helm chart install with cloudflare - login always 422 Error
my values.yml
values.yml
## NOTICE
#
# Due to the scope and complexity of this chart, all possible values are
# not documented in this file. Extensive documentation is available.
#
# Please read the docs: https://docs.gitlab.com/charts/
#
# Because properties are regularly added, updated, or relocated, it is
# _strongly suggest_ to not "copy and paste" this YAML. Please provide
# Helm only those properties you need, and allow the defaults to be
# provided by the version of this chart at the time of deployment.
## Advanced Configuration
## https://docs.gitlab.com/charts/advanced
#
# Documentation for advanced configuration, such as
# - External PostgreSQL
# - External Gitaly
# - External Redis
# - External NGINX
# - External Object Storage providers
# - PersistentVolume configuration
## The global properties are used to configure multiple charts at once.
## https://docs.gitlab.com/charts/charts/globals
global:
common:
labels: {}
image: {}
# Registry value override is only available for the following Charts:
# - Spamcheck
# - Mailroom
# If specifying a value here, be sure to also configure
# `gitlab.<subchart>.image.repository` to a value that does not
# include the default registry domain `registry.gitlab.com`.
# Support for other charts is coming as an iterative rollout.
# See https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2859
# for more information.
# registry:
# pullPolicy: IfNotPresent
# pullSecrets: []
# tagSuffix: ""
## Supplemental Pod labels. Will not be used for selectors.
pod:
labels: {}
## https://docs.gitlab.com/charts/installation/deployment#deploy-the-community-edition
edition: ee
## https://docs.gitlab.com/charts/charts/globals#gitlab-version
gitlabVersion: "16.4.0"
## https://docs.gitlab.com/charts/charts/globals#application-resource
application:
create: false
links: []
allowClusterRoles: true
## https://docs.gitlab.com/charts/charts/globals#configure-host-settings
hosts:
domain: mydomain.hu
hostSuffix:
https: true
externalIP: gitlab.mydomain.hu
ssh: ~
gitlab: {}
minio: {}
registry: {}
tls: {}
smartcard: {}
kas: {}
pages: {}
## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings
ingress:
apiVersion: ""
configureCertmanager: true
provider: nginx
# class:
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
enabled: true
tls: {}
# enabled: true
# secretName:
path: /
pathType: Prefix
# Override the API version to use for HorizontalPodAutoscaler
hpa:
apiVersion: ""
# Enable KEDA globally (https://keda.sh/)
keda:
enabled: false
# Override the API version to use for PodDisruptionBudget
pdb:
apiVersion: ""
# Override the API version to use for CronJob
batch:
cronJob:
apiVersion: ""
gitlab:
## Enterprise license for this GitLab installation
## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-enterprise-license
## If allowing shared-secrets generation, this is OPTIONAL.
license: {}
# secret: RELEASE-gitlab-license
# key: license
## Initial root password for this GitLab installation
## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-root-password
## If allowing shared-secrets generation, this is OPTIONAL.
initialRootPassword: {}
# secret: RELEASE-gitlab-initial-root-password
# key: password
## https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings
psql:
connectTimeout:
keepalives:
keepalivesIdle:
keepalivesInterval:
keepalivesCount:
tcpUserTimeout:
password: {}
# useSecret:
# secret:
# key:
# file:
# host: postgresql.hostedsomewhere.else
# port: 123
# username: gitlab
# database: gitlabhq_production
# applicationName:
# preparedStatements: false
# databaseTasks: true
## https://docs.gitlab.com/charts/charts/globals#configure-redis-settings
redis:
auth:
enabled: true
# secret:
# key:
# host: redis.hostedsomewhere.else
# port: 6379
# user: webservice
# sentinels:
# - host:
# port:
## https://docs.gitlab.com/charts/charts/globals#configure-gitaly-settings
gitaly:
enabled: true
authToken: {}
# secret:
# key:
# serviceName:
internal:
names: [default]
external: []
service:
name: gitaly
type: ClusterIP
externalPort: 8075
internalPort: 8075
tls:
externalPort: 8076
internalPort: 8076
tls:
enabled: false
# secretName:
praefect:
enabled: false
ntpHost: pool.ntp.org
replaceInternalGitaly: true
authToken: {}
autoMigrate: true
dbSecret: {}
virtualStorages:
- name: default
gitalyReplicas: 3
maxUnavailable: 1
psql:
sslMode: disable
# serviceName:
service:
name: praefect
type: ClusterIP
externalPort: 8075
internalPort: 8075
tls:
externalPort: 8076
internalPort: 8076
tls:
enabled: false
# secretName:
## https://docs.gitlab.com/charts/charts/globals#configure-minio-settings
minio:
enabled: true
credentials: {}
# secret:
## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings
## Rails based portions of this chart share many settings
appConfig:
## https://docs.gitlab.com/charts/charts/globals#general-application-settings
# cdnHost:
enableUsagePing: true
enableSeatLink: true
enableImpersonation:
applicationSettingsCacheSeconds: 60
usernameChangingEnabled: true
issueClosingPattern:
defaultTheme:
defaultProjectsFeatures:
issues: true
mergeRequests: true
wiki: true
snippets: true
builds: true
graphQlTimeout:
webhookTimeout:
maxRequestDurationSeconds:
## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings
cron_jobs: {}
## Flag stuck CI builds as failed
# stuck_ci_jobs_worker:
# cron: "0 * * * *"
## Schedule pipelines in the near future
# pipeline_schedule_worker:
# cron: "19 * * * *"
## Remove expired build artifacts
# expire_build_artifacts_worker:
# cron: "*/7 * * * *"
## Periodically run 'git fsck' on all repositories.
# repository_check_worker:
# cron: "20 * * * *"
## Send admin emails once a week
# admin_email_worker:
# cron: "0 0 * * 0"
## Remove outdated repository archives
# repository_archive_cache_worker:
# cron: "0 * * * *"
## Verify custom GitLab Pages domains
# pages_domain_verification_cron_worker:
# cron: "*/15 * * * *"
# schedule_migrate_external_diffs_worker:
# cron: "15 * * * *"
## Prune stale group runners on opted-in namespaces
# ci_runners_stale_group_runners_prune_worker_cron:
# cron: "30 * * * *"
## Periodically update ci_runner_versions table with up-to-date versions and status
# ci_runner_versions_reconciliation_worker:
# cron: "@daily"
## Periodically clean up stale ci_runner_machines records
# ci_runners_stale_machines_cleanup_worker:
# cron: "36 * * * *"
### GitLab Geo
# Geo Primary only!
# geo_prune_event_log_worker:
# cron: "*/5 * * * *"
## GitLab Geo repository sync worker
# geo_repository_sync_worker:
# cron: "*/5 * * * *"
## GitLab Geo file download dispatch worker
# geo_file_download_dispatch_worker:
# cron: "*/10 * * * *"
## GitLab Geo repository verification primary batch worker
# geo_repository_verification_primary_batch_worker:
# cron: "*/5 * * * *"
## GitLab Geo repository verification secondary scheduler worker
# geo_repository_verification_secondary_scheduler_worker:
# cron: "*/5 * * * *"
## GitLab Geo migrated local files clean up worker
# geo_migrated_local_files_clean_up_worker:
# cron: "15 */6 * * *"
### LDAP
# ldap_sync_worker:
# cron: "30 1 * * *"
# ldap_group_sync_worker:
# cron: "0 * * * *"
### Snapshot active user statistics
# historical_data_worker:
# cron: "0 12 * * *"
# loose_foreign_keys_cleanup_worker_cron:
# cron: "*/5 * * * *"
## https://docs.gitlab.com/charts/charts/globals#content-security-policy
contentSecurityPolicy:
enabled: false
report_only: true
# directives: {}
## https://docs.gitlab.com/charts/charts/globals#gravatarlibravatar-settings
gravatar:
plainUrl:
sslUrl:
## https://docs.gitlab.com/charts/charts/globals#hooking-analytics-services-to-the-gitlab-instance
extra:
googleAnalyticsId:
matomoUrl:
matomoSiteId:
matomoDisableCookies:
oneTrustId:
googleTagManagerNonceId:
bizible:
## https://docs.gitlab.com/charts/charts/globals#lfs-artifacts-uploads-packages-external-mr-diffs-and-dependency-proxy
object_store:
enabled: false
proxy_download: true
storage_options: {}
# server_side_encryption:
# server_side_encryption_kms_key_id
connection: {}
# secret:
# key:
lfs:
enabled: true
proxy_download: true
bucket: git-lfs
connection: {}
# secret:
# key:
artifacts:
enabled: true
proxy_download: true
bucket: gitlab-artifacts
connection: {}
# secret:
# key:
uploads:
enabled: true
proxy_download: true
bucket: gitlab-uploads
connection: {}
# secret:
# key:
packages:
enabled: true
proxy_download: true
bucket: gitlab-packages
connection: {}
externalDiffs:
enabled: false
when:
proxy_download: true
bucket: gitlab-mr-diffs
connection: {}
terraformState:
enabled: false
bucket: gitlab-terraform-state
connection: {}
ciSecureFiles:
enabled: false
bucket: gitlab-ci-secure-files
connection: {}
dependencyProxy:
enabled: false
proxy_download: true
bucket: gitlab-dependency-proxy
connection: {}
backups:
bucket: gitlab-backups
tmpBucket: tmp
## https://docs.gitlab.com/charts/charts/globals#outgoing-email
## Microsoft Graph Mailer settings
microsoft_graph_mailer:
enabled: false
user_id: ""
tenant: ""
client_id: ""
client_secret:
secret: ""
key: secret
azure_ad_endpoint: "https://login.microsoftonline.com"
graph_endpoint: "https://graph.microsoft.com"
## https://docs.gitlab.com/charts/installation/command-line-options.html#incoming-email-configuration
## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#incoming-email
incomingEmail:
enabled: false
address: ""
host: "imap.gmail.com"
port: 993
ssl: true
startTls: false
user: ""
password:
secret: ""
key: password
deleteAfterDelivery: true
expungeDeleted: false
logger:
logPath: "/dev/stdout"
mailbox: inbox
idleTimeout: 60
inboxMethod: "imap"
clientSecret:
key: secret
pollInterval: 60
deliveryMethod: webhook
authToken: {}
# secret:
# key:
## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#service-desk-email
serviceDeskEmail:
enabled: false
address: ""
host: "imap.gmail.com"
port: 993
ssl: true
startTls: false
user: ""
password:
secret: ""
key: password
deleteAfterDelivery: true
expungeDeleted: false
logger:
logPath: "/dev/stdout"
mailbox: inbox
idleTimeout: 60
inboxMethod: "imap"
clientSecret:
key: secret
pollInterval: 60
deliveryMethod: webhook
authToken: {}
# secret:
# key:
## https://docs.gitlab.com/charts/charts/globals#ldap
ldap:
# prevent the use of LDAP for sign-in via web.
preventSignin: false
servers: {}
## See documentation for complete example of a configured LDAP server
duoAuth:
enabled: false
# hostname:
# integrationKey:
# secretKey:
# secret:
# key:
## https://docs.gitlab.com/charts/charts/globals#kas-settings
gitlab_kas: {}
# secret:
# key:
# enabled:
# externalUrl:
# internalUrl:
## https://docs.gitlab.com/charts/charts/globals#suggested-reviewers-settings
suggested_reviewers: {}
# secret:
# key:
## https://docs.gitlab.com/charts/charts/globals#omniauth
omniauth:
enabled: false
autoSignInWithProvider:
syncProfileFromProvider: []
syncProfileAttributes: [email]
allowSingleSignOn: [saml]
blockAutoCreatedUsers: true
autoLinkLdapUser: false
autoLinkSamlUser: false
autoLinkUser: []
externalProviders: []
allowBypassTwoFactor: []
providers: []
# - secret: gitlab-google-oauth2
# key: provider
## https://docs.gitlab.com/charts/charts/globals#kerberos
kerberos:
enabled: false
keytab:
# secret:
key: keytab
servicePrincipalName: ""
krb5Config: ""
dedicatedPort:
enabled: false
port: 8443
https: true
simpleLdapLinkingAllowedRealms: []
## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings
sentry:
enabled: false
dsn:
clientside_dsn:
environment:
gitlab_docs:
enabled: false
host: ""
smartcard:
enabled: false
CASecret:
clientCertificateRequiredHost:
sanExtensions: false
requiredForGitAccess: false
sidekiq:
routingRules: []
# Config that only applies to the defaults on initial install
initialDefaults: {}
# signupEnabled:
## End of global.appConfig
oauth:
gitlab-pages: {}
# secret:
# appIdKey:
# appSecretKey:
# redirectUri:
# authScope:
## https://docs.gitlab.com/charts/advanced/geo/
geo:
enabled: false
# Valid values: primary, secondary
role: primary
## Geo Secondary only
# nodeName allows multiple instances behind a load balancer.
nodeName: # defaults to `gitlab.gitlab.host`
# ingressClass:
# PostgreSQL connection details only needed for `secondary`
psql:
password: {}
# secret:
# key:
# host: postgresql.hostedsomewhere.else
# port: 123
# username: gitlab_replicator
# database: gitlabhq_geo_production
# ssl:
# secret:
# clientKey:
# clientCertificate:
# serverCA:
registry:
replication:
enabled: false
primaryApiUrl:
## Consumes global.registry.notificationSecret
## https://docs.gitlab.com/charts/charts/gitlab/kas/
kas:
enabled: true
service:
apiExternalPort: 8153 # port for connections from the GitLab backend
tls:
enabled: false
verify: true
# secretName:
# caSecretName:
## https://docs.gitlab.com/charts/charts/gitlab/spamcheck/
spamcheck:
enabled: false
## https://docs.gitlab.com/charts/charts/globals#configure-gitlab-shell
shell:
authToken: {}
# secret:
# key:
hostKeys: {}
# secret:
## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol
tcp:
proxyProtocol: false
## Rails application secrets
## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret
## If allowing shared-secrets generation, this is OPTIONAL.
railsSecrets: {}
# secret:
## Rails generic setting, applicable to all Rails-based containers
rails:
bootsnap: # Enable / disable Shopify/Bootsnap cache
enabled: true
## https://docs.gitlab.com/charts/charts/globals#configure-registry-settings
registry:
bucket: registry
certificate: {}
# secret:
httpSecret: {}
# secret:
# key:
notificationSecret: {}
# secret:
# key:
tls:
enabled: false
# secretName:
redis:
cache:
password: {}
# https://docs.docker.com/registry/notifications/#configuration
notifications: {}
# endpoints:
# - name: FooListener
# url: https://foolistener.com/event
# timeout: 500ms
# threshold: 10
# backoff: 1s
# headers:
# FooBar: ['1', '2']
# Authorization:
# secret: gitlab-registry-authorization-header
# SpecificPassword:
# secret: gitlab-registry-specific-password
# key: password
# events: {}
# Settings utilized by other services referencing registry:
enabled: true
host:
# port: 443
api:
protocol: http
serviceName: registry
port: 5000
tokenIssuer: gitlab-issuer
pages:
enabled: false
accessControl: false
path:
host:
port:
https: # default true
externalHttp: []
externalHttps: []
artifactsServer: true
localStore:
enabled: false
# path: /srv/gitlab/shared/pages
objectStore:
enabled: true
bucket: gitlab-pages
# proxy_download: true
connection: {}
# secret:
# key:
apiSecret: {}
# secret:
# key:
authSecret: {}
# secret:
# key:
## GitLab Runner
## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret
## If allowing shared-secrets generation, this is OPTIONAL.
runner:
registrationToken: {}
# secret:
## https://docs.gitlab.com/charts/charts/globals#outgoing-email
## Outgoing email server settings
smtp:
enabled: false
address: smtp.mailgun.org
port: 2525
user_name: ""
## https://docs.gitlab.com/charts/installation/secrets#smtp-password
password:
secret: ""
key: password
# domain:
authentication: "plain"
starttls_auto: false
openssl_verify_mode: "peer"
open_timeout: 30
read_timeout: 60
pool: false
## https://docs.gitlab.com/charts/charts/globals#outgoing-email
## Email persona used in email sent by GitLab
email:
from: ""
display_name: GitLab
reply_to: ""
subject_suffix: ""
smime:
enabled: false
secretName: ""
keyName: "tls.key"
certName: "tls.crt"
## Timezone for containers.
time_zone: UTC
## Global Service Annotations and Labels
service:
labels: {}
annotations: {}
## Global Deployment Annotations
deployment:
annotations: {}
antiAffinity: soft
affinity:
podAntiAffinity:
topologyKey: "kubernetes.io/hostname"
# Priority class assigned to pods, may be overridden for individual components
# https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
priorityClassName: ""
## https://docs.gitlab.com/charts/charts/globals#configure-workhorse-settings
## Global settings related to Workhorse
workhorse:
serviceName: webservice-default
# scheme:
# host:
# port:
## https://docs.gitlab.com/charts/installation/secrets#gitlab-workhorse-secret
# secret:
# key:
tls:
enabled: false
## https://docs.gitlab.com/charts/charts/globals#configure-webservice
webservice:
workerTimeout: 60
## https://docs.gitlab.com/charts/charts/globals#custom-certificate-authorities
# configuration of certificates container & custom CA injection
certificates:
image:
repository: registry.gitlab.com/gitlab-org/build/cng/certificates
# Default tag is `global.gitlabVersion` or `master` if the former one is undefined.
# tag: master
# pullPolicy: IfNotPresent
# pullSecrets: []
customCAs: []
# - secret: custom-CA
# - secret: more-custom-CAs
# keys:
# - custom-ca-1.crt
# - configMap: custom-CA-cm
# - configMap: more-custom-CAs-cm
# keys:
# - custom-ca-2.crt
# - custom-ca-3.crt
## kubectl image used by hooks to carry out specific jobs
kubectl:
image:
repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
# Default tag is `global.gitlabVersion` or `master` if the former one is undefined.
# tag: master
# pullPolicy: IfNotPresent
# pullSecrets: []
securityContext:
# in most base images, this is `nobody:nogroup`
runAsUser: 65534
fsGroup: 65534
gitlabBase:
image:
repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base
# Default tag is `global.gitlabVersion` or `master` if the former one is undefined.
# Charts using this image as init container support further overrides with `init.image.tag`.
# tag: master
# pullPolicy: IfNotPresent
# pullSecrets: []
## https://docs.gitlab.com/charts/charts/globals#service-accounts
serviceAccount:
enabled: false
create: true
annotations: {}
## Name to be used for serviceAccount, otherwise defaults to chart fullname
# name:
## https://docs.gitlab.com/charts/charts/globals/#tracing
tracing:
connection:
string: ""
urlTemplate: ""
zoekt:
gateway:
basicAuth: {}
## https://docs.gitlab.com/charts/charts/globals
extraEnv: {}
# SOME_KEY: some_value
# SOME_OTHER_KEY: some_other_value
## https://docs.gitlab.com/charts/charts/globals
extraEnvFrom: {}
# MY_NODE_NAME:
# fieldRef:
# fieldPath: spec.nodeName
# MY_CPU_REQUEST:
# resourceFieldRef:
# containerName: test-container
# resource: requests.cpu
# SECRET_THING:
# secretKeyRef:
# name: special-secret
# key: special_token
# # optional: boolean
# CONFIG_STRING:
# configMapKeyRef:
# name: useful-config
# key: some-string
# # optional: boolean
## End of global
upgradeCheck:
enabled: true
image: {}
# repository:
# tag:
# pullPolicy: IfNotPresent
# pullSecrets: []
securityContext:
# in alpine/debian/busybox based images, this is `nobody:nogroup`
runAsUser: 65534
fsGroup: 65534
tolerations: []
annotations: {}
configMapAnnotations: {}
resources:
requests:
cpu: 50m
priorityClassName: ""
## Settings to for the Let's Encrypt ACME Issuer
certmanager-issuer:
# # The email address to register certificates requested from Let's Encrypt.
# # Required if using Let's Encrypt.
email: htsnorman@hotmail.com
## Installation & configuration of jetstack/cert-manager
## See requirements.yaml for current version
certmanager:
installCRDs: true
nameOverride: certmanager
# Install cert-manager chart. Set to false if you already have cert-manager
# installed or if you are not using cert-manager.
install: true
# Other cert-manager configurations from upstream
# See https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/README#configuration
rbac:
create: true
## https://docs.gitlab.com/charts/charts/nginx/
## https://docs.gitlab.com/charts/architecture/decisions#nginx-ingress
## Installation & configuration of charts/ingress-nginx:
nginx-ingress: &nginx-ingress
enabled: true
tcpExternalConfig: "true"
controller: &nginx-ingress-controller
addHeaders:
Referrer-Policy: strict-origin-when-cross-origin
config: &nginx-ingress-controller-config
annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
hsts: "true"
hsts-include-subdomains: "false"
hsts-max-age: "63072000"
server-name-hash-bucket-size: "256"
use-http2: "true"
ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
ssl-protocols: "TLSv1.3 TLSv1.2"
server-tokens: "false"
# Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration
upstream-keepalive-connections: 100 # Limit of 100 held-open connections
upstream-keepalive-time: 30s # 30 second limit for connection reuse
upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections
upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling
service:
externalTrafficPolicy: "Local"
ingressClassByName: false
ingressClassResource:
name: '{{ include "ingress.class.name" $ | quote }}'
resources:
requests:
cpu: 100m
memory: 100Mi
publishService:
enabled: true
replicaCount: 2
minAvailable: 1
scope:
enabled: true
metrics:
enabled: true
service:
annotations:
gitlab.com/prometheus_scrape: "true"
gitlab.com/prometheus_port: "10254"
prometheus.io/scrape: "true"
prometheus.io/port: "10254"
admissionWebhooks:
enabled: false
defaultBackend:
resources:
requests:
cpu: 5m
memory: 5Mi
rbac:
create: true
# Needed for k8s 1.20 and 1.21
# https://github.com/kubernetes/ingress-nginx/issues/7510
# https://github.com/kubernetes/ingress-nginx/issues/7519
scope: false
serviceAccount:
create: true
# Ingress controller to handle requests forwarded from other Geo sites.
# Configuration differences compared to the main nginx ingress:
# - Pass X-Forwarded-For headers as is
# - Use a different IngressClass name
nginx-ingress-geo:
<<: *nginx-ingress
enabled: false
controller:
<<: *nginx-ingress-controller
config:
<<: *nginx-ingress-controller-config
# Pass incoming X-Forwarded-* headers to upstream. Required to handle requests
# from other Geo sites.
# https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers
use-forwarded-headers: true
electionID: ingress-controller-leader-geo
ingressClassResource:
name: '{{ include "gitlab.geo.ingress.class.name" $ | quote }}'
controllerValue: 'k8s.io/nginx-ingress-geo'
haproxy:
install: false
controller:
service:
type: LoadBalancer
tcpPorts:
- name: ssh
port: 22
targetPort: 22
extraArgs:
- --configmap-tcp-services=$(POD_NAMESPACE)/$(POD_NAMESPACE)-haproxy-tcp
## Installation & configuration of stable/prometheus
## See requirements.yaml for current version
prometheus:
install: true
rbac:
create: true
alertmanager:
enabled: false
alertmanagerFiles:
alertmanager.yml: {}
kubeStateMetrics:
enabled: false
nodeExporter:
enabled: false
pushgateway:
enabled: false
server:
retention: 15d
strategy:
type: Recreate
image:
tag: v2.38.0
serverFiles:
prometheus.yml:
scrape_configs:
- job_name: prometheus
static_configs:
- targets:
- localhost:9090
- job_name: kubernetes-apiservers
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
[
__meta_kubernetes_namespace,
__meta_kubernetes_service_name,
__meta_kubernetes_endpoint_port_name,
]
action: keep
regex: default;kubernetes;https
- job_name: kubernetes-pods
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels:
[__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scrape]
action: keep
regex: true
- source_labels:
[__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scheme]
action: replace
regex: (https?)
target_label: __scheme__
- source_labels:
[__meta_kubernetes_pod_annotation_gitlab_com_prometheus_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels:
[
__address__,
__meta_kubernetes_pod_annotation_gitlab_com_prometheus_port,
]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: kubernetes_pod_name
- job_name: kubernetes-service-endpoints
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- action: keep
regex: true
source_labels:
- __meta_kubernetes_service_annotation_gitlab_com_prometheus_scrape
- action: replace
regex: (https?)
source_labels:
- __meta_kubernetes_service_annotation_gitlab_com_prometheus_scheme
target_label: __scheme__
- action: replace
regex: (.+)
source_labels:
- __meta_kubernetes_service_annotation_gitlab_com_prometheus_path
target_label: __metrics_path__
- action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
source_labels:
- __address__
- __meta_kubernetes_service_annotation_gitlab_com_prometheus_port
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- action: replace
source_labels:
- __meta_kubernetes_namespace
target_label: kubernetes_namespace
- action: replace
source_labels:
- __meta_kubernetes_service_name
target_label: kubernetes_name
- action: replace
source_labels:
- __meta_kubernetes_pod_node_name
target_label: kubernetes_node
- job_name: kubernetes-services
metrics_path: /probe
params:
module: [http_2xx]
kubernetes_sd_configs:
- role: service
relabel_configs:
- source_labels:
[
__meta_kubernetes_service_annotation_gitlab_com_prometheus_probe,
]
action: keep
regex: true
- source_labels: [__address__]
target_label: __param_target
- target_label: __address__
replacement: blackbox
- source_labels: [__param_target]
target_label: instance
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
target_label: kubernetes_name
## Configuration of Redis
## https://docs.gitlab.com/charts/architecture/decisions#redis
## https://docs.gitlab.com/charts/installation/deployment.html#redis
redis:
install: true
auth:
existingSecret: gitlab-redis-secret
existingSecretKey: redis-password
usePasswordFiles: true
architecture: standalone
cluster:
enabled: false
metrics:
enabled: true
## Installation & configuration of stable/prostgresql
## See requirements.yaml for current version
postgresql:
install: true
auth:
## These need to be set, for the sake of bitnami/postgresql upgrade patterns.
## They are overridden by use of `existingSecret`
password: bogus-satisfy-upgrade
postgresPassword: bogus-satisfy-upgrade
##
usePasswordFiles: false
existingSecret: '{{ include "gitlab.psql.password.secret" . }}'
secretKeys:
adminPasswordKey: postgresql-postgres-password
userPasswordKey: '{{ include "gitlab.psql.password.key" $ }}'
image:
tag: 13.6.0
primary:
initdb:
scriptsConfigMap: '{{ include "gitlab.psql.initdbscripts" $}}'
extraVolumeMounts:
- name: custom-init-scripts
mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh
subPath: init_revision.sh
podAnnotations:
postgresql.gitlab/init-revision: "1"
metrics:
enabled: true
service:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9187"
gitlab.com/prometheus_scrape: "true"
gitlab.com/prometheus_port: "9187"
## Optionally define additional custom metrics
## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
## Installation & configuration charts/registry
## https://docs.gitlab.com/charts/architecture/decisions#registry
## https://docs.gitlab.com/charts/charts/registry/
# registry:
# enabled: false
## Automatic shared secret generation
## https://docs.gitlab.com/charts/installation/secrets
## https://docs.gitlab.com/charts/charts/shared-secrets.html
shared-secrets:
enabled: true
rbac:
create: true
selfsign:
image:
# pullPolicy: IfNotPresent
# pullSecrets: []
repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign
# Default tag is `master`, overridable by `global.gitlabVersion`.
# tag: master
keyAlgorithm: "rsa"
keySize: "4096"
expiry: "3650d"
caSubject: "GitLab Helm Chart"
env: production
serviceAccount:
enabled: true
create: true
name: # Specify a pre-existing ServiceAccount name
resources:
requests:
cpu: 50m
securityContext:
# in debian/alpine based images, this is `nobody:nogroup`
runAsUser: 65534
fsGroup: 65534
tolerations: []
podLabels: {}
annotations: {}
## Installation & configuration of gitlab/gitlab-runner
## See requirements.yaml for current version
gitlab-runner:
install: true
rbac:
create: true
runners:
locked: false
config: |
[[runners]]
[runners.kubernetes]
image = "ubuntu:22.04"
{{- if .Values.global.minio.enabled }}
[runners.cache]
Type = "s3"
Path = "gitlab-runner"
Shared = true
[runners.cache.s3]
ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
BucketName = "runner-cache"
BucketLocation = "us-east-1"
Insecure = false
{{ end }}
podAnnotations:
gitlab.com/prometheus_scrape: "true"
gitlab.com/prometheus_port: 9252
traefik:
install: false
ports:
gitlab-shell:
expose: true
port: 2222
exposedPort: 22
## Settings for individual sub-charts under GitLab
## Note: Many of these settings are configurable via globals
gitlab:
## https://docs.gitlab.com/charts/charts/gitlab/toolbox
toolbox:
replicas: 1
antiAffinityLabels:
matchLabels:
app: gitaly
## https://docs.gitlab.com/charts/charts/gitlab/migrations
# migrations:
# enabled: false
## https://docs.gitlab.com/charts/charts/gitlab/webservice
# webservice:
# enabled: false
## https://docs.gitlab.com/charts/charts/gitlab/sidekiq
# sidekiq:
# enabled: false
## https://docs.gitlab.com/charts/charts/gitlab/gitaly
# gitaly:
## https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell
# gitlab-shell:
# enabled: false
## https://docs.gitlab.com/charts/charts/gitlab/gitlab-pages
# gitlab-pages:
## https://docs.gitlab.com/charts/charts/gitlab/kas
# kas:
## https://docs.gitlab.com/charts/charts/gitlab/praefect
# praefect:
## Installation & configuration of gitlab/gitlab-zoekt
gitlab-zoekt:
install: false
gateway:
basicAuth:
enabled: true
secretName: '{{ include "gitlab.zoekt.gateway.basicAuth.secretName" $ }}'
this needed for cloudflare redirect loop problem: nginx.ingress.kubernetes.io/ssl-redirect: "false" after occurred 422 error
if set hostfile to localhost like 192.168.156.100 gitlab.mydomain.hu its okay not 422 only if CF access
it's as if the problem is that cloudflare goes to the http protocol and throws it away there. I tried hacking with https: false parameters, but no success, I always get 422 if I want to access my gitlab via CF.
Edited by Norbert Sófalvi