From 5ee91a31ab7269f026dd3d6fa52eedbf9389dc8d Mon Sep 17 00:00:00 2001
From: Kevin Wilder <kevin.wilder@darkwolfsolutions.com>
Date: Tue, 9 Feb 2021 12:28:44 -0700
Subject: [PATCH] feat: upgrade gitlab to 13.7.2 and add new bigbang features

---
 chart/templates/NOTES.txt               | 136 +++++++++-----------
 chart/templates/gitlab/helmrelease.yaml | 158 ++++++++++++++++++++++--
 chart/templates/gitlab/namespace.yaml   |  93 ++++++++++++++
 chart/values.yaml                       |  30 ++++-
 tests/ci/k3d/values.yaml                |   9 +-
 5 files changed, 335 insertions(+), 91 deletions(-)

diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 11d51c6c53..d6cd644705 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -3,93 +3,79 @@ Thank you for supporting PlatformOne!
 {{ if $.Values.addons.gitlab.enabled }}
 Gitlab is enabled.
 Please follow the Gitlab online documentation for proper configuration. 
-Here is an example of how to configure external perstistent storage for postgres DB and object storage.
+This BigBang chart provides convenient enhancements to the Gitlab Package helm chart.
+If you enable these features certain settings will be defaulted for you and any required secrets will be automatically created.
+You should point to your cloud provider's RDS and object storage.
+Gitlab will not provision storage for you. You will need to provision the database and the S3 buckets.
+Here is an example of how to configure your deployment.
 
 addons:
   gitlab:
     enabled: true
-    values:
-      postgresql:
-        install: false
-      global:
-        minio:
-          enabled: false
-        psql:
-          host: postgres-postgresql-headless.postgres.svc.cluster.local
-          port: 5432
-          username: postgres
-          database: postgres
-          password:
-            secret: db-credentials
-            key: PGPASSWORD
-        registry:
-          bucket: gitlab-registry-storage
-        appConfig:
-          lfs:
-            bucket: gitlab-lfs
-            connection:
-              secret: gitlab-object-storage
-              key: rails
-          artifacts:
-            bucket: gitlab-artifacts
-            connection:
-              secret: gitlab-object-storage
-              key: rails
-          uploads:
-            bucket: gitlab-uploads
-            connection:
-              secret: gitlab-object-storage
-              key: rails
-          packages:
-            bucket: gitlab-packages
-            connection:
-              secret: gitlab-object-storage
-              key: rails
-          externalDiffs:
-            bucket: gitlab-mr-diffs
-            connection:
-              secret: gitlab-object-storage
-              key: rails
-          terraformState:
-            enabled: false
-            bucket: gitlab-terraform-state
-            connection:
-              secret: gitlab-object-storage
-              key: rails
-          backups:
-            bucket: gitlab-backup
-            tmpBucket: gitlab-backup-tmp
-      gitlab:
-        task-runner:
-          psql:
-            host: postgres-postgresql-headless.postgres.svc.cluster.local
-            port: 5432
-            username: postgres
-            database: postgres
-            password:
-              secret: db-credentials
-              key: PGPASSWORD
-          backups:
-            objectStorage:
-              config:
-                secret: gitlab-object-storage
-                key: backups
-      registry:
-        storage:
-          secret: gitlab-object-storage
-          key: registry
+    hostnames:
+      gitlab: gitlab.example.mil
+      registry: registry.example.mil
+    sso:
+      enabled: true
+      label: "Platform One SSO"
+      client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-gitlab"
+      client_secret: ""
+    database:
+      host: postgres.example.mil
+      port: 5432
+      username: gitlab
+      database: gitlab
+      password: mysecretpassword
+    objectstorage:
+      type: s3
+      endpoint: https://s3.us-gov-west-1.amazonaws.com
+      region: us-gov-west-1
+      accessKey: myaccesskey
+      accessSecret: mysecretkey
+      bucketPrefix: prod
 
+{{ if $.Values.addons.gitlab.objectstorage.endpoint }}
+GITLAB: You have enabled Gitlab external object storage. 
+Here is the list of buckets that you must provision in your s3 service:
+{{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-registry
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-lfs
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-artifacts
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-uploads
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-packages
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-mr-diffs
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-terraform-state
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-dependency-proxy
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-pseudo
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-backup
+{{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-backup-tmp
+{{- else }}
+gitlab-registry
+gitlab-lfs
+gitlab-artifacts
+gitlab-uploads
+gitlab-packages
+gitlab-mr-diffs
+gitlab-terraform-state
+gitlab-dependency-proxy
+gitlab-pseudo
+gitlab-backup
+gitlab-backup-tmp
+{{- end }}
+{{- end }}
 
-{{- if $.Values.addons.gitlab.values.postgresql.install }}
+{{ if $.Values.addons.gitlab.database.host }}
+{{ else }}
 PLATFORM ONE GITLAB WARNING:
-  You have enabled an internal postgres database in the values configuration.
+  You have enabled an internal postgres database in the BigBang configuration.
   PlatformOne does not support this option for production deployments because your persistent data can be permanently lost.
   This option should only be used for development or CI pipelines.
 {{- end -}}
 
-{{- if $.Values.addons.gitlab.values.global.minio.enabled }}
+{{ if $.Values.addons.gitlab.objectstorage.endpoint }}
+{{ else }}
 PLATFORM ONE GITLAB WARNING: 
-  You have enabled a MinIO internal service in the values configuration.
+  You have enabled a MinIO internal service in the BigBang configuration.
   PlatformOne does not support this option for production deployments because your persistent data can be permanently lost.
   This option should only be used for development or CI pipelines.
 {{- end }}
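Review bot: The example configuration at lines L110-L121 shows `password: mysecretpassword`, `accessKey: myaccesskey` and `accessSecret: mysecretkey` inline, while the chart's own values comments say these belong in the encrypted secret values; since NOTES.txt is what operators copy from, the example should say so, e.g. a line after the block reading `# database.password and objectstorage.accessSecret belong in the encrypted secrets values file, not in plain values.` The two new conditionals at L155-L156 and L165-L166 are `{{ if X }}{{ else }}` with an empty first branch, which reads as a mistake; `{{ if not $.Values.addons.gitlab.database.host }}` (and likewise for the endpoint) expresses the same thing directly. Those lines and L124 also dropped the `-` whitespace chomp that the removed lines had, so the rendered notes will gain blank lines; `{{- if ... }}` keeps the previous output compact. Line L125 carries trailing whitespace.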
diff --git a/chart/templates/gitlab/helmrelease.yaml b/chart/templates/gitlab/helmrelease.yaml
index 75d2b8a218..cbcf664bd6 100644
--- a/chart/templates/gitlab/helmrelease.yaml
+++ b/chart/templates/gitlab/helmrelease.yaml
@@ -48,8 +48,10 @@ spec:
       enabled: {{ .Values.istio.enabled }}
     monitoring:
       enabled: {{ .Values.monitoring.enabled }}
-{{- if ( include "imagePullSecret" . ) }}
-    ## values for image pull secrets
+    {{- if .Values.addons.gitlab.database.host }}
+    postgresql:
+      install: false
+    {{- end }}
     redis:
       metrics:
         image:
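Review bot: Removing the `{{- if ( include "imagePullSecret" . ) }}` guard at L181 (with its `{{- end }}` removed at L220 and L370) makes every `pullSecrets: private-registry` reference in this release unconditional, whereas the `kubernetes.io/dockerconfigjson` secret in namespace.yaml (L379-L381) still appears to be created inside a condition whose start is outside the visible hunks. If that secret stays conditional, pods will reference a pull secret that may not exist; the kubelet tolerates that with a warning, but it is worth confirming the asymmetry is intended or guarding the secret creation the same way. A one-line comment above `redis:` such as `# pull secrets are always referenced; the private-registry secret is created unconditionally in namespace.yaml` would record the decision either way. The enclosing `values:` block begins before this hunk.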
@@ -59,6 +61,11 @@ spec:
         pullSecrets: 
         - private-registry
     registry:
+      {{- if .Values.addons.gitlab.objectstorage.endpoint }}
+      storage:
+        secret: gitlab-object-storage
+        key: registry
+      {{- end }}
       image:
         pullSecrets:
         - name: private-registry
@@ -69,6 +76,13 @@ spec:
           - name: private-registry
     gitlab:
       task-runner:
+        {{- if .Values.addons.gitlab.objectstorage.endpoint }}
+        backups:
+          objectStorage:
+            config:
+              secret: gitlab-object-storage
+              key: backups
+        {{- end }}
         image:
           pullSecrets:
           - name: private-registry
@@ -102,16 +116,143 @@ spec:
     minio:
       pullSecrets:
       - name: private-registry
-    {{- end }}
     global:
       hosts:
-        domain: code.{{ .Values.hostname }}
+        domain: {{ .Values.hostname }}
         gitlab:
-          name: code.{{ .Values.hostname }}
+          name: {{ .Values.addons.gitlab.hostnames.gitlab }} 
         registry:
-          name: registry.{{ .Values.hostname }}
-{{- if ( include "imagePullSecret" . ) }}
-      ## values for image pull secrets
+          name: {{ .Values.addons.gitlab.hostnames.registry }}
+      {{- if .Values.addons.gitlab.objectstorage.endpoint }}
+      minio:
+        enabled: false
+      {{- end }}
+      {{- if .Values.addons.gitlab.database.host }}
+      psql:
+        host: {{ .Values.addons.gitlab.database.host }}
+        port: {{ .Values.addons.gitlab.database.port }}
+        username: {{ .Values.addons.gitlab.database.username }}
+        database: {{ .Values.addons.gitlab.database.database }}
+        password:
+          secret: gitlab-database
+          key: PGPASSWORD
+      {{- end }}
+      {{- if .Values.addons.gitlab.objectstorage.endpoint }}
+      registry:
+        {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+        bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-registry
+        {{- else }}
+        bucket: gitlab-registry
+        {{- end }}
+      {{- end }}
+      {{- if or .Values.addons.gitlab.sso.enabled .Values.addons.gitlab.objectstorage.endpoint }}
+      appConfig:
+      {{- end }}
+        {{- if .Values.addons.gitlab.sso.enabled }}
+        omniauth:
+          enabled: true
+          {{- $global := .Values.addons.gitlab.values.global | default dict }}
+          {{- $appConfig := $global.appConfig | default dict }}
+          {{- $omniauth := $appConfig.omniauth | default dict }}
+          {{- if hasKey $omniauth "allowSingleSignOn" }}
+          allowSingleSignOn: {{ .Values.addons.gitlab.values.global.appConfig.omniauth.allowSingleSignOn }}
+          {{- else }}
+          allowSingleSignOn: ['openid_connect']
+          {{- end }}
+          {{- if hasKey $omniauth "blockAutoCreatedUsers" }}
+          blockAutoCreatedUsers: {{ .Values.addons.gitlab.values.global.appConfig.omniauth.blockAutoCreatedUsers }}
+          {{- else }}
+          blockAutoCreatedUsers: false
+          {{- end }}
+          providers:
+              - secret: gitlab-sso-provider
+                key: gitlab-sso.json
+        {{- end }}
+        {{- if .Values.addons.gitlab.objectstorage.endpoint }}
+        lfs:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-lfs
+          {{- else }}
+          bucket: gitlab-lfs
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        artifacts:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-artifacts
+          {{- else }}
+          bucket: gitlab-artifacts
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        uploads:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-uploads
+          {{- else }}
+          bucket: gitlab-uploads
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        packages:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-packages
+          {{- else }}
+          bucket: gitlab-packages
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        externalDiffs:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-mr-diffs
+          {{- else }}
+          bucket: gitlab-mr-diffs
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        terraformState:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-terraform-state
+          {{- else }}
+          bucket: gitlab-terraform-state
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        dependencyProxy:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-dependency-proxy
+          {{- else }}
+          bucket: gitlab-dependency-proxy
+          {{- end }}
+          connection: 
+            secret: gitlab-object-storage
+            key: rails
+        pseudonymizer:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-pseudo
+          {{- else }}
+          bucket: gitlab-pseudo
+          {{- end }}
+          connection:
+            secret: gitlab-object-storage
+            key: rails
+        backups:
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-backup
+          {{- else }}
+          bucket: gitlab-backup
+          {{- end }}
+          {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+          tmpBucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-backup-tmp
+          {{- else }}
+          tmpBucket: gitlab-backup-tmp
+          {{- end }}
+        {{- end }}
       certificates:
         image:
           pullSecrets:
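Review bot: The default `blockAutoCreatedUsers: false` at L272, combined with `allowSingleSignOn: ['openid_connect']` at L267, means any identity the OIDC realm can authenticate gets an active GitLab account without administrator approval; GitLab's own default for this setting is true, so the chart should either default to `blockAutoCreatedUsers: true` or call the relaxation out in values.yaml where `sso.enabled` is documented. The `hasKey` branches at L264-L265 and L269-L270 already hold `$omniauth`, so `allowSingleSignOn: {{ $omniauth.allowSingleSignOn }}` avoids re-walking the full `.Values` path that the `default dict` guards were added to protect. Style: L227 and L339 carry trailing whitespace, and the `providers:` sequence at L275-L276 is indented four spaces deeper than the other sequences in this file. The `global:` mapping continues past the end of this hunk.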
@@ -120,7 +261,6 @@ spec:
         image:
           pullSecrets:
           - name: private-registry
-      {{ end }}
 
   {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.monitoring.enabled }}
   dependsOn:
diff --git a/chart/templates/gitlab/namespace.yaml b/chart/templates/gitlab/namespace.yaml
index f521cc953d..5203159cef 100644
--- a/chart/templates/gitlab/namespace.yaml
+++ b/chart/templates/gitlab/namespace.yaml
@@ -22,4 +22,97 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: {{ template "imagePullSecret" . }}
 {{- end }}
+---
+# create sso secret. The assumption is OIDC
+{{- if .Values.addons.gitlab.sso.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-sso-provider
+  namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+  gitlab-sso.json: |-
+    {
+      "name": "openid_connect",
+      "label": "{{ .Values.addons.gitlab.sso.label }}",
+      "args": {
+        "name": "openid_connect",
+        "scope": [
+          "Gitlab"
+        ],
+        "response_type": "code",
+        "issuer": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}",
+        "client_auth_method": "query",
+        "discovery": true,
+        "uid_field": "preferred_username",
+        "client_options": {
+          "identifier": "{{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id }}",
+          "secret": "{{ .Values.addons.gitlab.sso.client_secret | default .Values.sso.client_secret }}",
+          "redirect_uri": "https://{{ .Values.addons.gitlab.hostnames.gitlab }}/users/auth/openid_connect/callback",
+          "end_session_endpoint": "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/logout"
+        }
+      }
+    }
+{{- end }}
+---
+# create database secret
+{{- if .Values.addons.gitlab.database.host }}
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitlab-database
+    namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+    PGPASSWORD: {{ .Values.addons.gitlab.database.password }}
+{{- end }}
+---
+# create object storage secret
+{{- if .Values.addons.gitlab.objectstorage.endpoint }}
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitlab-object-storage
+    namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+    rails: |-
+      provider: AWS
+      region: {{ .Values.addons.gitlab.objectstorage.region }}
+      aws_access_key_id: {{ .Values.addons.gitlab.objectstorage.accessKey }}
+      aws_secret_access_key: {{ .Values.addons.gitlab.objectstorage.accessSecret }}
+      {{- if eq .Values.addons.gitlab.objectstorage.type "minio" }}
+      aws_signature_version: 4
+      host: {{ regexReplaceAll "http(s{0,1})://(.*):(\\d+)" .Values.addons.gitlab.objectstorage.endpoint "${2}" }}
+      endpoint: "{{ .Values.addons.gitlab.objectstorage.endpoint }}"
+      path_style: true
+      {{- end }}
+    registry: |-
+      s3:
+        {{- if .Values.addons.gitlab.objectstorage.bucketPrefix }}
+        bucket: {{ .Values.addons.gitlab.objectstorage.bucketPrefix }}-gitlab-registry
+        {{- else }}
+        bucket: gitlab-registry
+        {{- end }}
+        accesskey: {{ .Values.addons.gitlab.objectstorage.accessKey }}
+        secretkey: {{ .Values.addons.gitlab.objectstorage.accessSecret }}
+        region: {{ .Values.addons.gitlab.objectstorage.region }}
+        {{- if eq .Values.addons.gitlab.objectstorage.type "s3" }}
+        v4auth: true
+        {{- end }}
+        {{- if eq .Values.addons.gitlab.objectstorage.type "minio" }}
+        aws_signature_version: 4
+        host: {{ regexReplaceAll "http(s{0,1})://(.*):(\\d+)" .Values.addons.gitlab.objectstorage.endpoint "${2}" }}
+        regionendpoint: "{{ .Values.addons.gitlab.objectstorage.endpoint }}"
+        path_style: true
+        {{- end }}
+    backups: |-
+      [default]
+      access_key = {{ .Values.addons.gitlab.objectstorage.accessKey }}
+      secret_key = {{ .Values.addons.gitlab.objectstorage.accessSecret }}
+      bucket_location = {{ .Values.addons.gitlab.objectstorage.region }}
+      host_bucket = %(bucket)s.{{ regexReplaceAll "http(s*)://" .Values.addons.gitlab.objectstorage.endpoint "" }}
+{{- end }}
+
 {{- end }}
\ No newline at end of file
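Review bot: The client id and secret at L407-L408 are interpolated into a JSON string literal without escaping, so a generated secret containing `"` or `\` yields invalid `gitlab-sso.json`; render them with `toJson`, e.g. `"identifier": {{ .Values.addons.gitlab.sso.client_id | default .Values.sso.client_id | toJson }},` and the same for `"secret"`. The plain YAML scalars at L425, L439-L441 and L455-L457 have the same problem in YAML form: `PGPASSWORD: {{ .Values.addons.gitlab.database.password }}` is retyped or breaks the manifest when the value looks like a number or boolean or contains `: ` or ` #`, so use `PGPASSWORD: {{ .Values.addons.gitlab.database.password | quote }}` (and `| quote` on the access key, secret and region lines). `type: kubernetes.io/opaque` at L390, L423 and L435 is not the documented type for generic secrets; the API server accepts arbitrary type strings so it works, but `type: Opaque` is what tooling expects. The `metadata:` children at L421-L422 and L433-L434 are indented four spaces while L388-L389 use two; pick one. The enclosing `{{- if }}` whose `{{- end }}` is at L475 starts before this hunk.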
diff --git a/chart/values.yaml b/chart/values.yaml
index cb71954b31..c6b36f89f2 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -216,10 +216,38 @@ addons:
 
   gitlab:
     enabled: false
+    hostnames:
+      gitlab: gitlab.bigbang.dev
+      registry: registry.bigbang.dev
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
       path: "./chart"
-      tag: "4.2.0-bb.1"
+      tag: "4.7.2-bb.0"
+    sso:
+      # enabling this option will auto-create any required secrets. 
+      # The defaults assume an OIDC provider. 
+      enabled: false
+      label: ""  # the text next to the login button
+      client_id: ""
+      client_secret: ""
+    database:
+      # entering connection info will enable external database and will auto-create any required secrets.
+      # Gitlab will not provison the database when using an external service
+      host: ""     # example: postgres.bigbang.dev
+      port: ""     # example: 5432
+      username: "" # example: gitlab
+      database: "" # example: gitlab
+      password: "" # unencoded string data. This should be placed in the secret values and then encrypted
+    objectstorage:
+      # entering connection info will enable this option and will auto-create any required secrets
+      # Gitlab will not provision the S3 buckets when using an external service
+      type: ""         # supported types are "s3" or "minio"
+      endpoint: ""     # examples: "https://s3.amazonaws.com" "https://s3.us-gov-west-1.amazonaws.com" "http://minio.minio.svc.cluster.local:9000"
+      region: ""       # example: us-gov-west-1
+      accessKey: ""    # unencoded string data
+      accessSecret: "" # unencoded string data. This should be placed in the secret values and then encrypted
+      bucketPrefix: "" # optional. example: "prod"
+    values: {}
 
   haproxy:
     enabled: false
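Review bot: The new `values: {}` at L517 is consulted by the helmrelease for `values.global.appConfig.omniauth.allowSingleSignOn` and `blockAutoCreatedUsers` overrides, but nothing here says so; a comment such as `# passthrough to the Gitlab chart; global.appConfig.omniauth.allowSingleSignOn and blockAutoCreatedUsers set here override the SSO defaults` would make the knob discoverable. `port: ""` at L504 is rendered as a plain scalar, so its comment should say the value is inserted unquoted and must be a number, e.g. `# example: 5432 (rendered unquoted)`. Typo at L502: `provison` → `provision`; L494 and L495 end with trailing whitespace.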
diff --git a/tests/ci/k3d/values.yaml b/tests/ci/k3d/values.yaml
index e34790bfac..0167a07270 100644
--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -63,9 +63,6 @@ addons:
         callback_uri: "https://minimal.bigbang.dev"
   gitlab:
     enabled: true
-    values:
-      postgresql:
-        install: true
-      global:
-        minio:
-          enabled: true
+    sso:
+      enabled: false
+
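Review bot: Dropping `postgresql.install: true` and `global.minio.enabled: true` (L529-L534) leaves the CI run depending on the upstream Gitlab chart's defaults for the internal database and MinIO, since the helmrelease only emits those keys when `database.host` or `objectstorage.endpoint` is set; if that is the intent, a comment such as `# no database/objectstorage settings: CI uses the internal postgres and MinIO defaults` records it. `sso.enabled: false` at L535-L536 restates the chart default from values.yaml and could be omitted or likewise commented as a deliberate pin. L537 adds a trailing blank line at end of file.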
-- 
GitLab