Commit 1155ecf5 authored by Ian Baum's avatar Ian Baum Committed by DJ Mountney

Split workhorse to a separate container

parent b52730bf
---
title: Move gitlab-workhorse to a separate container
merge_request: 397
author: Ian Baum
type: added
......@@ -28,10 +28,6 @@ data:
production:
# Redis (single instance)
url: redis://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" }}
workhorse-config.toml.erb: |
[redis]
URL = "tcp://{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" }}"
Password = "<%= File.read("/etc/gitlab/redis/password") %>"
unicorn.rb: |
worker_processes {{ .Values.workerProcesses }}
working_directory "/srv/gitlab"
......@@ -60,6 +56,7 @@ data:
ENV['GITLAB_UNICORN_MEMORY_MIN'] = (400 * 1 << 20).to_s
ENV['GITLAB_UNICORN_MEMORY_MAX'] = (650 * 1 << 20).to_s
gitlab.yml.erb: |
production: &base
gitlab:
......@@ -208,6 +205,7 @@ data:
upload_pack: true
receive_pack: true
workhorse:
secret_file: /etc/gitlab/gitlab-workhorse/secret
git:
bin_path: /usr/bin/git
webpack:
......@@ -235,30 +233,49 @@ data:
key: /etc/gitlab/registry/gitlab-registry.key
issuer: {{ .Values.registry.tokenIssuer }}
configure: |
set -e
mkdir -p /init-secrets/redis /init-secrets/shell /init-secrets/gitaly \
/init-secrets/registry /init-secrets/postgres /init-secrets/rails-secrets
cp /init-config/redis/password /init-secrets/redis/password
cp /init-config/shell/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret
cp /init-config/gitaly/gitaly_token /init-secrets/gitaly/gitaly_token
cp /init-config/registry/gitlab-registry.key /init-secrets/registry/gitlab-registry.key
cp /init-config/postgres/psql-password /init-secrets/postgres/psql-password
cp /init-config/rails-secrets/secrets.yml /init-secrets/rails-secrets/secrets.yml
if [ -e /init-config/minio ]; then
mkdir -p /init-secrets/minio
cp /init-config/minio/* /init-secrets/minio/
fi
if [ -e /init-config/objectstorage ]; then
mkdir -p /init-secrets/objectstorage
cp /init-config/objectstorage/* /init-secrets/objectstorage/
fi
if [ -e /init-config/omniauth ]; then
mkdir -p /init-secrets/omniauth
cp -r /init-config/omniauth/* /init-secrets/omniauth/
fi
if [ -e /init-config/smtp/smtp-password ]; then
mkdir -p /init-secrets/smtp
cp /init-config/smtp/smtp-password /init-secrets/smtp/
fi
set -e
config_dir="/init-config"
secret_dir="/init-secrets-unicorn"
for secret in redis shell gitaly registry postgres rails-secrets gitlab-workhorse ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
if [ -e "${config_dir}/minio" ]; then
mkdir -p "${secret_dir}/minio"
cp -v -r "${config_dir}/minio/." "${secret_dir}/minio/"
fi
if [ -e "${config_dir}/objectstorage" ]; then
mkdir -p "${secret_dir}/objectstorage"
cp -v -r "${config_dir}/objectstorage/." "${secret_dir}/objectstorage/"
fi
if [ -e "${config_dir}/omniauth" ]; then
mkdir -p "${secret_dir}/omniauth"
cp -v -r "${config_dir}/omniauth/." "${secret_dir}/omniauth/"
fi
if [ -e "${config_dir}/smtp/smtp-password" ]; then
mkdir -p "${secret_dir}/smtp"
cp -v -r "${config_dir}/smtp/smtp-password" "${secret_dir}/smtp/"
fi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{.Release.Name }}-workhorse-config
labels:
{{ include "gitlab.standardLabels" . | indent 4 }}
data:
installation_type: |
gitlab-helm-chart
workhorse-config.toml.erb: |
[redis]
URL = "tcp://{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" }}"
Password = "<%= File.read("/etc/gitlab/redis/password") %>"
configure: |
set -e
mkdir -p /init-secrets-workhorse/gitlab-workhorse
cp /init-config/gitlab-workhorse/secret /init-secrets-workhorse/gitlab-workhorse/secret
mkdir -p /init-secrets-workhorse/redis
cp /init-config/redis/password /init-secrets-workhorse/redis/
# Leave this here - This line denotes end of block to the parser.
{{- end }}
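Review bot: The new workhorse ConfigMap in hunk `@@ -235,30 +233,49 @@` is named `{{.Release.Name }}-workhorse-config` (no space after `{{`, and `.Release.Name` where the unicorn ConfigMap is named with `{{ template "fullname" . }}`), so the two ConfigMaps of one chart follow different naming styles; whichever is chosen, the volume reference in the deployment must stay in step with it. Its `configure` script also hard-codes `/init-config` and `/init-secrets-workhorse` where the rewritten unicorn script just above it introduces `config_dir`/`secret_dir` and `cp -v -r "${config_dir}/${secret}/."`; writing it the same way, e.g. `config_dir="/init-config"`, `secret_dir="/init-secrets-workhorse"`, keeps the two init scripts reviewable side by side. A comment on the script stating that `/init-config/gitlab-workhorse/secret` is projected from the `gitlab.workhorse.secret` Secret, and that `set -e` makes a missing file abort the init container, would tell an operator where to look when the pod fails to initialise.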
......@@ -49,17 +49,24 @@ spec:
initContainers:
{{ include "gitlab.certificates.initContainer" . | indent 8 }}
- name: configure
command: ['sh', '/config/configure']
command: ['sh']
args: [ '-c', 'sh -x /config-unicorn/configure ; sh -x /config-workhorse/configure']
image: {{ .Values.init.image }}:{{ .Values.init.tag }}
volumeMounts:
- name: unicorn-config
mountPath: /config
mountPath: /config-unicorn
readOnly: true
- name: workhorse-config
mountPath: /config-workhorse
readOnly: true
- name: init-unicorn-secrets
mountPath: /init-config
readOnly: true
- name: unicorn-secrets
mountPath: /init-secrets
mountPath: /init-secrets-unicorn
readOnly: false
- name: workhorse-secrets
mountPath: /init-secrets-workhorse
readOnly: false
resources:
{{ toYaml .Values.init.resources | indent 12 }}
......@@ -93,13 +100,9 @@ spec:
ports:
- containerPort: {{ .Values.service.internalPort }}
name: unicorn
- containerPort: {{ .Values.service.workhorseInternalPort }}
name: workhorse
env:
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: GITLAB_WORKHORSE_EXTRA_ARGS
value: {{ .Values.workhorse.extraArgs | quote }}
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
......@@ -131,6 +134,12 @@ spec:
- name: unicorn-config
mountPath: '/srv/gitlab/INSTALLATION_TYPE'
subPath: installation_type
- name: shared-upload-directory
mountPath: /srv/gitlab/public/uploads/tmp
readOnly: false
- name: shared-artifact-directory
mountPath: /srv/gitlab/shared
readOnly: false
{{ include "gitlab.certificates.volumeMount" . | indent 12 }}
livenessProbe:
exec:
......@@ -149,6 +158,45 @@ spec:
command: ["/bin/bash", "-c", "pkill -SIGQUIT -f 'unicorn master'"]
resources:
{{ toYaml .Values.resources | indent 12 }}
- name: gitlab-workhorse
image: "{{ .Values.workhorse.image }}:{{ coalesce .Values.workhorse.tag (include "gitlab.versionTag" . ) }}"
{{ template "gitlab.imagePullPolicy" . }}
ports:
- containerPort: {{ .Values.service.workhorseInternalPort }}
name: workhorse
env:
- name: GITLAB_WORKHORSE_EXTRA_ARGS
value: {{ .Values.workhorse.extraArgs | quote }}
- name: CONFIG_TEMPLATE_DIRECTORY
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/var/opt/gitlab/config/gitlab/'
volumeMounts:
- name: workhorse-config
mountPath: '/var/opt/gitlab/templates'
- name: workhorse-secrets
mountPath: '/etc/gitlab'
readOnly: true
- name: shared-upload-directory
mountPath: /srv/gitlab/public/uploads/tmp
readOnly: false
- name: shared-artifact-directory
mountPath: /srv/gitlab/shared
readOnly: false
{{ include "gitlab.certificates.volumeMount" . | indent 12 }}
livenessProbe:
exec:
command:
- /scripts/healthcheck
initialDelaySeconds: 20
timeoutSeconds: 30
periodSeconds: 60
readinessProbe:
exec:
command:
- /scripts/healthcheck
resources:
{{ toYaml .Values.workhorse.resources | indent 12 }}
volumes:
{{- if .Values.metrics.enabled }}
- name: unicorn-metrics
......@@ -158,6 +206,9 @@ spec:
- name: unicorn-config
configMap:
name: {{ template "fullname" . }}
- name: workhorse-config
configMap:
name: {{ .Release.Name }}-workhorse-config
- name: init-unicorn-secrets
projected:
defaultMode: 0400
......@@ -192,6 +243,11 @@ spec:
items:
- key: registry-auth.key
path: registry/gitlab-registry.key
- secret:
name: {{ template "gitlab.workhorse.secret" . }}
items:
- key: {{ template "gitlab.workhorse.key" . }}
path: gitlab-workhorse/secret
{{- if .Values.global.minio.enabled }}
- secret:
name: {{ template "gitlab.minio.credentials.secret" . }}
......@@ -241,6 +297,15 @@ spec:
- name: unicorn-secrets
emptyDir:
medium: "Memory"
- name: workhorse-secrets
emptyDir:
medium: "Memory"
- name: shared-upload-directory
emptyDir:
medium: "Memory"
- name: shared-artifact-directory
emptyDir:
medium: "Memory"
{{ include "gitlab.certificates.volumes" . | indent 6 }}
{{- if .Values.nodeSelector }}
nodeSelector:
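Review bot: In hunk `@@ -49,17 +49,24 @@` the init container's new `args` joins the two configure scripts with `;`, so a non-zero exit from `/config-unicorn/configure` (its `set -e` aborts on any failed copy) is discarded whenever `/config-workhorse/configure` then succeeds, and the pod may proceed with an incomplete secret tree. Chain them with `&&` instead: `args: ['-c', 'sh -x /config-unicorn/configure && sh -x /config-workhorse/configure']`. The `-x` trace writes every command to the init container's log; today both scripts only pass file paths, so nothing sensitive is traced, but that holds only as long as neither script ever expands a secret value on a command line. Separately, in hunk `@@ -241,6 +297,15 @@` the `shared-artifact-directory` backing `/srv/gitlab/shared` is a `medium: "Memory"` emptyDir with no `sizeLimit`, so artifact and upload data is held in node RAM, counts against the pod's memory limit, and is lost on every pod restart; set `sizeLimit` on it or use a disk-backed medium for that volume.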
......@@ -39,8 +39,13 @@ workerTimeout: 60
hpa:
targetAverageValue: 400m
workhorse:
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee
sentryDSN: ""
extraArgs: ""
resources:
requests:
cpu: 100m
memory: 100M
ldap:
servers: {}
# 'main' is the GitLab 'provider ID' of this LDAP server
......@@ -161,8 +166,8 @@ resources:
# cpu: 1
# memory: 2G
requests:
cpu: 200m
memory: 1.5G
cpu: 100m
memory: 1.4G
maxUnavailable: 1
minReplicas: 2
maxReplicas: 10
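Review bot: `workhorse.sentryDSN: ""` is introduced in hunk `@@ -39,8 +39,13 @@`, but no template in this commit reads `.Values.workhorse.sentryDSN`, so as far as this diff shows it is dead configuration; either wire it into the workhorse container's `env` or leave it out until something consumes it. The deployment reads `.Values.workhorse.tag` through `coalesce`, yet no `tag` key is declared here, so the fallback to `gitlab.versionTag` is invisible to anyone reading values.yaml; add a line such as `# tag: unset by default; the chart falls back to gitlab.versionTag` under `workhorse`. A comment above `image:` noting that the default is the EE workhorse image would also help, since the key is the only place that choice is visible.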
......@@ -79,3 +79,6 @@ ssh-keygen -A
mkdir -p host_keys
cp /etc/ssh/ssh_host_* host_keys/
generate_secret_if_needed {{ template "gitlab.gitlab-shell.hostKeys.secret" . }} --from-file host_keys
# Gitlab-workhorse secret
generate_secret_if_needed {{ template "gitlab.workhorse.secret" . }} --from-literal={{ template "gitlab.workhorse.key" . }}=$(gen_random 'a-zA-Z0-9' 32 | base64)
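Review bot: In hunk `@@ -79,3 +79,6 @@` the workhorse secret value is produced inline by `$(gen_random 'a-zA-Z0-9' 32 | base64)`, so a failure of `gen_random` or `base64` inside the substitution is not seen by the `generate_secret_if_needed` call itself and an empty literal could be stored; if the helper skips secrets that already exist, as its name suggests, that empty value would then persist across upgrades (whether the enclosing script sets `-e`/`pipefail` is outside this hunk). Capture the value first and refuse to continue if it is empty: `workhorse_secret=$(gen_random 'a-zA-Z0-9' 32 | base64)`, `[ -n "$workhorse_secret" ] || exit 1`, then `--from-literal={{ template "gitlab.workhorse.key" . }}=$workhorse_secret`. Note that `gitlab.workhorse.key` pipes through `quote`, so the argument renders as `--from-literal="shared_secret"=...`, which the shell tolerates but which reads oddly; a one-line comment saying why the value is base64-encoded before being stored would make the intent clear.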
{{/* ######### gitlab-workhorse related templates */}}
{{/*
Return the gitlab-workhorse secret
*/}}
{{- define "gitlab.workhorse.secret" -}}
{{- default (printf "%s-gitlab-workhorse-secret" .Release.Name) .Values.global.workhorse.secret | quote -}}
{{- end -}}
{{- define "gitlab.workhorse.key" -}}
{{- default "shared_secret" .Values.global.workhorse.key | quote -}}
{{- end -}}
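Review bot: `gitlab.workhorse.key` is defined without the comment block that `gitlab.workhorse.secret` carries; add `{{/* Return the key inside the workhorse secret that holds the shared secret (default: shared_secret) */}}` above its `define`. The comment on `gitlab.workhorse.secret` should also state that `.Values.global.workhorse.secret` names an operator-supplied Secret and that the default `<release>-gitlab-workhorse-secret` is the one the shared-secrets job generates. Both templates pipe through `quote`, so callers must not quote the result again; say so in the comments, because the rendered `key:` entry of the projected volume depends on it.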
......@@ -98,6 +98,7 @@ global:
service:
annotations: {}
antiAffinity: soft
workhorse: {}
# configuration of certificates container & custom CA injection
certificates:
image:
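Review bot: `workhorse: {}` in hunk `@@ -98,6 +98,7 @@` is added with no indication of which sub-keys are honoured; the helpers added in this commit read `global.workhorse.secret` and `global.workhorse.key`, defaulting to `<release>-gitlab-workhorse-secret` and `shared_secret`. Document that above the key, e.g. `# workhorse.secret: existing Secret holding the workhorse shared secret (default: <release>-gitlab-workhorse-secret)` and `# workhorse.key: key inside that Secret (default: shared_secret)`, in the same style as the `certificates` comment just below it.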