From 811cd3ce8decbfe8a8f08f53c7cbce21ffb1ff63 Mon Sep 17 00:00:00 2001 From: Joe Richardson Date: Fri, 22 Nov 2024 14:55:08 -0500 Subject: [PATCH 01/16] fix: added gitaly cgroups init image to package --- values/registry1-values.yaml | 5 +++++ values/unicorn-values.yaml | 5 +++++ values/upstream-values.yaml | 5 +++++ zarf.yaml | 3 +++ 4 files changed, 18 insertions(+) diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml index 17ce6cc9..19826878 100644 --- a/values/registry1-values.yaml +++ b/values/registry1-values.yaml @@ -22,6 +22,11 @@ gitlab: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly tag: 17.5.2 + cgroups: + initContainer: + image: + repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups + tag: v17.5.2 gitlab-exporter: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter diff --git a/values/unicorn-values.yaml b/values/unicorn-values.yaml index a55bae9c..b69ce9de 100644 --- a/values/unicorn-values.yaml +++ b/values/unicorn-values.yaml @@ -22,6 +22,11 @@ gitlab: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly tag: v17.5.2 + cgroups: + initContainer: + image: + repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups + tag: v17.5.2 gitlab-exporter: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml index a55bae9c..b69ce9de 100644 --- a/values/upstream-values.yaml +++ b/values/upstream-values.yaml @@ -22,6 +22,11 @@ gitlab: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly tag: v17.5.2 + cgroups: + initContainer: + image: + repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups + tag: v17.5.2 gitlab-exporter: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter diff --git a/zarf.yaml b/zarf.yaml index d99e9185..4e77666c 100644 --- a/zarf.yaml +++ b/zarf.yaml 
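Review bot: `repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups` in all three values files names a host that the same commit never adds to zarf.yaml's `images:` list (which packages `registry.gitlab.com/...`), so Zarf is unlikely to rewrite this reference to the internal registry and the Gitaly pod will try to pull from the public internet — a hard failure in an air-gapped cluster and an unvetted pull anywhere else. Beyond correcting the host, a CI lint that every `image.repository:tag` under `values/` appears in one of zarf.yaml's image lists would catch this class of drift before it ships. Pinning by digest alongside `v17.5.2` would also make the mirrored image unambiguous, if the package build supports it.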
@@ -58,6 +58,7 @@ components: - "registry1.dso.mil/ironbank/gitlab/gitlab/certificates:17.5.2" - "registry1.dso.mil/ironbank/gitlab/gitlab/cfssl-self-sign:1.6.1" - "registry1.dso.mil/ironbank/gitlab/gitlab/gitaly:17.5.2" + - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2" - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry:17.5.2" - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages:17.5.2" - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell:17.5.2" @@ -88,6 +89,7 @@ components: - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.5.2" + - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.5.2" @@ -118,6 +120,7 @@ components: - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.5.2" + - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.5.2" - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.5.2" From 222320f74453d468adaf513d391f38292fdc222a Mon Sep 17 00:00:00 2001 From: Joe Richardson Date: Fri, 22 Nov 2024 15:32:38 -0500 Subject: [PATCH 02/16] fixed urls in values files for cgroups init container --- values/registry1-values.yaml | 2 +- values/unicorn-values.yaml | 2 +- values/upstream-values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml index 19826878..f7493028 100644 
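Review bot: `registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2` is the only image in the registry1 component that does not come from `registry1.dso.mil/ironbank`, which quietly breaks the provenance property that flavor exists to provide (hardened, scanned Iron Bank images only) without anything in the file saying so. If no Iron Bank build exists, annotate the entry so consumers see the exception in review rather than in a scan report, e.g. `# upstream (non-Iron Bank) image: no IB build of gitaly-init-cgroups exists yet; only pulled when gitlab.gitaly.cgroups.enabled=true`. The enclosing `images:` key is above the hunk.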
--- a/values/registry1-values.yaml
+++ b/values/registry1-values.yaml
@@ -25,7 +25,7 @@ gitlab:
 cgroups:
 initContainer:
 image:
- repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups
+ repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
 tag: v17.5.2
 gitlab-exporter:
 image:
diff --git a/values/unicorn-values.yaml b/values/unicorn-values.yaml
index b69ce9de..184872e8 100644
--- a/values/unicorn-values.yaml
+++ b/values/unicorn-values.yaml
@@ -25,7 +25,7 @@ gitlab:
 cgroups:
 initContainer:
 image:
- repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups
+ repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
 tag: v17.5.2
 gitlab-exporter:
 image:
diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
index b69ce9de..184872e8 100644
--- a/values/upstream-values.yaml
+++ b/values/upstream-values.yaml
@@ -25,7 +25,7 @@ gitlab:
 cgroups:
 initContainer:
 image:
- repository: registry.com/gitlab-org/build/cng/gitaly-init-cgroups
+ repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
 tag: v17.5.2
 gitlab-exporter:
 image:
From 4dffcc4a780fdf4e166904fdbb2cd489d517ff21 Mon Sep 17 00:00:00 2001
From: Rob McElvenny
Date: Wed, 4 Dec 2024 12:57:45 -0500
Subject: [PATCH 03/16] updated images to 17.6.1
---
 zarf.yaml | 80 +++++++++++++++++++++++++++----------------------------
 1 file changed, 40 insertions(+), 40 deletions(-)
diff --git a/zarf.yaml b/zarf.yaml
index a1832b1b..26b036ba 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -57,18 +57,18 @@ components:
 images:
 - "registry1.dso.mil/ironbank/gitlab/gitlab/certificates:17.6.1"
 - "registry1.dso.mil/ironbank/gitlab/gitlab/cfssl-self-sign:1.6.1"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitaly:17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base:17.5.2"
- - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter:17.5.2"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitaly:17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base:17.6.1"
+ - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter:17.6.1"
 # Note: upstream flavor is experimental
 - name: gitlab
@@ -86,20 +86,20 @@ components:
 valuesFiles:
 - values/upstream-values.yaml
 images:
- - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.5.2"
+ - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.1"
+ - 
"registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.6.1" # Note: unicorn flavor is experimental - name: gitlab 
@@ -117,17 +117,17 @@ components:
 valuesFiles:
 - values/unicorn-values.yaml
 images:
- - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.5.2"
- - "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.5.2"
+ - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.6.1"
+ - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.1"
+ - 
"registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.6.1" From be54385031c0483e49e63d87c8cc065afa0e541d Mon Sep 17 00:00:00 2001 From: Joe Richardson Date: Wed, 4 Dec 2024 22:17:19 -0500 Subject: [PATCH 04/16] The hacky yaml that's supposed to work --- values/common-values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/values/common-values.yaml b/values/common-values.yaml index c98c2d54..d626e94d 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -186,6 +186,14 @@ gitlab: enabled: true serviceMonitor: enabled: true + cgroups: + enabled: false + initContainer: + securityContext: + runAsUser: | + 0 + privileged: true + runAsGroup: 0 gitlab-shell: # override to enable ssh From 6d815ad68827e05fb3c6e767fdde855275966a0d Mon Sep 17 00:00:00 2001 From: Joe Richardson Date: Wed, 4 Dec 2024 22:18:08 -0500 Subject: [PATCH 05/16] Added note to clarify that "false" is "" not `false` --- docs/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration.md b/docs/configuration.md index 822d148a..296921ca 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -83,7 +83,7 @@ By default, the application is configured to work with `uds-package-minio-operat If you are not using in-cluster MinIO, but rather are using an external cloud providers object storage, you have two options. You can either create an object storage secret manually and disable the generation of the secret or have the helm chart generate one for you based on a set of input values. > [!NOTE] -> If you would like to opt out of the in-chart secret generation process, you may disable it by setting the zarf variable GENERATE_STORAGE_SECRET to false. Then you can provide your own object store secret, named gitlab-object-store, as needed following GitLab's documentation. +> If you would like to opt out of the in-chart secret generation process, you may disable it by setting the zarf variable `GENERATE_STORAGE_SECRET` to false. As with any Zarf variable, "false" is the empty string `""`. If set to `"false"` it will evaluate to `true` in the Helm template causing the storage secret to still be generated. With `GENERATE_STORAGE_SECRET=""`, you can now provide your own object store secret, named `gitlab-object-store`. When configuring the GitLab to connect to S3 storage in AWS, it is assumed IRSA will be used to connect to the buckets. The prerequisites for this are the buckets created with the appropriate iam roles and policies. Once those are created, two values need to be overridden in the config chart for secret generation: `storage.createSecret.provider` needs to be set to `aws` and `storage.createSecret.region` needs to be set to your AWS regions (i.e `us-gov-west-1`). From there, additional overrides are required in the gitlab chart to finish this setup. Specifically, the gitlab service accounts need to be overridden to have the annotations that are required for IRSA. Below is an example of how you would define the variable overrides where you would then pass in the IAM role ARNs on deploy. 
From 471fa929ae9a77d89c330876c60201401674da1d Mon Sep 17 00:00:00 2001 From: Joe Richardson Date: Wed, 4 Dec 2024 23:24:20 -0500 Subject: [PATCH 06/16] Added note to help the next guy --- docs/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration.md b/docs/configuration.md index 296921ca..685d4ca1 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -83,7 +83,7 @@ By default, the application is configured to work with `uds-package-minio-operat If you are not using in-cluster MinIO, but rather are using an external cloud providers object storage, you have two options. You can either create an object storage secret manually and disable the generation of the secret or have the helm chart generate one for you based on a set of input values. > [!NOTE] -> If you would like to opt out of the in-chart secret generation process, you may disable it by setting the zarf variable `GENERATE_STORAGE_SECRET` to false. As with any Zarf variable, "false" is the empty string `""`. If set to `"false"` it will evaluate to `true` in the Helm template causing the storage secret to still be generated. With `GENERATE_STORAGE_SECRET=""`, you can now provide your own object store secret, named `gitlab-object-store`. +> If you would like to opt out of the in-chart secret generation process, you may disable it by setting the zarf variable `GENERATE_STORAGE_SECRET` to false. As with any Zarf variable, "false" is the empty string `""`. If set to `"false"` it will evaluate to `true` in the Helm template causing the storage secret to still be generated. With `GENERATE_STORAGE_SECRET=""`, you can now provide your own object store secret, named `gitlab-object-store`. If this doesn't work, you can always override `storage.createSecret.enabled` in the config chart. When configuring the GitLab to connect to S3 storage in AWS, it is assumed IRSA will be used to connect to the buckets. The prerequisites for this are the buckets created with the appropriate iam roles and policies. Once those are created, two values need to be overridden in the config chart for secret generation: `storage.createSecret.provider` needs to be set to `aws` and `storage.createSecret.region` needs to be set to your AWS regions (i.e `us-gov-west-1`). From there, additional overrides are required in the gitlab chart to finish this setup. 
Specifically, the gitlab service accounts need to be overridden to have the annotations that are required for IRSA. Below is an example of how you would define the variable overrides where you would then pass in the IAM role ARNs on deploy. From c89e949d7bd373a8f4b77abf90eefe862d30a733 Mon Sep 17 00:00:00 2001 From: Joe Richardson Date: Thu, 5 Dec 2024 10:25:26 -0500 Subject: [PATCH 07/16] bumbed versions back up --- values/registry1-values.yaml | 4 ++-- values/unicorn-values.yaml | 4 ++-- values/upstream-values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml index 8f483462..76272b03 100644 --- a/values/registry1-values.yaml +++ b/values/registry1-values.yaml @@ -21,12 +21,12 @@ gitlab: gitaly: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly - tag: 17.5.2 + tag: 17.6.1 cgroups: initContainer: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups - tag: v17.5.2 + tag: v17.6.1 gitlab-exporter: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter diff --git a/values/unicorn-values.yaml b/values/unicorn-values.yaml index b8d49fdd..c01b8b9b 100644 --- a/values/unicorn-values.yaml +++ b/values/unicorn-values.yaml @@ -21,12 +21,12 @@ gitlab: gitaly: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly - tag: v17.5.2 + tag: v17.6.1 cgroups: initContainer: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups - tag: v17.5.2 + tag: v17.6.1 gitlab-exporter: image: repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml index b8d49fdd..c01b8b9b 100644 --- a/values/upstream-values.yaml +++ b/values/upstream-values.yaml 
@@ -21,12 +21,12 @@ gitlab:
 gitaly:
 image:
 repository: registry.gitlab.com/gitlab-org/build/cng/gitaly
- tag: v17.5.2
+ tag: v17.6.1
 cgroups:
 initContainer:
 image:
 repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
- tag: v17.5.2
+ tag: v17.6.1
 gitlab-exporter:
 image:
 repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter
From 0fe6ccbbb1cc2e7c9213368bad3663883bcc14d1 Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Thu, 5 Dec 2024 10:29:20 -0500
Subject: [PATCH 08/16] Added comment clarifying purpose of multi-line oddity
---
 values/common-values.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/values/common-values.yaml b/values/common-values.yaml
index d626e94d..b06cb55e 100644
--- a/values/common-values.yaml
+++ b/values/common-values.yaml
@@ -190,6 +190,7 @@ gitlab:
 enabled: false
 initContainer:
 securityContext:
+ # This multi-line oddity is a hacky way to bypass: https://gitlab.com/gitlab-org/gitlab/-/issues/507883
 runAsUser: |
 0
 privileged: true
From 59edf0a8819d4b09802e02ef200561b64c1e43a6 Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Thu, 5 Dec 2024 10:57:39 -0500
Subject: [PATCH 09/16] backed out unrelated docs change
---
 docs/configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 685d4ca1..7b4530c2 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -83,7 +83,7 @@ By default, the application is configured to work with `uds-package-minio-operat If you are not using in-cluster MinIO, but rather are using an external cloud providers object storage, you have two options. You can either create an object storage secret manually and disable the generation of the secret or have the helm chart generate one for you based on a set of input values. > [!NOTE] -> If you would like to opt out of the in-chart secret generation process, you may disable it by setting the zarf variable `GENERATE_STORAGE_SECRET` to false. As with any Zarf variable, "false" is the empty string `""`. If set to `"false"` it will evaluate to `true` in the Helm template causing the storage secret to still be generated. With `GENERATE_STORAGE_SECRET=""`, you can now provide your own object store secret, named `gitlab-object-store`. If this doesn't work, you can always override `storage.createSecret.enabled` in the config chart. +> If you would like to opt out of the in-chart secret generation process, you may disable it by setting the zarf variable `GENERATE_STORAGE_SECRET` to false. Then you can provide your own object store secret, named `gitlab-object-store`, as needed following GitLab's documentation. When configuring the GitLab to connect to S3 storage in AWS, it is assumed IRSA will be used to connect to the buckets. The prerequisites for this are the buckets created with the appropriate iam roles and policies. Once those are created, two values need to be overridden in the config chart for secret generation: `storage.createSecret.provider` needs to be set to `aws` and `storage.createSecret.region` needs to be set to your AWS regions (i.e `us-gov-west-1`). From there, additional overrides are required in the gitlab chart to finish this setup. Specifically, the gitlab service accounts need to be overridden to have the annotations that are required for IRSA. 
Below is an example of how you would define the variable overrides where you would then pass in the IAM role ARNs on deploy.
From b3f308e587ced98c6d6b84cd19adeeff58594e6c Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 10:22:17 -0500
Subject: [PATCH 10/16] dropped upstream image from ironbank flavor
---
 values/registry1-values.yaml | 6 +-----
 zarf.yaml | 1 -
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml
index 76272b03..e5aa0254 100644
--- a/values/registry1-values.yaml
+++ b/values/registry1-values.yaml
@@ -22,11 +22,7 @@ gitlab:
 image:
 repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly
 tag: 17.6.1
- cgroups:
- initContainer:
- image:
- repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
- tag: v17.6.1
+ # Note, the registry1 flavor is missing the cgroups init image because it's not in ironbank
 gitlab-exporter:
 image:
 repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter
diff --git a/zarf.yaml b/zarf.yaml
index 26b036ba..1cbce058 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -58,7 +58,6 @@ components:
 - "registry1.dso.mil/ironbank/gitlab/gitlab/certificates:17.6.1"
 - "registry1.dso.mil/ironbank/gitlab/gitlab/cfssl-self-sign:1.6.1"
 - "registry1.dso.mil/ironbank/gitlab/gitlab/gitaly:17.6.1"
- - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.6.1"
 - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry:17.6.1"
 - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages:17.6.1"
 - "registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell:17.6.1"
From 6d301f416f81d4109af39527528df5b8653a65d1 Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 10:37:55 -0500
Subject: [PATCH 11/16] added docs for gitaly custom cgroups
---
 docs/configuration.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/docs/configuration.md b/docs/configuration.md
index 7b4530c2..335d5e2d 100644
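Review bot: Dropping the `cgroups.initContainer.image` override for the registry1 flavor without also pinning `cgroups.enabled: false` in the same block leaves a trap: a registry1 deployment that turns `gitlab.gitaly.cgroups.enabled` on will presumably fall back to the chart's default init-container image, which is neither in this flavor's zarf.yaml image list nor from Iron Bank, so the pod either fails to pull in an air-gapped cluster or pulls an unvetted upstream image. Setting `cgroups: enabled: false` explicitly here, beside the note, records the intent at the point where someone would override it. The note itself would read more clearly as `# Note: the registry1 flavor omits the cgroups init image because Iron Bank does not publish one; gitaly cgroups must stay disabled for this flavor`.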
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -327,3 +327,15 @@ This will configure a bot account named `renovatebot` and create a PAT with scop
 > [!NOTE]
 > If the GitLab instance is configured with a license for Premium or Ultimate, [Gitlab Service Accounts](https://docs.gitlab.com/ee/user/profile/service_accounts.html) will be created. Otherwise, standard user accounts will be created.
+
+
+## Gitaly HA
+
+To use [custom cgroup sizes for Gitaly](https://docs.gitlab.com/ee/administration/gitaly/kubernetes.html#constrain-git-processes-resource-usage):
+
+1. Set `gitlab.gitaly.cgroups.enabled` to `true` in the `gitlab` chart.
+2. Set the cgroup permissions under the pod's resource limits as shown in the [GitLab docs](https://docs.gitlab.com/ee/administration/gitaly/kubernetes.html#constrain-git-processes-resource-usage).
+3. Set `gitaly-cgroups-init.enabled` to `true` in the `uds-gitlab-config` chart. This causes a policy exemption to be created allowing the init container privileged access to the host nodes, required to customize the cgroups.
+
+> [!NOTE]
+> Only the `upstream` and `unicorn` flavors include the Gitaly init container required for this configuration. It will not work if using the `registry1` flavor.
From 4feb3f173ecccd474beadb598e7b6bbce96a62a6 Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 10:41:02 -0500
Subject: [PATCH 12/16] Added exemptions
---
 .../templates/gitaly-cgroups-exemption.yaml | 22 +++++++++++++++++++
 charts/config/values.yaml | 4 ++++
 2 files changed, 26 insertions(+)
 create mode 100644 charts/config/templates/gitaly-cgroups-exemption.yaml
diff --git a/charts/config/templates/gitaly-cgroups-exemption.yaml b/charts/config/templates/gitaly-cgroups-exemption.yaml
new file mode 100644
index 00000000..f029a3c8
--- /dev/null
+++ b/charts/config/templates/gitaly-cgroups-exemption.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- if .Values.gitaly-cgroups-init.enabled }}
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+ name: gitaly-cgroups-init-container
+ namespace: uds-policy-exemptions
+spec:
+ exemptions:
+ - policies:
+ - RestrictHostPathWrite
+ - RestrictVolumeTypes
+ - RequireNonRootUser
+ - DisallowPrivileged
+ matcher:
+ namespace: {{ .Release.Namespace }}
+ name: "gitlab-gitaly.*"
+ title: "gitlab gitaly exemptions"
+ description: "Exemption allows cgroup modification by init container. See https://docs.gitlab.com/ee/administration/gitaly/kubernetes.html#constrain-git-processes-resource-usage"
+{{- end }}
\ No newline at end of file
diff --git a/charts/config/values.yaml b/charts/config/values.yaml
index ccccba94..384174bf 100644
--- a/charts/config/values.yaml
+++ b/charts/config/values.yaml
@@ -81,6 +81,10 @@ mirroring:
 ports:
 - 443
+# Add the exemption for the gitaly cgroups init container
+gitaly-cgroups-init:
+ enabled: false
+
 # custom:
 # # Notice no `remoteGenerated` field here on custom internal rule
 # - direction: Ingress
From c9d4b728eb8bd1e1aa4d85da63ac4c2a3c71d55e Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 10:41:40 -0500
Subject: [PATCH 13/16] removed hardcoded namespace paths
---
 charts/config/templates/gitlab-object-store-secret.yaml | 2 +-
 charts/settings/templates/settings-secret.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/config/templates/gitlab-object-store-secret.yaml b/charts/config/templates/gitlab-object-store-secret.yaml
index 80e02c26..b12ce4ae 100644
--- a/charts/config/templates/gitlab-object-store-secret.yaml
+++ b/charts/config/templates/gitlab-object-store-secret.yaml
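Review bot: The matcher `name: "gitlab-gitaly.*"` is an unanchored regex at pod scope, so the exemption lifts `DisallowPrivileged`, `RequireNonRootUser`, `RestrictHostPathWrite` and `RestrictVolumeTypes` from every container in every pod whose name contains `gitlab-gitaly`, not just from the init container the description claims to cover — the Gitaly main container and any future sidecar inherit the same latitude. Anchor it to the StatefulSet pod names (presumably `gitlab-gitaly-<ordinal>`), `name: "^gitlab-gitaly-[0-9]+$"`, and make the description state the real blast radius, e.g. `description: "Pod-level exemption for the Gitaly StatefulSet so its cgroups init container can run privileged as root and write the node cgroup hierarchy; applies to every container in the pod."`. If the Exemption CRD can scope by container name, that would be the better fix. Separately, `.Values.gitaly-cgroups-init.enabled` will not parse as a Go template field chain because `-` is not an identifier character, so this template fails to render until the values key is renamed.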
@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: gitlab-object-store
- namespace: gitlab
+ {{ .Release.Namespace }}
 type: kubernetes.io/opaque
 stringData:
 {{- $awsAccessKey := "" }}
diff --git a/charts/settings/templates/settings-secret.yaml b/charts/settings/templates/settings-secret.yaml
index 57d9dde4..d9ea3b09 100644
--- a/charts/settings/templates/settings-secret.yaml
+++ b/charts/settings/templates/settings-secret.yaml
@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: gitlab-settings-secret
- namespace: gitlab
+ {{ .Release.Namespace }}
 type: Opaque
 stringData:
 application.json: {{ .Values.settingsJob.application | toJson | quote }}
From 6d627b266669d5d56e95873aea152d4e8a0e0072 Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 10:43:19 -0500
Subject: [PATCH 14/16] added missing newline
---
 charts/config/templates/gitaly-cgroups-exemption.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/config/templates/gitaly-cgroups-exemption.yaml b/charts/config/templates/gitaly-cgroups-exemption.yaml
index f029a3c8..3f818184 100644
--- a/charts/config/templates/gitaly-cgroups-exemption.yaml
+++ b/charts/config/templates/gitaly-cgroups-exemption.yaml
@@ -19,4 +19,4 @@ spec:
 name: "gitlab-gitaly.*"
 title: "gitlab gitaly exemptions"
 description: "Exemption allows cgroup modification by init container. See https://docs.gitlab.com/ee/administration/gitaly/kubernetes.html#constrain-git-processes-resource-usage"
-{{- end }}
\ No newline at end of file
+{{- end }}
From 04ec39e7245c48dda6d1460fc0590bef2af5594f Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 10:45:10 -0500
Subject: [PATCH 15/16] fixed the oopsies
---
 charts/config/templates/gitlab-object-store-secret.yaml | 2 +-
 charts/settings/templates/settings-secret.yaml | 2 +-
 docs/configuration.md | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/charts/config/templates/gitlab-object-store-secret.yaml b/charts/config/templates/gitlab-object-store-secret.yaml
index b12ce4ae..e73a131e 100644
--- a/charts/config/templates/gitlab-object-store-secret.yaml
+++ b/charts/config/templates/gitlab-object-store-secret.yaml
@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: gitlab-object-store
- {{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
 type: kubernetes.io/opaque
 stringData:
 {{- $awsAccessKey := "" }}
diff --git a/charts/settings/templates/settings-secret.yaml b/charts/settings/templates/settings-secret.yaml
index d9ea3b09..93462704 100644
--- a/charts/settings/templates/settings-secret.yaml
+++ b/charts/settings/templates/settings-secret.yaml
@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: gitlab-settings-secret
- {{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
 type: Opaque
 stringData:
 application.json: {{ .Values.settingsJob.application | toJson | quote }}
diff --git a/docs/configuration.md b/docs/configuration.md
index 335d5e2d..15766f8d 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -328,7 +328,6 @@ This will configure a bot account named `renovatebot` and create a PAT with scop
 > [!NOTE]
 > If the GitLab instance is configured with a license for Premium or Ultimate, [Gitlab Service Accounts](https://docs.gitlab.com/ee/user/profile/service_accounts.html) will be created. Otherwise, standard user accounts will be created.
-
 ## Gitaly HA
 To use [custom cgroup sizes for Gitaly](https://docs.gitlab.com/ee/administration/gitaly/kubernetes.html#constrain-git-processes-resource-usage):
From a873371137450d3073d9bd75ff90cde7e790cf6b Mon Sep 17 00:00:00 2001
From: Joe Richardson
Date: Fri, 6 Dec 2024 11:48:07 -0500
Subject: [PATCH 16/16] bug fixes
---
 charts/config/templates/gitaly-cgroups-exemption.yaml | 3 ++-
 charts/config/values.yaml | 2 +-
 docs/configuration.md | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/charts/config/templates/gitaly-cgroups-exemption.yaml b/charts/config/templates/gitaly-cgroups-exemption.yaml
index 3f818184..9f30ac02 100644
--- a/charts/config/templates/gitaly-cgroups-exemption.yaml
+++ b/charts/config/templates/gitaly-cgroups-exemption.yaml
@@ -1,7 +1,8 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-{{- if .Values.gitaly-cgroups-init.enabled }}
+{{- if .Values.gitalyCgroupsInit.enabled }}
+
 apiVersion: uds.dev/v1alpha1
 kind: Exemption
 metadata:
diff --git a/charts/config/values.yaml b/charts/config/values.yaml
index 384174bf..b5c7d246 100644
--- a/charts/config/values.yaml
+++ b/charts/config/values.yaml
@@ -82,7 +82,7 @@ mirroring:
 - 443
 # Add the exemption for the gitaly cgroups init container
-gitaly-cgroups-init:
+gitalyCgroupsInit:
 enabled: false
 # custom:
diff --git a/docs/configuration.md b/docs/configuration.md
index 15766f8d..b22055e2 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
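Review bot: `gitalyCgroupsInit.enabled` in the config chart and `gitlab.gitaly.cgroups.enabled` in the gitlab chart are two independent switches for one feature, and nothing in either hunk keeps them in sync: true here with cgroups off leaves a standing privileged-root exemption on the Gitaly pod that no init container is using, and false here with cgroups on gets the pod rejected by policy. The one-line comment above the key should spell out that coupling, e.g. `# Creates the UDS policy exemption that lets the Gitaly cgroups init container run privileged as root. Set ONLY together with gitlab.gitaly.cgroups.enabled=true in the gitlab chart, and turn both off together — an exemption with no consumer is a standing privilege grant.` Driving both flags from a single Zarf variable would remove the drift altogether.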
@@ -334,7 +334,7 @@ To use [custom cgroup sizes for Gitaly](https://docs.gitlab.com/ee/administratio
 1. Set `gitlab.gitaly.cgroups.enabled` to `true` in the `gitlab` chart.
 2. Set the cgroup permissions under the pod's resource limits as shown in the [GitLab docs](https://docs.gitlab.com/ee/administration/gitaly/kubernetes.html#constrain-git-processes-resource-usage).
-3. Set `gitaly-cgroups-init.enabled` to `true` in the `uds-gitlab-config` chart. This causes a policy exemption to be created allowing the init container privileged access to the host nodes, required to customize the cgroups.
+3. Set `gitalyCgroupsInit` to `true` in the `uds-gitlab-config` chart. This causes a policy exemption to be created allowing the init container privileged access to the host nodes, required to customize the cgroups.
 > [!NOTE]
 > Only the `upstream` and `unicorn` flavors include the Gitaly init container required for this configuration. It will not work if using the `registry1` flavor.