......@@ -760,8 +760,8 @@ production_specs_eks:
retry: 1
allow_failure: true
sync_images:
image: registry.gitlab.com/gitlab-org/gitlab-omnibus-builder:ruby_docker-0.0.7
wait_for_images:
image: registry.gitlab.com/gitlab-org/gitlab-omnibus-builder/ruby_docker:0.0.41
stage: prepare
services:
- docker:dind
......@@ -770,11 +770,11 @@ sync_images:
DOCKER_DRIVER: overlay2
DOCKER_HOST: tcp://docker:2375
script:
- bundle install
- bundle exec rake images:sync[ee]
- bundle exec rake images:sync[ce]
- bash scripts/wait_for_images.sh
only:
- tags@gitlab/charts/gitlab
- tags@charts/gitlab
- /.*-stable/
release_package:
stage: package
......@@ -786,7 +786,7 @@ release_package:
only:
- tags@gitlab/charts/gitlab
dependencies:
- sync_images
- wait_for_images
.qa_branch:
extends: .qa
......
......@@ -2,6 +2,84 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 2.0.5
### Other (1 change)
- Update GitLab Version to 12.0.6.
## 2.0.4
### Fixed (4 changes)
- Use sort to compare versions in upgrade logic. !846
- Freeze the version of redis exporter image. !850
- Fixed shared secrets whitespace templating #1410. !861
- Escape and quote all passwords in ERB templates. !869
### Other (1 change)
- Update GitLab Version to 12.0.4.
## 2.0.3 (2019-07-03)
### Other (1 change)
- Update GitLab Version to 12.0.3.
## 2.0.2 (2019-06-26)
### Changed (1 change)
- Updated the gitlab-monitor tags to properly match its upstream release.
### Other (2 changes)
- Update gitlab-runner to 0.6.0/12.0.0. !832
- Update GitLab Version to 12.0.2.
## 2.0.1 (2019-06-25)
### Other (1 change)
- Update GitLab Version to 12.0.1.
## 2.0.0 (2019-06-22)
### Fixed (6 changes)
- Ensure unicorn.rb issues appropriate lifecycle hooks. !791
- Add missing object storage settings in task-runner. !793
- Disable storage redirect of Registry when the internal Minio is used. !797
- Port over https://github.com/helm/charts/pull/13646. !804
- Add SMTP and other missing settings for task-runner. !809
- Fix example smtp settings. !810
### Changed (2 changes)
- Prioritize the external object storage connection settings before the global minio configuration. !802
- Updated supported Kubernetes to 1.10 and Helm to 2.12. !808
### Added (6 changes, 2 of them are from the community)
- Cron based backup support using Kubernetes and task runner. !548 (Thomas Miller)
- Add support for tolerations. !553 (Mike Rennie)
- Add gitlab-monitor to Helm Chart. !787
- Add ability to specify network to use when creating a GKE cluster. !799
- Modified anyuid to reflect project level instead of cluster. !803
- Prevent upgrades from old chart versions. !828
### Other (2 changes, 1 of them is from the community)
- Default Registry replicas to minReplicas. !794 (skarbek)
- Update GitLab Version to 12.0.0.
## 1.9.3 (2019-06-10)
### Other (1 change)
......
---
apiVersion: v1
name: gitlab
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: Web-based Git-repository manager with wiki and issue-tracking features.
keywords:
- gitlab
......
---
title: Cron based backup support using Kubernetes and task runner.
merge_request: 548
author: Thomas Miller
type: added
---
title: Add support for tolerations
merge_request: 553
author: Mike Rennie
type: added
\ No newline at end of file
---
title: Prioritize the external object storage connection settings before the global
minio configuration
merge_request: 802
author:
type: changed
---
title: Disable storage redirect of Registry when the internal Minio is used
merge_request: 797
author:
type: fixed
---
title: Ensure unicorn.rb issues appropriate lifecycle hooks
merge_request: 791
author:
type: fixed
---
title: Fix example smtp settings
merge_request: 810
author:
type: fixed
---
title: Default Registry replicas to minReplicas
merge_request: 794
author: skarbek
type: other
---
title: Port over https://github.com/helm/charts/pull/13646
merge_request: 804
author:
type: fixed
---
title: "Modified anyuid to reflect project level instead of cluster"
merge_request: 803
type: added
---
title: Add ability to specify network to use when creating a GKE cluster
merge_request: 799
author:
type: added
---
title: Add gitlab-monitor to Helm Chart
merge_request: 787
author:
type: added
---
title: Add missing object storage settings in task-runner
merge_request: 793
author:
type: fixed
---
title: Add SMTP and other missing settings for task-runner
merge_request: 809
author:
type: fixed
---
title: Updated supported Kubernetes to 1.10 and Helm to 2.12
merge_request: 808
author:
type: changed
---
apiVersion: v1
name: gitaly
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 1.47.2
description: Git RPC service for handling all the git calls made by GitLab
keywords:
- gitlab
......
......@@ -33,7 +33,7 @@ data:
<% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %>
<% end %>
[auth]
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token') %>"
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token').strip.dump[1..-2] %>"
[gitaly-ruby]
# The directory where gitaly-ruby is installed
......@@ -63,7 +63,7 @@ data:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password") %>"
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password").strip.dump[1..-2] %>"
{{- end }}
database: nil
namespace: resque:gitlab
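Review bot: `String#dump[1..-2]` yields Ruby literal escaping, which is not the escape set of either target format here: `token = "…"` under `[auth]` is a TOML basic string and `pass: "…"` is a YAML double-quoted scalar. Ruby's dump writes `\#` before `{`, `$` or `@`, and may write `\xNN` or `\e` for non-ASCII and control bytes; as far as I can tell YAML rejects `\#` and TOML rejects `\x`/`\e`, so a user-supplied secret containing those sequences would still break the rendered config or decode to a different value. Emitting the value with its own quotes through a JSON encoder, for example `token = <%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token').strip.to_json %>`, produces escapes both formats accept, provided `json` is loaded where the ERB is rendered (not visible here). The same pattern recurs in the gitlab-shell, mailroom, migrations, sidekiq, task-runner and unicorn hunks and in the gitaly, LDAP and Minio helper templates. `.strip` also drops intentional leading or trailing whitespace from a secret, which deserves a line in the secrets documentation.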
......
---
apiVersion: v1
name: gitlab-monitor
version: 4.0.0
appVersion: master
version: 2.0.5
appVersion: 4.0.0
description: Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors)
keywords:
- gitlab
......
......@@ -17,7 +17,7 @@ data:
methods:
- probe_db
opts:
connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read("/etc/gitlab/postgres/psql-password") %>'
connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read("/etc/gitlab/postgres/psql-password").strip.gsub(/[\'\\]/) { |esc| '\\' + esc } %>'
database:
multiple: true
ci_builds:
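Review bot: The `gsub` on `connection_string` escapes `'` and `\` for the libpq quoting layer only; the whole value is still an unquoted YAML plain scalar. A password containing ` #` would be cut off as a comment, and one containing `: ` would likely fail to parse once the rendered file is read as YAML. I would wrap the full value in a quoted YAML scalar and apply YAML escaping after the libpq escaping, and add a comment on the line stating which layer each escape serves.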
......
......@@ -71,7 +71,7 @@ spec:
containers:
{{ include "gitlab.extraContainers" . | indent 8 }}
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}"
image: "{{ .Values.image.repository }}:{{ coalesce .Values.image.tag .Chart.AppVersion }}"
{{ template "gitlab.imagePullPolicy" . }}
env:
- name: CONFIG_TEMPLATE_DIRECTORY
......
---
apiVersion: v1
name: gitlab-shell
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 9.3.0
description: sshd for Gitlab
keywords:
- gitlab
......
......@@ -32,7 +32,7 @@ data:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/password") %>"
pass: "<%= File.read("/etc/gitlab-secrets/redis/password").strip.dump[1..-2] %>"
{{- end }}
database: nil
namespace: resque:gitlab
......
---
apiVersion: v1
name: mailroom
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: Handling incoming emails
keywords:
- gitlab
......
......@@ -16,7 +16,7 @@ data:
:ssl: {{ .ssl }}
:start_tls: {{ .startTls }}
:email: {{ .user }}
:password: "<%= File.read("/etc/gitlab/mailroom/password") %>"
:password: "<%= File.read("/etc/gitlab/mailroom/password").strip.dump[1..-2] %>"
:idle_timeout: {{ .idleTimeout }}
:name: {{ .mailbox }}
:delete_after_delivery: true
......
---
apiVersion: v1
name: migrations
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: Database migrations and other versioning tasks for upgrading Gitlab
keywords:
- gitlab
......
......@@ -14,7 +14,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......
---
apiVersion: v1
name: operator
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: Gitlab operator for managing upgrades
keywords:
- gitlab
......
---
apiVersion: v1
name: sidekiq
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: Gitlab Sidekiq for asynchronous task processing in rails
keywords:
- gitlab
......
......@@ -16,7 +16,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......
---
apiVersion: v1
name: task-runner
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: For manually running rake tasks through kubectl
keywords:
- gitlab
......
......@@ -14,7 +14,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
{{- include "gitlab.psql.ssl.config" . | indent 6 }}
......
---
apiVersion: v1
name: unicorn
version: 1.9.3
appVersion: master
version: 2.0.5
appVersion: 12.0.6
description: HTTP server for Gitlab
keywords:
- gitlab
......
......@@ -16,7 +16,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......@@ -179,7 +179,7 @@ data:
[redis]
URL = "{{ template "gitlab.redis.scheme" . }}://{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}"
{{- if .Values.global.redis.password.enabled }}
Password = "<%= File.read("/etc/gitlab/redis/password") %>"
Password = "<%= File.read("/etc/gitlab/redis/password").strip.dump[1..-2] %>"
{{- end }}
configure: |
set -e
......
{{- define "gitlab.appConfig.gitaly" -}}
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token') %>"
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
{{- end -}}
{{- define "gitlab.appConfig.repositories" -}}
......
......@@ -25,7 +25,7 @@ Usage example:
{{- $.name }}:
{{- toYaml (omit $.config "password") | trimSuffix "\n" | nindent 2 -}}
{{- if and $.config.password (not (kindIs "string" $.config.password ))}}
password: "<%= File.read('/etc/gitlab/ldap/{{ $.name }}/password') %>"
password: "<%= File.read('/etc/gitlab/ldap/{{ $.name }}/password').strip.dump[1..-2] %>"
{{- end -}}
{{- end -}}{{/* gitlab.appConfig.ldap.servers.configuration */}}
......
......@@ -22,8 +22,8 @@ object_store:
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey') %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey') %>"
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: {{ template "gitlab.minio.hostname" .context }}
endpoint: {{ template "gitlab.minio.endpoint" .context }}
path_style: true
......
......@@ -13,8 +13,8 @@ pseudonymizer:
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey') %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey') %>"
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: {{ template "gitlab.minio.hostname" $ }}
endpoint: {{ template "gitlab.minio.endpoint" $ }}
path_style: true
......
......@@ -40,5 +40,5 @@ Return the redis scheme, or redis. Allowing people to use rediss clusters
Return the redis url.
*/}}
{{- define "gitlab.redis.url" -}}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= File.read("/etc/gitlab/redis/password") %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= URI.escape(File.read("/etc/gitlab/redis/password").strip) %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{- end -}}
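Review bot: `URI.escape` leaves URI reserved characters such as `@`, `:`, `/`, `?` and `#` unencoded, so a Redis password containing any of them still changes how the userinfo part of this URL is parsed. The method is also marked obsolete and is removed in Ruby 3.0. Percent-encoding every non-unreserved character closes both gaps: `<%= ERB::Util.url_encode(File.read("/etc/gitlab/redis/password").strip) %>`.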
......@@ -18,7 +18,7 @@ ActionMailer::Base.smtp_settings = {
{{ if has .Values.global.smtp.authentication (list "login" "plain" "cram_md5") }}
authentication: :{{.Values.global.smtp.authentication}},
user_name: {{ .Values.global.smtp.user_name | quote }},
password: File.read("/etc/gitlab/smtp/smtp-password"),
password: File.read("/etc/gitlab/smtp/smtp-password").strip,
{{- end }}
{{- if .Values.global.smtp.starttls_auto }}
enable_starttls_auto: true,
......
......@@ -49,7 +49,7 @@ metrics:
enabled: true
port: 9121
image: oliver006/redis_exporter
imageTag: latest
imageTag: v0.34.1-alpine
imagePullPolicy: IfNotPresent
resources: {}
annotations:
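Review bot: `imageTag: v0.34.1-alpine` removes the drift of `latest`, but a tag on a third-party Docker Hub repository can still be re-pushed, and with `imagePullPolicy: IfNotPresent` nodes may then run different content under the same tag. Pinning by digest makes the reference immutable, e.g. `imageTag: v0.34.1-alpine@sha256:<DIGEST_PLACEHOLDER>`, if the image template simply joins `image` and `imageTag` with `:` (the template is not shown here). The same applies to the second `metrics:` hunk, which makes the identical change.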
......
......@@ -37,7 +37,7 @@ metrics:
enabled: true
port: 9121
image: oliver006/redis_exporter
imageTag: latest
imageTag: v0.34.1-alpine
imagePullPolicy: IfNotPresent
resources: {}
annotations:
......
......@@ -19,11 +19,11 @@ function fetch_rails_value(){
# Args: secretname
function label_secret(){
local secret_name=$1
{{- if not .Values.global.application.create }}
{{ if not .Values.global.application.create -}}
# Remove application labels if they exist
kubectl --namespace=$namespace label \
secret $secret_name $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g')
{{- end }}
{{ end }}
kubectl --namespace=$namespace label \
--overwrite \
secret $secret_name {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\n" " " }}
......@@ -44,12 +44,12 @@ function generate_secret_if_needed(){
# Initial root password
generate_secret_if_needed {{ template "gitlab.migrations.initialRootPassword.secret" . }} --from-literal={{ template "gitlab.migrations.initialRootPassword.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
{{ if .Values.global.redis.password.enabled -}}
# Redis password
{{if .Values.global.redis.password.enabled -}}
generate_secret_if_needed {{ template "gitlab.redis.password.secret" . }} --from-literal={{ template "gitlab.redis.password.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
{{ end }}
{{if not .Values.global.psql.host -}}
{{ if not .Values.global.psql.host -}}
# Postgres password
generate_secret_if_needed {{ template "gitlab.psql.password.secret" . }} --from-literal=postgres-password=$(gen_random 'a-zA-Z0-9' 64)
{{ end }}
......@@ -60,10 +60,10 @@ generate_secret_if_needed {{ template "gitlab.gitlab-shell.authToken.secret" . }
# Gitaly secret
generate_secret_if_needed {{ template "gitlab.gitaly.authToken.secret" . }} --from-literal={{ template "gitlab.gitaly.authToken.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
{{- if .Values.global.minio.enabled -}}
{{ if .Values.global.minio.enabled -}}
# Minio secret
generate_secret_if_needed {{ template "gitlab.minio.credentials.secret" . }} --from-literal=accesskey=$(gen_random 'a-zA-Z0-9' 64) --from-literal=secretkey=$(gen_random 'a-zA-Z0-9' 64)
{{- end -}}
{{ end }}
# Gitlab runner secret
generate_secret_if_needed {{ template "gitlab.gitlab-runner.registrationToken.secret" . }} --from-literal=runner-registration-token=$(gen_random 'a-zA-Z0-9' 64) --from-literal=runner-token=""
......
......@@ -21,3 +21,8 @@ repos:
replace_in_files:
charts/minio/values.yaml: 'tag: "RELEASE.{version}"'
doc/charts/minio/index.md: '`RELEASE.{version}`'
# GitLab Monitor
- url: https://gitlab.com/gitlab-org/gitlab-monitor.git
installed: v4.0.0
replace_in_files:
charts/gitlab/charts/gitlab-monitor/Chart.yaml: 'appVersion: {version_clean}'
......@@ -70,5 +70,5 @@ run: gitaly: (pid 30562) 77637s; run: log: (pid 30561) 77637s
run: logrotate: (pid 4856) 1859s; run: log: (pid 31262) 77460s
```
[Omnibus GitLab]: https://about.gitlab.com/installation/#ubuntu
[Omnibus GitLab]: https://about.gitlab.com/install/#ubuntu
[gitaly-secret]: ../../installation/secrets.md#gitaly-secret
# Azure Minio Gateway
[Minio](https://minio.io/) is an object storage server that exposes S3-compatible APIs and it has a gateway feature that allows proxying requests to Azure Blob Storage. To setup our gateway, we will make use of Azure's Web App on Linux.
[Minio](https://min.io/) is an object storage server that exposes S3-compatible APIs and it has a gateway feature that allows proxying requests to Azure Blob Storage. To setup our gateway, we will make use of Azure's Web App on Linux.
To get started, make sure you have installed Azure CLI and you are logged in (`az login`). Proceed to create a [Resource group](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#resource-groups), if you don't have one already:
To get started, make sure you have installed Azure CLI and you are logged in (`az login`). Proceed to create a [Resource group](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#resource-groups), if you don't have one already:
```
az group create --name "gitlab-azure-minio" --location "WestUS"
......@@ -79,7 +79,9 @@ az webapp config set \
```
## Conclusion
You can proceed to use this gateway with any client with s3-compability. Your webapp url will be the `s3 endpoint`, storage account name will be your `accesskey` and storage account key will be your `secretkey`.
## Reference
This guide was adapted for posterity from [Alessandro Segala's blog post on same topic.](https://withblue.ink/2017/10/29/how-to-use-s3cmd-and-any-other-amazon-s3-compatible-app-with-azure-blob-storage.html)
This guide was adapted for posterity from [Alessandro Segala's blog post on same topic.](https://withblue.ink/2017/10/29/how-to-use-s3cmd-and-any-other-amazon-s3-compatible-app-with-azure-blob-storage.html)
......@@ -19,7 +19,6 @@ Create a minimal `gitlab.rb` file to be placed at `/etc/gitlab/gitlab.rb`. Be _v
*Note*: This example is not intended to provide [Redis HA](https://docs.gitlab.com/ee/administration/high_availability/redis.html#configuring-redis-ha).
* `REDIS_PASSWORD` should be replaced with the value in the [`gitlab-redis` secret](../../installation/secrets.md#redis-password).
```Ruby
......@@ -50,4 +49,4 @@ run: logrotate: (pid 4856) 1859s; run: log: (pid 31262) 77460s
run: redis: (pid 30562) 77637s; run: log: (pid 30561) 77637s
```
[Omnibus GitLab]: https://about.gitlab.com/installation/#ubuntu
[Omnibus GitLab]: https://about.gitlab.com/install/#ubuntu
......@@ -3,7 +3,7 @@
To reduce configuration duplication when installing our wrapper Helm chart, several
configuration settings are available to be set in the `global` section of `values.yml`.
These global settings are used across several charts, while all other settings are scoped
within their chart. See the [Helm documentation on globals](https://docs.helm.sh/developing_charts/#global-values)
within their chart. See the [Helm documentation on globals](https://helm.sh/docs/developing_charts/#global-values)
for more information on how the global variables work.
- [Hosts](#configure-host-settings)
......@@ -163,6 +163,7 @@ global:
secret: gitlab-redis
key: redis-password
```
## Configure Registry settings
The global Registry settings are located under the `global.registry` key. For more
......
# Using Minio for Object storage
This chart is based on [`stable/minio`](https://github.com/kubernetes/charts/tree/master/stable/minio)
version [`0.4.3`](https://github.com/kubernetes/charts/tree/aaaf98b5d25c26cc2d483925f7256f2ce06be080/stable/minio),
version [`0.4.3`](https://github.com/helm/charts/tree/aaaf98b5d25c26cc2d483925f7256f2ce06be080/stable/minio),
and inherits most settings from there.
## Design Choices
Design choices related to the [upstream chart](https://github.com/kubernetes/charts/tree/master/stable/minio)
Design choices related to the [upstream chart](https://github.com/helm/charts/tree/master/stable/minio)
can be found in the project's README.
GitLab chose to alter that chart in order to simplify configuration of the secrets,
......@@ -102,6 +102,7 @@ pullSecrets:
```
### tolerations
`tolerations` allow you schedule pods on tainted worker nodes
Below is an example use of `tolerations`:
......
# Redis-ha subchart
[Redis](http://redis.io/) is an advanced key-value cache and store. It is often referred
[Redis](https://redis.io/) is an advanced key-value cache and store. It is often referred
to as a data structure server since keys can contain strings, hashes, lists, sets,
sorted sets, bitmaps and hyperloglogs.
......@@ -26,7 +26,7 @@ default values.
| `image.repository` | `registry.gitlab.com/gitlab-org/build/cng/gitlab-redis-ha`| Redis image. |
| `image.tag` | `latest` | Version of the Redis image to use. |
| `init.image` | `busybox` | initContainer image. |
| `init.tag ` | `latest` | initContainer image tag. |
| `init.tag` | `latest` | initContainer image tag. |
| `metrics.enabled` | `true` | Toggle Prometheus Redis exporter sidecar container. |
| `nodeSelector` | `{}` | Node labels for pod assignment. |
| `rbac.create` | `true` | Whether RBAC resources should be created. |
......
......@@ -8,7 +8,7 @@ is composed of 3 primary parts: [Service](https://gitlab.com/charts/gitlab/blob/
[Deployment](https://gitlab.com/charts/gitlab/blob/master/charts/registry/templates/deployment.yaml),
and [ConfigMap](https://gitlab.com/charts/gitlab/blob/master/charts/registry/templates/configmap.yaml).
All configuration is handled according to the official [Registry configuration documentation](https://docs.docker.com/registry/configuration)
All configuration is handled according to the official [Registry configuration documentation](https://docs.docker.com/registry/configuration/)
using `/etc/docker/registry/config.yml` variables provided to the `Deployment` populated
from the `ConfigMap`. The `ConfigMap` overrides the upstream defaults, but is
[based on them](https://github.com/docker/distribution-library-image/blob/master/config-example.yml).
......@@ -21,7 +21,7 @@ See below for more details:
A Kubernetes `Deployment` was chosen as the deployment method for this chart to allow
for simple scaling of instances, while allowing for
[rolling updates](https://kubernetes.io/docs/tutorials/kubernetes-basics/update-intro/).
[rolling updates](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/).
This chart makes use of only two secrets:
......@@ -122,6 +122,7 @@ image:
```
### tolerations
`tolerations` allow you schedule pods on tainted worker nodes
Below is an example use of `tolerations`:
......
......@@ -4,7 +4,7 @@ GitLab operator is an implementation of the [Operator pattern](https://coreos.co
## Operator chart
We provide an [operator chart](https://gitlab.com/charts/gitlab/tree/master/charts/gitlab/charts/operator) for installing the operator. If enabled, the operator will assume control of the upgrade process that was previously managed via [Helm hooks](https://docs.helm.sh/developing_charts/#hooks).
We provide an [operator chart](https://gitlab.com/charts/gitlab/tree/master/charts/gitlab/charts/operator) for installing the operator. If enabled, the operator will assume control of the upgrade process that was previously managed via [Helm hooks](https://helm.sh/docs/developing_charts/#hooks).
### Enabling the operator
......@@ -14,8 +14,8 @@ We provide the flag `global.operator.enabled`, when set to true it enables the o
The operator makes use of Kubernetes CustomResourceDefinitions (CRD). Since Helm will be used for the installation, we need to ensure that this CRD is in place prior to attempting to use it. In order to do this, we have to run an additional command prior to use.
1. `helm upgrade --install <release-name> . --set global.operator.enabled=true --set global.operator.bootstrap=true ... ` where `...` shall be replaced by the rest of the values you would like to set.
2. `helm upgrade <release-name> . --set global.operator.enabled=true --set global.operator.bootstrap=false ...`.
1. `helm upgrade --install <release-name> . --set global.operator.enabled=true --set global.operator.bootstrap=true ...` where `...` shall be replaced by the rest of the values you would like to set.
1. `helm upgrade <release-name> . --set global.operator.enabled=true --set global.operator.bootstrap=false ...`.
The first command will install only the `CRD` but will not actually attempt to deploy the operator. The second command will deploy the operator itself, now that the CRD is in place.
......@@ -25,4 +25,4 @@ The first command will install only the `CRD` but will not actually attempt to d
**NOTE:** The operator is transitioning from a ClusterRole to a regular Role that operates within a namespace. Operator containers after version 0.4 will have this new behavior by default.
**NOTE:** The versions prior to 1.9.0 use the release name as a prefix for CRD name. This feature has been removed and the CRD does not have a prefix. This can cause Helm complain about missing `GitLab` type while upgrading from an older version. To solve this issue you can use `gitlab.operator.crdPrefix` value and pass the release name for upgrade.
\ No newline at end of file
**NOTE:** The versions prior to 1.9.0 use the release name as a prefix for CRD name. This feature has been removed and the CRD does not have a prefix. This can cause Helm complain about missing `GitLab` type while upgrading from an older version. To solve this issue you can use `gitlab.operator.crdPrefix` value and pass the release name for upgrade.
# Role Based Access Control
Until Kubernetes 1.7, there were no permissions within a cluster. With the launch of 1.7, there is now a role based access control system ([RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)) which determines what services can perform actions within a cluster.
Until Kubernetes 1.7, there were no permissions within a cluster. With the launch of 1.7, there is now a role based access control system ([RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)) which determines what services can perform actions within a cluster.
RBAC affects a few different aspects of GitLab:
......
......@@ -4,10 +4,10 @@
The following applications within the GitLab chart require persistent storage to maintain state.
- [gitaly](../charts/gitlab/gitaly/index.md) (persists the git repositories)
- [postgres](https://github.com/kubernetes/charts/tree/master/stable/postgresql) (persists the gitlab database data)
- [redis](../charts/redis/index.md) (persists gitlab job data)
- [minio](../charts/minio/index.md) (persists the object storage data)
- [gitaly](../charts/gitlab/gitaly/index.md) (persists the git repositories)
- [postgres](https://github.com/helm/charts/tree/master/stable/postgresql) (persists the gitlab database data)
- [redis](../charts/redis/index.md) (persists gitlab job data)
- [minio](../charts/minio/index.md) (persists the object storage data)
The administrator may choose to provision this storage using [dynamic][] or [static][] volume provisioning.
......
......@@ -104,4 +104,4 @@ accessible services. The secrets containing these will be `RELEASE-wildcard-tls`
The `RELEASE-wildcard-tls-ca` contains the public CA certificate that can be distributed to users and systems that
will access the deployed GitLab instance.
[cm-annotations]: https://github.com/jetstack/cert-manager/blob/master/docs/reference/ingress-shim.rst#supported-annotations
[cm-annotations]: https://github.com/jetstack/cert-manager/blob/master/docs/tasks/issuing-certificates/ingress-shim.rst#supported-annotations
......@@ -6,6 +6,11 @@ corresponding to the specific release you want to upgrade to and look for any
[release notes](../releases/index.md) that might pertain to the new GitLab chart
version.
Warning: **Warning:**
If you are upgrading from the `1.x` version of the chart to the latest, you need
to first update to the latest `1.9.x` patch release in order for the upgrade to work.
The [2.0 release notes](../releases/2_0.md) describe the supported upgrade path.
We also recommend that you take a [backup](../backup-restore/index.md) first.
Also note that you need to provide all values using `helm upgrade --set key=value` syntax or `-f values.yml` instead of using `--reuse-values` because some of the current values might be deprecated.
......
......@@ -4,6 +4,12 @@ The table below maps some of the key previous chart versions and GitLab versions
| Chart version | GitLab version |
|---------------|----------------|
| 2.0.5 | 12.0.6 |
| 2.0.4 | 12.0.4 |
| 2.0.3 | 12.0.3 |
| 2.0.2 | 12.0.2 |
| 2.0.1 | 12.0.1 |
| 2.0.0 | 12.0.0 |
| 1.9.3 | 11.11.3 |
| 1.9.2 | 11.11.2 |
| 1.9.1 | 11.11.1 |
......
# GitLab Cloud Native Chart 2.0
Along with the 12.0 release of GitLab, we have bumped the chart version to 2.0
## Upgrade path from 1.x
The GitLab version has been updated to 12.x, which has [strict requirements](https://docs.gitlab.com/ee/update/upgrading_from_source.html#1200)
on it's migration path from previous versions.
This means that in order to upgrade to the 2.0 version of the chart, you first need to upgrade to the latest `1.9.x`
release of the chart. Check the [version mapping details](../installation/version_mappings.md) for the latest patch.
If you don't first upgrade to the latest `1.9.x` patch, you will see the following error from `helm upgrade`
```bash
Error: UPGRADE FAILED: Job failed: BackoffLimitExceeded
```
You can then confirm you are in this situation by looking for pods in error with the text `gitlab-upgrade-check` in the name.
If you check the logs for those pods will see the version upgrade error message.
```
It seems you are attempting an unsupported upgrade path.
Please follow the upgrade documentation at https://docs.gitlab.com/ee/policy/maintenance.html#upgrade-recommendations
and upgrade to 11.11 before upgrading to 12.0.0.
```
## Known issues and limitations
The chart and containers are a work in progress, and not all features are fully functional. Below is a list of the known issues and limitations, although it may not be exhaustive. We recommend also reviewing the [open issues](https://gitlab.com/charts/gitlab/issues).
Helm Chart Issues/Limitations:
* No in-cluster HA database https://gitlab.com/charts/gitlab/issues/48
* No GitLab Pages support https://gitlab.com/charts/gitlab/issues/37
* No GitLab Geo support https://gitlab.com/charts/gitlab/issues/8
* Restoring backups taken from install types other than this GitLab chart require you to migrate the original instance to object storage first https://gitlab.com/charts/gitlab/issues/646
Features that are currently out of scope:
* Relative URL as the GitLab Endpoint https://gitlab.com/charts/gitlab/issues/406
## Release cadence
We will be releasing a new version of the chart with each new GitLab patch.
More information on how we are versioning the chart can be found in the [release documentation](../development/release.md).
Along with the issues and merge requests in this repo, a [changelog](https://gitlab.com/charts/gitlab/blob/master/CHANGELOG.md) is available to more easily follow along with updates.
## Kubernetes deployment support
GitLab is tested against:
* [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/)
* [Amazon EKS](https://aws.amazon.com/eks/)
Other Kubernetes deployments should also work. In the event of a specific non-GKE deployment issue, please raise an issue.
We are currently using Kubernetes version 1.11.8 in our automated tests, and 1.12.8 for development.
## Technical support
Before opening an issue please review the [known issues and limitations](#known-issues-and-limitations), and [search](https://gitlab.com/charts/gitlab/issues) to see if a similar issue already exists.
We greatly appreciate the wider testing of the community, and encourage [detailed issues to be reported](https://gitlab.com/charts/gitlab/issues/new) so we can address them.
We welcome any improvements contributed in the form of [Merge Requests](https://gitlab.com/charts/gitlab/merge_requests).
# Release
- [2.0](2_0.md)
- [1.0](1_0.md)
- [Beta](beta.md)
- [Alpha](alpha.md)
......@@ -13,6 +13,6 @@ dependencies:
repository: https://kubernetes-charts.storage.googleapis.com/
condition: postgresql.install
- name: gitlab-runner
version: 0.5.2
version: 0.6.0
repository: https://charts.gitlab.io/
condition: gitlab-runner.install
......@@ -40,10 +40,17 @@ class VersionFetcher
new_version
end
# GitLab Monitor Version
def gitlab_monitor
# Don't edit the appVersion, it get's set manually as monitor isn't released by release-tools
nil
end
def fetch(chart_name)
chart_name = chart_name.tr('-', '_').to_sym
return @version unless respond_to?(chart_name)
Version.new(send(chart_name)) if @version
chart_version = send(chart_name) if @version
Version.new(chart_version) if chart_version
end
private
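Review bot: `fetch` now returns nil on two different paths, when `@version` is unset and when the chart method itself returns nil (as the new `gitlab_monitor` does), and nothing at the method says so. A caller cannot tell "leave appVersion alone" from "no version was supplied". I would add a comment above `def fetch`, for example `# Returns nil when no version was given or when the chart's appVersion is maintained by hand (see gitlab_monitor).` Separately, the dispatch relies on `respond_to?` to keep `send` on public methods only; `public_send(chart_name)` would state that intent directly. The class starts and continues outside this hunk.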
......
#!/usr/bin/env ruby
require 'docker'
require 'yaml'
require 'net/http'
require 'json'
require 'cgi'
require 'zip'
class CNGImageSync
CI_API_V4_URL = ENV['CI_API_V4_URL'] || "https://dev.gitlab.org/api/v4".freeze
DEV_REGISTRY_URL = "dev.gitlab.org:5005".freeze
COM_REGISTRY_URL = "registry.gitlab.com".freeze
DEV_PROJECT_PATH = ENV['DEV_CNG_PROJECT'] || "gitlab/charts/components/images".freeze
COM_PROJECT_PATH = ENV['COM_CNG_PROJECT'] || "gitlab-org/build/cng".freeze
DEV_PROJECT_REGISTRY = ENV['DEV_CNG_REGISTRY'] || "#{DEV_REGISTRY_URL}/#{DEV_PROJECT_PATH}".freeze
COM_PROJECT_REGISTRY = ENV['COM_CNG_REGISTRY'] || "#{COM_REGISTRY_URL}/#{COM_PROJECT_PATH}".freeze
DEV_REGISTRY_PASSWORD = ENV['FETCH_DEV_ARTIFACTS_PAT'] || ENV['CI_JOB_TOKEN']
COM_REGISTRY_PASSWORD = ENV['PUSH_IMAGES_PAT']
DEV_API_TOKEN = ENV['FETCH_DEV_ARTIFACTS_PAT']
GITLAB_VERSION = YAML.load_file('Chart.yaml')['appVersion'].strip.freeze
class << self
def get_api(uri, token = DEV_API_TOKEN)
req = Net::HTTP::Get.new(uri)
req['PRIVATE-TOKEN'] = token
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(req)
end
res
end
def get_components(version)
artifact_uri = URI("#{CI_API_V4_URL}/projects/#{CGI.escape(DEV_PROJECT_PATH)}/jobs/artifacts/v#{version}/raw/artifacts/image_versions.txt?job=component-details")
puts "Fetching component list from #{artifact_uri}"
res = get_api(artifact_uri)
components = res.body.split("\n")
components.map { |c| c.split(":") }.to_h
end
def authenticate_registry(registry, password)
# `CI_REGISTRY_USER` variable translates to `gitlab-ci-token` internally,
# which will work with GitLab's container registry authentication as long
# as the password is a valid PAT. In other words, as long as the password
# is a valid PAT, we need not bother about a username and can simply use
# `gitlab-ci-token`, which is what we are doing here.
Docker.authenticate!(username: ENV['CI_REGISTRY_USER'], password: password, serveraddress: registry)
end
def pull_and_tag_images(initial_registry, new_registry, components)
components.each do |component, version|
initial_ref = "#{initial_registry}/#{component}:#{version}".downcase
target_repo = "#{new_registry}/#{component}".downcase
puts "Pulling #{initial_ref}"
STDOUT.flush
image = Docker::Image.create(fromImage: initial_ref)
image.tag(repo: target_repo, tag: version)
end
end
def push_images(registry, components)
components.each do |component, version|
ref = "#{registry}/#{component}:#{version}".downcase
puts "Pushing #{ref}"
STDOUT.flush
image = Docker::Image.get(ref)
image.push(nil, repo_tag: ref)
end
end
def check_auth
message = <<~MESSAGE
Login credentials for registries are missing. Make sure the following environment variables are set
PUSH_IMAGES_PAT - PAT with access to gitlab.com API
MESSAGE
raise message if COM_REGISTRY_PASSWORD.nil?
end
def execute(edition: 'ee')
check_auth
version = edition == 'ce' ? GITLAB_VERSION : "#{GITLAB_VERSION}-ee"
puts "Syncing images for version #{version}"
components = get_components(version)
authenticate_registry(DEV_REGISTRY_URL, DEV_REGISTRY_PASSWORD)
pull_and_tag_images(DEV_PROJECT_REGISTRY, COM_PROJECT_REGISTRY, components)
authenticate_registry(COM_REGISTRY_URL, COM_REGISTRY_PASSWORD)
push_images(COM_PROJECT_REGISTRY, components)
puts "Sync completed"
end
end
end
#!/bin/bash
CNG_REGISTRY=${CNG_REGISTRY:-"registry.gitlab.com/gitlab-org/build/cng"}
GITLAB_VERSION=$(awk '/^appVersion:/ {print $2}' Chart.yaml)
if [ "${GITLAB_VERSION}" == "master" ]; then
echo "Chart specifies master as GitLab version. Hence not waiting for images."
exit 0
fi
#TODO: Get all the components and their corresponding versions
components=(gitlab-rails-ee gitlab-unicorn-ee gitlab-workhorse-ee gitlab-sidekiq-ee gitlab-task-runner-ee)
for component in "${components[@]}"; do
image="${CNG_REGISTRY}/${component}:v${GITLAB_VERSION}"
echo -n "Waiting for ${image}: "
while ! $(DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect "${image}" > /dev/null 2>&1 ) ; do
echo -n ".";
sleep 1m;
done
echo "Found"
done
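Review bot: The wait loop has no upper bound and sends all output of `docker manifest inspect` to `/dev/null`, so a registry outage, an authentication failure or a mistyped tag looks exactly like "image not built yet". The job then spins until the CI timeout with nothing in the log to explain why. The `while ! $( ... )` form also wraps the command in a substitution that is only used for its exit status; calling the command directly in an `until` is clearer. I would cap the attempts and print the last error when giving up, as sketched below. `MAX_ATTEMPTS` is a name proposed here, not one that exists in the repository.

```shell
  echo -n "Waiting for ${image}: "
  attempts=0
  until err=$(DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect "${image}" 2>&1 > /dev/null); do
    attempts=$((attempts + 1))
    if [ "${attempts}" -ge "${MAX_ATTEMPTS:-120}" ]; then
      echo "gave up after ${attempts} attempts"
      echo "last error: ${err}" >&2
      exit 1
    fi
    echo -n "."
    sleep 1m
  done
  # … unchanged: echo "Found" and the end of the for loop …
```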
......@@ -74,7 +74,7 @@ describe "Restoring a backup" do
object_storage.get_object(
response_target: '/tmp/original_backup.tar',
bucket: 'gitlab-backups',
key: '0_11.6.0-pre_gitlab_backup.tar'
key: '0_11.11.3_gitlab_backup.tar'
)
cmd = 'mkdir -p /tmp/original_backup && tar -xf /tmp/original_backup.tar -C /tmp/original_backup'
......
......@@ -83,7 +83,7 @@ module Gitlab
end
def restore_from_backup
backup = ENV['BACKUP_TIMESTAMP'] || '0_11.6.0-pre'
backup = ENV['BACKUP_TIMESTAMP'] || '0_11.11.3'
cmd = full_command("backup-utility --restore -t #{backup}")
stdout, status = Open3.capture2e(cmd)
......@@ -159,7 +159,7 @@ module Gitlab
def ensure_backups_on_object_storage
storage_url = 'https://storage.googleapis.com/gitlab-charts-ci/test-backups'
backup_file_names = ['11.6.0-pre_gitlab_backup.tar']
backup_file_names = ['11.11.3_gitlab_backup.tar']
backup_file_names.each do |file_name|
file = open("#{storage_url}/#{file_name}").read
object_storage.put_object(
......
......@@ -103,8 +103,9 @@ Global gitlab imagePullPolicy
*/}}
{{- define "gitlab.imagePullPolicy" -}}
{{- if or .Values.image.pullPolicy .Values.global.imagePullPolicy -}}
imagePullPolicy: {{ coalesce .Values.image.pullPolicy .Values.global.imagePullPolicy | quote }}
{{- $imageObj := default (dict) .Values.image -}}
{{- if or $imageObj.imagePullPolicy .Values.global.imagePullPolicy -}}
imagePullPolicy: {{ coalesce $imageObj.imagePullPolicy .Values.global.imagePullPolicy | quote }}
{{- end -}}
{{- end -}}
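Review bot: The new lookup reads `$imageObj.imagePullPolicy` where the old one read `.Values.image.pullPolicy`, so the per-chart key this helper honours has changed name along with the nil guard. Unless the sub-chart values were renamed elsewhere in this change, a deployment that sets `image.pullPolicy` will fall through to the global value or to no `imagePullPolicy` line at all. That can silently change which image a node ends up running. If the rename is not intended, keep the old key behind the new guard: `{{- if or $imageObj.pullPolicy .Values.global.imagePullPolicy -}}`, with the matching `coalesce $imageObj.pullPolicy .Values.global.imagePullPolicy | quote`. If it is intended, it deserves a line in the helper's comment and the changelog.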
......
#!/bin/sh
notify() {
echo "$1"
echo -n "$1 " >> /dev/termination-log
}
greater_version()
{
test "$(printf '%s\n' "$@" | sort -V | tail -n 1)" = "$1";
}
MIN_VERSION=11.11
# Only run check for semver releases
if ! awk 'BEGIN{exit(!(ARGV[1] ~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/))}' "$GITLAB_VERSION"; then
exit 0
fi
NEW_MAJOR_VERSION=$(echo $GITLAB_VERSION | awk -F "." '{print $1}')
NEW_MINOR_VERSION=$(echo $GITLAB_VERSION | awk -F "." '{print $1"."$2}')
if [ ! -f /chart-info/gitlabVersion ]; then
notify "It seems you are attempting an unsupported upgrade path."
notify "Please follow the upgrade documentation at https://docs.gitlab.com/ee/policy/maintenance.html#upgrade-recommendations"
notify "and upgrade to 11.11.3 (Chart Version 1.9.4) before upgrading to ${GITLAB_VERSION}."
exit 1
fi
OLD_VERSION_STRING=$(cat /chart-info/gitlabVersion)
# Skip check if old version wasn't semver
if ! awk 'BEGIN{exit(!(ARGV[1] ~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/))}' "$OLD_VERSION_STRING"; then
exit 0
fi
OLD_MAJOR_VERSION=$(echo $OLD_VERSION_STRING | awk -F "." '{print $1}')
OLD_MINOR_VERSION=$(echo $OLD_VERSION_STRING | awk -F "." '{print $1"."$2}')
# Checking
# (i) if it is a major version jump
# (ii) if existing version is less than required minimum version
if test ${OLD_MAJOR_VERSION} -lt ${NEW_MAJOR_VERSION}; then
if ! greater_version $OLD_MINOR_VERSION $MIN_VERSION; then
notify "It seems you are upgrading from ${OLD_MAJOR_VERSION}.x version series to ${NEW_MAJOR_VERSION}.x series."
notify "It is recommended to upgrade to the last minor version in a major version series"
notify "first before jumping to the next major version."
notify "Please follow the upgrade documentation at https://docs.gitlab.com/ee/policy/maintenance.html#upgrade-recommendations"
notify "and upgrade to 11.11.3 (Chart Version 1.9.4) first."
exit 1
fi
fi
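Review bot: `MIN_VERSION=11.11` and the "11.11.3 (Chart Version 1.9.4)" text in the messages are fixed values, so the inner test only enforces "last minor of the previous series" for an 11.x to 12.x jump. For any later major jump the old version is already at or above 11.11 and the check passes whatever minor it is on. Nothing in the script says these values must move with each major release; I would add a comment above the assignment such as `# Last minor of the previous major series; bump together with the version named in the messages below on every major release.` The `$GITLAB_VERSION` and `$OLD_VERSION_STRING` expansions fed to `echo` and `test` are also unquoted, while the semver check only anchors the start of the string; quoting them (`echo "$GITLAB_VERSION" | awk ...`) avoids word splitting on anything that follows the version prefix.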
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fullname" . }}-chart-info
namespace: {{ $.Release.Namespace }}
labels:
{{ include "gitlab.standardLabels" . | indent 4 }}
data:
gitlabVersion: "{{ coalesce .Values.global.gitlabVersion .Chart.AppVersion }}"
{{- if .Values.upgradeCheck.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fullname" . }}-upgrade-check
namespace: {{ $.Release.Namespace }}
labels:
{{ include "gitlab.standardLabels" . | indent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-11"
"helm.sh/hook-delete-policy": before-hook-creation
data:
runcheck: |
{{ include (print $.Template.BasePath "/_runcheck.tpl") . | indent 4 }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "fullname" . }}-upgrade-check
namespace: {{ .Release.Namespace }}
labels:
{{ include "gitlab.standardLabels" . | indent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
backoffLimit: 2
template:
metadata:
labels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
spec:
{{- if .Values.upgradeCheck.tolerations }}
tolerations:
{{ toYaml .Values.upgradeCheck.tolerations | indent 8 }}
{{- end }}
restartPolicy: Never
{{- include "pullsecrets" .Values.upgradeCheck.image | indent 6}}
containers:
- name: run-check
image: "{{ .Values.upgradeCheck.image.repository }}:{{ .Values.upgradeCheck.image.tag }}"
command: ['/bin/sh', '/scripts/runcheck']
{{ template "gitlab.imagePullPolicy" . }}
env:
- name: GITLAB_VERSION
value: '{{ coalesce .Values.global.gitlabVersion .Chart.AppVersion }}'
volumeMounts:
- name: chart-info
mountPath: /chart-info
- name: scripts
mountPath: /scripts
resources:
{{ toYaml .Values.upgradeCheck.resources | indent 12 }}
volumes:
- name: chart-info
configMap:
name: {{ template "fullname" . }}-chart-info
optional: true
- name: scripts
configMap:
name: {{ template "fullname" . }}-upgrade-check
{{- end }}
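Review bot: The hook Job's pod spec sets no `securityContext` and does not opt out of the service account token mount, although the script it runs only reads the two mounted ConfigMaps and writes to the termination log. This pod runs before every upgrade from a general-purpose image, so it is worth giving it only what it needs: `automountServiceAccountToken: false` at pod level, and on the container a `securityContext` with `allowPrivilegeEscalation: false` and a non-root `runAsUser`. The non-root user is a suggestion to confirm against the termination-log write. `resources` is also rendered from values that define requests only, so the container has no limits unless the operator adds them.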
......@@ -12,7 +12,7 @@
# - external Redis
# - external NGINX
# - PersistentVolume configuration
# - external Object Storage providers
# - external Object Storage providers
## The global properties are used to configure multiple charts at once.
## Extended documenation at doc/charts/globals.md
......@@ -229,7 +229,7 @@ global:
hostKeys: {}
# secret:
## Rails application secrets
## Rails application secrets
## Secret created according to doc/installation/secrets.md#gitlab-rails-secret
## If allowing shared-secrets generation, this is OPTIONAL.
railsSecrets: {}
......@@ -300,6 +300,16 @@ global:
# - secret: more-custom-CAs
## End of global
upgradeCheck:
enabled: true
image:
repository: busybox
tag: latest
tolerations: []
resources:
requests:
cpu: 50m
## Settings to for the Let's Encrypt ACME Issuer
# certmanager-issuer:
## The email address to register certificates requested from Let's Encrypt.
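Review bot: The default `upgradeCheck.image` is `busybox` with `tag: latest`, a mutable tag, so the pre-upgrade hook runs whatever image that name resolves to at install time. The check script depends on tool behaviour in that image (`sort -V`, awk interval expressions), so a different busybox build can change the result of the upgrade gate, and the content that runs in the cluster is not reproducible. I would pin a specific release and quote it so it stays a string, e.g. `tag: "<pinned-busybox-version>"`, or reference the image by digest. A comment above the block noting that `upgradeCheck.enabled: false` disables the version gate entirely would also help operators.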
......@@ -445,13 +455,13 @@ gitlab-runner:
## doc/charts/gitlab/migrations
# migrations:
# enabled: false
## doc/charts/gitlab/unicorn
## doc/charts/gitlab/unicorn
# unicorn:
# enabled: false
## doc/charts/gitlab/sidekiq
## doc/charts/gitlab/sidekiq
# sidekiq:
# enabled: false
## doc/charts/gitlab/gitaly
## doc/charts/gitlab/gitaly
# gitaly:
# enabled: false
## doc/charts/gitlab/gitlab-shell
......