 
Commits (36)
......@@ -335,7 +335,7 @@ check_docs_lint:
# Lint Markdown
# https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md
- bundle exec mdl content/charts/**/*.md --rules \
MD001,MD004,MD029,MD032,MD034
MD001,MD003,MD004,MD011,MD023,MD029,MD032,MD034,MD037,MD039
# Build HTML from Markdown
- bundle exec nanoc
# Check the internal links
......@@ -446,6 +446,7 @@ check_docs_lint:
--set ci.job.url="$CI_JOB_URL" \
--set ci.pipeline.url="$CI_PIPELINE_URL" \
--set releaseOverride="$CI_ENVIRONMENT_SLUG" \
--set global.imagePullPolicy="Always" \
--set global.hosts.hostSuffix="$HOST_SUFFIX" \
--set global.hosts.domain="$KUBE_INGRESS_BASE_DOMAIN" \
--set global.ingress.annotations."external-dns\.alpha\.kubernetes\.io/ttl"="10" \
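Review bot: the new `--set global.imagePullPolicy="Always"` only takes effect together with the `_helpers.tpl` hunk at the end of this MR, which changes `gitlab.imagePullPolicy` to read `$imageObj.pullPolicy` and fall back to `.Values.global.imagePullPolicy`; as long as both land together this is fine. `Always` is the right setting for review environments that redeploy mutable image tags from the same pipeline, since `IfNotPresent` can leave a node serving a stale layer for a tag that was just rebuilt. A one-line comment in the job saying that this is deliberate for CI, and not a recommended production default, would save the next reader from "fixing" it.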
......
......@@ -2,6 +2,97 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 2.1.7
### Other (1 change)
- Update GitLab Version to 12.1.6.
## 2.1.6
### Fixed (1 change, 1 of them is from the community)
- Disable client-side validation of kubectl apply to fix #1497. !885 (Semjon Bibow)
### Other (1 change)
- Update GitLab Version to 12.1.4.
## 2.1.5
### Fixed (1 change)
- Generated Random Secrets Should Not Wrap. !875
### Other (1 change)
- Update GitLab Version to 12.1.4.
## 2.1.4
### Other (1 change)
- Update GitLab Version to 12.1.4.
## 2.1.3
### Other (1 change)
- Update GitLab Version to 12.1.3.
## 2.1.2
### Other (1 change)
- Update GitLab Version to 12.1.2.
## 2.1.1
### Other (1 change)
- Update GitLab Version to 12.1.1.
## 2.1.0
### Fixed (8 changes, 2 of them are from the community)
- Mailroom: fix redis without passsword. !816 (arthur13)
- Add ability to specify extrernal objectStorage for task-runner backup. !821 (Matthew Cascio)
- Fix ability to set internal port of gitlab-workhorse. !840
- Use sort to compare versions in upgrade logic. !846
- Freeze the version of redis exporter image. !850
- Fixed shared secrets whitespace templating #1410. !861
- Escape and quote all passwords in ERB templates. !869
- Set pullPolicy for CI to Always #1460. !873
### Changed (2 changes)
- Add prometheus metrics debug configuration. !838
- Make version changes to chart files only if incoming version is higher. !859
### Added (5 changes, 3 of them are from the community)
- Make the Task Runner backup backend configurable. !707 (Vic Iglesias)
- Support Git over SSH on OpenShift. !824
- Registry: Add service port for Prometheus metrics. !842
- Support for optional extra arguments for the cron based backup on Kubernetes. !854 (Gerard Boor)
- Document global.appConfig.defaultProjectsFeatures.containerRegistry #1456. !871 (Mike Rennie)
### Other (4 changes)
- CI: add CI vars to helm properties. !851
- Run before_fork only once on boot for Unicorn. !852
- Update gitlab-runner to 0.7.0/12.1.0. !878
- Update GitLab Version to 12.1.0.
## 2.0.3 (2019-07-03)
### Other (1 change)
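Review bot: two 2.1.0 entries carry typos that will be published verbatim in the release notes: `Mailroom: fix redis without passsword` and `Add ability to specify extrernal objectStorage for task-runner backup`. Both come from the `title:` fields of the per-change YAML files later in this diff, so fix them there and regenerate CHANGELOG.md rather than patching the compiled file by hand, otherwise the next release will reintroduce them.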
......
---
apiVersion: v1
name: gitlab
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: Web-based Git-repository manager with wiki and issue-tracking features.
keywords:
- gitlab
......
---
title: Add ability to specify extrernal objectStorage for task-runner backup
merge_request: 821
author: Matthew Cascio
type: fixed
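Review bot: `extrernal` in the title should be `external`; this title is what gets compiled into the 2.1.0 section of CHANGELOG.md, so the fix belongs here.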
---
title: Fix ability to set internal port of gitlab-workhorse
merge_request: 840
author:
type: fixed
---
title: Freeze the version of redis exporter image
merge_request: 850
author:
type: fixed
---
title: 'Fixed shared secrets whitespace templating #1410'
merge_request: 861
author:
type: fixed
---
title: 'Mailroom: fix redis without passsword'
merge_request: 816
author: arthur13
type: fixed
\ No newline at end of file
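Review bot: `passsword` in the title should be `password`, and the file is missing its trailing newline (`\ No newline at end of file`); the typo is copied into the 2.1.0 release notes, and the missing newline will produce a noisy diff the next time this file is touched.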
---
title: Support Git over SSH on OpenShift
merge_request: 824
author:
type: added
---
title: Run before_fork only once on boot for Unicorn
merge_request: 852
author:
type: other
---
title: Support for optional extra arguments for the cron based backup on Kubernetes
merge_request: 854
author: Gerard Boor
type: added
---
title: 'CI: add CI vars to helm properties'
merge_request: 851
author:
type: other
---
title: Chart pull policies syntax restored to previous and documented names
merge_request: 904
author:
type: fixed
---
title: "Use sort to compare versions in upgrade logic"
merge_request: 846
author:
type: fixed
---
title: Add prometheus metrics debug configuration
merge_request: 838
author:
type: changed
---
title: 'Registry: Add service port for Prometheus metrics'
merge_request: 842
author:
type: added
---
title: Make version changes to chart files only if incoming version is higher
merge_request: 859
author:
type: changed
---
title: Make the Task Runner backup backend configurable
merge_request: 707
author: Vic Iglesias
type: added
---
apiVersion: v1
name: gitaly
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 1.53.2
description: Git RPC service for handling all the git calls made by GitLab
keywords:
- gitlab
......
......@@ -33,7 +33,7 @@ data:
<% raise Exception, "Storage for node #{@index} is not present in the storageNames array. Did you use kubectl to scale up ? You need to solely use helm for this purpose" %>
<% end %>
[auth]
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token') %>"
token = "<%= File.read('/etc/gitlab-secrets/gitaly/gitaly_token').strip.dump[1..-2] %>"
[gitaly-ruby]
# The directory where gitaly-ruby is installed
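Review bot: the `.strip.dump[1..-2]` wrapper on the `[auth] token` line closes a real config-injection edge: a token containing `"` or a newline was previously pasted raw inside a TOML basic string and could terminate the string, or the whole `[auth]` table, before Gitaly parsed it. Two caveats are worth a comment next to the line. First, `String#dump` emits Ruby escapes, not TOML escapes, so a token that happens to contain `#{`, `#$` or `#@` comes out as `\#…`, which a TOML parser rejects as an unknown escape; `\"`, `\\`, `\n`, `\t` and `\uXXXX` are shared between the two and are the cases this change is really after. Second, `.strip` silently alters any secret with leading or trailing whitespace. Both are harmless for secrets the chart generates itself from `[a-zA-Z0-9]` ranges (see the `gen_random` calls in the secrets hook below), but a user-supplied token from a pre-existing Secret is not guaranteed to be that clean, so stating the accepted character set would help. The same applies to the workhorse `[redis] Password` line later in this diff, which is also TOML.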
......@@ -63,7 +63,7 @@ data:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password") %>"
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password").strip.dump[1..-2] %>"
{{- end }}
database: nil
namespace: resque:gitlab
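Review bot: same pattern as the TOML token above, but here the target is a YAML double-quoted scalar, where `String#dump` is a closer fit: YAML defines `\"`, `\\`, `\n`, `\t`, `\xNN` and `\uNNNN`, so quotes, backslashes and newlines in the Redis password are now safe. The remaining mismatch is again `\#`, which Ruby emits for `#{` and which YAML does not define. Since the identical `.strip.dump[1..-2]` expression is repeated across the gitaly, gitlab-shell, mailroom, migrations, sidekiq, task-runner, unicorn, ldap and minio templates in this MR, consider a single `define` in `_helpers.tpl` (the chart already keeps the `gitlab.appConfig.*` snippets there) that emits the ERB fragment for a given secret path; one place makes the escaping rule auditable and lets a later fix for the `\#` case land once.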
......
---
apiVersion: v1
name: gitlab-monitor
version: 2.0.3
version: 2.1.7
appVersion: 4.0.0
description: Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors)
keywords:
......
......@@ -17,7 +17,7 @@ data:
methods:
- probe_db
opts:
connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read("/etc/gitlab/postgres/psql-password") %>'
connection_string: dbname={{ template "gitlab.psql.database" . }} user={{ template "gitlab.psql.username" . }} host={{ template "gitlab.psql.host" . }} port={{ template "gitlab.psql.port" . }} password='<%= File.read("/etc/gitlab/postgres/psql-password").strip.gsub(/[\'\\]/) { |esc| '\\' + esc } %>'
database:
multiple: true
ci_builds:
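Review bot: `gsub(/[\'\\]/) { |esc| '\\' + esc }` is the correct escaping for a libpq single-quoted conninfo value (only `'` and `\` need a backslash there), but the whole `connection_string:` remains a YAML plain scalar, so a password containing a newline, ` #` or `: ` would end the scalar or start a comment before libpq ever sees it. Either wrap the entire value in YAML double quotes (and then escape with `dump` like the other templates) or document that the psql password is assumed to be free of those characters. It is also the only template in this MR that escapes with `gsub` rather than `.strip.dump[1..-2]`; a short comment explaining why (conninfo, not YAML/TOML) would stop someone from "normalising" it later.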
......
---
apiVersion: v1
name: gitlab-shell
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 9.3.0
description: sshd for Gitlab
keywords:
- gitlab
......
......@@ -32,7 +32,7 @@ data:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/password") %>"
pass: "<%= File.read("/etc/gitlab-secrets/redis/password").strip.dump[1..-2] %>"
{{- end }}
database: nil
namespace: resque:gitlab
......
---
apiVersion: v1
name: mailroom
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: Handling incoming emails
keywords:
- gitlab
......
......@@ -16,7 +16,7 @@ data:
:ssl: {{ .ssl }}
:start_tls: {{ .startTls }}
:email: {{ .user }}
:password: "<%= File.read("/etc/gitlab/mailroom/password") %>"
:password: "<%= File.read("/etc/gitlab/mailroom/password").strip.dump[1..-2] %>"
:idle_timeout: {{ .idleTimeout }}
:name: {{ .mailbox }}
:delete_after_delivery: true
......
---
apiVersion: v1
name: migrations
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: Database migrations and other versioning tasks for upgrading Gitlab
keywords:
- gitlab
......
......@@ -14,7 +14,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......
---
apiVersion: v1
name: operator
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: Gitlab operator for managing upgrades
keywords:
- gitlab
......
---
apiVersion: v1
name: sidekiq
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: Gitlab Sidekiq for asynchronous task processing in rails
keywords:
- gitlab
......
......@@ -16,7 +16,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......
---
apiVersion: v1
name: task-runner
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: For manually running rake tasks through kubectl
keywords:
- gitlab
......
......@@ -14,7 +14,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
{{- include "gitlab.psql.ssl.config" . | indent 6 }}
......@@ -107,6 +107,7 @@ data:
default_mime_type = binary/octet-stream
enable_multipart = True
multipart_max_chunks = 10000
multipart_chunk_size_mb = 128
recursive = True
recv_chunk = 65536
send_chunk = 65536
......
---
apiVersion: v1
name: unicorn
version: 2.0.3
appVersion: master
version: 2.1.7
appVersion: 12.1.6
description: HTTP server for Gitlab
keywords:
- gitlab
......
......@@ -16,7 +16,7 @@ data:
database: {{ template "gitlab.psql.database" . }}
pool: 10
username: {{ template "gitlab.psql.username" . }}
password: "<%= File.read("/etc/gitlab/postgres/psql-password") %>"
password: "<%= File.read("/etc/gitlab/postgres/psql-password").strip.dump[1..-2] %>"
host: {{ template "gitlab.psql.host" . }}
port: {{ template "gitlab.psql.port" . }}
# load_balancing:
......@@ -190,7 +190,7 @@ data:
[redis]
URL = "{{ template "gitlab.redis.scheme" . }}://{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}"
{{- if .Values.global.redis.password.enabled }}
Password = "<%= File.read("/etc/gitlab/redis/password") %>"
Password = "<%= File.read("/etc/gitlab/redis/password").strip.dump[1..-2] %>"
{{- end }}
configure: |
set -e
......
{{- define "gitlab.appConfig.gitaly" -}}
gitaly:
client_path: /home/git/gitaly/bin
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token') %>"
token: "<%= File.read('/etc/gitlab/gitaly/gitaly_token').strip.dump[1..-2] %>"
{{- end -}}
{{- define "gitlab.appConfig.repositories" -}}
......
......@@ -25,7 +25,7 @@ Usage example:
{{- $.name }}:
{{- toYaml (omit $.config "password") | trimSuffix "\n" | nindent 2 -}}
{{- if and $.config.password (not (kindIs "string" $.config.password ))}}
password: "<%= File.read('/etc/gitlab/ldap/{{ $.name }}/password') %>"
password: "<%= File.read('/etc/gitlab/ldap/{{ $.name }}/password').strip.dump[1..-2] %>"
{{- end -}}
{{- end -}}{{/* gitlab.appConfig.ldap.servers.configuration */}}
......
......@@ -22,8 +22,8 @@ object_store:
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey') %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey') %>"
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: {{ template "gitlab.minio.hostname" .context }}
endpoint: {{ template "gitlab.minio.endpoint" .context }}
path_style: true
......
......@@ -13,8 +13,8 @@ pseudonymizer:
connection:
provider: AWS
region: us-east-1
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey') %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey') %>"
aws_access_key_id: "<%= File.read('/etc/gitlab/minio/accesskey').strip.dump[1..-2] %>"
aws_secret_access_key: "<%= File.read('/etc/gitlab/minio/secretkey').strip.dump[1..-2] %>"
host: {{ template "gitlab.minio.hostname" $ }}
endpoint: {{ template "gitlab.minio.endpoint" $ }}
path_style: true
......
......@@ -40,5 +40,5 @@ Return the redis scheme, or redis. Allowing people to use rediss clusters
Return the redis url.
*/}}
{{- define "gitlab.redis.url" -}}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= File.read("/etc/gitlab/redis/password") %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= URI.escape(File.read("/etc/gitlab/redis/password").strip) %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{- end -}}
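Review bot: `URI.escape` does not percent-encode `@`, `:`, `/`, `?`, `&` or `=` (its default unsafe set leaves reserved characters alone), so a Redis password containing `@` still yields `redis://:pa@ss@host:port`, which is exactly the malformed userinfo this change sets out to prevent. `ERB::Util.url_encode` encodes everything outside the unreserved set (and, unlike `CGI.escape`, turns a space into `%20` rather than `+`), which is what a URL userinfo component needs. Independently, `URI.escape` is obsolete: it warns on Ruby 2.7 and is removed in 3.0, so this line breaks on the next Ruby upgrade regardless.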
......@@ -18,7 +18,7 @@ ActionMailer::Base.smtp_settings = {
{{ if has .Values.global.smtp.authentication (list "login" "plain" "cram_md5") }}
authentication: :{{.Values.global.smtp.authentication}},
user_name: {{ .Values.global.smtp.user_name | quote }},
password: File.read("/etc/gitlab/smtp/smtp-password"),
password: File.read("/etc/gitlab/smtp/smtp-password").strip,
{{- end }}
{{- if .Values.global.smtp.starttls_auto }}
enable_starttls_auto: true,
......
......@@ -108,7 +108,7 @@ stringData:
openid_connect_signing_key: |
$(echo "${openid_connect_signing_key}" | awk '{print " " $0}')
EOF
kubectl --namespace=$namespace apply -f rails-secrets.yml
kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml
label_secret $rails_secret
fi
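Review bot: `--validate=false` disables only the client-side OpenAPI schema check, but that check is the one place a misspelled field in the generated `rails-secrets.yml` would be caught; on clusters of this vintage the API server drops unknown fields silently on apply rather than rejecting them. The manifest here is a plain `Secret` with `stringData`, so the blast radius is small, but a comment pointing at #1497 (the reason the client check is being skipped) would stop a later reader from re-enabling or removing it without context.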
......@@ -122,4 +122,4 @@ generate_secret_if_needed {{ template "gitlab.gitlab-shell.hostKeys.secret" . }}
generate_secret_if_needed {{ template "gitlab.workhorse.secret" . }} --from-literal={{ template "gitlab.workhorse.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64)
# Registry http.secret secret
generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} --from-literal={{ template "gitlab.registry.httpSecret.key" . }}=$(gen_random 'a-z0-9' 128 | base64)
generate_secret_if_needed {{ template "gitlab.registry.httpSecret.secret" . }} --from-literal={{ template "gitlab.registry.httpSecret.key" . }}=$(gen_random 'a-z0-9' 128 | base64 -w 0)
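Review bot: good catch on the registry secret: 128 random characters base64-encode to 172 characters, and GNU `base64` wraps output at 76 columns by default, so the `--from-literal` value carried embedded newlines. The workhorse line just above (`gen_random 'a-zA-Z0-9' 32 | base64`) only avoids the same bug because 32 bytes encode to 44 characters; add `-w 0` there too so correctness does not depend on the length. `-w` is a GNU coreutils option that BSD/macOS `base64` does not accept (it uses `-b 0`), so the job image matters; fine for the container this hook runs in, but worth a comment.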
......@@ -310,6 +310,7 @@ global:
wiki: true
snippets: true
builds: true
containerRegistry: true
webhookTimeout:
gravatar:
plainUrl:
......@@ -394,6 +395,7 @@ defaultProjectsFeatures:
wiki: true
snippets: true
builds: true
containerRegistry: true
```
### Gravatar/Libravatar settings
......
......@@ -70,16 +70,13 @@ installations on OpenShift:
```bash
oc project ${YOUR_NAMESPACE}
oc adm policy add-scc-to-group anyuid -z default
oc adm policy add-scc-to-user anyuid -z default -n ${YOUR_NAMESPACE}
oc adm policy add-scc-to-user anyuid -z gitlab-runner -n ${YOUR_NAMESPACE}
```
CAUTION: **Warning**:
This setting will be applied across the namespace in which it's applied
and will result in Docker images that does not explicitly specify USER
running as `root` user.
[Issue #895](https://gitlab.com/charts/gitlab/issues/895) is open to
document different service accounts required and to describe adding scc to
those service accounts only, so the impact can be limited.
This setting will be applied across the specified namespace and will result
in Docker images that does not explicitly specify user running as `root`.
1. Create the service account and `rolebinding` for RBAC and [install Tiller](../tools.md#helm):
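Review bot: narrowing from `add-scc-to-group anyuid -z default` to two explicit `add-scc-to-user` grants is the right direction (it is what issue #895 asked for), but the replacement warning text has grammar slips that will ship as-is: `images that does not explicitly specify user running as root` should read `images that do not explicitly specify a USER will run as root`. The new text also drops the link to #895; keep it until the per-service-account documentation it promises exists, and say which workloads actually need `anyuid` (the runner, plus whatever still runs under `default`) so readers can remove the `default` grant once those pods get dedicated accounts.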
......
......@@ -70,6 +70,17 @@ Tables below contain all the possible charts configurations that can be supplied
| global.appConfig.incomingEmail.mailbox | Mailbox where incoming mail will end up. | inbox |
| global.appConfig.incomingEmail.idleTimeout | The IDLE command timeout | 60 |
## Default Project Features configuration
| Parameter | Description | Default |
| --- | --- | --- |
| global.appConfig.defaultProjectsFeatures.issues | Enable project issues | true |
| global.appConfig.defaultProjectsFeatures.mergeRequests | Enable project merge requests | true |
| global.appConfig.defaultProjectsFeatures.wiki | Enable project wikis | true |
| global.appConfig.defaultProjectsFeatures.snippets | Enable project snippets | true |
| global.appConfig.defaultProjectsFeatures.builds | Enable project builds | true |
| global.appConfig.defaultProjectsFeatures.containerRegistry | Enable container registy project features | true |
## GitLab Shell
| Parameter | Description | Default |
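Review bot: `registy` should be `registry` in the `global.appConfig.defaultProjectsFeatures.containerRegistry` row; the other descriptions in the table also use the `Enable project …` form, so `Enable project container registry` would keep the column consistent.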
......
......@@ -7,6 +7,8 @@ RBAC affects a few different aspects of GitLab:
* [Installation of GitLab using Helm](tools.md#preparing-for-helm-with-rbac)
* Prometheus monitoring
* GitLab Runner
* In-cluster PostgreSQL database (when RBAC is enabled for it)
* Certificate manager
## Checking that RBAC is enabled
......@@ -15,3 +17,35 @@ Try listing the current cluster roles, if it fails then `RBAC` is disabled
This command will output `false` if `RBAC` is disabled and `true` otherwise
`kubectl get clusterroles > /dev/null 2>&1 && echo true || echo false`
## Service accounts
GitLab chart uses Service accounts to perform certain tasks. These accounts and their associated roles
are created and managed by the chart.
The service accounts are described in the following table. For each service account the table shows:
* The name suffix (the prefix is the release name).
* A short description, e.g. where it is used, what it is used for.
* Associated roles and what level of access it has on which resources. Access level is either read-only (R),
write-only (W), or read-write (RW). Note that group name of resources are omitted.
* The scope of the roles, which is either the cluster (C) or the namespace (NS). In some instances the scope
of the roles can be configured with values (indicated by NS/C)
| Name suffix | Description | Roles | Scope
| --- | --- | --- | ---
| gitlab-runner | The GitLab runner is executed with this account. | Any resource (RW) | NS/C
| nginx-ingress | Used by Nginx ingress to control service access points. | Secret, Pod, Endpoint, Ingress (R); Event (W); ConfigMap, Service (RW) | NS/C
| shared-secrets | The job that creates shared secrets runs with this account. (in pre-install/upgrade hook) | Secret (RW) | NS
| operator | Used by GitLab Operator to monitor and control GitLab resources, run migrations and shared secret jobs. Only used when Operator is enabled. | ConfigMap, Secret, Pod, Deployment, StatefulSet, DaemonSet, Job, ServiceAccount, \[Cluster\]Role, \[Cluster\]RoleBinding, GitLabs (RW) | NS/C
| certmanager-issuer | The job that controls certificate manager runs with this account. | Issuer (RW) | NS
GitLab chart depends on other charts that they also use RBAC and create their own service accounts and role binding. Here is an overview:
* Prometheus monitoring creates multiple own service accounts by default. They are all associated to cluster level roles. For more information see [Prometheus chart documentation](https://github.com/helm/charts/tree/master/stable/prometheus#rbac-configuration).
* Certificate manager creates a service account by default to manage its custom resources along with native resources at the cluster level. For more information see [cert-manager chart RBAC template](https://github.com/helm/charts/blob/master/stable/cert-manager/templates/rbac.yaml).
* When you use in-cluster PostgreSQL database (this is the default) the service account is not enabled. You can enable it but it is only used to run PostgreSQL service and is not associated to any specific role. For more information see [Postgresql chart](https://github.com/helm/charts/tree/master/stable/postgresql).
NOTE: **Note:** Please keep in mind that for OpenShift deployment you need to assign `anyuid` SCC to `default` and `gitlab-runner`
service account of your project. For more details see [OpenShift installation](./cloud/openshift.md).
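Review bot: the new table records that the `gitlab-runner` account gets `Any resource (RW)` at namespace or cluster scope, which makes it by far the most privileged account listed; that deserves an explicit sentence saying so and pointing at the value that restricts it to the namespace, otherwise readers will take `NS/C` as a harmless toggle rather than a least-privilege decision. Smaller points: `Note that group name of resources are omitted` should read `API groups of resources are omitted`; `depends on other charts that they also use RBAC` should read `depends on other charts that also use RBAC`; and the table header row is missing its trailing `|`, unlike the other tables in `doc/`.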
......@@ -104,4 +104,4 @@ accessible services. The secrets containing these will be `RELEASE-wildcard-tls`
The `RELEASE-wildcard-tls-ca` contains the public CA certificate that can be distributed to users and systems that
will access the deployed GitLab instance.
[cm-annotations]: https://github.com/jetstack/cert-manager/blob/master/docs/reference/ingress-shim.rst#supported-annotations
[cm-annotations]: https://github.com/jetstack/cert-manager/blob/master/docs/tasks/issuing-certificates/ingress-shim.rst#supported-annotations
......@@ -4,6 +4,14 @@ The table below maps some of the key previous chart versions and GitLab versions
| Chart version | GitLab version |
|---------------|----------------|
| 2.1.7 | 12.1.6 |
| 2.1.6 | 12.1.4 |
| 2.1.5 | 12.1.4 |
| 2.1.4 | 12.1.4 |
| 2.1.3 | 12.1.3 |
| 2.1.2 | 12.1.2 |
| 2.1.1 | 12.1.1 |
| 2.1.0 | 12.1.0 |
| 2.0.3 | 12.0.3 |
| 2.0.2 | 12.0.2 |
| 2.0.1 | 12.0.1 |
......
......@@ -13,6 +13,6 @@ dependencies:
repository: https://kubernetes-charts.storage.googleapis.com/
condition: postgresql.install
- name: gitlab-runner
version: 0.6.0
version: 0.7.0
repository: https://charts.gitlab.io/
condition: gitlab-runner.install
......@@ -104,8 +104,8 @@ Global gitlab imagePullPolicy
{{- define "gitlab.imagePullPolicy" -}}
{{- $imageObj := default (dict) .Values.image -}}
{{- if or $imageObj.imagePullPolicy .Values.global.imagePullPolicy -}}
imagePullPolicy: {{ coalesce $imageObj.imagePullPolicy .Values.global.imagePullPolicy | quote }}
{{- if or $imageObj.pullPolicy .Values.global.imagePullPolicy -}}
imagePullPolicy: {{ coalesce $imageObj.pullPolicy .Values.global.imagePullPolicy | quote }}
{{- end -}}
{{- end -}}
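Review bot: switching the per-chart key from `$imageObj.imagePullPolicy` to `$imageObj.pullPolicy` silently ignores any values file that still sets `image.imagePullPolicy`: the `if or` guard then falls through to the global value, or to nothing, with no warning. The changelog entry `Chart pull policies syntax restored to previous and documented names` says `pullPolicy` is the documented spelling, so anyone who followed the interim name will regress to the default on upgrade. Consider reading both for a deprecation cycle, e.g. `coalesce $imageObj.pullPolicy $imageObj.imagePullPolicy .Values.global.imagePullPolicy`, and calling the rename out in the upgrade notes.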
......