
Commit 92d87da

committed Dec 31, 2023
Add gitlab helm
1 parent 1b22c79 commit 92d87da

6 files changed

+193
-84
lines changed

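--- a/cue.mod/usr/k8s.io/api/core/v1/types.cue
+++ b/cue.mod/usr/k8s.io/api/core/v1/types.cue
@@ -4,3 +4,8 @@ package v1
 apiVersion: "v1"
 kind: "Namespace"
 }
+
+#ServiceAccount: {
+apiVersion: "v1"
+kind: "ServiceAccount"
+}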
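Review bot: The new `#ServiceAccount` block, like the `#Role`/`#RoleBinding` block in the following hunk, carries no comment saying what it is for, and because it lives under `cue.mod/usr` I read it as a constraint overlay on generated definitions rather than a standalone schema, which a reader could easily mistake it for. A header comment at the top of the file such as `// Overlay for the generated k8s.io/api/core/v1 definitions: pins apiVersion/kind, which the generated schema leaves open` would make that explicit; confirm the overlay relationship against the repository's cue.mod layout, since the generated side is not visible here. If the definition is in fact standalone, then `metadata` and the other fields used by callers are unconstrained, and that is worth stating just as plainly.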
+11
@@ -0,0 +1,11 @@
1+
package v1
2+
3+
#Role: {
4+
apiVersion: "rbac.authorization.k8s.io/v1"
5+
kind: "Role"
6+
}
7+
8+
#RoleBinding: {
9+
apiVersion: "rbac.authorization.k8s.io/v1"
10+
kind: "RoleBinding"
11+
}

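--- a/flake.nix
+++ b/flake.nix
@@ -108,6 +108,11 @@
 url = "https://cloudnative-pg.github.io/charts/cloudnative-pg-0.20.0.tgz";
 digest = "44d55c35d46a08b79c4b158005363ae9b4f07640afede9133c4776000893f786";
 };
+gitlab.src = utils.fetchurlHexDigest {
+# renovate: helm=https://charts.gitlab.io package=gitlab version=7.7.0
+url = "https://gitlab-charts.s3.amazonaws.com/gitlab-7.7.0.tgz";
+digest = "0b832d1e53997d2556adb2bac9fd1b4c7c63ac481bf930a15a34a0352c962136";
+};
 };
 in {
 packages.${system} = rec {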

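--- a/k8s/democratic-csi/democratic-csi.cue
+++ b/k8s/democratic-csi/democratic-csi.cue
@@ -52,7 +52,7 @@ kustomizations: helm: "release": {
 storageClasses: [{
 name: localHostpath
 defaultClass: false
-reclaimPolicy: "Delete"
+reclaimPolicy: "Retain"
 volumeBindingMode: "WaitForFirstConsumer"
 allowVolumeExpansion: true
 }]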

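--- a/k8s/gitlab/buckets.cue
+++ b/k8s/gitlab/buckets.cue
@@ -0,0 +1,65 @@
+package netserv
+
+import (
+"strconv"
+rook "pythoner6.dev/netserv/k8s/rook:netserv"
+bucketclaims "objectbucket.io/objectbucketclaim/v1alpha1"
+externalsecrets "external-secrets.io/externalsecret/v1beta1"
+)
+
+#BucketClaim: this=(bucketclaims.#ObjectBucketClaim & {
+spec: {
+bucketName: this.metadata.name
+storageClassName: rook.kustomizations.cluster.manifest.bucketStorageClass.metadata.name
+}
+})
+
+let objectStoreUrl = "http://\(rook.objectStoreHost):\(strconv.FormatInt(rook.objectStorePort,10))"
+
+#BucketSecret: externalsecrets.#ExternalSecret & {
+#bucket: _
+#store: _
+metadata: name: #bucket.metadata.name
+spec: {
+secretStoreRef: {
+name: #store.metadata.name
+kind: #store.kind
+}
+refreshInterval: "0"
+target: {
+name: metadata.name
+deletionPolicy: "Merge"
+creationPolicy: "Merge"
+template: {
+engineVersion: "v2"
+data:
+connection: """
+provider: AWS
+path_style: true
+host: \(strconv.Quote(rook.objectStoreHost))
+endpoint: \(strconv.Quote(objectStoreUrl))
+region: ""
+aws_signature_version: 4
+aws_access_key_id: {{ .aws_access_key_id | quote }}
+aws_secret_access_key: {{ .aws_secret_access_key | quote }}
+"""
+}
+}
+data: [
+{
+secretKey: "aws_access_key_id"
+remoteRef: {
+key: metadata.name
+property: "AWS_ACCESS_KEY_ID"
+}
+},
+{
+secretKey: "aws_secret_access_key"
+remoteRef: {
+key: metadata.name
+property: "AWS_SECRET_ACCESS_KEY"
+}
+},
+]
+}
+}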
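Review bot: `refreshInterval: "0"` in `#BucketSecret` makes the ExternalSecret render the `connection` template once, so if the key pair in the source secret is ever rotated the merged `connection` value keeps the old credentials until someone re-triggers the sync; if that is the intended trade-off, a comment next to it such as `// refreshInterval 0: rendered once; re-sync by hand after a credential rotation` would keep the next maintainer from treating the secret as self-healing. `objectStoreUrl` is built with a fixed `http://` scheme, so bucket traffic to the object store is cleartext; that may be acceptable for in-cluster traffic, but the assumption deserves a one-line comment on the `let` binding, and the scheme would be better taken from the rook package alongside the host and port if it ever exposes one. The `#BucketClaim` and `#BucketSecret` bodies appear to be moved from gitlab.cue with only the extracted `objectStoreUrl` binding changed.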

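--- a/k8s/gitlab/gitlab.cue
+++ b/k8s/gitlab/gitlab.cue
@@ -1,81 +1,33 @@
 package netserv
 
 import (
-"strconv"
 dcsi "pythoner6.dev/netserv/k8s/democratic-csi:netserv"
 cnpg "pythoner6.dev/netserv/k8s/cnpg:netserv"
 rook "pythoner6.dev/netserv/k8s/rook:netserv"
 clusters "postgresql.cnpg.io/cluster/v1"
-bucketclaims "objectbucket.io/objectbucketclaim/v1alpha1"
 //secretstores "external-secrets.io/secretstore/v1beta1"
-externalsecrets "external-secrets.io/externalsecret/v1beta1"
+helmrelease "helm.toolkit.fluxcd.io/helmrelease/v2beta2"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 )
 
 appName: "gitlab"
 #Charts: _
 
-#BucketClaim: this=(bucketclaims.#ObjectBucketClaim & {
-spec: {
-bucketName: this.metadata.name
-storageClassName: rook.kustomizations.cluster.manifest.bucketStorageClass.metadata.name
-}
-})
-
-#BucketSecret: externalsecrets.#ExternalSecret & {
-#bucket: _
-#store: _
-metadata: name: #bucket.metadata.name
-spec: {
-secretStoreRef: {
-name: #store.metadata.name
-kind: #store.kind
-}
-refreshInterval: "0"
-target: {
-name: metadata.name
-deletionPolicy: "Merge"
-creationPolicy: "Merge"
-template: {
-engineVersion: "v2"
-data:
-connection: """
-provider: AWS
-path_style: true
-host: \(strconv.Quote(rook.objectStoreHost))
-endpoint: \(strconv.Quote("http://" + rook.objectStoreHost + ":" + strconv.FormatInt(rook.objectStorePort, 10)))
-region: ""
-aws_signature_version: 4
-aws_access_key_id: {{ .aws_access_key_id | quote }}
-aws_secret_access_key: {{ .aws_secret_access_key | quote }}
-"""
-}
-}
-data: [
-{
-secretKey: "aws_access_key_id"
-remoteRef: {
-key: metadata.name
-property: "AWS_ACCESS_KEY_ID"
-}
-},
-{
-secretKey: "aws_secret_access_key"
-remoteRef: {
-key: metadata.name
-property: "AWS_SECRET_ACCESS_KEY"
-}
-},
-]
-}
+let nodeAffinity = {
+nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [{
+matchExpressions: [{
+key: "storage"
+operator: "In"
+values: ["yes"]
+}]
+}]
 }
 
 kustomizations: $default: #dependsOn: [dcsi.kustomizations.helm, cnpg.kustomizations.helm, rook.kustomizations.cluster]
 kustomizations: $default: manifest: {
 ns: #AppNamespace
-db: clusters.#Cluster & {
-metadata: name: "gitlab"
+"gitlab-db": clusters.#Cluster & {
 spec: {
 instances: 3
 maxSyncReplicas: 2
@@ -84,17 +36,10 @@ kustomizations: $default: manifest: {
 storageClass: dcsi.localHostpath
 size: "10Gi"
 }
-affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [{
-matchExpressions: [{
-key: "storage"
-operator: "In"
-values: ["yes"]
-}]
-}]
+affinity: nodeAffinity
 }
 }
-praefectDb: clusters.#Cluster & {
-metadata: name: "praefect"
+"praefect-db": clusters.#Cluster & {
 spec: {
 instances: 3
 maxSyncReplicas: 2
@@ -103,24 +48,14 @@ kustomizations: $default: manifest: {
 storageClass: dcsi.localHostpath
 size: "1Gi"
 }
-affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: [{
-matchExpressions: [{
-key: "storage"
-operator: "In"
-values: ["yes"]
-}]
-}]
+affinity: nodeAffinity
 }
 }
 storeServiceAccount: corev1.#ServiceAccount & {
-apiVersion: "v1"
-kind: "ServiceAccount"
 metadata: name: "bucket-secrets-store"
 }
 // TODO restrict to specific secrets
 storeRole: rbacv1.#Role & {
-apiVersion: "rbac.authorization.k8s.io/v1"
-kind: "Role"
 metadata: name: "bucket-secrets-store"
 rules: [{
 apiGroups: [""]
@@ -129,8 +64,6 @@ kustomizations: $default: manifest: {
 }]
 }
 storeRoleBinding: rbacv1.#RoleBinding & {
-apiVersion: "rbac.authorization.k8s.io/v1"
-kind: "RoleBinding"
 metadata: name: "bucket-secrets-store"
 subjects: [{
 kind: storeServiceAccount.kind
@@ -144,6 +77,7 @@ kustomizations: $default: manifest: {
 }
 }
 store="bucket-secrets-store": {
+// CUE MaxFields is broken so the ES CRD doesn't validate right now
 apiVersion: "external-secrets.io/v1beta1"
 kind: "SecretStore"
 spec: provider: kubernetes: {
@@ -170,6 +104,95 @@ kustomizations: $default: manifest: {
 packagesSecret: #BucketSecret & { #bucket: packagesBucket, #store: store }
 }
 
-//kustomizations: helm: #dependsOn: [kustomizations["$default"]]
-//kustomizations: helm: manifest: {
-//}
+let gitlabDbRw = kustomizations["$default"].manifest["gitlab-db"].metadata.name + "-rw"
+let gitlabDbPass = kustomizations["$default"].manifest["gitlab-db"].metadata.name + "-app"
+let praefectDbRw = kustomizations["$default"].manifest["praefect-db"].metadata.name + "-rw"
+let praefectDbPass = kustomizations["$default"].manifest["praefect-db"].metadata.name + "-app"
+
+kustomizations: helm: #dependsOn: [kustomizations["$default"]]
+kustomizations: helm: manifest: {
+(appName): helmrelease.#HelmRelease & {
+spec: {
+chart: spec: #Charts[appName]
+interval: "10m0s"
+values: {
+global: {
+hosts: domain: "home.josephmartin.org"
+nodeSelector: storage: "yes"
+gitaly: enabled: true
+minio: enabled: false
+ingress: configureCertmanager: false
+pages: enabled: false
+psql: {
+host: gitlabDbRw
+database: "app"
+username: "app"
+password: {
+secret: gitlabDbPass
+key: "password"
+}
+}
+praefect: {
+enabled: true
+dbSecret: {
+secret: praefectDbPass
+key: "password"
+}
+psql: {
+user: "app"
+dbName: "app"
+host: praefectDbRw
+}
+virtualStorages: [{
+name: "default"
+gitalyReplicas: 3
+maxUnavailable: 1
+persistence: {
+enabled: true
+size: "50Gi"
+accessMode: "ReadWriteOnce"
+storageClass: dcsi.localHostpath
+defaultReplicationFactor: 3
+}
+}]
+}
+appConfig: {
+lfs: {
+enabled: true
+proxy_download: true
+bucket: kustomizations["$default"].manifest.lfsBucket.spec.bucketName
+connection: secret: kustomizations["$default"].manifest.lfsSecret.metadata.name
+}
+artifacts: {
+enabled: true
+proxy_download: true
+bucket: kustomizations["$default"].manifest.artifactsBucket.spec.bucketName
+connection: secret: kustomizations["$default"].manifest.artifactsSecret.metadata.name
+}
+uploads: {
+enabled: true
+proxy_download: true
+bucket: kustomizations["$default"].manifest.uploadsBucket.spec.bucketName
+connection: secret: kustomizations["$default"].manifest.uploadsSecret.metadata.name
+}
+packages: {
+enabled: true
+proxy_download: true
+//bucket: kustomizations["default"].manifest.packagesBucket.spec.bucketName
+connection: secret: kustomizations["$default"].manifest.packagesSecret.metadata.name
+}
+}
+}
+"certmanager-issuer": install: false
+prometheus: install: false
+postgresql: install: false
+"gitlab-runner": install: false
+gitlab: toolbox: enabled: false
+redis: {
+master: nodeSelector: storage: "yes"
+global: storageClass: dcsi.localHostpath
+}
+}
+}
+}
+}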
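Review bot: In the last hunk the commented-out `bucket:` line under `appConfig.packages` (new line 181) reads `kustomizations["default"]` while every sibling uses `kustomizations["$default"]`, so it would not resolve if re-enabled, and as committed the packages store gets a connection secret but no bucket name, which I expect means the chart falls back to its own default bucket name against a bucket this repo does not create (inferred; confirm against the chart values). The consistent line would be `bucket: kustomizations["$default"].manifest.packagesBucket.spec.bucketName`, matching the lfs, artifacts and uploads sections. `defaultReplicationFactor: 3` sits inside the virtual storage's `persistence` block; if it is meant to be the virtual storage's replication factor, I believe the chart reads it as a sibling of `persistence`, so this is worth checking against the chart schema. With `ingress: configureCertmanager: false` and `"certmanager-issuer": install: false`, nothing in this hunk shows where the TLS certificate for the `home.josephmartin.org` ingress comes from; a comment on the `ingress:` line naming the secret or issuer that supplies it would save the next reader a search.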
