From cea656bb8bcfffa6fdd2855f3112b8f412ee0f0f Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Fri, 21 Apr 2023 13:24:07 -0600 Subject: [PATCH 01/20] Adding containerSecurityContext logic to gitlab-pages chart Signed-off-by: garcia.ryan --- .../gitlab/charts/gitlab-pages/templates/deployment.yaml | 2 ++ charts/gitlab/charts/gitlab-pages/values.yaml | 7 ++++++- doc/charts/gitlab/gitlab-pages/index.md | 3 +++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml b/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml index 3516a540b6..d046cc7a58 100644 --- a/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml +++ b/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml @@ -82,6 +82,7 @@ spec: command: ['sh', '/config/configure'] image: {{ include "gitlab.busybox.image" (dict "local" $.Values.init "global" $.Values.global) | quote }} {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} env: {{- include "gitlab.extraEnv" $ | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} @@ -104,6 +105,7 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} env: {{- include "gitlab.extraEnv" $ | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} diff --git a/charts/gitlab/charts/gitlab-pages/values.yaml b/charts/gitlab/charts/gitlab-pages/values.yaml index b35ab83f2d..669afe383d 100644 --- a/charts/gitlab/charts/gitlab-pages/values.yaml +++ b/charts/gitlab/charts/gitlab-pages/values.yaml 
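Review bot: Neither added include in deployment.yaml is covered by a test in this commit, and the `gitlab.init.containerSecurityContext` and `gitlab.containerSecurityContext` helpers they call are defined outside the patch, so the rendered output cannot be checked from here. A spec under `spec/configuration` that renders the gitlab-pages Deployment and asserts the `securityContext` of the init container and of the main container would pin the behaviour. It should include the case where the init default `{}` is expected to emit no `securityContext:` key at all. Both hunks sit inside container definitions that start and end outside the hunks.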
@@ -71,6 +71,7 @@ init: resources: requests: cpu: 50m + containerSecurityContext: {} deployment: strategy: {} @@ -113,12 +114,16 @@ resources: cpu: 900m memory: 2G -## Allow to overwrite under which User and Group we're running. +## Allow to overwrite under which User and Group the Pod will be running. securityContext: runAsUser: 1000 fsGroup: 1000 # fsGroupChangePolicy: OnRootMismatch +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + ## Enable deployment to use a serviceAccount serviceAccount: enabled: false diff --git a/doc/charts/gitlab/gitlab-pages/index.md b/doc/charts/gitlab/gitlab-pages/index.md index a07758adc8..04ca92a25b 100644 --- a/doc/charts/gitlab/gitlab-pages/index.md +++ b/doc/charts/gitlab/gitlab-pages/index.md @@ -57,6 +57,7 @@ configurations that can be supplied to the `helm install` command using the | `image.tag` | | image tag | | `init.image.repository` | | initContainer image | | `init.image.tag` | | initContainer image tag | +| `init.containerSecurityContext` | `{}` | initContainer container specific [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) | | `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping | | `metrics.port` | `9235` | Metrics endpoint port | | `metrics.path` | `/metrics` | Metrics endpoint path | 
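Review bot: The new default `containerSecurityContext.runAsUser: 1000` changes what the existing `securityContext.runAsUser` setting does, because Kubernetes applies a container-level `runAsUser` over the pod-level one. Assuming the helper renders this value as the container's `securityContext`, an install that sets only `securityContext.runAsUser` to another UID would still run the Pages container as 1000, while the init container (default `{}`) follows the pod setting. Either default it to `containerSecurityContext: {}` as for `init`, or state the precedence in the comment, e.g. `## Takes precedence over securityContext.runAsUser for the gitlab-pages container.` If a container-level default is kept, it is also the place for settings that only exist at container level, such as `allowPrivilegeEscalation: false`.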
@@ -72,6 +73,8 @@ configurations that can be supplied to the `helm install` command using the | `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | | `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | | `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | +| `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the container is started | | `service.externalPort` | `8090` | GitLab Pages exposed port | | `service.internalPort` | `8090` | GitLab Pages internal port | | `service.name` | `gitlab-pages` | GitLab Pages service name | -- GitLab From 7e58fa4a4fc32e3f6d88e3ae05a4f4a270b0fa2a Mon Sep 17 00:00:00 2001 From: Mitchell Nielsen Date: Tue, 18 Apr 2023 17:41:03 -0400 Subject: [PATCH 02/20] Add tests for Webservice ConfigMap name Adds tests to confirm that the Webservice ConfigMap name, and the references to it from the Webservice Deployment Volumes section, properly align. Follow-up to https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3092. Addresses issue first seen in https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3089#note_1352012712. Changelog: other --- .../webservice_deployments_spec.rb | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/spec/configuration/webservice_deployments_spec.rb b/spec/configuration/webservice_deployments_spec.rb index 8048e7d322..e646163578 100644 --- a/spec/configuration/webservice_deployments_spec.rb +++ b/spec/configuration/webservice_deployments_spec.rb 
@@ -842,4 +842,30 @@ describe 'Webservice Deployments configuration' do end end end + + context 'volumes' do + using RSpec::Parameterized::TableSyntax + where(:nameOverride, :expected_deployment_name, :expected_configmap_name) do + nil | 'test-webservice-default' | 'test-webservice' + 'testnameoverride' | 'test-testnameoverride-default' | 'test-testnameoverride' + end + + with_them do + it 'refers to the ConfigMap by the correct name' do + values = default_values.deep_merge(YAML.safe_load(%( + gitlab: + webservice: + nameOverride: #{nameOverride} + ))) + + t = HelmTemplate.new(values) + expect(t.exit_code).to eq(0), "Unexpected error code #{t.exit_code} -- #{t.stderr}" + + volumes = t.dig("Deployment/#{expected_deployment_name}", 'spec', 'template', 'spec', 'volumes') + expect(volumes).to include({ "name" => "webservice-config", "configMap" => { "name" => expected_configmap_name } }) + + expect(t.dig("ConfigMap/#{expected_configmap_name}")).to be_truthy + end + end + end end -- GitLab From 671cae6a40fcb2f258e90a4f9ac2390908231bc7 Mon Sep 17 00:00:00 2001 From: Julian Paul Dasmarinas Date: Mon, 24 Apr 2023 12:12:25 +0000 Subject: [PATCH 03/20] Documented log rotation using gitlab-logger --- doc/charts/globals.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index 3d0a355bd9..ff5cea4e01 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -41,6 +41,8 @@ for more information on how the global variables work. - [Outgoing email](#outgoing-email) - [Platform](#platform) - [Affinity](#affinity) +- [Pod priority and preemption](#pod-priority-and-preemption) +- [Log rotation](#log-rotation) ## Configure Host settings 
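Review bot: The table column `:nameOverride` and the interpolation `nameOverride: #{nameOverride}` make the nil row depend on an empty YAML scalar parsing as null, which is easy to miss when reading the test. Naming the column `:name_override` and merging a hash instead, `default_values.deep_merge('gitlab' => { 'webservice' => { 'nameOverride' => name_override } })`, keeps the Ruby naming conventional and passes nil explicitly. The enclosing `describe` block starts outside the hunk.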
@@ -2434,3 +2436,19 @@ global: | Name | Type | Default | Description | | :-------------------| :--: | :------ | :------------------------------- | | `priorityClassName` | String | | Priority class assigned to pods. | + +## Log rotation + +> [Introduced](https://gitlab.com/gitlab-org/cloud-native/gitlab-logger/-/merge_requests/10) in GitLab 15.6. + +By default, the GitLab Helm chart does not rotate logs. This can cause ephemeral storage issues for containers that run for a long time. + +To enable log rotation, set the `GITLAB_LOGGER_TRUNCATE_LOGS` environment variable to true. You can also configure the log rotation frequency and the maximum log size by setting the `GITLAB_LOGGER_TRUNCATE_INTERVAL` and `GITLAB_LOGGER_MAX_FILESIZE` environment variables, respectively: + +```yaml +global: + extraEnv: + GITLAB_LOGGER_TRUNCATE_LOGS: true + GITLAB_LOGGER_TRUNCATE_INTERVAL: 300 + GITLAB_LOGGER_MAX_FILESIZE: 1000 +``` -- GitLab From 98f8c5900f5d0665ded8c918982110d3ef324534 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Mon, 24 Apr 2023 12:43:52 +0000 Subject: [PATCH 04/20] Update extraEnvFrom docs The 'extraEnvFrom' settings allows exposing additional environment variables from other data sources. The settings can be set on a global and a subchart level. Further, the Webservice and Sidekiq chart allow local overrides. Changelog: other --- doc/charts/gitlab/sidekiq/index.md | 14 +++++++++----- doc/charts/gitlab/webservice/index.md | 14 +++++++++----- doc/charts/globals.md | 26 +++++++++++++------------- 3 files changed, 31 insertions(+), 23 deletions(-) diff --git a/doc/charts/gitlab/sidekiq/index.md b/doc/charts/gitlab/sidekiq/index.md index f11c5f7248..ec52b21f95 100644 --- a/doc/charts/gitlab/sidekiq/index.md +++ b/doc/charts/gitlab/sidekiq/index.md 
@@ -179,6 +179,7 @@ pod. Pod-level `extraEnv` settings are not added to [init containers](https://ku ### extraEnvFrom `extraEnvFrom` allows you to expose additional environment variables from other data sources in all containers in the pods. +Subsequent variables can be overridden per Sidekiq pod. Below is an example use of `extraEnvFrom`: @@ -196,11 +197,14 @@ extraEnvFrom: name: special-secret key: special_token # optional: boolean - CONFIG_STRING: - configMapKeyRef: - name: useful-config - key: some-string - # optional: boolean +pods: + - name: immediate + extraEnvFrom: + CONFIG_STRING: + configMapKeyRef: + name: useful-config + key: some-string + # optional: boolean ``` ### extraVolumes diff --git a/doc/charts/gitlab/webservice/index.md b/doc/charts/gitlab/webservice/index.md index 4ac68bbe69..6e66988925 100644 --- a/doc/charts/gitlab/webservice/index.md +++ b/doc/charts/gitlab/webservice/index.md @@ -189,6 +189,7 @@ SOME_OTHER_KEY=some_other_value ### extraEnvFrom `extraEnvFrom` allows you to expose additional environment variables from other data sources in all containers in the pods. +Subsequent variables can be overridden per [deployment](#deployments-settings). Below is an example use of `extraEnvFrom`: @@ -206,11 +207,14 @@ extraEnvFrom: name: special-secret key: special_token # optional: boolean - CONFIG_STRING: - configMapKeyRef: - name: useful-config - key: some-string - # optional: boolean +deployments: + default: + extraEnvFrom: + CONFIG_STRING: + configMapKeyRef: + name: useful-config + key: some-string + # optional: boolean ``` ### image.pullSecrets diff --git a/doc/charts/globals.md b/doc/charts/globals.md index ff5cea4e01..ad6d824fb3 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md 
@@ -2227,7 +2227,11 @@ global: ## extraEnvFrom -`extraEnvFrom` allows you to expose additional environment variables from other data sources in all containers in the pods. Extra environment variables can be set up at `global` level (`global.extraEnvFrom`), GitLab chart top level (`extraEnvFrom`) or sub-chart level (`.extraEnvFrom`). +`extraEnvFrom` allows to expose additional environment variables from other data sources in all +containers in the pods. Extra environment variables can be set up at `global` level (`global.extraEnvFrom`) +and on a sub-chart level (`.extraEnvFrom`). + +The Sidekiq and Webservice charts support additional local overrides. See their documentation for more details. Below is an example use of `extraEnvFrom`: @@ -2241,18 +2245,14 @@ global: resourceFieldRef: containerName: test-container resource: requests.cpu -extraEnvFrom: - SECRET_THING: - secretKeyRef: - name: special-secret - key: special_token -webservice: - extraEnvFrom: - CONFIG_STRING: - configMapKeyRef: - name: useful-config - key: some-string - # optional: boolean +gitlab: + kas: + extraEnvFrom: + CONFIG_STRING: + configMapKeyRef: + name: useful-config + key: some-string + # optional: boolean ``` NOTE: -- GitLab From 31c59cf253b53b0975a22779878a9d19b2b706c8 Mon Sep 17 00:00:00 2001 
From: Stan Hu Date: Fri, 14 Apr 2023 22:16:07 -0700 Subject: [PATCH 05/20] Unpin mail_room version This commit will allow the Helm Chart to fetch the version specified in the GitLab Rails `Gemfile.lock` again. We pinned the mail_room version in https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2236 because updating mail_room required an updated net-imap gem. net-imap attempted to install the digest gem, but due to a bug present in Ruby 2.7 (https://bugs.ruby-lang.org/issues/17761), the installation failed and caused Cloud Native GitLab builds to fail (https://gitlab.com/gitlab-com/gl-infra/production/-/issues/4053). We've updated to Ruby 3.0.5 for Cloud Native GitLab images now and have already bumped the net-imap dependency in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115755. With https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116494, we've now updated GitLab Rails to use mail_room v0.0.23. Removing this dependency makes it a bit easier to update mail_room since there is one less version to bump. https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116858 updates the documentation. Changelog: changed --- charts/gitlab/charts/mailroom/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitlab/charts/mailroom/Chart.yaml b/charts/gitlab/charts/mailroom/Chart.yaml index 2bc8bf224b..504130bcb3 100644 --- a/charts/gitlab/charts/mailroom/Chart.yaml +++ b/charts/gitlab/charts/mailroom/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 name: mailroom version: 6.11.0 -appVersion: 0.0.19 +appVersion: master description: Handling incoming emails keywords: - gitlab -- GitLab From 12f4ffea6f7dd2ada0b358ef3e8f2f8f36ba0f5f Mon Sep 17 00:00:00 2001 
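Review bot: `appVersion: master` replaces a fixed version with a branch name, so any image tag derived from it is a moving reference rather than a reproducible one. The commit message explains the intent (follow the mail_room version in the GitLab Rails `Gemfile.lock`), but nothing visible here shows where `master` is rewritten for tagged chart releases. If release tooling does that, a comment next to the field such as `# Rewritten to the released version at tag time; do not pin here` would record it. Otherwise consider keeping a pinned value for released charts.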
From: DJ Mountney Date: Tue, 25 Apr 2023 14:47:52 +0000 Subject: [PATCH 06/20] Fix the stop environment script for the gke122 environment Ensure the kubenamespace is being passed. Closes https://gitlab.com/gitlab-org/charts/gitlab/-/issues/4545 --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index caf5f51a1e..b867b54252 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -335,6 +335,7 @@ stop_review_gke122: variables: AGENT_NAME: "gke122-ci-cluster" KUBE_INGRESS_BASE_DOMAIN: "cloud-native-v122.helm-charts.win" + KUBE_NAMESPACE: "helm-charts-win" environment: name: gke122_review/$REVIEW_REF_PREFIX$CI_COMMIT_REF_SLUG action: stop -- GitLab From 1eb748edb974724e036de7e8eed3f8ea04a168ab Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Wed, 26 Apr 2023 00:16:15 +0000 Subject: [PATCH 07/20] Ensure upgrade path to 7.0 Only allow upgrades to chart 7.0 (maps to GitLab 16.0) if chart 6.11.x/GitLab 15.11.x is currently installed. Closes: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/4522 Changelog: changed --- doc/releases/7_0.md | 14 ++++++++++++++ templates/_runcheck.tpl | 6 +++--- 2 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 doc/releases/7_0.md diff --git a/doc/releases/7_0.md b/doc/releases/7_0.md new file mode 100644 index 0000000000..3053dbf37e --- /dev/null +++ b/doc/releases/7_0.md @@ -0,0 +1,14 @@ +--- +stage: Enablement +group: Distribution +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +--- + +# GitLab Cloud Native Chart 7.0 + +## Summary of major changes + +## Upgrade path from 6.x + +In order to upgrade to the `7.0` version of the chart, you first need to upgrade to the latest `6.11.x` +release of the chart. Check the [version mapping details](../installation/version_mappings.md) for the latest patch. 
diff --git a/templates/_runcheck.tpl b/templates/_runcheck.tpl index 14c6815378..b627d588cd 100644 --- a/templates/_runcheck.tpl +++ b/templates/_runcheck.tpl @@ -29,8 +29,8 @@ if [ -d "${secrets_dir}" ]; then fi fi fi -MIN_VERSION=14.10 -CHART_MIN_VERSION=5.10 +MIN_VERSION=15.11 +CHART_MIN_VERSION=6.11 # Only run check for semver releases if ! awk 'BEGIN{exit(!(ARGV[1] ~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/))}' "$GITLAB_VERSION"; then @@ -69,7 +69,7 @@ if [ ${OLD_MAJOR_VERSION} -lt ${NEW_MAJOR_VERSION} ] || [ ${OLD_CHART_MAJOR_VERS if ( ! greater_version $OLD_MINOR_VERSION $MIN_VERSION ) || ( ! greater_version $OLD_CHART_MINOR_VERSION $CHART_MIN_VERSION ); then notify "It seems you are upgrading the GitLab Helm Chart from ${OLD_CHART_VERSION_STRING} (GitLab ${OLD_VERSION_STRING}) to ${CHART_VERSION} (GitLab ${GITLAB_VERSION})." notify "It is required to upgrade to the latest ${CHART_MIN_VERSION}.x version first before proceeding." - notify "Please follow the upgrade documentation at https://docs.gitlab.com/charts/releases/6_0.html" + notify "Please follow the upgrade documentation at https://docs.gitlab.com/charts/releases/7_0.html" notify "and upgrade to GitLab Helm Chart version ${CHART_MIN_VERSION}.x before upgrading to ${CHART_VERSION}." exit 1 fi -- GitLab From f66c588c685ad4ebec6ace8212a4b8db4563b350 Mon Sep 17 00:00:00 2001 
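Review bot: The new floors `MIN_VERSION=15.11` and `CHART_MIN_VERSION=6.11` are passed to `greater_version`, which is defined outside this hunk, so it is worth confirming that it compares version components rather than decimal values. With a plain numeric comparison an install on 15.9 or chart 6.9 would be treated as newer than the floor and the upgrade to 7.0 would not be blocked. The commit's diffstat also shows no spec change alongside the new gate; one case for a `6.9.x` install and one for `6.11.x` would pin the intended behaviour.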
From: Clemens Beck Date: Tue, 18 Apr 2023 13:13:45 +0200 Subject: [PATCH 08/20] Remove 'default_can_create_group' setting Remove the 'default_can_create_group' setting which was deprecated in GitLab 15.5/Chart 6.5. Deprecation MR: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2763 Closes: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3821 Changelog: removed --- charts/gitlab/charts/geo-logcursor/templates/configmap.yml | 1 - charts/gitlab/charts/sidekiq/templates/configmap.yaml | 1 - charts/gitlab/charts/toolbox/templates/configmap.yaml | 1 - charts/gitlab/charts/webservice/templates/configmap.yml | 1 - templates/NOTES.txt | 6 ------ values.yaml | 1 - 6 files changed, 11 deletions(-) diff --git a/charts/gitlab/charts/geo-logcursor/templates/configmap.yml b/charts/gitlab/charts/geo-logcursor/templates/configmap.yml index e895e1f2d6..69bdfe108b 100644 --- a/charts/gitlab/charts/geo-logcursor/templates/configmap.yml +++ b/charts/gitlab/charts/geo-logcursor/templates/configmap.yml @@ -32,7 +32,6 @@ data: application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} usage_ping_enabled: {{ eq .enableUsagePing true }} seat_link_enabled: {{ eq .enableSeatLink true }} - default_can_create_group: {{ eq .defaultCanCreateGroup true }} username_changing_enabled: {{ eq .usernameChangingEnabled true }} issue_closing_pattern: {{ .issueClosingPattern | quote }} default_theme: {{ .defaultTheme }} diff --git a/charts/gitlab/charts/sidekiq/templates/configmap.yaml b/charts/gitlab/charts/sidekiq/templates/configmap.yaml index 32225d4802..e8c5ffbd12 100644 --- a/charts/gitlab/charts/sidekiq/templates/configmap.yaml +++ b/charts/gitlab/charts/sidekiq/templates/configmap.yaml 
@@ -35,7 +35,6 @@ data: application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} usage_ping_enabled: {{ eq .enableUsagePing true }} seat_link_enabled: {{ eq .enableSeatLink true }} - default_can_create_group: {{ eq .defaultCanCreateGroup true }} username_changing_enabled: {{ eq .usernameChangingEnabled true }} issue_closing_pattern: {{ .issueClosingPattern | quote }} default_theme: {{ .defaultTheme }} diff --git a/charts/gitlab/charts/toolbox/templates/configmap.yaml b/charts/gitlab/charts/toolbox/templates/configmap.yaml index 2f38e14cfa..62aee8fe50 100644 --- a/charts/gitlab/charts/toolbox/templates/configmap.yaml +++ b/charts/gitlab/charts/toolbox/templates/configmap.yaml @@ -33,7 +33,6 @@ data: application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} usage_ping_enabled: {{ eq .enableUsagePing true }} seat_link_enabled: {{ eq .enableSeatLink true }} - default_can_create_group: {{ eq .defaultCanCreateGroup true }} username_changing_enabled: {{ eq .usernameChangingEnabled true }} issue_closing_pattern: {{ .issueClosingPattern | quote }} default_theme: {{ .defaultTheme }} diff --git a/charts/gitlab/charts/webservice/templates/configmap.yml b/charts/gitlab/charts/webservice/templates/configmap.yml index 62f1807a64..a1d01c6208 100644 --- a/charts/gitlab/charts/webservice/templates/configmap.yml +++ b/charts/gitlab/charts/webservice/templates/configmap.yml @@ -44,7 +44,6 @@ data: application_settings_cache_seconds: {{ .applicationSettingsCacheSeconds | int }} usage_ping_enabled: {{ eq .enableUsagePing true }} seat_link_enabled: {{ eq .enableSeatLink true }} - default_can_create_group: {{ eq .defaultCanCreateGroup true }} username_changing_enabled: {{ eq .usernameChangingEnabled true }} issue_closing_pattern: {{ .issueClosingPattern | quote }} default_theme: {{ .defaultTheme }} diff --git a/templates/NOTES.txt b/templates/NOTES.txt index a198dbaca3..aec4fc71d2 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt 
@@ -140,12 +140,6 @@ The in-chart NGINX Ingress Controller has the following requirements: - Ingress objects must be in group/version `networking.k8s.io/v1`. {{- end }} -{{- /* Deprecation notice for `defaultCanCreateGroup` setting */}} -{{- if eq false .Values.global.appConfig.defaultCanCreateGroup }} -{{ $NOTICE }} -`global.appConfig.defaultCanCreateGroup` setting has been deprecated. Starting with GitLab 15.5, this setting cannot be controlled via the configuration file anymore. Follow the steps at https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#prevent-users-from-creating-top-level-groups, to configure this setting via the Admin UI or the API. -{{- end }} - {{- /* Deprecation notice for `gitlab.deprecate.kas.metrics.port` setting */}} {{- if hasKey $.Values.gitlab.kas.metrics "port" }} {{ $NOTICE }} diff --git a/values.yaml b/values.yaml index f933a2fc36..1fbf30665b 100644 --- a/values.yaml +++ b/values.yaml @@ -205,7 +205,6 @@ global: enableSeatLink: true enableImpersonation: applicationSettingsCacheSeconds: 60 - defaultCanCreateGroup: true usernameChangingEnabled: true issueClosingPattern: defaultTheme: -- GitLab From 99896b325aedf5e9a461f8d3c89c2f02d335bc99 Mon Sep 17 00:00:00 2001 From: Dylan Griffith Date: Wed, 19 Apr 2023 16:10:43 +1000 Subject: [PATCH 09/20] Allow configuring an embedding database This is going to be used as part of https://gitlab.com/gitlab-org/gitlab/-/issues/404396 . We need a database specifically for storing embeddings for AI related features. It will be configured similarly to the `ci` database. The equivalent omnibus change is at https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6823 . Changelog: added --- charts/gitlab/values.yaml | 1 + .../database_decomposition_spec.rb | 23 +++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/charts/gitlab/values.yaml b/charts/gitlab/values.yaml index d319f76b0a..f4b231b4a8 100644 --- a/charts/gitlab/values.yaml 
+++ b/charts/gitlab/values.yaml @@ -39,6 +39,7 @@ global: knownDecompositions: - main - ci + - embedding gitlab-runner: enabled: false diff --git a/spec/configuration/database_decomposition_spec.rb b/spec/configuration/database_decomposition_spec.rb index d0028ea871..8c98a3e032 100644 --- a/spec/configuration/database_decomposition_spec.rb +++ b/spec/configuration/database_decomposition_spec.rb @@ -257,6 +257,15 @@ describe 'Database configuration' do applicationName: ci preparedStatements: false databaseTasks: false + embedding: + username: embedding-user + password: + secret: embedding-password + preparedStatements: true + databaseTasks: true + applicationName: embedding + host: embedding.host.name + load_balancing: false postgresql: install: false ))) @@ -267,7 +276,7 @@ describe 'Database configuration' do expect(t.exit_code).to eq(0), "Unexpected error code #{t.exit_code} -- #{t.stderr}" db_config = database_config(t, 'webservice') - expect(db_config['production'].keys).to contain_exactly('main', 'ci') + expect(db_config['production'].keys).to contain_exactly('main', 'ci', 'embedding') # check `main` stanza main_config = db_config['production']['main'] 
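Review bot: The `embedding` fixture spells `load_balancing: false` in snake_case while every other key in the same block is camelCase (`preparedStatements`, `databaseTasks`, `applicationName`), so the chart may simply ignore it. If so, the assertion in the last spec hunk, `expect(embedding_config['load_balancing']).to eq(nil)`, passes whether or not load balancing is actually suppressed for this database. Consider using the key the chart reads, or add a comment on the assertion stating what it is meant to prove. The `it` block starts and ends outside these hunks.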
@@ -289,12 +298,22 @@ describe 'Database configuration' do expect(ci_config['prepared_statements']).to eq(false) expect(ci_config['database_tasks']).to eq(false) + # check `embedding` stanza + embedding_config = db_config['production']['embedding'] + expect(embedding_config['host']).to eq('embedding.host.name') + expect(embedding_config['port']).to eq(5432) + expect(embedding_config['username']).to eq('embedding-user') + expect(embedding_config['application_name']).to eq('embedding') + expect(embedding_config['prepared_statements']).to eq(true) + expect(embedding_config['database_tasks']).to eq(true) + expect(embedding_config['load_balancing']).to eq(nil) + # Check the secret mounts webservice_secret_mounts = t.projected_volume_sources('Deployment/test-webservice-default', 'init-webservice-secrets').select do |item| item['secret']['items'][0]['key'] == 'postgresql-password' end psql_secret_mounts = webservice_secret_mounts.map { |x| x['secret']['name'] } - expect(psql_secret_mounts).to contain_exactly('main-password', 'ci-password') + expect(psql_secret_mounts).to contain_exactly('main-password', 'ci-password', 'embedding-password') end end -- GitLab From 719fbcd03ab518df838254a15b8c9243808f3bc2 Mon Sep 17 00:00:00 2001 From: Timo Furrer Date: Wed, 26 Apr 2023 02:37:02 +0000 Subject: [PATCH 10/20] Remove deprecated KAS `metrics.port` config This MR removes the deprecated `gitlab.kas.metrics.port` value as per https://gitlab.com/gitlab-org/gitlab/-/issues/383039 for 16.0. Closes https://gitlab.com/gitlab-org/gitlab/-/issues/385250 Changelog: removed --- charts/gitlab/charts/kas/templates/_default-config.yaml | 2 +- charts/gitlab/charts/kas/templates/deployment.yaml | 6 +++--- charts/gitlab/charts/kas/templates/service.yaml | 2 +- charts/gitlab/charts/kas/values.yaml | 1 - doc/charts/gitlab/kas/index.md | 1 - spec/configuration/kas_spec.rb | 4 ++-- templates/NOTES.txt | 8 -------- 7 files changed, 7 insertions(+), 17 deletions(-) 
diff --git a/charts/gitlab/charts/kas/templates/_default-config.yaml b/charts/gitlab/charts/kas/templates/_default-config.yaml index 8cbb47bc8f..47c95cc64e 100644 --- a/charts/gitlab/charts/kas/templates/_default-config.yaml +++ b/charts/gitlab/charts/kas/templates/_default-config.yaml @@ -20,7 +20,7 @@ gitlab: authentication_secret_file: "/etc/kas/.gitlab_kas_secret" observability: listen: - address: ":{{ default .Values.observability.port .Values.metrics.port }}" + address: ":{{ .Values.observability.port }}" liveness_probe: url_path: "{{ .Values.observability.livenessProbe.path }}" readiness_probe: diff --git a/charts/gitlab/charts/kas/templates/deployment.yaml b/charts/gitlab/charts/kas/templates/deployment.yaml index ca61622230..b393bc032b 100644 --- a/charts/gitlab/charts/kas/templates/deployment.yaml +++ b/charts/gitlab/charts/kas/templates/deployment.yaml @@ -31,10 +31,10 @@ spec: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- if and .Values.metrics.enabled (not .Values.metrics.serviceMonitor.enabled) }} gitlab.com/prometheus_scrape: "true" - gitlab.com/prometheus_port: {{ default .Values.observability.port .Values.metrics.port | quote }} + gitlab.com/prometheus_port: {{ .Values.observability.port | quote }} gitlab.com/prometheus_path: {{ .Values.metrics.path }} prometheus.io/scrape: "true" - prometheus.io/port: {{ default .Values.observability.port .Values.metrics.port | quote }} + prometheus.io/port: {{ .Values.observability.port | quote }} prometheus.io/path: {{ .Values.metrics.path }} {{- end }} {{- range $key, $value := .Values.annotations }} @@ -99,7 +99,7 @@ spec: name: {{ template "name" . }}-k8s-api - containerPort: {{ .Values.service.privateApiPort }} name: {{ template "name" . }}-private-api - - containerPort: {{ default .Values.observability.port .Values.metrics.port }} + - containerPort: {{ .Values.observability.port }} name: http-metrics readinessProbe: httpGet: 
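Review bot: With the `default .Values.observability.port .Values.metrics.port` fallback removed here and the NOTES.txt notice removed in the same commit, a values file that still sets `gitlab.kas.metrics.port` is now ignored silently, and the listener, the scrape annotations and the Service port all follow `observability.port`. External scrape configurations or network policies keyed to the old port would stop matching without any message at upgrade. Consider failing the render for the removed key, for example `{{- if hasKey .Values.metrics "port" }}{{ fail "gitlab.kas.metrics.port was removed; use gitlab.kas.observability.port" }}{{- end }}`, or registering it wherever the chart keeps its removed-setting checks (not visible in this patch). The same applies to the deployment.yaml and service.yaml hunks.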
diff --git a/charts/gitlab/charts/kas/templates/service.yaml b/charts/gitlab/charts/kas/templates/service.yaml index badf3225c8..daf05c6ddf 100644 --- a/charts/gitlab/charts/kas/templates/service.yaml +++ b/charts/gitlab/charts/kas/templates/service.yaml @@ -37,7 +37,7 @@ spec: protocol: TCP name: grpc-{{ template "name" . }}-k8s-api {{- if .Values.metrics.enabled }} - - port: {{ default .Values.observability.port .Values.metrics.port }} + - port: {{ .Values.observability.port }} targetPort: http-metrics protocol: TCP name: http-metrics diff --git a/charts/gitlab/charts/kas/values.yaml b/charts/gitlab/charts/kas/values.yaml index 6bee1541a5..54215b8404 100644 --- a/charts/gitlab/charts/kas/values.yaml +++ b/charts/gitlab/charts/kas/values.yaml @@ -75,7 +75,6 @@ service: # loadBalancerSourceRanges: metrics: enabled: true - # port: 8151 # DEPRECATED: in favor of `observability.port` below path: /metrics serviceMonitor: enabled: false diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index 57516cb18a..e9cd010403 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md @@ -86,7 +86,6 @@ You can pass these parameters to the `helm install` command by using the `--set` | `ingress.agentPath` | `/` | Ingress path for the agent API endpoint. | | `ingress.k8sApiPath` | `/k8s-proxy` | Ingress path for Kubernetes API endpoint. | | `metrics.enabled` | `true` | If a metrics endpoint should be made available for scraping. | -| `metrics.port` | `8151` | **DEPRECATED: use `observability.port`**. Metrics endpoint port. | | `metrics.path` | `/metrics` | Metrics endpoint path. | | `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping. Enabling removes the `prometheus.io` scrape annotations. | | `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor. | 
diff --git a/spec/configuration/kas_spec.rb b/spec/configuration/kas_spec.rb index 8d212a0bb7..c442d73253 100644 --- a/spec/configuration/kas_spec.rb +++ b/spec/configuration/kas_spec.rb @@ -531,7 +531,7 @@ describe 'kas configuration' do context 'when metrics.enabled is true' do let(:metrics_enabled) { true } - it 'exports metrics port' do + it 'exports observability port' do expect(service['spec']['ports']).to include(include("name" => "http-metrics")) end end @@ -539,7 +539,7 @@ describe 'kas configuration' do context 'when metrics.enabled is false' do let(:metrics_enabled) { false } - it 'exports no metrics port' do + it 'exports no observability port' do expect(service['spec']['ports']).not_to include(include("name" => "http-metrics")) end end diff --git a/templates/NOTES.txt b/templates/NOTES.txt index aec4fc71d2..5edc13c39b 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -140,14 +140,6 @@ The in-chart NGINX Ingress Controller has the following requirements: - Ingress objects must be in group/version `networking.k8s.io/v1`. {{- end }} -{{- /* Deprecation notice for `gitlab.deprecate.kas.metrics.port` setting */}} -{{- if hasKey $.Values.gitlab.kas.metrics "port" }} -{{ $NOTICE }} -kas: - The configuration of `gitlab.kas.metrics.port` has moved. Please use `gitlab.kas.observability.port` instead. - This port is used for more observability features than just the metrics, e.g. the liveness and readiness probe endpoints. -{{- end }} - {{- /* Deprecation notice for `gitlab.deprecate.kas.privateApi.tls.enabled` setting */}} {{- if hasKey $.Values.gitlab.kas.privateApi.tls "enabled" }} {{ $NOTICE }} -- GitLab From 7ba024b3a7adbe68095e1d5599c0d42d5616191b Mon Sep 17 00:00:00 2001 From: deps Date: Sat, 22 Apr 2023 12:56:37 +0000 Subject: [PATCH 11/20] Update gitlab-org/charts/gitlab-runner from 0.51.1 to 0.52.0 Changelog: changed --- requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yaml b/requirements.yaml index bbcd142afa..438fe2182d 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -21,7 +21,7 @@ dependencies: repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami condition: postgresql.install - name: gitlab-runner - version: 0.51.1 + version: 0.52.0 repository: https://charts.gitlab.io/ condition: gitlab-runner.install - name: grafana -- GitLab From caa48b7404876f09185dcc77e345a3301f5a9324 Mon Sep 17 00:00:00 2001 From: yuanxiongxiong Date: Thu, 27 Apr 2023 15:17:57 +0000 Subject: [PATCH 12/20] fix: Apply consistent logic to inclusion of GitLab Shell port in NGINX Deployment/DaemonSet Changelog: fixed Signed-off-by: yxxhero --- .../templates/controller-daemonset.yaml | 4 +- .../templates/controller-deployment.yaml | 4 +- ...s_controller_deployments_daemonset_spec.rb | 114 ++++++++++++++++++ 3 files changed, 118 insertions(+), 4 deletions(-) create mode 100644 spec/configuration/nginx_ingress_controller_deployments_daemonset_spec.rb diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index 5084464320..5288d45c36 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml 
@@ -87,7 +87,7 @@ spec: - --election-id={{ .Values.controller.electionID }} - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }} - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }} - {{ if include "gitlab.shell.port" $ }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.tcp-configmap" . }} {{- else if .Values.tcp }} - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp @@ -180,7 +180,7 @@ spec: containerPort: {{ .Values.controller.admissionWebhooks.port }} protocol: TCP {{- end }} - {{- if include "gitlab.shell.port" . }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} - name: gitlab-shell containerPort: {{ include "gitlab.shell.port" . | int }} protocol: TCP diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index fbf33e5c02..18af1cd44f 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml 
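Review bot: In the DaemonSet's second hunk the new guard evaluates `include "gitlab.shell.port" $`, while the `containerPort` line below it still renders `include "gitlab.shell.port" . | int`, so the condition and the value are resolved against two different contexts. The two agree only while this part of the template is not inside a `with` or `range`, which cannot be confirmed from the hunk. The Deployment template in this patch uses `$` on both lines; the DaemonSet should match it with `containerPort: {{ include "gitlab.shell.port" $ | int }}`. The container spec starts and ends outside both hunks.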
@@ -96,7 +96,7 @@ spec: - --election-id={{ .Values.controller.electionID }} - --controller-class={{ .Values.controller.ingressClassResource.controllerValue }} - --configmap={{ default "$(POD_NAMESPACE)" .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }} - {{ if include "gitlab.shell.port" $ }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "ingress-nginx.tcp-configmap" . }} {{- else if .Values.tcp }} - --tcp-services-configmap={{ default "$(POD_NAMESPACE)" .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp @@ -186,7 +186,7 @@ spec: containerPort: {{ .Values.controller.admissionWebhooks.port }} protocol: TCP {{- end }} - {{- if include "gitlab.shell.port" $ }} + {{- if (and .Values.controller.service.enableShell (include "gitlab.shell.port" $)) }} - name: gitlab-shell containerPort: {{ include "gitlab.shell.port" $ | int }} protocol: TCP diff --git a/spec/configuration/nginx_ingress_controller_deployments_daemonset_spec.rb b/spec/configuration/nginx_ingress_controller_deployments_daemonset_spec.rb new file mode 100644 index 0000000000..e545031e17 --- /dev/null +++ b/spec/configuration/nginx_ingress_controller_deployments_daemonset_spec.rb 
@@ -0,0 +1,114 @@ +require 'spec_helper' +require 'helm_template_helper' +require 'yaml' +require 'hash_deep_merge' + +describe 'NGINX configuration(s)' do + def get_ports(template, kind, name) + template.dig("#{kind}/#{name}", 'spec', 'template', 'spec', 'containers', 0, 'ports') + end + + def test_exposed_ports(exposed_ports, expected_ports) + i = 0 + ports_set = Set.new + + while i < expected_ports.length + ports_set.add(exposed_ports[i]['name']) + i += 1 + end + + expect(ports_set.length).to eq(expected_ports.length) + expect(ports_set).to eq(expected_ports) + end + + def test_deployment_ports(template, deployment_name, expected_ports) + ports = get_ports(template, 'Deployment', deployment_name) + test_exposed_ports(ports, expected_ports) + end + + def test_daemonset_ports(template, daemonset_name, expected_ports) + ports = get_ports(template, 'DaemonSet', daemonset_name) + test_exposed_ports(ports, expected_ports) + end + + def get_args(template, kind, name) + template.dig("#{kind}/#{name}", 'spec', 'template', 'spec', 'containers', 0, 'args') + end + + describe 'nginx gitlab shell toggles' do + let(:object_name) do + 'test-nginx-ingress-controller' + end + + let(:default_values) do + HelmTemplate.defaults + end + + let(:nginx_enable_daemonset) do + default_values.deep_merge(YAML.safe_load(%( + nginx-ingress: + controller: + kind: Both + ))) + end + + let(:gitlab_shell_disabled) do + nginx_enable_daemonset.deep_merge(YAML.safe_load(%( + nginx-ingress: + controller: + service: + enableShell: false + ))) + end + + let(:tcp_configmap_name) do + '--tcp-services-configmap=default/test-nginx-ingress-tcp' + end + + context 'with the defaults' do + let(:template) { HelmTemplate.new(nginx_enable_daemonset) } + + it 'templates successfully' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + end + + it 'has gitlab shell port enabled on the nginx deployment and daemonset' do + expected_ports = Set['http', 
'https', 'metrics', 'gitlab-shell'] + + test_deployment_ports(template, object_name, expected_ports) + test_daemonset_ports(template, object_name, expected_ports) + end + + it 'configures the TCP services ConfigMap argument for the Deployment and Daemonset' do + deployment_args = get_args(template, 'Deployment', object_name) + expect(deployment_args).to include(tcp_configmap_name) + + daemonset_args = get_args(template, 'DaemonSet', object_name) + expect(daemonset_args).to include(tcp_configmap_name) + end + end + + context 'with gitlab shell disabled' do + let(:template) { HelmTemplate.new(gitlab_shell_disabled) } + + it 'templates successfully' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + end + + it 'does not have gitlab shell port enabled on the nginx deployment or daemonset' do + expected_ports = Set['http', 'https', 'metrics'] + + test_deployment_ports(template, object_name, expected_ports) + test_daemonset_ports(template, object_name, expected_ports) + end + + it 'does not configure the TCP services ConfigMap argument for the Deployment or DaemonSet' do + deployment_args = get_args(template, 'Deployment', object_name) + expect(deployment_args).not_to include(tcp_configmap_name) + + daemonset_args = get_args(template, 'DaemonSet', object_name) + expect(daemonset_args).not_to include(tcp_configmap_name) + end + end + end +end -- GitLab From 3790da418dc5b1c96e16c7293f182dcf7033c889 Mon Sep 17 00:00:00 2001 From: Jason Plum Date: Wed, 26 Apr 2023 14:16:55 -0400 Subject: [PATCH 13/20] CI: remove MinIO from deps.io runs Remove minio chart/contaienrs form Deps.io. We can no update to the versions due to licensing concerns. --- deps.yml | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/deps.yml b/deps.yml index 47fcdfd38a..73f687d4bf 100644 --- a/deps.yml +++ b/deps.yml 
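Review bot: `test_exposed_ports` only reads the first `expected_ports.length` entries of `exposed_ports`, so any port rendered after them is never inspected. In the 'with gitlab shell disabled' context three names are expected, and the templates in this patch emit `gitlab-shell` after the other ports, so that example would presumably still pass if the shell port were exposed. Build the set from every rendered port instead, `ports_set = exposed_ports.map { |port| port['name'] }.to_set`, and keep the existing `expect(ports_set).to eq(expected_ports)`. The spec also uses `Set` without `require 'set'`, which older Rubies need unless one of the helpers already loads it.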
@@ -3,9 +3,6 @@ dependencies: - type: git manifest_updates: filters: - - name: ".*minio.*" # minio/mc - group: true - enabled: true - name: .* # everything else enabled: true settings: @@ -16,7 +13,7 @@ dependencies: - 5727219 # @mnielsen (mnielsen) gitlab_labels: - dependencies.io - - "Distribution:Deploy" + - group::distribution::deploy - group::distribution - section::enablement - devops::systems @@ -48,24 +45,6 @@ dependencies: pattern: "tag: 'v(\\S+)'" range: '>= 2.x.x' prereleases: true - # Minio chart / minio container - https://github.com/minio/minio.git: - replace_in_files: - - filename: charts/minio/values.yaml - tag_prefix: 'RELEASE.20' - pattern: 'imageTag: "RELEASE.20(\d\d-\d\d-\d\dT\d\d-\d\d-\d\dZ)"' - semver: false - - filename: doc/charts/minio/index.md - tag_prefix: 'RELEASE.20' - pattern: '`RELEASE.20(\d\d-\d\d-\d\dT\d\d-\d\d-\d\dZ)`' - semver: false - # Minio chart / mc container - https://github.com/minio/mc.git: - replace_in_files: - - filename: charts/minio/values.yaml - tag_prefix: 'RELEASE.20' - pattern: 'tag: "RELEASE.20(\d\d-\d\d-\d\dT\d\d-\d\d-\d\dZ)"' - semver: false # GitLab Exporter https://gitlab.com/gitlab-org/gitlab-exporter.git: replace_in_files: -- GitLab From d990486af8dcc3a122100e83092eda6c20c876c1 Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Fri, 28 Apr 2023 00:03:35 -0700 Subject: [PATCH 14/20] Fix typo in troubleshooting page `use-forward-headers` => `use-forwarded-headers` --- doc/troubleshooting/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/troubleshooting/index.md b/doc/troubleshooting/index.md index c123f44a40..70647c7892 100644 --- a/doc/troubleshooting/index.md +++ b/doc/troubleshooting/index.md 
@@ -615,7 +615,7 @@ Run the certificates container using Docker. `308: Permanent Redirect` can happen if your Load Balancer is configured to send unencrypted traffic (HTTP) to NGINX. Because NGINX defaults to redirecting `HTTP` to `HTTPS`, you may end up in a "redirect loop". -To fix this, [enable NGINX's `use-forward-headers` setting](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers). +To fix this, [enable NGINX's `use-forwarded-headers` setting](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers). ## "Invalid Word" errors in the `nginx-controller` logs and `404` errors -- GitLab From 40360626aca76330e2d0d8bf3d27f4b1b71fe161 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Fri, 28 Apr 2023 13:19:27 +0000 Subject: [PATCH 15/20] Docs: PostgreSQL Command Line Options --- doc/installation/command-line-options.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index 4aaa4a21fe..942bcdb57c 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md 
@@ -6,7 +6,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w # GitLab Helm chart deployment options **(FREE SELF)** -You can supply these configuration options to the `helm install` command by using the `--set` flags. +This page lists commonly used values of the GitLab chart. For a complete list of the available options, refer +to the documentation for each subchart. + +You can pass values to the `helm install` command by using a YAML file and the `--values ` +flag or by using multiple `--set` flags. It is recommended to use a values file that contains only the +overrides needed for your release. The source of the default `values.yaml` file can be found [here](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/values.yaml). These contents change over releases, but you can use Helm itself to retrieve these on a per-version basis: @@ -455,7 +460,7 @@ settings from the [Redis chart](https://github.com/bitnami/charts/tree/master/bi GitLab makes use of several other charts. These are [treated as parent-child relationships](https://helm.sh/docs/topics/charts/#chart-dependencies). Ensure that any properties you wish to configure are provided as `chart-name.property`. -## Prometheus +### Prometheus Prefix Prometheus values with `prometheus`. For example, set the persistence storage value using `prometheus.server.persistentVolume.size`. To disable Prometheus set `prometheus.install=false`. 
@@ -463,6 +468,17 @@ storage value using `prometheus.server.persistentVolume.size`. To disable Promet Refer to the [Prometheus chart documentation](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus) for the exhaustive list of configuration options. +### PostgreSQL + +Prefix PostgreSQL values with `postgresql`. For example, set the storage class value +using `postgresql.persitence.storageClass`. + +Refer to the default values file for a list of the available configuration options. + +```shell +helm inspect values https://charts.bitnami.com/bitnami/postgresql-8.9.4.tgz +``` + ## Bringing your own images In certain scenarios (i.e. offline environment), you may want to bring your own images rather than pulling them down from the Internet. This requires specifying your own Docker image registry/repository for each of the charts that make up the GitLab release. -- GitLab From 6b3fc99ead09cb3f896694173e2f2da8b9810e0a Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Fri, 21 Apr 2023 09:29:36 -0600 Subject: [PATCH 16/20] Adding containerSecurityContext logic to migrations chart Signed-off-by: garcia.ryan --- charts/gitlab/charts/migrations/templates/_jobspec.yaml | 2 ++ charts/gitlab/charts/migrations/values.yaml | 7 ++++++- doc/charts/gitlab/migrations/index.md | 2 ++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/migrations/templates/_jobspec.yaml b/charts/gitlab/charts/migrations/templates/_jobspec.yaml index 581e01e1e6..2b0b62a26a 100644 --- a/charts/gitlab/charts/migrations/templates/_jobspec.yaml +++ b/charts/gitlab/charts/migrations/templates/_jobspec.yaml 
@@ -49,6 +49,7 @@ spec: command: ['sh', '/config/configure'] image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" $.Values.global) | quote }} {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} env: {{- include "gitlab.extraEnv" . | nindent 10 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} @@ -81,6 +82,7 @@ spec: - /scripts/db-migrate {{- end}} {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} env: - name: CONFIG_TEMPLATE_DIRECTORY value: '/var/opt/gitlab/templates' diff --git a/charts/gitlab/charts/migrations/values.yaml b/charts/gitlab/charts/migrations/values.yaml index 766faf68ff..7979cf19b1 100644 --- a/charts/gitlab/charts/migrations/values.yaml +++ b/charts/gitlab/charts/migrations/values.yaml @@ -14,6 +14,7 @@ init: resources: requests: cpu: 50m + containerSecurityContext: {} # Tolerations for pod scheduling tolerations: [] @@ -77,12 +78,16 @@ resources: activeDeadlineSeconds: 3600 backoffLimit: 6 -## Allow to overwrite under which User and Group we're running. +## Allow to overwrite under which User and Group the Pod will be running. securityContext: runAsUser: 1000 fsGroup: 1000 # fsGroupChangePolicy: OnRootMismatch +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + ## Enable deployment to use a serviceAccount serviceAccount: enabled: false diff --git a/doc/charts/gitlab/migrations/index.md b/doc/charts/gitlab/migrations/index.md index 9baef9dc61..5b9054c17e 100644 --- a/doc/charts/gitlab/migrations/index.md +++ b/doc/charts/gitlab/migrations/index.md 
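Review bot: The new default `containerSecurityContext.runAsUser: 1000` in the migrations values.yaml is a container-level setting, and Kubernetes gives a container-level `runAsUser` precedence over the pod-level one. An existing install that overrides only `securityContext.runAsUser` would therefore keep running the container as 1000 after upgrading, assuming the `gitlab.containerSecurityContext` helper (not shown in this patch) renders the value as given. Either leave the default unset or state the precedence in the comment above it, e.g. `## Takes precedence over securityContext.runAsUser; override both when changing the UID.` The same kind of default is added by the kas and geo-logcursor values.yaml hunks later in this series.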
@@ -39,6 +39,7 @@ Table below contains all the possible charts configurations that can be supplied | `image.pullSecrets` | Secrets for the image repository | | | `init.image` | initContainer image | `busybox` | | `init.tag` | initContainer image tag | `latest` | +| `init.containerSecurityContext` | Mailroom init container securityContext overrides | `{}` | | `enabled` | Migrations enable flag | `true` | | `tolerations` | Toleration labels for pod assignment | `[]` | | `annotations` | Annotations for the job spec | `{}` | @@ -54,6 +55,7 @@ Table below contains all the possible charts configurations that can be supplied | `securityContext.fsGroup` | `1000` | Group ID under which the pod should be started | | `securityContext.runAsUser` | `1000` | User ID under which the pod should be started | | `securityContext.fsGroupChangePolicy` | | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | +| `containerSecurityContext.runAsUser` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | `1000` | | `extraInitContainers` | List of extra init containers to include | | | `extraContainers` | List of extra containers to include | | | `extraVolumes` | List of extra volumes to create | | -- GitLab From 85062095a798f1ff16ce8e2e7dbefc920d71b478 Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Mon, 24 Apr 2023 13:15:41 -0600 Subject: [PATCH 17/20] Adding containerSecurityContext logic to kas chart Signed-off-by: garcia.ryan --- charts/gitlab/charts/kas/templates/deployment.yaml | 1 + charts/gitlab/charts/kas/values.yaml | 7 ++++++- doc/charts/gitlab/kas/index.md | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/charts/gitlab/charts/kas/templates/deployment.yaml b/charts/gitlab/charts/kas/templates/deployment.yaml index b393bc032b..44d00008a3 100644 --- a/charts/gitlab/charts/kas/templates/deployment.yaml 
+++ b/charts/gitlab/charts/kas/templates/deployment.yaml @@ -79,6 +79,7 @@ spec: - name: {{ template "name" . }} image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.parseAppVersion" (dict "appVersion" .Chart.AppVersion "prepend" "true")) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} args: - "--configuration-file=/etc/kas/config.yaml" env: diff --git a/charts/gitlab/charts/kas/values.yaml b/charts/gitlab/charts/kas/values.yaml index 54215b8404..623cfaa0b8 100644 --- a/charts/gitlab/charts/kas/values.yaml +++ b/charts/gitlab/charts/kas/values.yaml @@ -22,6 +22,7 @@ init: resources: requests: cpu: 50m + containerSecurityContext: {} hpa: # targetAverageValue: 100m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below @@ -112,13 +113,17 @@ deployment: strategy: {} # minReadySeconds: 0 -## Allow to overwrite under which User and Group we're running. +## Allow to overwrite under which User and Group the Pod will be running. securityContext: runAsUser: 65532 runAsGroup: 65532 fsGroup: 65532 # fsGroupChangePolicy: OnRootMismatch +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 65532 + redis: enabled: true diff --git a/doc/charts/gitlab/kas/index.md b/doc/charts/gitlab/kas/index.md index e9cd010403..4e78e919ae 100644 --- a/doc/charts/gitlab/kas/index.md +++ b/doc/charts/gitlab/kas/index.md 
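Review bot: values.yaml gains `init.containerSecurityContext: {}` for kas, but the only template change here is the `gitlab.containerSecurityContext` include on the main container; no `gitlab.init.containerSecurityContext` include is added, unlike the migrations and geo-logcursor patches in this series. If the kas init container is rendered by a shared helper that already reads this value, that is fine, but it cannot be confirmed from the hunk; otherwise the setting is accepted and silently ignored. Either add `{{- include "gitlab.init.containerSecurityContext" $ | indent 10 }}` to the init container or drop the new value and its documentation row. The containers list starts and ends outside the hunk.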
@@ -65,9 +65,11 @@ You can pass these parameters to the `helm install` command by using the `--set` |--------------------------------------------|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `annotations` | `{}` | Pod annotations. | | `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | +| `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | | `extraContainers` | | List of extra containers to include. | | `extraEnv` | | List of extra environment variables to expose | | `extraEnvFrom` | | List of extra environment variables from other data sources to expose | +| `init.containerSecurityContext` | `{}` | init container securityContext overrides | | `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-kas` | Image repository. | | `image.tag` | `v13.7.0` | Image tag. | | `hpa.behavior` | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher). | -- GitLab From 3a8cca999df76198479019e1b3b915aaaa5f008b Mon Sep 17 00:00:00 2001 From: "garcia.ryan" Date: Mon, 24 Apr 2023 14:16:54 -0600 Subject: [PATCH 18/20] Adding containerSecurityContext logic to geo chart Signed-off-by: garcia.ryan Changelog: added --- .../gitlab/charts/geo-logcursor/templates/deployment.yaml | 3 +++ charts/gitlab/charts/geo-logcursor/values.yaml | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) 
diff --git a/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml b/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml index 3494031e42..2c5254bf58 100644 --- a/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml +++ b/charts/gitlab/charts/geo-logcursor/templates/deployment.yaml @@ -69,6 +69,7 @@ spec: args: [ '-c', 'sh -x /config-logcursor/configure'] image: {{ include "gitlab.busybox.image" (dict "local" .Values.init "global" $.Values.global) | quote }} {{- include "gitlab.image.pullPolicy" $initImageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} env: {{- include "gitlab.extraEnv" . | nindent 10 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 10 }} @@ -89,6 +90,7 @@ spec: - name: dependencies image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.init.containerSecurityContext" $ | indent 10 }} args: - /scripts/wait-for-deps env: @@ -121,6 +123,7 @@ spec: - name: {{ .Chart.Name }} image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} + {{- include "gitlab.containerSecurityContext" $ | indent 10 }} env: - name: GITALY_FEATURE_DEFAULT_ON value: "1" diff --git a/charts/gitlab/charts/geo-logcursor/values.yaml b/charts/gitlab/charts/geo-logcursor/values.yaml index 86d0030693..2c1c9d01f6 100644 --- a/charts/gitlab/charts/geo-logcursor/values.yaml +++ b/charts/gitlab/charts/geo-logcursor/values.yaml @@ -13,6 +13,7 @@ init: resources: requests: cpu: 50m + containerSecurityContext: {} enabled: true replicaCount: 1 global: 
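Review bot: The `dependencies` init container runs the application image (`$imageCfg`, `/scripts/wait-for-deps`) but is given `gitlab.init.containerSecurityContext`, the same context as the busybox init container that runs `/config-logcursor/configure`. A `runAsUser` or other restriction chosen for busybox under `init.containerSecurityContext` will then also apply to the application image, which may expect a different UID. If sharing one context is intended, say so next to the value: `containerSecurityContext: {} # applied to every init container, including 'dependencies'`. According to the diffstat this patch also adds no documentation rows for the two new geo-logcursor values, unlike the migrations and kas patches.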
@@ -97,12 +98,16 @@ common: # Priority class assigned to pods priorityClassName: "" -## Allow to overwrite under which User and Group we're running. +## Allow to overwrite under which User and Group the Pod will be running. securityContext: runAsUser: 1000 fsGroup: 1000 # fsGroupChangePolicy: OnRootMismatch +## Allow to overwrite the specific security context under which the container is running. +containerSecurityContext: + runAsUser: 1000 + ## Enable deployment to use a serviceAccount serviceAccount: enabled: false -- GitLab From 21a727667323ab1fed87ac873fdecebb0ce548ae Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Wed, 26 Apr 2023 14:28:49 -0700 Subject: [PATCH 19/20] Use the QA license in our ci pipelines - Is already managed and set in the ci config, and has its rotation automated - Uses a staging license --- .gitlab-ci.yml | 2 +- scripts/ci/autodevops.sh | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b867b54252..d16f3256e9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -835,7 +835,7 @@ production_specs_eks: - QA_IMAGE="gitlab/gitlab-ee-qa:nightly" # this will default to use nightly https://gitlab.com/gitlab-org/gitlab-qa/-/blob/master/docs/what_tests_can_be_run.md#specifying-the-gitlab-version - fi; - echo "Running - 'gitlab-qa Test::Instance::Any --qa-image $QA_IMAGE EE https://$QA_ENVIRONMENT_URL -- $TEST_SUITE'" - - SIGNUP_DISABLED=true QA_DEBUG=true GITLAB_USERNAME=root GITLAB_PASSWORD=$ROOT_PASSWORD GITLAB_ADMIN_USERNAME=root GITLAB_ADMIN_PASSWORD=$ROOT_PASSWORD EE_LICENSE=$REVIEW_APPS_EE_LICENSE gitlab-qa Test::Instance::Any --qa-image $QA_IMAGE EE https://$QA_ENVIRONMENT_URL -- $TEST_SUITE + - SIGNUP_DISABLED=true QA_DEBUG=true GITLAB_USERNAME=root GITLAB_PASSWORD=$ROOT_PASSWORD GITLAB_ADMIN_USERNAME=root GITLAB_ADMIN_PASSWORD=$ROOT_PASSWORD gitlab-qa Test::Instance::Any --qa-image $QA_IMAGE EE https://$QA_ENVIRONMENT_URL -- $TEST_SUITE artifacts: when: always expire_in: 7d 
diff --git a/scripts/ci/autodevops.sh b/scripts/ci/autodevops.sh index 2926dbe323..a020054c55 100644 --- a/scripts/ci/autodevops.sh +++ b/scripts/ci/autodevops.sh @@ -82,7 +82,7 @@ function deploy() { #echo "Generated root login: $ROOT_PASSWORD" kubectl create secret generic "${RELEASE_NAME}-gitlab-initial-root-password" --from-literal=password=$ROOT_PASSWORD -o yaml --dry-run=client | kubectl replace --force -f - - echo "${REVIEW_APPS_EE_LICENSE}" > /tmp/license.gitlab + echo "${QA_EE_LICENSE}" > /tmp/license.gitlab kubectl create secret generic "${RELEASE_NAME}-gitlab-license" --from-file=license=/tmp/license.gitlab -o yaml --dry-run=client | kubectl replace --force -f - # YAML_FILE=""${KUBE_INGRESS_BASE_DOMAIN//\./-}.yaml" @@ -179,6 +179,8 @@ CIYAML --set certmanager.install=false \ --set prometheus.install=$PROMETHEUS_INSTALL \ --set prometheus.server.retention="4d" \ + --set global.extraEnv.GITLAB_LICENSE_MODE="test" \ + --set global.extraEnv.CUSTOMER_PORTAL_URL="https://customers.staging.gitlab.com" \ --set global.gitlab.license.secret="$RELEASE_NAME-gitlab-license" \ --namespace="$NAMESPACE" \ "${gitlab_version_args[@]}" \ -- GitLab From 1ce3dafd8253873a165546e1f1ed267dd6861f2d Mon Sep 17 00:00:00 2001 From: Balasankar 'Balu' C Date: Fri, 28 Apr 2023 19:12:58 +0000 Subject: [PATCH 20/20] Remove bundled Grafana chart and related configuration Changelog: removed 
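Review bot: The license is now read from `QA_EE_LICENSE`, and as far as the hunk shows nothing stops the `echo` from writing an empty file when that variable is missing from a job, after which the secret is replaced with it without an error. Fail early instead: `echo "${QA_EE_LICENSE:?QA_EE_LICENSE is not set}" > /tmp/license.gitlab`. The file also stays at a fixed path under /tmp after the secret is created; `rm -f /tmp/license.gitlab` once `kubectl replace` returns keeps the license off the runner's disk. `deploy()` starts and ends outside the hunk.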
Signed-off-by: Balasankar "Balu" C --- .../gitlab/charts/gitlab-grafana/Chart.yaml | 16 ---- .../templates/_import-secret.sh | 16 ---- .../templates/datasource-configmap.yaml | 25 ------ .../templates/import-secret-configmap.yaml | 13 ---- .../gitlab-grafana/templates/ingress.yaml | 55 ------------- .../gitlab/charts/gitlab-grafana/values.yaml | 21 ----- doc/advanced/ubi/index.md | 1 - doc/architecture/architecture.md | 2 - doc/charts/gitlab/gitlab-grafana/index.md | 77 ------------------- doc/charts/gitlab/index.md | 2 - doc/charts/globals.md | 9 --- doc/installation/secrets.md | 20 ++--- doc/installation/tls.md | 12 --- examples/custom-images/values.yaml | 8 -- examples/fips/values.yaml | 3 - examples/ref/10k.yaml | 6 -- examples/ref/25k.yaml | 6 -- examples/ref/2k.yaml | 6 -- examples/ref/3k.yaml | 6 -- examples/ref/50k.yaml | 6 -- examples/ref/5k.yaml | 6 -- examples/ubi/values.yaml | 3 - requirements.yaml | 4 - spec/configuration/image_pull_spec.rb | 2 +- spec/configuration/image_tag_spec.rb | 2 +- spec/configuration/ingress_spec.rb | 3 - templates/_deprecations.tpl | 14 +++- .../shared-secrets/_generate_secrets.sh.tpl | 5 -- values.yaml | 57 -------------- 29 files changed, 20 insertions(+), 386 deletions(-) delete mode 100644 charts/gitlab/charts/gitlab-grafana/Chart.yaml delete mode 100644 charts/gitlab/charts/gitlab-grafana/templates/_import-secret.sh delete mode 100644 charts/gitlab/charts/gitlab-grafana/templates/datasource-configmap.yaml delete mode 100644 charts/gitlab/charts/gitlab-grafana/templates/import-secret-configmap.yaml delete mode 100644 charts/gitlab/charts/gitlab-grafana/templates/ingress.yaml delete mode 100644 charts/gitlab/charts/gitlab-grafana/values.yaml delete mode 100644 doc/charts/gitlab/gitlab-grafana/index.md diff --git a/charts/gitlab/charts/gitlab-grafana/Chart.yaml b/charts/gitlab/charts/gitlab-grafana/Chart.yaml deleted file mode 100644 index 96d96f136a..0000000000 
--- a/charts/gitlab/charts/gitlab-grafana/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: v1 -name: gitlab-grafana -version: 6.11.0 -description: Adapt the Grafana chart to interface to the GitLab App -keywords: -- gitlab -- grafana -home: https://about.gitlab.com/ -icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.svg -sources: -- https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-grafana -- https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-grafana -maintainers: -- name: GitLab Inc. - email: support@gitlab.com diff --git a/charts/gitlab/charts/gitlab-grafana/templates/_import-secret.sh b/charts/gitlab/charts/gitlab-grafana/templates/_import-secret.sh deleted file mode 100644 index 5ad8814b66..0000000000 --- a/charts/gitlab/charts/gitlab-grafana/templates/_import-secret.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -PW_FILE='/tmp/initial/password' - -# If the password file exists, set the admin password using the contents -if [ -r "$PW_FILE" ]; then - echo "GitLab shim: Setting admin username to root" - export GF_SECURITY_ADMIN_USER="root" - - read -r line < "$PW_FILE" - echo "GitLab shim: Setting admin password in environment" - export GF_SECURITY_ADMIN_PASSWORD="$line" -fi - -# Start up the full grafana service -exec /run.sh diff --git a/charts/gitlab/charts/gitlab-grafana/templates/datasource-configmap.yaml b/charts/gitlab/charts/gitlab-grafana/templates/datasource-configmap.yaml deleted file mode 100644 index 99cdc89671..0000000000 --- a/charts/gitlab/charts/gitlab-grafana/templates/datasource-configmap.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{- if .Values.global.grafana.enabled -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "fullname" . }}-datasource - namespace: {{ .Release.Namespace }} - labels: - gitlab_grafana_datasource: "true" - {{- include "gitlab.standardLabels" . | nindent 4 }} - {{- include "gitlab.commonLabels" . | nindent 4 }} -data: - gitlab.yaml: | - apiVersion: 1 - deleteDatasources: - - name: GitLab installed Prometheus - orgId: 1 - datasources: - - name: GitLab installed Prometheus - type: prometheus - orgId: 1 - url: "http://{{ .Release.Name }}-prometheus-server.{{ .Release.Namespace }}.svc" - access: proxy - isDefault: true - editable: false -{{- end }} diff --git a/charts/gitlab/charts/gitlab-grafana/templates/import-secret-configmap.yaml b/charts/gitlab/charts/gitlab-grafana/templates/import-secret-configmap.yaml deleted file mode 100644 index 81f31d6e71..0000000000 --- a/charts/gitlab/charts/gitlab-grafana/templates/import-secret-configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.global.grafana.enabled -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: gitlab-grafana-import-secret - namespace: {{ .Release.Namespace }} - labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} - {{- include "gitlab.commonLabels" . | nindent 4 }} -data: - import-secret.sh: |- - {{- include (print $.Template.BasePath "/_import-secret.sh") . | nindent 4 }} -{{- end }} diff --git a/charts/gitlab/charts/gitlab-grafana/templates/ingress.yaml b/charts/gitlab/charts/gitlab-grafana/templates/ingress.yaml deleted file mode 100644 index 40362278f8..0000000000 --- a/charts/gitlab/charts/gitlab-grafana/templates/ingress.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{- if .Values.global.grafana.enabled -}} -{{- $gitlabHostname := include "gitlab.gitlab.hostname" . -}} -{{- if .Values.global.hosts.gitlab.hostnameOverride -}} -{{- $gitlabHostname = .Values.global.hosts.gitlab.hostnameOverride -}} -{{- end -}} -{{- $tlsSecret := include "webservice.tlsSecret" . -}} -{{- $ingressCfg := dict "global" .Values.global.ingress "local" .Values.ingress "context" . -}} -apiVersion: {{ template "gitlab.ingress.apiVersion" $ingressCfg }} -kind: Ingress -metadata: - name: {{ .Release.Name }}-grafana-app - namespace: {{ $.Release.Namespace }} - labels: - {{- include "gitlab.standardLabels" . | nindent 4 }} - {{- include "gitlab.commonLabels" . | nindent 4 }} - annotations: - {{ include "ingress.class.annotation" $ingressCfg }} - kubernetes.io/ingress.provider: "{{ template "gitlab.ingress.provider" $ingressCfg }}" - {{- if eq "nginx" .Values.global.ingress.provider }} - nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | quote }} - nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.ingress.proxyReadTimeout | quote }} - nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .Values.ingress.proxyConnectTimeout | quote }} - {{- end }} - {{ include "gitlab.certmanager_annotations" . 
}} - {{- range $key, $value := merge .Values.ingress.annotations .Values.global.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - {{ include "ingress.class.field" $ingressCfg }} - rules: - - host: {{ $gitlabHostname }} - http: - paths: - - path: /-/grafana{{ coalesce $.Values.ingress.path $.Values.global.ingress.path }} - {{ if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (eq $.Values.global.ingress.apiVersion "networking.k8s.io/v1") -}} - pathType: {{ default "Prefix" $.Values.global.ingress.pathType }} - backend: - service: - name: {{ .Release.Name }}-grafana-app - port: - number: 80 - {{- else -}} - backend: - serviceName: {{ .Release.Name }}-grafana-app - servicePort: 80 - {{- end -}} - {{- if (and $tlsSecret (eq (include "gitlab.ingress.tls.enabled" $) "true" )) }} - tls: - - hosts: - - {{ $gitlabHostname }} - secretName: {{ $tlsSecret }} - {{- else }} - tls: [] - {{- end }} -{{- end -}} diff --git a/charts/gitlab/charts/gitlab-grafana/values.yaml b/charts/gitlab/charts/gitlab-grafana/values.yaml deleted file mode 100644 index 6421db0740..0000000000 --- a/charts/gitlab/charts/gitlab-grafana/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -## GitLab Grafana configuration -## If enabled, we will deploy a secured Grafana - -# This chart is controlled by `global.grafana.enabled` -global: - ingress: {} - -# We supply an Ingress resource that locates Grafana under /-/grafana -# NOTE: these values are placeholders for template functionality. -ingress: - apiVersion: - tls: {} - annotations: {} - path: # / - proxyBodySize: "0" - # Setting longer read timeout in case there is a lot of data coming back - proxyReadTimeout: 180 - proxyConnectTimeout: 15 - -common: - labels: {} \ No newline at end of file diff --git a/doc/advanced/ubi/index.md b/doc/advanced/ubi/index.md index aae33f7549..3ee29a2a57 100644 --- a/doc/advanced/ubi/index.md +++ b/doc/advanced/ubi/index.md 
@@ -25,7 +25,6 @@ The services must be disabled are: - CertManager (Let's Encrypt integration) - Prometheus -- Grafana - GitLab Runner ## Sample values diff --git a/doc/architecture/architecture.md b/doc/architecture/architecture.md index bc6deb9544..be133f2cd6 100644 --- a/doc/architecture/architecture.md +++ b/doc/architecture/architecture.md @@ -60,7 +60,6 @@ underlying services: - cert-manager - Redis - PostgreSQL -- Grafana ## The GitLab chart @@ -91,7 +90,6 @@ component services are documented under the [GitLab](../charts/gitlab/index.md) - [Registry](../charts/registry/index.md) - GitLab/[Gitaly](../charts/gitlab/gitaly/index.md) - GitLab/[GitLab Exporter](../charts/gitlab/gitlab-exporter/index.md) -- GitLab/[GitLab Grafana](../charts/gitlab/gitlab-grafana/index.md) - GitLab/[GitLab Shell](../charts/gitlab/gitlab-shell/index.md) - GitLab/[Migrations](../charts/gitlab/migrations/index.md) - GitLab/[Sidekiq](../charts/gitlab/sidekiq/index.md) diff --git a/doc/charts/gitlab/gitlab-grafana/index.md b/doc/charts/gitlab/gitlab-grafana/index.md deleted file mode 100644 index e37e7870c9..0000000000 --- a/doc/charts/gitlab/gitlab-grafana/index.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -stage: Systems -group: Distribution -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments ---- - -# Using the GitLab-Grafana chart **(FREE SELF)** - -The `gitlab-grafana` subchart adapts the [`grafana/grafana`](https://artifacthub.io/packages/helm/grafana/grafana) -chart to operate correctly with the same level of configuration as the Omnibus -GitLab install. In addition, the installation of Grafana allows additional -dashboards to be installed by the end user and be incorporated with the -GitLab supplied dashboards. - -## Requirements - -This chart depends on the `grafana/grafana` chart which is usually installed -by the `GitLab` meta chart. In addition, Kubernetes Ingress support is -needed to properly route the Grafana requests using the `/-/grafana` path. - -## Design Choices - -Because of Helm limitations it is not possible to configure the Grafana -chart with knowledge of a dynamic name for the initial password Secret. -As a result a statically named Secret is created to contain the initial -password. This Secret is named `gitlab-grafana-initial-password`. - -The same issue exists for the ConfigMap that contains the script that -is used to inject the initial password into the Grafana container. That -ConfigMap is named `gitlab-grafana-import-secret`. - -Both the initial password Secret and the import script ConfigMap are -mounted into the Grafana container (Script in `/tmp/initial` and Configmap in `/tmp/scripts`). -The container command line is augmented to use both -of these objects to securely expose the initial password to the -Grafana server. Modification of the container command line will -generally prevent the initial password from being injected into the -Grafana server environment. - -## Configuration - -There are no required settings, it should work out of the box if you deploy -all of the charts together. 
The administrator credentials are created by -the `shared-secrets` Job and the administrator username is set to `root`. -Password for Grafana's root user can be extracted by the following command: - -```shell -kubectl get secret gitlab-grafana-initial-password -ojsonpath='{.data.password}' | base64 --decode ; echo -``` - -## Installation command line options - -| Parameter | Default | Description | -|-----------------------|---------|----------------------------------------------------------------------| -| `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | -| `ingress.apiVersion` | | Value to use in the `apiVersion` field. | -| `ingress.tls` | `{}` | Hash of Ingress TLS settings if GitLab cert manager is not installed | -| `ingress.annotations` | `{}` | Additional annotations to add to Grafana Ingress resource | - -## Dashboard Support - -Grafana dashboards are automatically discovered from the ConfigMaps in -the deployed namespace. If a ConfigMap has been created with the -`gitlab_grafana_dashboard` label set to `true`, then the JSON encoded -dashboard in the ConfigMap will be imported into Grafana. This import happens -once (when Grafana is restarted) and any changes to the dashboard will not be -written back to the ConfigMap. - -There are currently no dashboards created when the chart is installed. Any -user created dashboards can be imported by creating a ConfigMap using the -`gitlab_grafana_dashboard` label and managing the ConfigMap themselves. - -## Datasource support - -Datasources may be created in the same manner as the dashboards by adding -the `gitlab_grafana_datasource` label. This chart will add a ConfigMap -to direct Grafana to use the embedded Prometheus metrics. diff --git a/doc/charts/gitlab/index.md b/doc/charts/gitlab/index.md index 2e296a64e5..793a87bdb1 100644 --- a/doc/charts/gitlab/index.md +++ b/doc/charts/gitlab/index.md 
@@ -11,7 +11,6 @@ which provide the core GitLab components: - [Gitaly](gitaly/index.md) - [GitLab Exporter](gitlab-exporter/index.md) -- [GitLab Grafana](gitlab-grafana/index.md) - [GitLab Pages](gitlab-pages/index.md) - [GitLab Runner](gitlab-runner/index.md) - [GitLab Shell](gitlab-shell/index.md) @@ -44,6 +43,5 @@ Use these charts for optional dependencies: Use these charts as optional additions: - [Prometheus](https://artifacthub.io/packages/helm/prometheus-community/prometheus) -- [Grafana](https://artifacthub.io/packages/helm/grafana/grafana) - [_Unprivileged_](https://docs.gitlab.com/runner/install/kubernetes.html#running-docker-in-docker-containers-with-gitlab-runner) [GitLab Runner](https://docs.gitlab.com/runner/) that uses the Kubernetes executor - Automatically provisioned SSL from [Let's Encrypt](https://letsencrypt.org/), which uses [Jetstack](https://www.jetstack.io/)'s [cert-manager](https://cert-manager.io/docs/) with [certmanager-issuer](../certmanager-issuer/index.md) diff --git a/doc/charts/globals.md b/doc/charts/globals.md index ad6d824fb3..41c58a6ea7 100644 --- a/doc/charts/globals.md +++ b/doc/charts/globals.md @@ -17,7 +17,6 @@ for more information on how the global variables work. - [GitLab Version](#gitlab-version) - [PostgreSQL](#configure-postgresql-settings) - [Redis](#configure-redis-settings) -- [Grafana](#configure-grafana-integration) - [Registry](#configure-registry-settings) - [Gitaly](#configure-gitaly-settings) - [Praefect](#configure-praefect-settings) 
@@ -658,14 +657,6 @@ redis: enabled: false ``` -## Configure Grafana integration - -The GitLab global Grafana settings are located under `global.grafana`. At this time, the only setting available is `global.grafana.enabled`. - -When set to `true`, the GitLab chart will deploy the [`grafana/grafana` chart](https://artifacthub.io/packages/helm/grafana/grafana), expose it under `/-/grafana` of the GitLab Ingress, and pre-configure it with a secure random password. The generated password can be found in the Secret named `gitlab-grafana-initial-root-password`. - -The GitLab chart connects to the deployed Prometheus instance. - ## Configure Registry settings The global Registry settings are located under the `global.registry` key. diff --git a/doc/installation/secrets.md b/doc/installation/secrets.md index 37da49b1f6..ca9d3699a6 100644 --- a/doc/installation/secrets.md +++ b/doc/installation/secrets.md @@ -58,7 +58,6 @@ documentation. - [MinIO secret](#minio-secret) - [Registry HTTP secret](#registry-http-secret) - [Registry notification secret](#registry-notification-secret) - - [Grafana password](#grafana-password) - [GitLab Pages secret](#gitlab-pages-secret) - [GitLab incoming email auth token](#gitlab-incoming-email-auth-token) - [GitLab Service Desk email auth token](#gitlab-service-desk-email-auth-token) @@ -361,15 +360,6 @@ To rotate the PostgreSQL secret: command so the new pods are loaded with the new secret and allow them to connect to the database. -### Grafana password - -If configuring [Grafana integration](../charts/globals.md#configure-grafana-integration), generate a random 64 character alpha-numeric password. -Replace `` with the name of the release. - -```shell -kubectl create secret generic -grafana-initial-password --from-literal=password=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64) -``` - ### GitLab Pages secret Generate the GitLab Pages secret. This must have a length of 32 characters and 
@@ -587,11 +577,11 @@ The key name inside the secret where the certificate is stored MUST BE ### OAuth integration -For configuring OAuth integration of various services like GitLab Pages and -Grafana with GitLab, secrets containing OAuth credentials are required. The -secret should contain an App ID (by default, stored under the `appid` key), -and an App Secret (by default, stored under the `appsecret` key), both of which are -recommended to be alphanumeric strings, at least 64 characters long. +For configuring OAuth integration of various services like GitLab Pages, secrets +containing OAuth credentials are required. The secret should contain an App ID +(by default, stored under the `appid` key), and an App Secret (by default, +stored under the `appsecret` key), both of which are recommended to be +alphanumeric strings, at least 64 characters long. ```shell kubectl create secret generic oauth-gitlab-pages-secret --from-literal=appid= --from-literal=appsecret= diff --git a/doc/installation/tls.md b/doc/installation/tls.md index 7f79a52781..b5bfa46f21 100644 --- a/doc/installation/tls.md +++ b/doc/installation/tls.md @@ -61,12 +61,6 @@ helm install gitlab gitlab/gitlab \ --set gitlab.kas.ingress.tls.secretName=RELEASE-kas-tls ``` -Additionally, if Grafana is enabled: - -```shell - --set gitlab.gitlab-grafana.ingress.tls.secretName=grafana-tls -``` - ## Option 2: Use your own wildcard certificate Add your full chain certificate and key to the cluster as a `Secret`, e.g.: @@ -113,12 +107,6 @@ helm install gitlab gitlab/gitlab \ --set gitlab.kas.ingress.tls.secretName=RELEASE-kas-tls ``` -Additionally, if Grafana is enabled: - -```shell - --set gitlab.gitlab-grafana.ingress.tls.secretName=grafana-tls -``` - NOTE: If you are configuring your GitLab instance to talk with other services, it may be necessary to [provide the certificate chains](../charts/globals.md#custom-certificate-authorities) for those services to GitLab through the Helm chart as well. 
diff --git a/examples/custom-images/values.yaml b/examples/custom-images/values.yaml index 86f54f45b1..8af9791731 100644 --- a/examples/custom-images/values.yaml +++ b/examples/custom-images/values.yaml @@ -25,8 +25,6 @@ gitlab: gitlab-exporter: <<: *custom init: *custom - # If `global.grafana.enabled=true`, uncomment below to set the custom image - # gitlab-grafana: *custom gitlab-shell: <<: *custom init: *custom @@ -100,9 +98,3 @@ redis: tag: custom-tag upgradeCheck: *custom - -# If `global.grafana.enabled=true`, uncomment below to set the custom image -# grafana: -# <<: *custom -# sidecar: -# image: custom-repository:custom-tag diff --git a/examples/fips/values.yaml b/examples/fips/values.yaml index 65830d98f1..46aa2fd563 100644 --- a/examples/fips/values.yaml +++ b/examples/fips/values.yaml @@ -27,9 +27,6 @@ global: minio: enabled: false - grafana: - enabled: false - image: pullPolicy: Always # You can drop this if you're using release tags. tagSuffix: -fips diff --git a/examples/ref/10k.yaml b/examples/ref/10k.yaml index 7072a17eab..3c2580454b 100644 --- a/examples/ref/10k.yaml +++ b/examples/ref/10k.yaml @@ -116,8 +116,6 @@ global: gitlab: license: secret: example-gitlab-license - grafana: - enabled: true hosts: domain: example.com minio: @@ -168,10 +166,6 @@ prometheus: nodeSelector: workload: support -grafana: - nodeSelector: - workload: support - # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false diff --git a/examples/ref/25k.yaml b/examples/ref/25k.yaml index 5ba742db6c..d40c3382aa 100644 --- a/examples/ref/25k.yaml +++ b/examples/ref/25k.yaml @@ -116,8 +116,6 @@ global: gitlab: license: secret: example-gitlab-license - grafana: - enabled: true hosts: domain: example.com minio: @@ -168,10 +166,6 @@ prometheus: nodeSelector: workload: support -grafana: - nodeSelector: - workload: support - # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false 
diff --git a/examples/ref/2k.yaml b/examples/ref/2k.yaml index 18e13c0392..e0572bd12f 100644 --- a/examples/ref/2k.yaml +++ b/examples/ref/2k.yaml @@ -116,8 +116,6 @@ global: gitlab: license: secret: example-gitlab-license - grafana: - enabled: true hosts: domain: example.com minio: @@ -155,10 +153,6 @@ prometheus: nodeSelector: workload: support -grafana: - nodeSelector: - workload: support - # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false diff --git a/examples/ref/3k.yaml b/examples/ref/3k.yaml index 3e279f6676..e737f3c9f5 100644 --- a/examples/ref/3k.yaml +++ b/examples/ref/3k.yaml @@ -116,8 +116,6 @@ global: gitlab: license: secret: example-gitlab-license - grafana: - enabled: true hosts: domain: example.com minio: @@ -159,10 +157,6 @@ prometheus: nodeSelector: workload: support -grafana: - nodeSelector: - workload: support - # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false diff --git a/examples/ref/50k.yaml b/examples/ref/50k.yaml index 3c92a13bd5..1eb376387b 100644 --- a/examples/ref/50k.yaml +++ b/examples/ref/50k.yaml @@ -116,8 +116,6 @@ global: gitlab: license: secret: example-gitlab-license - grafana: - enabled: true hosts: domain: example.com minio: @@ -168,10 +166,6 @@ prometheus: nodeSelector: workload: support -grafana: - nodeSelector: - workload: support - # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false diff --git a/examples/ref/5k.yaml b/examples/ref/5k.yaml index 4a43e1a0f4..de22273406 100644 --- a/examples/ref/5k.yaml +++ b/examples/ref/5k.yaml @@ -116,8 +116,6 @@ global: gitlab: license: secret: example-gitlab-license - grafana: - enabled: true hosts: domain: example.com minio: @@ -159,10 +157,6 @@ prometheus: nodeSelector: workload: support -grafana: - nodeSelector: - workload: support - # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false 
diff --git a/examples/ubi/values.yaml b/examples/ubi/values.yaml index 7c7a930155..f04c1bce9e 100644 --- a/examples/ubi/values.yaml +++ b/examples/ubi/values.yaml @@ -29,9 +29,6 @@ global: minio: enabled: false - grafana: - enabled: false - image: pullPolicy: Always # You can drop this if you're using release tags. tagSuffix: -ubi8 diff --git a/requirements.yaml b/requirements.yaml index 438fe2182d..4e919b5746 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -24,10 +24,6 @@ dependencies: version: 0.52.0 repository: https://charts.gitlab.io/ condition: gitlab-runner.install -- name: grafana - version: 6.11.0 - repository: https://grafana.github.io/helm-charts - condition: global.grafana.enabled - name: redis version: 11.3.4 repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami diff --git a/spec/configuration/image_pull_spec.rb b/spec/configuration/image_pull_spec.rb index b2ca8731ad..9f91600363 100644 --- a/spec/configuration/image_pull_spec.rb +++ b/spec/configuration/image_pull_spec.rb @@ -5,7 +5,7 @@ require 'yaml' TARGET_KINDS = %w[Deployment StatefulSet Job].freeze CONTAINER_TYPES = %w[initContainers containers].freeze EXTERNAL_CHARTS = %w[ - certmanager gitlab-runner grafana postgresql prometheus redis nginx-ingress + certmanager gitlab-runner postgresql prometheus redis nginx-ingress ].freeze def targeted_resource_kind?(resource) diff --git a/spec/configuration/image_tag_spec.rb b/spec/configuration/image_tag_spec.rb index 0fec21491e..c0c9cf7d40 100644 --- a/spec/configuration/image_tag_spec.rb +++ b/spec/configuration/image_tag_spec.rb @@ -5,7 +5,7 @@ require 'yaml' TARGET_KINDS = %w[Deployment StatefulSet Job].freeze CONTAINER_TYPES = %w[initContainers containers].freeze EXTERNAL_CHARTS = %w[ - gitlab-runner grafana postgresql prometheus redis nginx-ingress + gitlab-runner postgresql prometheus redis nginx-ingress ].freeze def targeted_resource_kind?(resource) 
diff --git a/spec/configuration/ingress_spec.rb b/spec/configuration/ingress_spec.rb index 15115388b7..e57cbdec6e 100644 --- a/spec/configuration/ingress_spec.rb +++ b/spec/configuration/ingress_spec.rb @@ -39,7 +39,6 @@ describe 'GitLab Ingress configuration(s)' do let(:ingress_names) do %w[ - test-grafana-app test-gitlab-pages test-kas test-webservice-default @@ -59,8 +58,6 @@ describe 'GitLab Ingress configuration(s)' do enabled: true pages: enabled: true - grafana: - enabled: true kas: enabled: true registry: diff --git a/templates/_deprecations.tpl b/templates/_deprecations.tpl index 0eac5fc72d..3ce0239971 100644 --- a/templates/_deprecations.tpl +++ b/templates/_deprecations.tpl @@ -57,6 +57,7 @@ Due to gotpl scoping, we can't make use of `range`, so we have to add action lin {{- $deprecated = append $deprecated (include "gitlab.deprecate.gitaly-gitconfig-volume" .) -}} {{- $deprecated = append $deprecated (include "gitlab.deprecate.hpa.legacyCpuTarget" .) -}} {{- $deprecated = append $deprecated (include "gitlab.deprecate.hpa.behaviorMispell" .) -}} +{{- $deprecated = append $deprecated (include "gitlab.deprecate.global.grafana" .) -}} {{- /* prepare output */}} {{- $deprecated = without $deprecated "" -}} 
@@ -460,4 +461,15 @@ gitlab.{{ $chart }}: {{- end -}} {{- end -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* Deprecation behaviors for Grafana*/}} +{{- define "gitlab.deprecate.global.grafana" -}} +{{- if kindIs "map" (index .Values.global "grafana") }} +{{- if and ( hasKey .Values.global.grafana "enabled" ) (eq true .Values.global.grafana.enabled)}} +grafana: + The bundled Grafana chart has been removed, and thus `global.grafana.enabled` does not have any effect. It is recommended that you switch to the newer chart version from Grafana Labs available at https://artifacthub.io/packages/helm/grafana/grafana or a Grafana Operator from a trusted provider. You can find instructions to integrate Grafana with GitLab at https://docs.gitlab.com/ee/administration/monitoring/performance/grafana_configuration.html. +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.deprecate.global.grafana */}} diff --git a/templates/shared-secrets/_generate_secrets.sh.tpl b/templates/shared-secrets/_generate_secrets.sh.tpl index 3724b79fe3..a535c82d54 100644 --- a/templates/shared-secrets/_generate_secrets.sh.tpl +++ b/templates/shared-secrets/_generate_secrets.sh.tpl @@ -195,11 +195,6 @@ generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} - # Container Registry notification_secret generate_secret_if_needed {{ template "gitlab.registry.notificationSecret.secret" . }} --from-literal={{ template "gitlab.registry.notificationSecret.key" . }}=[\"$(gen_random 'a-zA-Z0-9' 32)\"] -{{ if .Values.global.grafana.enabled -}} -# Grafana password -generate_secret_if_needed "gitlab-grafana-initial-password" --from-literal=password=$(gen_random 'a-zA-Z0-9' 64) -{{ end }} - {{ if .Values.global.praefect.enabled -}} {{ if not .Values.global.praefect.psql.host -}} # Praefect DB password diff --git a/values.yaml b/values.yaml index 1fbf30665b..eae06f396b 100644 --- a/values.yaml +++ b/values.yaml 
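Review bot: The `eq true .Values.global.grafana.enabled` test in the new `gitlab.deprecate.global.grafana` template is type-strict, so a string value (for example one passed with `--set-string`, or a quoted `"true"` in a values file) would most likely make `eq` fail with an incompatible-types error instead of printing this notice. Comparing the string form keeps the guard and avoids that: `{{- if and (hasKey .Values.global.grafana "enabled") (eq (toString .Values.global.grafana.enabled) "true") }}`. The notice could also mention the `gitlab-grafana-initial-password` Secret, which the shared-secrets script stops generating in this same patch. That Secret is presumably left behind in the namespace after the upgrade and still holds the initial Grafana admin password, so operators should be told to delete it. A short spec that renders the chart with `global.grafana.enabled=true` and expects this message would pin the behaviour; the hunk in this file that registers the template has no test beside it.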
@@ -192,10 +192,6 @@ global: credentials: {} # secret: - ## https://docs.gitlab.com/charts/charts/globals#configure-grafana-integration - grafana: - enabled: false - ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings ## Rails based portions of this chart share many settings appConfig: 
@@ -1162,57 +1158,6 @@ gitlab-runner: gitlab.com/prometheus_scrape: "true" gitlab.com/prometheus_port: 9252 -## Installation & configuration of stable/grafana -## See requirements.yaml for current version -## Controlled by `global.grafana.enabled` -grafana: - # Overrides the Grafana image tag for the 7.5.16 security update - image: - tag: 7.5.16 - ## Override and provide "bogus" administation secrets - ## gitlab/gitlab-grafana provides overrides via shared-secrets - nameOverride: grafana-app - admin: - existingSecret: bogus - env: - GF_SECURITY_ADMIN_USER: bogus - GF_SECURITY_ADMIN_PASSWORD: bogus - ## This override allows gitlab/gitlab-grafana to completely override the secret - ## handling behavior of the upstream chart in combination with the above. - command: ["sh", "-x", "/tmp/scripts/import-secret.sh"] - ## The following settings allow Grafana to dynamically create - ## dashboards and datasources from configmaps. See - ## https://artifacthub.io/packages/helm/grafana/grafana#sidecar-for-dashboards - sidecar: - dashboards: - enabled: true - label: gitlab_grafana_dashboard - datasources: - enabled: true - label: gitlab_grafana_datasource - ## We host Grafana as a sub-url of GitLab - grafana.ini: - server: - serve_from_sub_path: true - root_url: http://localhost/-/grafana/ - auth: - login_cookie_name: gitlab_grafana_session - ## We generate and provide random passwords - ## NOTE: the Secret & ConfigMap names are hard coded! - extraSecretMounts: - - name: initial-password - mountPath: /tmp/initial - readOnly: true - secretName: gitlab-grafana-initial-password - defaultMode: 400 - extraConfigmapMounts: - - name: import-secret - mountPath: /tmp/scripts - configMap: gitlab-grafana-import-secret - readOnly: true - testFramework: - enabled: false - ## Settings for individual sub-charts under GitLab ## Note: Many of these settings are configurable via globals gitlab: 
@@ -1236,8 +1181,6 @@ gitlab: ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell # gitlab-shell: # enabled: false - ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-grafana - # gitlab-grafana: ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-pages # gitlab-pages: ## https://docs.gitlab.com/charts/charts/gitlab/kas -- GitLab