields: {service: registry}}` | Configure the logging options | -| `minio.bucket` | `global.registry.bucket` | Legacy registry bucket name | -| `maintenance.readonly.enabled` | `false` | Enable registry's read-only mode | -| `maintenance.uploadpurging.enabled` | `true` | Enable upload purging | -| `maintenance.uploadpurging.age` | `168h` | Purge uploads older than the specified age | -| `maintenance.uploadpurging.interval` | `24h` | Frequency at which upload purging is performed | -| `maintenance.uploadpurging.dryrun` | `false` | Only list which uploads will be purged without deleting | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| -| `reporting.sentry.enabled` | `false` | Enable reporting using Sentry | -| `reporting.sentry.dsn` | | The Sentry DSN (Data Source Name) | -| `reporting.sentry.environment` | | The Sentry [environment](https://docs.sentry.io/product/sentry-basics/environments/) | -| `profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver | -| `profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials | -| `profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored | -| `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under | -| `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to | -| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. | -| `database.host` | `global.psql.host` | The database server hostname. | -| `database.port` | `global.psql.port` | The database server port. | -| `database.user` | | The database username. | -| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. | -| `database.password.key` | `password` | Secret key in which the database password is stored. | -| `database.name` | | The database name. | -| `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. | -| `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret. | -| `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. | -| `database.ssl.clientKey` | `global.psql.ssl.clientKey` | The key inside the secret referring the client key. 
| -| `database.ssl.serverCA` | `global.psql.ssl.serverCA` | The key inside the secret referring the certificate authority (CA). | -| `database.connecttimeout` | `0` | Maximum time to wait for a connection. Zero or not specified means waiting indefinitely. | -| `database.draintimeout` | `0` | Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely. | -| `database.preparedstatements` | `false` | Enable prepared statements. Disabled by default for compatibility with PgBouncer. | -| `database.primary` | `false` | Target primary database server. This is used to specify a dedicated FQDN to target when running registry `database.migrations`. The `host` will be used to run `database.migrations` when not specified. | -| `database.pool.maxidle` | `0` | The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means no idle connections. | -| `database.pool.maxopen` | `0` | The maximum number of open connections to the database. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections. | -| `database.pool.maxlifetime` | `0` | The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse. | -| `database.pool.maxidletime` | `0` | The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration. | -| `database.migrations.enabled` | `true` | Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods. 
| -| `database.migrations.activeDeadlineSeconds` | `3600` | Set the [activeDeadlineSeconds](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | -| `database.migrations.backoffLimit` | `6` | Set the [backoffLimit](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | -| `gc.disabled` | `true` | When set to `true`, the online GC workers are disabled. | -| `gc.maxbackoff` | `24h` | The maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless `gc.noidlebackoff` is `true`. Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added. | -| `gc.noidlebackoff` | `false` | When set to `true`, disables exponential backoffs between worker runs when there are no tasks to be processed. | -| `gc.transactiontimeout` | `10s` | The database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions. | -| `gc.blobs.disabled` | `false` | When set to `true`, the GC worker for blobs is disabled. | -| `gc.blobs.interval` | `5s` | The initial sleep interval between each worker run. | -| `gc.blobs.storagetimeout` | `5s` | The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend. | -| `gc.manifests.disabled` | `false` | When set to `true`, the GC worker for manifests is disabled. | -| `gc.manifests.interval` | `5s` | The initial sleep interval between each worker run. | -| `gc.reviewafter` | `24h` | The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait. 
| -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `serviceLabels` | `{}` | Supplemental service labels | -| `tokenService` | `container_registry` | JWT token service | -| `tokenIssuer` | `gitlab-issuer` | JWT token issuer | -| `tolerations` | `[]` | Toleration labels for pod assignment | -| `middleware.storage` | | configuration layer for midleware storage ([s3 for instance](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#example-middleware-configuration)) | -| `redis.cache.enabled` | `false` | When set to `true`, the Redis cache is enabled. This feature is dependent on the [metadata database](#database) being enabled. Repository metadata will be cached on the configured Redis instance. | -| `redis.cache.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | -| `redis.cache.port` | `6379` | The port of the Redis instance. | -| `redis.cache.sentinels` | `[]` | List sentinels with host and port. | -| `redis.cache.mainname` | | The main server name. Only applicable for Sentinel. | -| `redis.cache.password.enabled` | `false` | Indicates whether the Redis cache used by the Registry is password protected. | -| `redis.cache.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. 
This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | -| `redis.cache.password.key` | `redis-password` | Secret key in which the Redis password is stored. | -| `redis.cache.db` | `0` | The name of the database to use for each connection. | -| `redis.cache.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | -| `redis.cache.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | -| `redis.cache.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | -| `redis.cache.tls.enabled` | `false` | Set to `true` to enable TLS. | -| `redis.cache.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | -| `redis.cache.pool.size` | `10` | The maximum number of socket connections. Default is 10 connections. | -| `redis.cache.pool.maxlifetime` | `1h` | The connection age at which client retires a connection. Default is to not close aged connections. | -| `redis.cache.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | +| Parameter | Default | Description | +|---------------------------------------------|----------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `annotations` | | Pod annotations | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. 
| +| `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) | +| `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) | +| `certificate.secret` | `gitlab-registry` | JWT certificate | +| `debug.addr.port` | `5001` | Debug port | +| `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) | +| `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. | +| `debug.prometheus.enabled` | `false` | **DEPRECATED** Use `metrics.enabled` | +| `debug.prometheus.path` | `""` | **DEPRECATED** Use `metrics.path` | +| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | +| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment | +| `draintimeout` | `'0'` | Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'`) | +| `relativeurls` | `false` | Enable the registry to return relative URLs in Location headers. 
| +| `enabled` | `true` | Enable registry flag | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `Utilization` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | `75` | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.minReplicas` | `2` | Minimum number of replicas | +| `hpa.maxReplicas` | `10` | Maximum number of replicas | +| `httpSecret` | | Https secret | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `image.pullPolicy` | | Pull policy for the registry image | +| `image.pullSecrets` | | Secrets to use for image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry` | Registry image | +| `image.tag` | `v3.88.1-gitlab` | Version of the image to use | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of 
`HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `log` | `{level: info, fields: {service: registry}}` | Configure the logging options | +| `minio.bucket` | `global.registry.bucket` | Legacy registry bucket name | +| `maintenance.readonly.enabled` | `false` | Enable registry's read-only mode | +| `maintenance.uploadpurging.enabled` | `true` | Enable upload purging | +| `maintenance.uploadpurging.age` | `168h` | Purge uploads older than the specified age | +| `maintenance.uploadpurging.interval` | `24h` | Frequency at which upload purging is performed | +| `maintenance.uploadpurging.dryrun` | `false` | Only list which uploads will be purged without deleting | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| +| `resources.limits.cpu` | | GitLab Registry maximum CPU | +| `resources.limits.memory` | | GitLab Registry maximum memory | +| `resources.requests.cpu` | `50m` | GitLab Registry minimum CPU | +| `resources.requests.memory` | `32Mi` | GitLab Registry minimum memory | +| `reporting.sentry.enabled` | `false` | Enable reporting using Sentry | +| `reporting.sentry.dsn` | | The Sentry DSN (Data Source Name) | +| `reporting.sentry.environment` | | The Sentry [environment](https://docs.sentry.io/product/sentry-basics/environments/) | +| `profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver | +| `profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials | +| `profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored | +| `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under | +| `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to | +| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. | +| `database.host` | `global.psql.host` | The database server hostname. | +| `database.port` | `global.psql.port` | The database server port. | +| `database.user` | | The database username. | +| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. | +| `database.password.key` | `password` | Secret key in which the database password is stored. | +| `database.name` | | The database name. | +| `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. | +| `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. 
Defaults to the main PostgreSQL SSL secret. | +| `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. | +| `database.ssl.clientKey` | `global.psql.ssl.clientKey` | The key inside the secret referring the client key. | +| `database.ssl.serverCA` | `global.psql.ssl.serverCA` | The key inside the secret referring the certificate authority (CA). | +| `database.connecttimeout` | `0` | Maximum time to wait for a connection. Zero or not specified means waiting indefinitely. | +| `database.draintimeout` | `0` | Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely. | +| `database.preparedstatements` | `false` | Enable prepared statements. Disabled by default for compatibility with PgBouncer. | +| `database.primary` | `false` | Target primary database server. This is used to specify a dedicated FQDN to target when running registry `database.migrations`. The `host` will be used to run `database.migrations` when not specified. | +| `database.pool.maxidle` | `0` | The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means no idle connections. | +| `database.pool.maxopen` | `0` | The maximum number of open connections to the database. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections. | +| `database.pool.maxlifetime` | `0` | The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse. | +| `database.pool.maxidletime` | `0` | The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration. 
| +| `database.migrations.enabled` | `true` | Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods. | +| `database.migrations.activeDeadlineSeconds` | `3600` | Set the [activeDeadlineSeconds](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | +| `database.migrations.backoffLimit` | `6` | Set the [backoffLimit](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. | +| `gc.disabled` | `true` | When set to `true`, the online GC workers are disabled. | +| `gc.maxbackoff` | `24h` | The maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless `gc.noidlebackoff` is `true`. Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added. | +| `gc.noidlebackoff` | `false` | When set to `true`, disables exponential backoffs between worker runs when there are no tasks to be processed. | +| `gc.transactiontimeout` | `10s` | The database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions. | +| `gc.blobs.disabled` | `false` | When set to `true`, the GC worker for blobs is disabled. | +| `gc.blobs.interval` | `5s` | The initial sleep interval between each worker run. | +| `gc.blobs.storagetimeout` | `5s` | The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend. | +| `gc.manifests.disabled` | `false` | When set to `true`, the GC worker for manifests is disabled. | +| `gc.manifests.interval` | `5s` | The initial sleep interval between each worker run. 
| +| `gc.reviewafter` | `24h` | The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait. | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `serviceLabels` | `{}` | Supplemental service labels | +| `tokenService` | `container_registry` | JWT token service | +| `tokenIssuer` | `gitlab-issuer` | JWT token issuer | +| `tolerations` | `[]` | Toleration labels for pod assignment | +| `middleware.storage` | | configuration layer for midleware storage ([s3 for instance](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#example-middleware-configuration)) | +| `redis.cache.enabled` | `false` | When set to `true`, the Redis cache is enabled. This feature is dependent on the [metadata database](#database) being enabled. Repository metadata will be cached on the configured Redis instance. | +| `redis.cache.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | +| `redis.cache.port` | `6379` | The port of the Redis instance. | +| `redis.cache.sentinels` | `[]` | List sentinels with host and port. | +| `redis.cache.mainname` | | The main server name. Only applicable for Sentinel. | +| `redis.cache.password.enabled` | `false` | Indicates whether the Redis cache used by the Registry is password protected. 
| +| `redis.cache.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. | +| `redis.cache.password.key` | `redis-password` | Secret key in which the Redis password is stored. | +| `redis.cache.db` | `0` | The name of the database to use for each connection. | +| `redis.cache.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. | +| `redis.cache.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. | +| `redis.cache.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. | +| `redis.cache.tls.enabled` | `false` | Set to `true` to enable TLS. | +| `redis.cache.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. | +| `redis.cache.pool.size` | `10` | The maximum number of socket connections. Default is 10 connections. | +| `redis.cache.pool.maxlifetime` | `1h` | The connection age at which client retires a connection. Default is to not close aged connections. | +| `redis.cache.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. | ## Chart configuration examples -- GitLab From 2a4848e1d6fd6fcedc3e07158283c69f170f8269 Mon Sep 17 00:00:00 2001 From: "Marshall, Riley" Date: Mon, 29 Apr 2024 09:27:01 -0500 Subject: [PATCH 2/3] Uncomment Resource Limits. Uncommented kubernetes resource limits in gitlab pages. --- charts/gitlab/charts/gitlab-pages/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitlab/charts/gitlab-pages/values.yaml b/charts/gitlab/charts/gitlab-pages/values.yaml index 9dfb5a485f..fa9efd510f 100644 --- a/charts/gitlab/charts/gitlab-pages/values.yaml +++ b/charts/gitlab/charts/gitlab-pages/values.yaml 
@@ -135,9 +135,9 @@ resources:
 # choice for the user. This also increases chances charts run on environments with little
 # resources, such as Minikube. If you do want to specify resources, uncomment the following
 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu:
- # memory:
+ limits:
+ cpu:
+ memory:
 requests:
 cpu: 900m
 memory: 2G
--
GitLab

From 195aceaa1c41e52bd69f37f13c5fdccba61e5949 Mon Sep 17 00:00:00 2001
From: "Marshall, Riley"
Date: Mon, 29 Apr 2024 11:43:03 -0500
Subject: [PATCH 3/3] Reformat Docs.

Reformatted documentation for Gitlab-Pages, Gitlab-Shell, KAS, Mailroom, Toolbox, and Registry.

---
 doc/charts/gitlab/gitlab-pages/index.md | 140 ++++++------
 doc/charts/gitlab/gitlab-shell/index.md | 17 +-
 doc/charts/gitlab/kas/index.md | 159 +++++++------
 doc/charts/gitlab/mailroom/index.md | 112 ++++-----
 doc/charts/gitlab/toolbox/index.md | 142 ++++++------
 doc/charts/registry/index.md | 291 ++++++++++++------------
 6 files changed, 431 insertions(+), 430 deletions(-)

diff --git a/doc/charts/gitlab/gitlab-pages/index.md b/doc/charts/gitlab/gitlab-pages/index.md
index d4fb201222..3e3b232175 100644
--- a/doc/charts/gitlab/gitlab-pages/index.md
+++ b/doc/charts/gitlab/gitlab-pages/index.md
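Review bot: Uncommenting `limits:` with empty `cpu:` and `memory:` values leaves both keys present with a YAML null, which is not the same as omitting the limit. If the template passes `.Values.resources` through unchanged, the rendered pod spec carries `limits: {cpu: null, memory: null}`; a values schema that only admits string or number for these keys (the gitlab-shell `values.schema.json` in this series does) would reject it, and the API server may decode a null quantity as zero rather than absent, which would then conflict with the `900m`/`2G` requests below, so this is worth confirming with `helm template` before merging. The comment block kept above still tells the user to uncomment the following lines and remove the curly braces after `resources:`, which no longer describes the file. Either keep the three lines commented as the KAS chart in this series does, or set concrete defaults and rewrite the comment, e.g. `limits:` / `  cpu: 1` / `  memory: 2G` (sample values, to be sized for the deployment). Pages is usually internet-facing, so an effective absence of a memory limit lets a single pod grow until the node evicts it; if the intent is to ship a default, a real bound is the defensive choice.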
@@ -37,76 +37,76 @@ configurations that can be supplied to the `helm install` command using the ### General settings -| Parameter | Default | Description | -|-------------------------------------------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `annotations` | | Pod annotations | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data source to expose | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | -| `hpa.minReplicas` | `1` | Minimum number of replicas | -| `hpa.maxReplicas` 
| `10` | Maximum number of replicas | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | -| `image.pullSecrets` | | Secrets for the image repository | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-pages` | GitLab Pages image repository | -| `image.tag` | | image tag | -| `init.image.repository` | | initContainer image | -| `init.image.tag` | | initContainer image tag | -| `init.containerSecurityContext` | `{}` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | If a metrics 
endpoint should be made available for scraping | -| `metrics.port` | `9235` | Metrics endpoint port | -| `metrics.path` | `/metrics` | Metrics endpoint path | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | -| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | -| `metrics.tls.enabled` | `false` | TLS enabled for the metrics endpoint | -| `metrics.tls.secretName` | `{Release.Name}-pages-metrics-tls` | Secret for the metrics endpoint TLS cert and key | -| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | -| `resources.limits.cpu` | | GitLab Pages maximum CPU | -| `resources.limits.memory` | | GitLab Pages maximum memory | -| `resources.requests.cpu` | `900m` | GitLab Pages minimum CPU | -| `resources.requests.memory` | `2G` | GitLab Pages minimum memory | -| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | -| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | -| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | -| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | -| `service.externalPort` | `8090` | GitLab Pages exposed port | -| `service.internalPort` | `8090` | GitLab 
Pages internal port | -| `service.name` | `gitlab-pages` | GitLab Pages service name | -| `service.annotations` | | Annotations for all pages services. | -| `service.primary.annotations` | | Annotations for the primary service only. | -| `service.metrics.annotations` | | Annotations for the metrics service only. | -| `service.customDomains.annotations` | | Annotations for the custom domains service only. | -| `service.customDomains.type` | `LoadBalancer` | Type of service created for handling custom domains | -| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | -| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | -| `service.customDomains.nodePort.http` | | Node Port to be opened for HTTP connections. Valid only if `service.customDomains.type` is `NodePort` | -| `service.customDomains.nodePort.https` | | Node Port to be opened for HTTPS connections. Valid only if `service.customDomains.type` is `NodePort` | -| `service.sessionAffinity` | `None` | Type of the session affinity. Must be either `ClientIP` or `None` (this only makes sense for traffic originating from within the cluster) | -| `service.sessionAffinityConfig` | | Session affinity config. If `service.sessionAffinity` == `ClientIP` the default session sticky time is 3 hours (10800) | -| `serviceLabels` | `{}` | Supplemental service labels | -| `tolerations` | `[]` | Toleration labels for pod assignment | +| Parameter | Default | Description | +| ----------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `annotations` | | Pod annotations | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. 
| +| `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data source to expose | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization | +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization | +| `hpa.minReplicas` | `1` | Minimum number of replicas | +| `hpa.maxReplicas` | `10` | Maximum number of replicas | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `image.pullPolicy` | `IfNotPresent` | GitLab image pull policy | +| `image.pullSecrets` | | Secrets for the image repository | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-pages` | GitLab Pages image repository | +| `image.tag` | | image tag | +| `init.image.repository` | | initContainer image | +| `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | `{}` | initContainer container specific 
[securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | +| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | +| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | +| `metrics.port` | `9235` | Metrics endpoint port | +| `metrics.path` | `/metrics` | Metrics endpoint path | +| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | +| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | +| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the 
ServiceMonitor | +| `metrics.annotations` | | **DEPRECATED** Set explicit metrics annotations. Replaced by template content. | +| `metrics.tls.enabled` | `false` | TLS enabled for the metrics endpoint | +| `metrics.tls.secretName` | `{Release.Name}-pages-metrics-tls` | Secret for the metrics endpoint TLS cert and key | +| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | +| `resources.limits.cpu` | | Gitlab Pages maximum CPU | +| `resources.limits.memory` | | Gitlab Pages maximum memory +| `resources.requests.cpu` | `900m` | GitLab Pages minimum CPU | +| `resources.requests.memory` | `2G` | GitLab Pages minimum memory | +| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | +| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | +| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | +| `service.externalPort` | `8090` | GitLab Pages exposed port | +| `service.internalPort` | `8090` | GitLab Pages internal port | +| `service.name` | `gitlab-pages` | GitLab Pages service name | +| `service.annotations` | | Annotations for all pages services. | +| `service.primary.annotations` | | Annotations for the primary service only. | +| `service.metrics.annotations` | | Annotations for the metrics service only. | +| `service.customDomains.annotations` | | Annotations for the custom domains service only. 
| +| `service.customDomains.type` | `LoadBalancer` | Type of service created for handling custom domains | +| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | +| `service.customDomains.internalHttpsPort` | `8091` | Port where Pages daemon listens for HTTPS requests | +| `service.customDomains.nodePort.http` | | Node Port to be opened for HTTP connections. Valid only if `service.customDomains.type` is `NodePort` | +| `service.customDomains.nodePort.https` | | Node Port to be opened for HTTPS connections. Valid only if `service.customDomains.type` is `NodePort` | +| `service.sessionAffinity` | `None` | Type of the session affinity. Must be either `ClientIP` or `None` (this only makes sense for traffic originating from within the cluster) | +| `service.sessionAffinityConfig` | | Session affinity config. If `service.sessionAffinity` == `ClientIP` the default session sticky time is 3 hours (10800) | +| `serviceLabels` | `{}` | Supplemental service labels | +| `tolerations` | `[]` | Toleration labels for pod assignment | ### Pages specific settings diff --git a/doc/charts/gitlab/gitlab-shell/index.md b/doc/charts/gitlab/gitlab-shell/index.md index ce1873a974..e93359ab86 100644 --- a/doc/charts/gitlab/gitlab-shell/index.md +++ b/doc/charts/gitlab/gitlab-shell/index.md 
@@ -35,7 +35,7 @@ controlled by `global.shell.port`.
 ## Installation command line options
 
 | Parameter | Default | Description |
-|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `annotations` | | Pod annotations |
 | `podLabels` | | Supplemental Pod labels. Will not be used for selectors. |
 | `common.labels` | | Supplemental labels that are applied to all objects created by this chart. |
@@ -55,7 +55,7 @@ controlled by `global.shell.port`.
 | `config.gssapi.keytab.key` | `keytab` | Key holding the keytab in the Kubernetes secret |
 | `config.gssapi.krb5Config` | | Content of the `/etc/krb5.conf` file in the GitLab Shell container |
 | `config.gssapi.servicePrincipalName` | | The Kerberos service name to be used by the `gitlab-sshd` daemon |
-| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) |
+| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) |
 | `deployment.livenessProbe.initialDelaySeconds` | 10 | Delay before liveness probe is initiated |
 | `deployment.livenessProbe.periodSeconds` | 10 | How often to perform the liveness probe |
 | `deployment.livenessProbe.timeoutSeconds` | 3 | When the liveness probe times out |
@@ -104,10 +104,10 @@ controlled by `global.shell.port`.
 | `logging.format` | `json` | Set to `text` for unstructured logs |
 | `logging.sshdLogLevel` | `ERROR` | Log level for underlying SSH daemon |
 | `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. |
-| `resources.limits.cpu` | | GitLab Pages maximum CPU |
-| `resources.limits.memory` | | GitLab Pages maximum memory |
-| `resources.requests.cpu` | `0` | GitLab Pages minimum CPU |
-| `resources.requests.memory` | `6M` | GitLab Pages minimum memory |
+| `resources.limits.cpu` | | Gitlab Shell maximum CPU |
+| `resources.limits.memory` | | Gitlab Shell maximum memory |
+| `resources.requests.cpu` | `0` | Gitlab Shell minimum CPU |
+| `resources.requests.memory` | `6M` | Gitlab Shell minimum memory |
 | `replicaCount` | `1` | Shell replicas |
 | `serviceLabels` | `{}` | Supplemental service labels |
 | `service.externalTrafficPolicy` | `Cluster` | Shell service external traffic policy (Cluster or Local) |
@@ -341,8 +341,7 @@ Any configuration supplied _must_ meet the functional requirements of `sshd_conf
 The content of `.opensshd.supplemental_config` will be directly placed at the end the `sshd_config` file within the container.
 This value should be a mutli-line string.
 
-Example, enabling older clients using the `ssh-rsa` key exchange algorithms, which
-[have been deprecated by OpenSSH](https://www.openssh.com/txt/release-8.8):
+Example, enabling older clients using the `ssh-rsa` key exchange algorithms. Note that enabling deprecated algorithms, such as `ssh-rsa`, creates [significant security vulnerabilities](https://www.openssh.com/txt/release-8.8). The likelihood of exploitation is **significantly amplified** on publicly exposed GitLab instances with these changes.
 
 ```yaml
 opensshd:
@@ -457,4 +456,4 @@ Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-dep
 | `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
 | `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
 
-See [`examples/keda/gitlab-shell.yml`](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/keda/gitlab-shell.yml) for an usage example of `keda`.
+See [`examples/keda/gitlab-shell.yml`](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/keda/gitlab-shell.yml) for an usage example of `keda`.
\ No newline at end of file
diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md
index b3301f3d58..32fd4b3feb 100644
--- a/doc/charts/gitlab/kas/index.md
+++ b/doc/charts/gitlab/kas/index.md
@@ -65,89 +65,86 @@ specified in `global.hosts.domain`. You can pass these parameters to the `helm install` command by using the `--set` flags. -| Parameter | Default | Description | -|--------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `annotations` | `{}` | Pod annotations. | -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | -| `extraContainers` | | List of extra containers to include. | -| `extraEnv` | | List of extra environment variables to expose | -| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | -| `init.containerSecurityContext` | `{}` | init container securityContext overrides | -| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | -| `image.tag` | `v13.7.0` | Image tag. | -| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | -| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`). | -| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`. | -| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value. 
| -| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization. | -| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`. | -| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value. | -| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization. | -| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | -| `ingress.enabled` | `true` if `global.kas.enabled=true` | You can use `kas.ingress.enabled` to explicitly turn it on or off. If not set, you can optionally use `global.ingress.enabled` for the same purpose. | -| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | -| `ingress.annotations` | `{}` | Ingress annotations. | -| `ingress.tls` | `{}` | Ingress TLS configuration. | -| `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | -| `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. 
| -| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | -| `keda.pollingInterval` | `30` | The interval to check each trigger on | -| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | -| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | -| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | -| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | -| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | -| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | -| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` | -| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` | -| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. | -| `metrics.path` | `/metrics` | Metrics endpoint path. | -| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. | -| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. | -| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor. | -| `maxReplicas` | `10` | HPA `maxReplicas`. | -| `maxUnavailable` | `1` | HPA `maxUnavailable`. | -| `minReplicas` | `2` | HPA `maxReplicas`. 
| -| `nodeSelector` | | Define a [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the `Pod`s of this `Deployment`, if present. | -| `observability.port` | `8151` | Observability endpoint port. Used for metrics and probe endpoints. | -| `observability.livenessProbe.path` | `/liveness` | URI for the liveness probe endpoint. This value has to match the `observability.liveness_probe.url_path` value from the KAS service configuration. | -| `observability.readinessProbe.path` | `/readiness` | URI for the readiness probe endpoint. This value has to match the `observability.readiness_probe.url_path` value from the KAS service configuration. | -| `serviceAccount.annotations` | `{}` | Service account annotations. | -| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. | -| `serviceLabels` | `{}` | Supplemental service labels. | -| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | -| `redis.enabled` | `true` | Allows opting-out of using Redis for KAS features. Warnings: Redis will become a hard dependency soon, so this key is already deprecated. | -| `resources.limits.cpu` | | GitLab Pages maximum CPU | -| `resources.limits.memory` | | GitLab Pages maximum memory | -| `resources.requests.cpu` | `100m` | GitLab Pages minimum CPU | -| `resources.requests.memory` | `100M` | GitLab Pages minimum memory | -| `service.externalPort` | `8150` | External port (for `agentk` connections). | -| `service.internalPort` | `8150` | Internal port (for `agentk` connections). | -| `service.apiInternalPort` | `8153` | Internal port for the internal API (for GitLab backend). | -| `service.loadBalancerIP` | `nil` | A custom load balancer IP when `service.type` is `LoadBalancer`. | -| `service.loadBalancerSourceRanges` | `nil` | A list of custom load balancer source ranges when `service.type` is `LoadBalancer`. 
| -| `service.kubernetesApiPort` | `8154` | External port to expose proxied Kubernetes API on. | -| `service.privateApiPort` | `8155` | Internal port to expose `kas`' private API on (for `kas` -> `kas` communication). | -| `privateApi.secret` | Autogenerated | The name of the secret to use for authenticating with the database. | -| `privateApi.key` | Autogenerated | The name of the key in `privateApi.secret` to use. | -| `privateApi.tls.enabled` | `false` | **DEPRECATED: use `global.kas.tls.enabled`**. Enable `kas` pods to communicate with each other using TLS. | -| `privateApi.tls.secretName` | `nil` | **DEPRECATED: use `global.kas.tls.secretName`**. Name of the [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) which contains the certificate and its associated key. Required if `privateApi.tls` is `true`. | -| `global.kas.service.apiExternalPort` | `8153` | External port for the internal API (for GitLab backend). | -| `service.type` | `ClusterIP` | Service type. | -| `tolerations` | `[]` | Toleration labels for pod assignment. | -| `customConfig` | `{}` | When given, merges the default `kas` configuration with these values giving precedence to those defined here. | -| `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. | -| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. | -| `deployment.terminationGracePeriodSeconds` | `300` | How much time in seconds a Pod is allowed to spend shutting down after receiving SIGTERM. | -| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| +| Parameter | Default | Description | +| -------------------------------------------- | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `annotations` | `{}` | Pod annotations. | +| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `extraContainers` | | List of extra containers to include. | +| `extraEnv` | | List of extra environment variables to expose | +| `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `init.containerSecurityContext` | `{}` | init container securityContext overrides | +| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | +| `image.tag` | `v13.7.0` | Image tag. | +| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | +| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`). | +| `hpa.cpu.targetType` | `AverageValue` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue`. | +| `hpa.cpu.targetAverageValue` | `100m` | Set the autoscaling CPU target value. | +| `hpa.cpu.targetAverageUtilization` | | Set the autoscaling CPU target utilization. 
| +| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue`. | +| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value. | +| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization. | +| `hpa.targetAverageValue` | | **DEPRECATED** Set the autoscaling CPU target value | +| `ingress.enabled` | `true` if `global.kas.enabled=true` | You can use `kas.ingress.enabled` to explicitly turn it on or off. If not set, you can optionally use `global.ingress.enabled` for the same purpose. | +| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | +| `ingress.annotations` | `{}` | Ingress annotations. | +| `ingress.tls` | `{}` | Ingress TLS configuration. | +| `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | +| `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. | +| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` | +| `keda.pollingInterval` | `30` | The interval to check each trigger on | +| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 | +| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `minReplicas` | +| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `maxReplicas` | +| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) | +| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` | +| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted | +| `keda.behavior` | | The specifications for up- and downscaling 
behavior, defaults to `hpa.behavior` |
+| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
+| `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. |
+| `metrics.path` | `/metrics` | Metrics endpoint path. |
+| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. |
+| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. |
+| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor. |
+| `maxReplicas` | `10` | HPA `maxReplicas`. |
+| `maxUnavailable` | `1` | HPA `maxUnavailable`. |
+| `minReplicas` | `2` | HPA `maxReplicas`. |
+| `nodeSelector` | | Define a [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the `Pod`s of this `Deployment`, if present. |
+| `observability.port` | `8151` | Observability endpoint port. Used for metrics and probe endpoints. |
+| `observability.livenessProbe.path` | `/liveness` | URI for the liveness probe endpoint. This value has to match the `observability.liveness_probe.url_path` value from the KAS service configuration. |
+| `observability.readinessProbe.path` | `/readiness` | URI for the readiness probe endpoint. This value has to match the `observability.readiness_probe.url_path` value from the KAS service configuration. |
+| `serviceAccount.annotations` | `{}` | Service account annotations. |
+| `podLabels` | `{}` | Supplemental Pod labels. Not used for selectors. |
+| `serviceLabels` | `{}` | Supplemental service labels. |
+| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. |
+| `redis.enabled` | `true` | Allows opting-out of using Redis for KAS features. 
Warnings: Redis will become a hard dependency soon, so this key is already deprecated. |
+| `resources.limits.cpu` | | GitLab Exporter maximum CPU. |
+| `resources.limits.memory` | | GitLab Exporter maximum memory. |
+| `resources.requests.cpu` | `75m` | GitLab Exporter minimum CPU. |
+| `resources.requests.memory` | `100M` | GitLab Exporter minimum memory. |
+| `service.externalPort` | `8150` | External port (for `agentk` connections). |
+| `service.internalPort` | `8150` | Internal port (for `agentk` connections). |
+| `service.apiInternalPort` | `8153` | Internal port for the internal API (for GitLab backend). |
+| `service.loadBalancerIP` | `nil` | A custom load balancer IP when `service.type` is `LoadBalancer`. |
+| `service.loadBalancerSourceRanges` | `nil` | A list of custom load balancer source ranges when `service.type` is `LoadBalancer`. |
+| `service.kubernetesApiPort` | `8154` | External port to expose proxied Kubernetes API on. |
+| `service.privateApiPort` | `8155` | Internal port to expose `kas`' private API on (for `kas` -> `kas` communication). |
+| `privateApi.secret` | Autogenerated | The name of the secret to use for authenticating with the database. |
+| `privateApi.key` | Autogenerated | The name of the key in `privateApi.secret` to use. |
+| `privateApi.tls.enabled` | `false` | **DEPRECATED: use `global.kas.tls.enabled`**. Enable `kas` pods to communicate with each other using TLS. |
+| `privateApi.tls.secretName` | `nil` | **DEPRECATED: use `global.kas.tls.secretName`**. Name of the [Kubernetes TLS secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) which contains the certificate and its associated key. Required if `privateApi.tls` is `true`. |
+| `global.kas.service.apiExternalPort` | `8153` | External port for the internal API (for GitLab backend). |
+| `service.type` | `ClusterIP` | Service type. |
+| `tolerations` | `[]` | Toleration labels for pod assignment. 
| +| `customConfig` | `{}` | When given, merges the default `kas` configuration with these values giving precedence to those defined here. | +| `deployment.minReadySeconds` | `0` | Minimum number of seconds that must pass before a `kas` pod is considered ready. | +| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment. | +| `deployment.terminationGracePeriodSeconds` | `300` | How much time in seconds a Pod is allowed to spend shutting down after receiving SIGTERM. | +| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | ## Enable TLS communication -> - The `gitlab.kas.privateApi.tls.enabled` and `gitlab.kas.privateApi.tls.secretName` attributes were - [deprecated](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3843) in GitLab 15.8, and will be - removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals.md#tls-settings-1) - instead. +> - The `gitlab.kas.privateApi.tls.enabled` and `gitlab.kas.privateApi.tls.secretName` attributes were [deprecated](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3843) in GitLab 15.8, and will be removed in GitLab 17.0. Enable TLS via the [global KAS attribute](../../globals.md#tls-settings-1) instead. Enable TLS communication between your `kas` pods and other GitLab chart components, through the [global KAS attribute](../../globals.md#tls-settings-1). 
@@ -283,4 +280,4 @@ Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-dep
 | `hpaName` | String | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` |
 | `restoreToOriginalReplicaCount` | Boolean | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
 | `behavior` | Map | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
-| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
+| `triggers` | Array | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
\ No newline at end of file
diff --git a/doc/charts/gitlab/mailroom/index.md b/doc/charts/gitlab/mailroom/index.md
index 0dd00809f7..ce5ba0cbae 100644
--- a/doc/charts/gitlab/mailroom/index.md
+++ b/doc/charts/gitlab/mailroom/index.md
@@ -78,61 +78,61 @@ serviceAccount: # name: ``` -| Parameter | Description | Default | -|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | -| `enabled` | Mailroom enablement flag | `true` | -| `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | -| `hpa.customMetrics` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | `[]` | -| `hpa.cpu.targetType` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | `Utilization` | -| `hpa.cpu.targetAverageValue` | Set the autoscaling CPU target value | | -| `hpa.cpu.targetAverageUtilization` | Set the autoscaling CPU target utilization | `75` | -| `hpa.memory.targetType` | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | | -| `hpa.memory.targetAverageValue` | Set the autoscaling memory target value | | -| `hpa.memory.targetAverageUtilization` | Set the autoscaling memory target utilization | | -| `hpa.maxReplicas` | Maximum number of replicas | `2` | -| `hpa.minReplicas` | Minimum number of replicas | `1` | -| `image.pullPolicy` | Mailroom image pull policy | `IfNotPresent` | -| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | -| `image.pullSecrets` | Mailroom image pull secrets | | -| `image.registry` | Mailroom 
image registry | |
-| `image.repository` | Mailroom image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom` |
-| `image.tag` | Mailroom image tag | |
-| `init.image.repository` | Mailroom init image repository | |
-| `init.image.tag` | Mailroom init image tag | |
-| `init.resources` | Mailroom init container resource requirements | `{ requests: { cpu: 50m }}` |
-| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) |
-| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` |
-| `keda.pollingInterval` | `30` | The interval to check each trigger on |
-| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 |
-| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` |
-| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` |
-| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) |
-| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` |
-| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
-| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
-| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
-| `podLabels` | Labels for running Mailroom Pods | `{}` |
-| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` |
-| `resources.limits` | Mailroom resource limit requirements | `{}` |
-| `resources.requests` | Mailroom resource request requirements | `{ requests: { cpu: 50m, memory: 150M }}` |
-| `networkpolicy.annotations` | Annotations to add to the NetworkPolicy | `{}` |
-| `networkpolicy.egress.enabled` | Flag to enable egress rules of NetworkPolicy | `false` |
-| `networkpolicy.egress.rules` | Define a list of egress rules for NetworkPolicy | `[]` |
-| `networkpolicy.enabled` | Flag for using NetworkPolicy | `false` |
-| `networkpolicy.ingress.enabled` | Flag to enable `ingress` rules of NetworkPolicy | `false` |
-| `networkpolicy.ingress.rules` | Define a list of `ingress` rules for NetworkPolicy | `[]` |
-| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` |
-| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` |
-| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | |
-| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started |
-| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started |
-| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` |
-| `serviceAccount.enabled` | Flag for using ServiceAccount | `false` |
-| `serviceAccount.create` | Flag for creating a ServiceAccount | `false` |
-| `serviceAccount.name` | Name of ServiceAccount to use | |
-| `tolerations` | Tolerations to add to the Mailroom | |
-| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| | +| Parameter | Description | Default | +| -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | +| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | +| `enabled` | Mailroom enablement flag | `true` | +| `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | +| `hpa.customMetrics` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) | `[]` | +| `hpa.cpu.targetType` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` | `Utilization` | +| `hpa.cpu.targetAverageValue` | Set the autoscaling CPU target value | | +| `hpa.cpu.targetAverageUtilization` | Set the autoscaling CPU target utilization | `75` | +| `hpa.memory.targetType` | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` | | +| `hpa.memory.targetAverageValue` | Set the autoscaling memory target value | | +| `hpa.memory.targetAverageUtilization` | Set the autoscaling memory target utilization | | +| `hpa.maxReplicas` | Maximum number of replicas | `2` | +| `hpa.minReplicas` | Minimum number of replicas | `1` | +| `image.pullPolicy` | Mailroom image pull policy | `IfNotPresent` | +| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | +| `image.pullSecrets` | Mailroom image pull secrets | | +| `image.registry` | Mailroom image registry | | +| `image.repository` | Mailroom image repository | 
`registry.gitlab.com/gitlab-org/build/cng/gitlab-mailroom` |
+| `image.tag` | Mailroom image tag | |
+| `init.image.repository` | Mailroom init image repository | |
+| `init.image.tag` | Mailroom init image tag | |
+| `init.resources` | Mailroom init container resource requirements | `{ requests: { cpu: 50m }}` |
+| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) |
+| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` |
+| `keda.pollingInterval` | `30` | The interval to check each trigger on |
+| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 |
+| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` |
+| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` |
+| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) |
+| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` |
+| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
+| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
+| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
+| `podLabels` | Labels for running Mailroom Pods | `{}` |
+| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` |
+| `resources.limits` | Mailroom resource limits requirements | `{}` |
+| `resources.requests` | Mailroom resource requests requirements | `{ requests: { cpu: 50m, memory: 150M }}` |
+| `networkpolicy.annotations` | Annotations to add to the NetworkPolicy | `{}` |
+| `networkpolicy.egress.enabled` | Flag to enable egress rules of NetworkPolicy | `false` |
+| `networkpolicy.egress.rules` | Define a list of egress rules for NetworkPolicy | `[]` |
+| `networkpolicy.enabled` | Flag for using NetworkPolicy | `false` |
+| `networkpolicy.ingress.enabled` | Flag to enable `ingress` rules of NetworkPolicy | `false` |
+| `networkpolicy.ingress.rules` | Define a list of `ingress` rules for NetworkPolicy | `[]` |
+| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` |
+| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` |
+| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | |
+| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started |
+| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started |
+| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` |
+| `serviceAccount.enabled` | Flag for using ServiceAccount | `false` |
+| `serviceAccount.create` | Flag for creating a ServiceAccount | `false` |
+| `serviceAccount.name` | Name of ServiceAccount to use | |
+| `tolerations` | Tolerations to add to the Mailroom | |
+| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | |
 ## Configuring KEDA 
@@ -240,4 +240,4 @@ Provide the tenant ID, client ID, and client secret using the these settings in the [command line options](../../../installation/command-line-options.md#service-desk-email-configuration). You will also have to create a Kubernetes secret containing the client secret -as described in the [secrets guide](../../../installation/secrets.md#imap-password-for-service-desk-emails). +as described in the [secrets guide](../../../installation/secrets.md#imap-password-for-service-desk-emails). \ No newline at end of file diff --git a/doc/charts/gitlab/toolbox/index.md b/doc/charts/gitlab/toolbox/index.md index 4118a68c8a..0d93f1c89e 100644 --- a/doc/charts/gitlab/toolbox/index.md +++ b/doc/charts/gitlab/toolbox/index.md 
@@ -59,77 +59,81 @@ gitlab: securityContext: fsGroup: '1000' runAsUser: '1000' + runAsGroup: '1000' + containerSecurityContext: + runAsUser: '1000' ``` -| Parameter | Description | Default | -|------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------| -| `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` | -| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | -| `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | | -| `backups.cron.activeDeadlineSeconds` | Backup CronJob active deadline seconds (if null, no active deadline is applied) | `null` | -| `backups.cron.safeToEvict` | Autoscaling safe-to-evict annotation | false | -| `backups.cron.backoffLimit` | Backup CronJob backoff limit | `6` | -| `backups.cron.concurrencyPolicy` | Kubernetes Job concurrency policy | `Replace` | -| `backups.cron.enabled` | Backup CronJob enabled flag | false | -| `backups.cron.extraArgs` | String of arguments to pass to the backup utility | | -| `backups.cron.failedJobsHistoryLimit` | Number of failed backup jobs list in history | `1` | -| `backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` | -| `backups.cron.persistence.enabled` | Backup cron enable persistence flag | false | -| `backups.cron.persistence.matchExpressions` | Label-expression matches to bind | | -| `backups.cron.persistence.matchLabels` | Label-value matches to bind | | -| `backups.cron.persistence.useGenericEphemeralVolume` | Use a [generic ephemeral volume](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) | false | -| `backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` | -| 
`backups.cron.persistence.storageClass` | StorageClass name for provisioning | |
-| `backups.cron.persistence.subPath` | Backup cron persistence volume mount path | |
-| `backups.cron.persistence.volumeName` | Existing persistent volume name | |
-| `backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` |
-| `backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` |
-| `backups.cron.restartPolicy` | Backup cron restart policy (`Never` or `OnFailure`) | `OnFailure` |
-| `backups.cron.schedule` | Cron style schedule string | `0 1 * * *` |
-| `backups.cron.startingDeadlineSeconds` | Backup cron job starting deadline, in seconds (if null, no starting deadline is applied) | `null` |
-| `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs list in history | `3` |
-| `backups.cron.suspend` | Backup cron job is suspended | `false` |
-| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` |
-| `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" |
-| `backups.objectStorage.config.key` | Key containing credentials in secret | "" |
-| `backups.objectStorage.config.secret` | Object storage credentials secret | "" |
-| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` |
-| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | { `type`: `Recreate` } |
-| `enabled` | Toolbox enablement flag | true |
-| `extra` | YAML block for [extra `gitlab.yml` configuration](https://gitlab.com/gitlab-org/gitlab/-/blob/8d2b59dbf232f17159d63f0359fa4793921896d5/config/gitlab.yml.example#L1193-1199) | {} |
-| `image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` |
-| `image.pullSecrets` | Toolbox image pull secrets | |
-| `image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` |
-| `image.tag` | Toolbox image tag | `master` |
-| `init.image.repository` | Toolbox init image repository | |
-| `init.image.tag` | Toolbox init image tag | |
-| `init.resources` | Toolbox init container resource requirements | { `requests`: { `cpu`: `50m` }} |
-| `init.containerSecurityContext` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | {} |
-| `nodeSelector` | Toolbox and backup job node selection | |
-| `persistence.accessMode` | Toolbox persistence access mode | `ReadWriteOnce` |
-| `persistence.enabled` | Toolbox enable persistence flag | false |
-| `persistence.matchExpressions` | Label-expression matches to bind | |
-| `persistence.matchLabels` | Label-value matches to bind | |
-| `persistence.size` | Toolbox persistence volume size | `10Gi` |
-| `persistence.storageClass` | StorageClass name for provisioning | |
-| `persistence.subPath` | Toolbox persistence volume mount path | |
-| `persistence.volumeName` | Existing PersistentVolume name | |
-| `podLabels` | Labels for running Toolbox Pods | {} |
-| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. 
| | -| `replicas` | Number of Toolbox Pods to run | `1` | -| `resources.limits` | Toolbox maximum requested resources | {} | -| `resources.requests` | Toolbox minimum requested resources | { `cpu`: `50m`, `memory`: `350M` | -| `securityContext.fsGroup` | Group ID under which the pod should be started | `1000` | -| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` | -| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | | -| `containerSecurityContext` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | | -| `containerSecurityContext.runAsUser` | Allow to overwrite the specific security context under which the container is started | `1000` | -| `serviceAccount.annotations` | Annotations for ServiceAccount | {} | -| `serviceAccount.enabled` | Flag for using ServiceAccount | false | -| `serviceAccount.create` | Flag for creating a ServiceAccount | false | -| `serviceAccount.name` | Name of ServiceAccount to use | | -| `tolerations` | Tolerations to add to the Toolbox | | -| `extraEnvFrom` | List of extra environment variables from other data sources to expose | | +| Parameter | Description | Default | +|---------------------------------------------|----------------------------------------------|------------------------------| +| `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` | +| `common.labels` | Supplemental labels that are applied to all objects created by this chart. 
| `{}` |
+| `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | |
+| `backups.cron.activeDeadlineSeconds` | Backup CronJob active deadline seconds (if null, no active deadline is applied)| `null` |
+| `backups.cron.safeToEvict` | Autoscaling safe-to-evict annotation | false |
+| `backups.cron.backoffLimit` | Backup CronJob backoff limit| `6` |
+| `backups.cron.concurrencyPolicy` | Kubernetes Job concurrency policy | `Replace` |
+| `backups.cron.enabled` | Backup CronJob enabled flag | false |
+| `backups.cron.extraArgs` | String of arguments to pass to the backup utility | |
+| `backups.cron.failedJobsHistoryLimit` | Number of failed backup jobs list in history | `1` |
+| `backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` |
+| `backups.cron.persistence.enabled` | Backup cron enable persistence flag | false |
+| `backups.cron.persistence.matchExpressions` | Label-expression matches to bind | |
+| `backups.cron.persistence.matchLabels` | Label-value matches to bind | |
+| `backups.cron.persistence.useGenericEphemeralVolume` | Use a [generic ephemeral volume](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) | false |
+| `backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` |
+| `backups.cron.persistence.storageClass` | StorageClass name for provisioning | |
+| `backups.cron.persistence.subPath` | Backup cron persistence volume mount path | |
+| `backups.cron.persistence.volumeName` | Existing persistent volume name | |
+| `backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` |
+| `backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` |
+| `backups.cron.restartPolicy` | Backup cron restart policy (`Never` or `OnFailure`) | `OnFailure` |
+| `backups.cron.schedule` | Cron style schedule string | `0 1 * * *` |
+| `backups.cron.startingDeadlineSeconds` | Backup cron job starting 
deadline, in seconds (if null, no starting deadline is applied) | `null` |
+| `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs list in history | `3` |
+| `backups.cron.suspend` | Backup cron job is suspended | `false` |
+| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` |
+| `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" |
+| `backups.objectStorage.config.key` | Key containing credentials in secret | "" |
+| `backups.objectStorage.config.secret` | Object storage credentials secret | "" |
+| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` |
+| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | { `type`: `Recreate` } |
+| `enabled` | Toolbox enablement flag | true |
+| `extra` | YAML block for [extra `gitlab.yml` configuration](https://gitlab.com/gitlab-org/gitlab/-/blob/8d2b59dbf232f17159d63f0359fa4793921896d5/config/gitlab.yml.example#L1193-1199) | {} |
+| `image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Toolbox image pull secrets | |
+| `image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` |
+| `image.tag` | Toolbox image tag | `master` |
+| `init.image.repository` | Toolbox init image repository | |
+| `init.image.tag` | Toolbox init image tag | |
+| `init.resources` | Toolbox init container resource requirements | { `requests`: { `cpu`: `50m` }} |
+| `init.containerSecurityContext` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | {} |
+| `nodeSelector` | Toolbox and backup job node selection | |
+| `persistence.accessMode` | Toolbox persistence access mode | `ReadWriteOnce` |
+| `persistence.enabled` | Toolbox enable persistence flag | false |
+| 
`persistence.matchExpressions` | Label-expression matches to bind | |
+| `persistence.matchLabels` | Label-value matches to bind | |
+| `persistence.size` | Toolbox persistence volume size | `10Gi` |
+| `persistence.storageClass` | StorageClass name for provisioning | |
+| `persistence.subPath` | Toolbox persistence volume mount path | |
+| `persistence.volumeName` | Existing PersistentVolume name | |
+| `podLabels` | Labels for running Toolbox Pods | {} |
+| `priorityClassName` | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. | |
+| `replicas` | Number of Toolbox Pods to run | `1` |
+| `resources.limits` | Toolbox maximum requested resources | {} |
+| `resources.requests` | Toolbox minimum requested resources | { `cpu`: `50m`, `memory`: `350M`}|
+| `securityContext.fsGroup` | File System Group ID under which the pod should be started | `1000` |
+| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` |
+| `securityContext.runAsGroup` | Group ID under which the pod should be started | `1000` |
+| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | |
+| `containerSecurityContext` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | |
+| `containerSecurityContext.runAsUser` | Allow to overwrite the specific security context under which the container is started | `1000` |
+| `serviceAccount.annotations` | Annotations for ServiceAccount | {} |
+| `serviceAccount.enabled` | Flag for using ServiceAccount | false |
+| `serviceAccount.create` | Flag for creating a ServiceAccount | false |
+| `serviceAccount.name` | Name of ServiceAccount to use | |
+| `tolerations` | Tolerations to add to the Toolbox | |
+| `extraEnvFrom` | List of extra environment variables from other data sources 
to expose | | ## Configuring backups diff --git a/doc/charts/registry/index.md b/doc/charts/registry/index.md index 7c50dd40d8..d9c253d534 100644 --- a/doc/charts/registry/index.md +++ b/doc/charts/registry/index.md @@ -46,7 +46,7 @@ This chart makes use of two required secrets and one optional: GitLab instance(s). See [documentation](https://docs.gitlab.com/ee/administration/packages/container_registry.html#use-an-external-container-registry-with-gitlab-as-an-auth-endpoint) on using GitLab as an auth endpoint. - `global.registry.httpSecret.secret`: A global secret that will contain the - [shared secret](https://docs.docker.com/registry/configuration/#http) between registry pods. + [shared secret](https://distribution.github.io/distribution/about/configuration/#http) between registry pods. ### Optional @@ -76,7 +76,7 @@ registry: interval: 24h dryrun: false image: - tag: 'v3.88.1-gitlab' + tag: 'v3.92.0-gitlab' pullPolicy: IfNotPresent annotations: service: 
@@ -144,138 +144,139 @@ If you chose to deploy this chart as a standalone, remove the `registry` at the
 ## Installation parameters
-| Parameter | Default | Description |
-|---------------------------------------------|----------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `annotations` | | Pod annotations |
-| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. |
-| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. |
-| `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) |
-| `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) |
-| `certificate.secret` | `gitlab-registry` | JWT certificate |
-| `debug.addr.port` | `5001` | Debug port |
-| `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) |
-| `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. |
-| `debug.prometheus.enabled` | `false` | **DEPRECATED** Use `metrics.enabled` |
-| `debug.prometheus.path` | `""` | **DEPRECATED** Use `metrics.path` |
-| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping |
-| `metrics.path` | `/metrics` | Metrics endpoint path |
-| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations |
-| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor |
-| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor |
-| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. |
-| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment |
-| `draintimeout` | `'0'` | Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'`) |
-| `relativeurls` | `false` | Enable the registry to return relative URLs in Location headers. |
-| `enabled` | `true` | Enable registry flag |
-| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) |
-| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) |
-| `hpa.cpu.targetType` | `Utilization` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` |
-| `hpa.cpu.targetAverageValue` | | Set the autoscaling CPU target value |
-| `hpa.cpu.targetAverageUtilization` | `75` | Set the autoscaling CPU target utilization |
-| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` |
-| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value |
-| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization |
-| `hpa.minReplicas` | `2` | Minimum number of replicas |
-| `hpa.maxReplicas` | `10` | Maximum number of replicas |
-| `httpSecret` | | Https secret |
-| `extraEnvFrom` | | List of extra environment variables from other data sources to expose |
-| `image.pullPolicy` | | Pull policy for the registry image |
-| `image.pullSecrets` | | Secrets to use for image repository |
-| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry` | Registry image |
-| `image.tag` | `v3.88.1-gitlab` | Version of the image to use |
-| `init.image.repository` | | initContainer image |
-| `init.image.tag` | | initContainer image tag |
-| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) |
-| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` |
-| `keda.pollingInterval` | `30` | The interval to check each trigger on |
-| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 |
-| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` |
-| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` |
-| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) |
-| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` |
-| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
-| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
-| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
-| `log` | `{level: info, fields: {service: registry}}` | Configure the logging options |
-| `minio.bucket` | `global.registry.bucket` | Legacy registry bucket name |
-| `maintenance.readonly.enabled` | `false` | Enable registry's read-only mode |
-| `maintenance.uploadpurging.enabled` | `true` | Enable upload purging |
-| `maintenance.uploadpurging.age` | `168h` | Purge uploads older than the specified age |
-| `maintenance.uploadpurging.interval` | `24h` | Frequency at which upload purging is performed |
-| `maintenance.uploadpurging.dryrun` | `false` | Only list which uploads will be purged without deleting |
-| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. |
-| `resources.limits.cpu` | | GitLab Registry maximum CPU |
-| `resources.limits.memory` | | GitLab Registry maximum memory |
-| `resources.requests.cpu` | `50m` | GitLab Registry minimum CPU |
-| `resources.requests.memory` | `32Mi` | GitLab Registry minimum memory |
-| `reporting.sentry.enabled` | `false` | Enable reporting using Sentry |
-| `reporting.sentry.dsn` | | The Sentry DSN (Data Source Name) |
-| `reporting.sentry.environment` | | The Sentry [environment](https://docs.sentry.io/product/sentry-basics/environments/) |
-| `profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver |
-| `profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials |
-| `profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored |
-| `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under |
-| `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to |
-| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. |
-| `database.host` | `global.psql.host` | The database server hostname. |
-| `database.port` | `global.psql.port` | The database server port. |
-| `database.user` | | The database username. |
-| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. |
-| `database.password.key` | `password` | Secret key in which the database password is stored. |
-| `database.name` | | The database name. |
-| `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. |
-| `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret. |
-| `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. |
-| `database.ssl.clientKey` | `global.psql.ssl.clientKey` | The key inside the secret referring the client key. |
-| `database.ssl.serverCA` | `global.psql.ssl.serverCA` | The key inside the secret referring the certificate authority (CA). |
-| `database.connecttimeout` | `0` | Maximum time to wait for a connection. Zero or not specified means waiting indefinitely. |
-| `database.draintimeout` | `0` | Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely. |
-| `database.preparedstatements` | `false` | Enable prepared statements. Disabled by default for compatibility with PgBouncer. |
-| `database.primary` | `false` | Target primary database server. This is used to specify a dedicated FQDN to target when running registry `database.migrations`. The `host` will be used to run `database.migrations` when not specified. |
-| `database.pool.maxidle` | `0` | The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means no idle connections. |
-| `database.pool.maxopen` | `0` | The maximum number of open connections to the database. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections. |
-| `database.pool.maxlifetime` | `0` | The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse. |
-| `database.pool.maxidletime` | `0` | The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration. |
-| `database.migrations.enabled` | `true` | Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods. |
-| `database.migrations.activeDeadlineSeconds` | `3600` | Set the [activeDeadlineSeconds](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. |
-| `database.migrations.backoffLimit` | `6` | Set the [backoffLimit](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. |
-| `gc.disabled` | `true` | When set to `true`, the online GC workers are disabled. |
+| Parameter | Default | Description |
+|---------------------------------------------|----------------------------------------------------------------------|-------------|
+| `annotations` | | Pod annotations |
+| `podLabels` | | Supplemental Pod labels. Will not be used for selectors. |
+| `common.labels` | | Supplemental labels that are applied to all objects created by this chart. |
+| `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) |
+| `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) |
+| `certificate.secret` | `gitlab-registry` | JWT certificate |
+| `debug.addr.port` | `5001` | Debug port |
+| `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) |
+| `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. |
+| `debug.prometheus.enabled` | `false` | **DEPRECATED** Use `metrics.enabled` |
+| `debug.prometheus.path` | `""` | **DEPRECATED** Use `metrics.path` |
+| `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping |
+| `metrics.path` | `/metrics` | Metrics endpoint path |
+| `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations |
+| `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor |
+| `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor |
+| `deployment.terminationGracePeriodSeconds` | `30` | Optional duration in seconds the pod needs to terminate gracefully. |
+| `deployment.strategy` | `{}` | Allows one to configure the update strategy utilized by the deployment |
+| `draintimeout` | `'0'` | Amount of time to wait for HTTP connections to drain after receiving a SIGTERM signal (e.g. `'10s'`) |
+| `relativeurls` | `false` | Enable the registry to return relative URLs in Location headers. |
+| `enabled` | `true` | Enable registry flag |
+| `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) |
+| `hpa.customMetrics` | `[]` | Custom metrics contains the specifications for which to use to calculate the desired replica count (overrides the default use of Average CPU Utilization configured in `targetAverageUtilization`) |
+| `hpa.cpu.targetType` | `Utilization` | Set the autoscaling CPU target type, must be either `Utilization` or `AverageValue` |
+| `hpa.cpu.targetAverageValue` | | Set the autoscaling CPU target value |
+| `hpa.cpu.targetAverageUtilization` | `75` | Set the autoscaling CPU target utilization |
+| `hpa.memory.targetType` | | Set the autoscaling memory target type, must be either `Utilization` or `AverageValue` |
+| `hpa.memory.targetAverageValue` | | Set the autoscaling memory target value |
+| `hpa.memory.targetAverageUtilization` | | Set the autoscaling memory target utilization |
+| `hpa.minReplicas` | `2` | Minimum number of replicas |
+| `hpa.maxReplicas` | `10` | Maximum number of replicas |
+| `httpSecret` | | Https secret |
+| `extraEnvFrom` | | List of extra environment variables from other data sources to expose |
+| `image.pullPolicy` | | Pull policy for the registry image |
+| `image.pullSecrets` | | Secrets to use for image repository |
+| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry` | Registry image |
+| `image.tag` | `v3.92.0-gitlab` | Version of the image to use |
+| `init.image.repository` | | initContainer image |
+| `init.image.tag` | | initContainer image tag |
+| `init.containerSecurityContext` | | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) |
+| `keda.enabled` | `false` | Use [KEDA](https://keda.sh/) `ScaledObjects` instead of `HorizontalPodAutoscalers` |
+| `keda.pollingInterval` | `30` | The interval to check each trigger on |
+| `keda.cooldownPeriod` | `300` | The period to wait after the last trigger reported active before scaling the resource back to 0 |
+| `keda.minReplicaCount` | | Minimum number of replicas KEDA will scale the resource down to, defaults to `hpa.minReplicas` |
+| `keda.maxReplicaCount` | | Maximum number of replicas KEDA will scale the resource up to, defaults to `hpa.maxReplicas` |
+| `keda.fallback` | | KEDA fallback configuration, see the [documentation](https://keda.sh/docs/2.10/concepts/scaling-deployments/#fallback) |
+| `keda.hpaName` | | The name of the HPA resource KEDA will create, defaults to `keda-hpa-{scaled-object-name}` |
+| `keda.restoreToOriginalReplicaCount` | | Specifies whether the target resource should be scaled back to original replicas count after the `ScaledObject` is deleted |
+| `keda.behavior` | | The specifications for up- and downscaling behavior, defaults to `hpa.behavior` |
+| `keda.triggers` | | List of triggers to activate scaling of the target resource, defaults to triggers computed from `hpa.cpu` and `hpa.memory` |
+| `log` | `{level: info, fields: {service: registry}}` | Configure the logging options |
+| `minio.bucket` | `global.registry.bucket` | Legacy registry bucket name |
+| `maintenance.readonly.enabled` | `false` | Enable registry's read-only mode |
+| `maintenance.uploadpurging.enabled` | `true` | Enable upload purging |
+| `maintenance.uploadpurging.age` | `168h` | Purge uploads older than the specified age |
+| `maintenance.uploadpurging.interval` | `24h` | Frequency at which upload purging is performed |
+| `maintenance.uploadpurging.dryrun` | `false` | Only list which uploads will be purged without deleting |
+| `priorityClassName` | | [Priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) assigned to pods. |
+| `resource.limits.cpu` | | Gitlab registry maximum CPU |
+| `resource.limits.memory` | | Gitlab registry maximum memory |
+| `maintenance.uploadpurging.interval` | `50m` | Gitlab registry minimum CPU |
+| `maintenance.uploadpurging.interval` | `32Mi` | Gitlab registry minimum memroy |
+| `reporting.sentry.enabled` | `false` | Enable reporting using Sentry |
+| `reporting.sentry.dsn` | | The Sentry DSN (Data Source Name) |
+| `reporting.sentry.environment` | | The Sentry [environment](https://docs.sentry.io/product/sentry-basics/concepts/environments/) |
+| `profiling.stackdriver.enabled` | `false` | Enable continuous profiling using Stackdriver |
+| `profiling.stackdriver.credentials.secret` | `gitlab-registry-profiling-creds` | Name of the secret containing credentials |
+| `profiling.stackdriver.credentials.key` | `credentials` | Secret key in which the credentials are stored |
+| `profiling.stackdriver.service` | `RELEASE-registry` (templated Service name) | Name of the Stackdriver service to record profiles under |
+| `profiling.stackdriver.projectid` | GCP project where running | GCP project to report profiles to |
+| `database.enabled` | `false` | Enable metadata database. This is an experimental feature and must not be used in production environments. |
+| `database.host` | `global.psql.host` | The database server hostname. |
+| `database.port` | `global.psql.port` | The database server port. |
+| `database.user` | | The database username. |
+| `database.password.secret` | `RELEASE-registry-database-password` | Name of the secret containing the database password. |
+| `database.password.key` | `password` | Secret key in which the database password is stored. |
+| `database.name` | | The database name. |
+| `database.sslmode` | | The SSL mode. Can be one of `disable`, `allow`, `prefer`, `require`, `verify-ca` or `verify-full`. |
+| `database.ssl.secret` | `global.psql.ssl.secret` | A secret containing client certificate, key and certificate authority. Defaults to the main PostgreSQL SSL secret. |
+| `database.ssl.clientCertificate` | `global.psql.ssl.clientCertificate` | The key inside the secret referring the client certificate. |
+| `database.ssl.clientKey` | `global.psql.ssl.clientKey` | The key inside the secret referring the client key. |
+| `database.ssl.serverCA` | `global.psql.ssl.serverCA` | The key inside the secret referring the certificate authority (CA). |
+| `database.connecttimeout` | `0` | Maximum time to wait for a connection. Zero or not specified means waiting indefinitely. |
+| `database.draintimeout` | `0` | Maximum time to wait to drain all connections on shutdown. Zero or not specified means waiting indefinitely. |
+| `database.preparedstatements` | `false` | Enable prepared statements. Disabled by default for compatibility with PgBouncer. |
+| `database.primary` | `false` | Target primary database server. This is used to specify a dedicated FQDN to target when running registry `database.migrations`. The `host` will be used to run `database.migrations` when not specified. |
+| `database.pool.maxidle` | `0` | The maximum number of connections in the idle connection pool. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means no idle connections. |
+| `database.pool.maxopen` | `0` | The maximum number of open connections to the database. If `maxopen` is less than `maxidle`, then `maxidle` is reduced to match the `maxopen` limit. Zero or not specified means unlimited open connections. |
+| `database.pool.maxlifetime` | `0` | The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited reuse. |
+| `database.pool.maxidletime` | `0` | The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. Zero or not specified means unlimited duration. |
+| `database.migrations.enabled` | `true` | Enable the migrations job to automatically run migrations upon initial deployment and upgrades of the Chart. Note that migrations can also be run manually from within any running Registry pods. |
+| `database.migrations.activeDeadlineSeconds` | `3600` | Set the [activeDeadlineSeconds](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. |
+| `database.migrations.annotations` | `{}` | Additional annotations to add to the migrations job. |
+| `database.migrations.backoffLimit` | `6` | Set the [backoffLimit](https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) on the migrations job. |
+| `gc.disabled` | `true` | When set to `true`, the online GC workers are disabled. |
 | `gc.maxbackoff` | `24h` | The maximum exponential backoff duration used to sleep between worker runs when an error occurs. Also applied when there are no tasks to be processed unless `gc.noidlebackoff` is `true`. Please note that this is not the absolute maximum, as a randomized jitter factor of up to 33% is always added. |
-| `gc.noidlebackoff` | `false` | When set to `true`, disables exponential backoffs between worker runs when there are no tasks to be processed. |
-| `gc.transactiontimeout` | `10s` | The database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions. |
-| `gc.blobs.disabled` | `false` | When set to `true`, the GC worker for blobs is disabled. |
-| `gc.blobs.interval` | `5s` | The initial sleep interval between each worker run. |
-| `gc.blobs.storagetimeout` | `5s` | The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend. |
-| `gc.manifests.disabled` | `false` | When set to `true`, the GC worker for manifests is disabled. |
-| `gc.manifests.interval` | `5s` | The initial sleep interval between each worker run. |
-| `gc.reviewafter` | `24h` | The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait. |
-| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started |
-| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started |
-| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) |
-| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started |
-| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started |
-| `serviceLabels` | `{}` | Supplemental service labels |
-| `tokenService` | `container_registry` | JWT token service |
-| `tokenIssuer` | `gitlab-issuer` | JWT token issuer |
-| `tolerations` | `[]` | Toleration labels for pod assignment |
-| `middleware.storage` | | configuration layer for midleware storage ([s3 for instance](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#example-middleware-configuration)) |
-| `redis.cache.enabled` | `false` | When set to `true`, the Redis cache is enabled. This feature is dependent on the [metadata database](#database) being enabled. Repository metadata will be cached on the configured Redis instance. |
-| `redis.cache.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. |
-| `redis.cache.port` | `6379` | The port of the Redis instance. |
-| `redis.cache.sentinels` | `[]` | List sentinels with host and port. |
-| `redis.cache.mainname` | | The main server name. Only applicable for Sentinel. |
-| `redis.cache.password.enabled` | `false` | Indicates whether the Redis cache used by the Registry is password protected. |
-| `redis.cache.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. |
-| `redis.cache.password.key` | `redis-password` | Secret key in which the Redis password is stored. |
-| `redis.cache.db` | `0` | The name of the database to use for each connection. |
-| `redis.cache.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. |
-| `redis.cache.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. |
-| `redis.cache.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. |
-| `redis.cache.tls.enabled` | `false` | Set to `true` to enable TLS. |
-| `redis.cache.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. |
-| `redis.cache.pool.size` | `10` | The maximum number of socket connections. Default is 10 connections. |
-| `redis.cache.pool.maxlifetime` | `1h` | The connection age at which client retires a connection. Default is to not close aged connections. |
-| `redis.cache.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. |
+| `gc.noidlebackoff` | `false` | When set to `true`, disables exponential backoffs between worker runs when there are no tasks to be processed. |
+| `gc.transactiontimeout` | `10s` | The database transaction timeout for each worker run. Each worker starts a database transaction at the start. The worker run is canceled if this timeout is exceeded to avoid stalled or long-running transactions. |
+| `gc.blobs.disabled` | `false` | When set to `true`, the GC worker for blobs is disabled. |
+| `gc.blobs.interval` | `5s` | The initial sleep interval between each worker run. |
+| `gc.blobs.storagetimeout` | `5s` | The timeout for storage operations. Used to limit the duration of requests to delete dangling blobs on the storage backend. |
+| `gc.manifests.disabled` | `false` | When set to `true`, the GC worker for manifests is disabled. |
+| `gc.manifests.interval` | `5s` | The initial sleep interval between each worker run. |
+| `gc.reviewafter` | `24h` | The minimum amount of time after which the garbage collector should pick up a record for review. `-1` means no wait. |
+| `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started |
+| `securityContext.runAsUser` | `1000` | User ID under which the pod should be started |
+| `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) |
+| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started |
+| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started |
+| `serviceLabels` | `{}` | Supplemental service labels |
+| `tokenService` | `container_registry` | JWT token service |
+| `tokenIssuer` | `gitlab-issuer` | JWT token issuer |
+| `tolerations` | `[]` | Toleration labels for pod assignment |
+| `middleware.storage` | | configuration layer for midleware storage ([s3 for instance](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#example-middleware-configuration)) |
+| `redis.cache.enabled` | `false` | When set to `true`, the Redis cache is enabled. This feature is dependent on the [metadata database](#database) being enabled. Repository metadata will be cached on the configured Redis instance. |
+| `redis.cache.host` | `` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. |
+| `redis.cache.port` | `6379` | The port of the Redis instance. |
+| `redis.cache.sentinels` | `[]` | List sentinels with host and port. |
+| `redis.cache.mainname` | | The main server name. Only applicable for Sentinel. |
+| `redis.cache.password.enabled` | `false` | Indicates whether the Redis cache used by the Registry is password protected. |
+| `redis.cache.password.secret` | `gitlab-redis-secret` | Name of the secret containing the Redis password. This will be automatically created if not provided, when the `shared-secrets` feature is enabled. |
+| `redis.cache.password.key` | `redis-password` | Secret key in which the Redis password is stored. |
+| `redis.cache.db` | `0` | The name of the database to use for each connection. |
+| `redis.cache.dialtimeout` | `0s` | The timeout for connecting to the Redis instance. Defaults to no timeout. |
+| `redis.cache.readtimeout` | `0s` | The timeout for reading from the Redis instance. Defaults to no timeout. |
+| `redis.cache.writetimeout` | `0s` | The timeout for writing to the Redis instance. Defaults to no timeout. |
+| `redis.cache.tls.enabled` | `false` | Set to `true` to enable TLS. |
+| `redis.cache.tls.insecure` | `false` | Set to `true` to disable server name verification when connecting over TLS. |
+| `redis.cache.pool.size` | `10` | The maximum number of socket connections. Default is 10 connections. |
+| `redis.cache.pool.maxlifetime` | `1h` | The connection age at which client retires a connection. Default is to not close aged connections. |
+| `redis.cache.pool.idletimeout` | `300s` | How long to wait before closing inactive connections. |
 ## Chart configuration examples
@@ -343,7 +344,7 @@ You can change the included version of the Registry and `pullPolicy`.
 Default settings:
-- `tag: 'v3.88.1-gitlab'`
+- `tag: 'v3.92.0-gitlab'`
 - `pullPolicy: 'IfNotPresent'`
 ## Configuring the `service`
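Review bot: The rewritten resources rows of the registry parameter table no longer name the chart keys correctly: the new side lists `resource.limits.cpu` and `resource.limits.memory` (singular `resource`), and the two request rows are labelled `maintenance.uploadpurging.interval` with defaults `50m` and `32Mi`, so that key now appears three times in the table with three different defaults while `resources.requests.cpu` and `resources.requests.memory` are no longer documented at all; the removed rows had all four right. A reader copying the documented keys into their values would most likely end up setting an upload-purging interval of `50m` rather than a CPU request. The four rows should be restored as `resources.limits.cpu`, `resources.limits.memory`, `resources.requests.cpu` (default `50m`) and `resources.requests.memory` (default `32Mi`), matching the `resources.limits` / `resources.requests` naming the toolbox table in this same patch uses. While there, the descriptions drift from the file's spelling with `Gitlab registry` (elsewhere `GitLab Registry`) and `memroy`.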
@@ -558,7 +559,7 @@ The following properties of this chart pertain to the configuration of the under [registry](https://hub.docker.com/_/registry/) container. Only the most critical values for integration with GitLab are exposed. For this integration, we make use of the `auth.token.x` settings of [Docker Distribution](https://github.com/docker/distribution), controlling -authentication to the registry via JWT [authentication tokens](https://docs.docker.com/registry/spec/auth/token/). +authentication to the registry via JWT [authentication tokens](https://distribution.github.io/distribution/spec/auth/token/). ### httpSecret @@ -690,13 +691,13 @@ the `deny` field. ### notifications -The `notifications` field is used to configure [Registry notifications](https://docs.docker.com/registry/notifications/#configuration). +The `notifications` field is used to configure [Registry notifications](https://distribution.github.io/distribution/about/notifications/#configuration). It has an empty hash as default value. | Name | Type | Default | Description | | :---------: | :---: | :------ | :------------------------------------------------------------------------------------------------------------------: | -| `endpoints` | Array | `[]` | List of items where each item correspond to an [endpoint](https://docs.docker.com/registry/configuration/#endpoints) | -| `events` | Hash | `{}` | Information provided in [event](https://docs.docker.com/registry/configuration/#events) notifications | +| `endpoints` | Array | `[]` | List of items where each item correspond to an [endpoint](https://distribution.github.io/distribution/about/configuration/#endpoints) | +| `events` | Hash | `{}` | Information provided in [event](https://distribution.github.io/distribution/about/configuration/#events) notifications | An example setting will look like the following: 
@@ -738,18 +739,18 @@ storage:
 ```
 The `storage` field is a reference to a Kubernetes Secret and associated key. The content
-of this secret is taken directly from [Registry Configuration: `storage`](https://docs.docker.com/registry/configuration/#storage).
+of this secret is taken directly from [Registry Configuration: `storage`](https://distribution.github.io/distribution/about/configuration/#storage).
 Please refer to that documentation for more details.
-Examples for [AWS s3](https://docs.docker.com/registry/storage-drivers/s3/) and
-[Google GCS](https://docs.docker.com/registry/storage-drivers/gcs/) drivers can be
+Examples for [AWS s3](https://distribution.github.io/distribution/storage-drivers/s3/) and
+[Google GCS](https://distribution.github.io/distribution/storage-drivers/gcs/) drivers can be
 found in [`examples/objectstorage`](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/objectstorage):
 - [`registry.s3.yaml`](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/objectstorage/registry.s3.yaml)
 - [`registry.gcs.yaml`](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/objectstorage/registry.gcs.yaml)
 For S3, make sure you give the correct
-[permissions for registry storage](https://docs.docker.com/registry/storage-drivers/s3/#s3-permission-scopes). For more information about storage configuration, see
+[permissions for registry storage](https://distribution.github.io/distribution/storage-drivers/s3/#s3-permission-scopes). For more information about storage configuration, see
 [Container Registry storage driver](https://docs.gitlab.com/ee/administration/packages/container_registry.html#container-registry-storage-driver) in the administration documentation.
 Place the *contents* of the `storage` block into the secret, and provide the following
@@ -859,7 +860,7 @@ metrics:
 The `health` property is optional, and contains preferences for a periodic health check on the storage driver's backend storage.
-For more details, see Docker's [configuration documentation](https://docs.docker.com/registry/configuration/#health).
+For more details, see Docker's [configuration documentation](https://distribution.github.io/distribution/about/configuration/#health).
 ```yaml
 health:
@@ -1031,7 +1032,7 @@ redis:
 ## Garbage Collection
 The Docker Registry will build up extraneous data over time which can be freed using
-[garbage collection](https://docs.docker.com/registry/garbage-collection/).
+[garbage collection](https://distribution.github.io/distribution/about/garbage-collection/).
 As of [now](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1586) there is no fully automated or scheduled way to run the garbage collection with this Chart.
@@ -1091,4 +1092,4 @@ For further details and other available commands, refer to the relevant
 documentation:
 - [General Registry documentation](https://docs.docker.com/registry/)
-- [GitLab-specific Registry documentation](https://gitlab.com/gitlab-org/container-registry/-/tree/master/docs-gitlab)
+- [GitLab-specific Registry documentation](https://gitlab.com/gitlab-org/container-registry/-/tree/master/docs-gitlab)
\ No newline at end of file
-- 
GitLab
