diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2ca04ad1de..162c2abd1a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,6 +3,14 @@ 0.60.0 ------ +This release removes the Gitlab omnibus Helm chart that we created and used to have as a dependency +of the Renku Helm chart. We have been discouraging anyone from using +this chart in production and we specified this in our documentation as well. + +If you are using the internal Gitlab Helm chart then ensure to migrate to a separate +Gitlab deployment as specified in our `documentation `_. +before installing this or any subsequent Renku version. Gitlab publishes an official Helm chart and +that is what should be used for deploying Gitlab with Helm. 0.59.0 @@ -117,6 +125,10 @@ User-facing Changes Internal Changes ~~~~~~~~~~~~~~~~ +**Features** + +- **Helm chart**: remove the custom-made Gitlab Omnibus Helm chart from Renku dependencies + **Bug Fixes** - **Gateway**: Fix path rewrite middleware when the path contains escaped characters (`#726 `__). diff --git a/docs/how-to-guides/admin/gitlab.rst b/docs/how-to-guides/admin/gitlab.rst index be3ef7cab1..9f1b76f3c6 100644 --- a/docs/how-to-guides/admin/gitlab.rst +++ b/docs/how-to-guides/admin/gitlab.rst 
@@ -81,19 +81,8 @@ and existing GitLab users can use Renku without creating a separate Renku accoun GitLab deployed as part of Renku -------------------------------- -We do *not* recommend deploying the Renku-bundled GitLab as part of a production Renku deployment, -and instead suggest deploying GitLab using the `official GitLab cloud-native Kubernetes chart -`_. Deploying GitLab as part of Renku may be deprecated in the future. - -If your Renku deployment includes GitLab you need to follow some additional steps to configure an admin user on GitLab. - -To grant a GitLab user the GitLab admin role without having access to the GitLab Web UI, the following steps can be taken in the GitLab container console. - -#. Run ``gitlab-rails console -e production`` (this might take a while). -#. Find the user you would like to grant the admin role, for example by running ``user = User.find_by(email: 'renku@renkulab.io')`` or ``user = User.find_by(username: 'renku')``. -#. Grant the user the administrator role by running ``user.admin = true``. -#. Save the user's profile by running ``user.save!``. -#. Leave the console by running ``exit``. +Deploying the GitLab Helm chart as part of the Renku Helm chart has been deprecated. If you have a Renku deployment that uses +the Gitlab version that used to come bundled with Renku, then please follow the instructions below to migrate. Migrate from Renku-bundled Omnibus GitLab to cloud-native Gitlab Helm chart --------------------------------------------------------------------------- diff --git a/helm-chart/gitlab/.helmignore b/helm-chart/gitlab/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/helm-chart/gitlab/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/helm-chart/gitlab/Chart.yaml b/helm-chart/gitlab/Chart.yaml deleted file mode 100644 index 596260baa4..0000000000 --- a/helm-chart/gitlab/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart for the Renku Gitlab server -name: gitlab -version: 0.8.0 diff --git a/helm-chart/gitlab/requirements.yaml b/helm-chart/gitlab/requirements.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/helm-chart/gitlab/templates/_gitlab.rb.tpl b/helm-chart/gitlab/templates/_gitlab.rb.tpl deleted file mode 100644 index 6c9d8880a5..0000000000 --- a/helm-chart/gitlab/templates/_gitlab.rb.tpl +++ /dev/null 
@@ -1,133 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -GitLab Omnibus configuration -*/}} -{{- define "gitlab.config" -}} -## GitLab configuration settings -##! Check out the latest version of this file to know about the different -##! settings that can be configured by this file, which may be found at: -##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template - - -## GitLab URL -##! URL on which GitLab will be reachable. -##! For more details on configuring external_url see: -##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab -external_url '{{ template "renku.http" . }}://{{ .Values.global.renku.domain }}/gitlab' - -##! **Override only if you use a reverse proxy** -##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port -nginx['listen_port'] = 80 - -##! **Override only if your reverse proxy internally communicates over HTTP** -##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl -nginx['listen_https'] = false - -## Configure SSH port to be displayed correctly -gitlab_rails['gitlab_shell_ssh_port'] = {{ default 22 .Values.ssh.externalPort }} - -### OmniAuth Settings -###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html -gitlab_rails['omniauth_enabled'] = true -{{- if .Values.oauth.autoSignIn }} -gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'oauth2_generic' -{{- end }} -gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic'] -gitlab_rails['omniauth_block_auto_created_users'] = false -gitlab_rails['omniauth_providers'] = [ - { - 'name' => 'oauth2_generic', - 'app_id' => 'gitlab', - 'app_secret' => ENV['GITLAB_CLIENT_SECRET'], - 'args' => { - client_options: { - # Traefik maps keycloak to the URL below - # CAREFUL: This must be accessible from inside the keycloak container - # for server-to-server communication. - 'site' => '{{ template "renku.http" . 
}}://{{ .Values.global.renku.domain }}/auth/', - 'authorize_url' => '/auth/realms/Renku/protocol/openid-connect/auth', - 'user_info_url' => '/auth/realms/Renku/protocol/openid-connect/userinfo', - 'token_url' => '/auth/realms/Renku/protocol/openid-connect/token' - }, - user_response_structure: { - attributes: { email:'email', first_name:'given_name', last_name:'family_name', name:'name', nickname:'preferred_username' }, # if the nickname attribute of a user is called 'username' - id_path: 'sub' - }, - authorize_params: { - scope: "openid profile email" - } - }, - label: 'Renku Login' - } - ] - -gitlab_rails['initial_root_password'] = ENV['GITLAB_PASSWORD'] - -### GitLab database settings -###! Docs: https://docs.gitlab.com/omnibus/settings/database.html -###! **Only needed if you use an external database.** -postgresql['enable'] = false -gitlab_rails['db_adapter'] = "postgresql" -gitlab_rails['db_encoding'] = "utf-8" -gitlab_rails['db_database'] = ENV['POSTGRES_DATABASE'] -gitlab_rails['db_username'] = ENV['POSTGRES_USER'] -gitlab_rails['db_password'] = ENV['PGPASSWORD'] -gitlab_rails['db_host'] = '{{ template "postgresql.fullname" . }}' -gitlab_rails['db_port'] = 5432 - -### GitLab Redis settings -###! Connect to your own Redis instance -###! 
Docs: https://docs.gitlab.com/omnibus/settings/redis.html - -#### Redis TCP connection -# gitlab_rails['redis_host'] = localhost -# gitlab_rails['redis_port'] = 6379 -# gitlab_rails['redis_password'] = nil -# gitlab_rails['redis_database'] = 0 - -### GitLab LFS object store -### Docs: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html -{{ if .Values.lfsObjects.enabled -}} -gitlab_rails['lfs_object_store_enabled'] = true -gitlab_rails['lfs_object_store_remote_directory'] = "{{ .Values.lfsObjects.bucketName }}" -gitlab_rails['lfs_object_store_direct_upload'] = {{ .Values.lfsObjects.directUpload }} -gitlab_rails['lfs_object_store_background_upload'] = {{ .Values.lfsObjects.backgroundUpload }} -gitlab_rails['lfs_object_store_proxy_download'] = {{ .Values.lfsObjects.proxyDownload }} -gitlab_rails['lfs_object_store_connection'] = eval(ENV['GITLAB_LFS_CONNECTION']) -{{- end }} - -prometheus['enable'] = false -gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '10.0.0.0/8'] -gitlab_rails['env'] = { 'prometheus_multiproc_dir' => '/dev/shm' } - -### GitLab Registry settings -registry_external_url '{{ .Values.registry.externalUrl }}' -gitlab_rails['registry_enabled'] = {{ .Values.registry.enabled }} -registry_nginx['enable'] = false -registry['registry_http_addr'] = '0.0.0.0:8105' -### Registry backend storage -###! 
Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver -{{- if .Values.registry.storage }} -registry['storage'] = eval(ENV['GITLAB_REGISTRY_STORAGE']) -{{- end }} -registry['health_storagedriver_enabled'] = {{ .Values.registry.backendHealthcheck }} - -### GitLab rack-attack -### See: https://docs.gitlab.com/ce/security/rack_attack.html -### Disabled, as it is banning ingress controller IPs -gitlab_rails['rack_attack_git_basic_auth'] = { - 'enabled' => false -} - -{{ if .Values.logging.useJson -}} -gitaly['logging_format'] = 'json' -gitlab_shell['log_format'] = 'json' -gitlab_workhorse['log_format'] = 'json' -registry['log_formatter'] = 'json' -sidekiq['log_format'] = 'json' -gitlab_pages['log_format'] = 'json' -{{- end }} - -{{ .Values.extraConfig }} - -{{- end -}} diff --git a/helm-chart/gitlab/templates/_helpers.tpl b/helm-chart/gitlab/templates/_helpers.tpl deleted file mode 100644 index 4244a185db..0000000000 --- a/helm-chart/gitlab/templates/_helpers.tpl +++ /dev/null @@ -1,24 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "gitlab.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gitlab.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Hack for calling templates in a fake scope (until this is solved https://github.com/helm/helm/issues/4535) -*/}} -{{- define "call-nested" }} -{{- $dot := index . 0 }} -{{- $subchart := index . 1 }} -{{- $template := index . 2 }} -{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }} -{{- end }} 
diff --git a/helm-chart/gitlab/templates/configmap.yaml b/helm-chart/gitlab/templates/configmap.yaml deleted file mode 100644 index 6ab6774837..0000000000 --- a/helm-chart/gitlab/templates/configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "gitlab.fullname" . }}-config - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - gitlab.rb: |- -{{ include "gitlab.config" . | indent 4 }} diff --git a/helm-chart/gitlab/templates/deployment.yaml b/helm-chart/gitlab/templates/deployment.yaml deleted file mode 100644 index 271a586665..0000000000 --- a/helm-chart/gitlab/templates/deployment.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: POSTGRES_DATABASE - value: {{ .Values.global.gitlab.postgresDatabase }} - - name: POSTGRES_USER - value: {{ .Values.global.gitlab.postgresUser }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }}-postgres - key: gitlab-postgres-password - - name: GITLAB_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-client-secret - - name: GITLAB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-password - - name: RENKU_DOMAIN - value: {{ .Values.global.renku.domain }} - - name: GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: shared-runners-registration-token - {{- if .Values.lfsObjects.enabled }} - - name: GITLAB_LFS_CONNECTION - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-lfs-connection - {{- end }} - {{- if .Values.registry.storage }} - - name: GITLAB_REGISTRY_STORAGE - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . 
}} - key: gitlab-registry-storage - {{- end }} - ports: - - name: ssh - containerPort: 22 - - name: http - containerPort: 80 - - name: registry - containerPort: 8105 - livenessProbe: - httpGet: - path: /gitlab/help - port: http - # This pod takes a very long time to start up. Be cautious when - # lowering this value to avoid Pod death during startup. - initialDelaySeconds: 600 - timeoutSeconds: 15 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - path: /gitlab/help - port: http - initialDelaySeconds: 60 - timeoutSeconds: 15 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_data.mountPath }} - subPath: {{ .Values.persistence.gitlab_data.subPath }} - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_config.mountPath }} - subPath: {{ .Values.persistence.gitlab_config.subPath }} - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_logs.mountPath }} - subPath: {{ .Values.persistence.gitlab_logs.subPath }} - - name: config - mountPath: /etc/gitlab/gitlab.rb - subPath: gitlab.rb - volumes: - - name: gitlab-persistence - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (include "gitlab.fullname" .) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config - configMap: - name: {{ template "gitlab.fullname" . }}-config - - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/helm-chart/gitlab/templates/metrics-service.yaml b/helm-chart/gitlab/templates/metrics-service.yaml deleted file mode 100644 index 7c3cb5cf5f..0000000000 
--- a/helm-chart/gitlab/templates/metrics-service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.service.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if.Values.service.metrics.annotations }} - annotations: -{{ toYaml .Values.service.metrics.annotations | indent 4 }} -{{- end }} - name: {{ template "gitlab.fullname" . }}-metrics - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/helm-chart/gitlab/templates/pvc.yaml b/helm-chart/gitlab/templates/pvc.yaml deleted file mode 100644 index b508c61c3d..0000000000 --- a/helm-chart/gitlab/templates/pvc.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- if .Values.persistence.storageClass }} -{{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end -}} diff --git a/helm-chart/gitlab/templates/registry-ingress.yaml b/helm-chart/gitlab/templates/registry-ingress.yaml deleted file mode 100644 index 4f542363b2..0000000000 
--- a/helm-chart/gitlab/templates/registry-ingress.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if not (empty .Values.registry.exposedAs) -}} -{{- if eq .Values.registry.exposedAs "Ingress" -}} -{{- $gitlabFullname := include "gitlab.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ template "gitlab.fullname" . }}-registry - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: -{{- range $key, $value := .Values.registry.ingress.annotations }} - {{ $key }}: {{ $value | quote }} -{{- end }} -spec: -{{- if .Values.registry.ingress.tls }} - tls: - {{- range .Values.registry.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.registry.ingress.hosts }} - - host: {{ . }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ $gitlabFullname }} - port: - number: {{ 8105 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/helm-chart/gitlab/templates/registry-service.yaml b/helm-chart/gitlab/templates/registry-service.yaml deleted file mode 100644 index a5ca95c13f..0000000000 --- a/helm-chart/gitlab/templates/registry-service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if not (empty .Values.registry.exposedAs) -}} -{{- if eq .Values.registry.exposedAs "NodePort" -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }}-registry - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - clusterIP: 10.100.123.45 - type: NodePort - ports: - - port: 8105 - nodePort: 30105 - targetPort: registry - protocol: TCP - name: registry - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end -}} -{{- end -}} 
diff --git a/helm-chart/gitlab/templates/secret.yaml b/helm-chart/gitlab/templates/secret.yaml deleted file mode 100644 index 69d18b1284..0000000000 --- a/helm-chart/gitlab/templates/secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: - gitlab-password: {{ required "Fill in .Values.password with `openssl rand -hex 16`" .Values.password | b64enc | quote }} - gitlab-client-secret: {{ required "Fill in .Values.global.gitlab.clientSecret with `uuidgen -r`" .Values.global.gitlab.clientSecret | b64enc | quote }} - shared-runners-registration-token: {{ required "Fill in .Values.sharedRunnersRegistrationToken with `openssl rand -hex 32`" .Values.sharedRunnersRegistrationToken | b64enc | quote }} - -{{- if .Values.lfsObjects.enabled }} - gitlab-lfs-connection: {{ .Values.lfsObjects.connection | b64enc | quote }} -{{- end }} - -{{- if .Values.registry.storage }} - gitlab-registry-storage: {{ .Values.registry.storage | b64enc | quote }} -{{- end }} diff --git a/helm-chart/gitlab/templates/service.yaml b/helm-chart/gitlab/templates/service.yaml deleted file mode 100644 index 1fbe666f88..0000000000 --- a/helm-chart/gitlab/templates/service.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - - port: 22 - targetPort: ssh - protocol: TCP - name: ssh - - port: 8105 - targetPort: registry - protocol: TCP - name: registry - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} diff --git a/helm-chart/gitlab/templates/ssh-nodeport-service.yaml b/helm-chart/gitlab/templates/ssh-nodeport-service.yaml deleted file mode 100644 index 0a41ef4ce4..0000000000 --- a/helm-chart/gitlab/templates/ssh-nodeport-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if not (empty .Values.ssh.nodePortService) -}} -{{- if .Values.ssh.nodePortService.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }}-ssh - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: NodePort - ports: - - port: 22 - nodePort: {{ .Values.ssh.nodePortService.nodePort }} - targetPort: ssh - protocol: TCP - name: ssh - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end -}} -{{- end -}} diff --git a/helm-chart/gitlab/values.yaml b/helm-chart/gitlab/values.yaml deleted file mode 100644 index b57f908fb9..0000000000 --- a/helm-chart/gitlab/values.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -# Default values for gitlab. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -image: - repository: gitlab/gitlab-ce - tag: 14.10.5-ce.0 - pullPolicy: IfNotPresent - -ssh: - externalPort: 22 - nodePortService: - enabled: false - nodePort: 30022 - -oauth: - autoSignIn: false - -## LFS objects in remote object storage -## Follows: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage -lfsObjects: - enabled: false - bucketName: lfs-objects - directUpload: false - backgroundUpload: true - proxyDownload: false - # connection: |- - # { - # 'provider' => 'AWS', - # 'region' => 'eu-central-1', - # 'aws_access_key_id' => '1ABCD2EFGHI34JKLM567N', - # 'aws_secret_access_key' => 'abcdefhijklmnopQRSTUVwxyz0123456789ABCDE', - # # The below options configure an S3 compatible host instead of AWS - # 'host' => 'localhost', - # 'endpoint' => 'http://127.0.0.1:9000', - # 'path_style' => true - # } - -service: - type: ClusterIP - port: 80 - metrics: - enabled: true - annotations: - prometheus.io/scrape: "true" - prometheus.io/path: /gitlab/-/metrics - prometheus.io/port: "80" - -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - # storageClass: "-" - accessMode: ReadWriteOnce - size: 30Gi - - gitlab_data: - subPath: data - mountPath: /var/opt/gitlab - gitlab_config: - subPath: config - mountPath: /etc/gitlab - gitlab_logs: - subPath: logs - mountPath: /var/log/gitlab - - -registry: - enabled: false - exposedAs: Ingress - # exposedAs: NodePort - backendHealthcheck: true - # storage: |- - # { - # 's3' => { - # 'accesskey' => 's3-access-key', - # 'secretkey' => 's3-secret-key-for-access-key', - # 'bucket' => 'your-s3-bucket', - # 'region' => 'your-s3-region' - # } - # } - -resources: {} - # We usually 
recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# Enable json logs for all services -logging: - useJson: true - -## Add some extra configuration to gitlab.rb -# extraConfig: | -# ## Fix number of unicorn workers -# unicorn['worker_processes'] = 7 - -# ## Fix something else -# ... diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 7a214673d5..781c6a4d23 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -1,8 +1,4 @@ dependencies: - - name: gitlab - repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: 0.8.0 - condition: gitlab.enabled - name: postgresql version: "14.2.4" repository: "oci://registry-1.docker.io/bitnamicharts" diff --git a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml index 3fc1b30214..1950083500 100644 --- a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml @@ -41,7 +41,7 @@ spec: initContainers: {{- include "certificates.initContainer" . | nindent 8 }} containers: - - name: gateway + - name: gateway image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}" imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} securityContext: 
@@ -56,7 +56,7 @@ spec: secretKeyRef: name: {{ .Values.global.redis.existingSecret }} key: {{ .Values.global.redis.existingSecretPasswordKey }} - - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET valueFrom: secretKeyRef: name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} @@ -130,4 +130,3 @@ spec: - name: public-config configMap: name: {{ template "renku.fullname" . }}-gateway - diff --git a/helm-chart/renku/templates/gateway/secret.yaml b/helm-chart/renku/templates/gateway/secret.yaml index 02feb32174..189c0638b4 100644 --- a/helm-chart/renku/templates/gateway/secret.yaml +++ b/helm-chart/renku/templates/gateway/secret.yaml @@ -2,11 +2,7 @@ {{- $oidcClientSecret := .Values.gateway.oidcClientSecret | default .Values.global.gateway.clientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $gitlabClientSecret := "" -}} -{{- if .Values.gitlab.enabled -}} -{{- $gitlabClientSecret = .Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret | default (randAlphaNum 64) | b64enc | quote }} -{{- else -}} {{- $gitlabClientSecret = required "Fill in .Values.gateway.gitlabClientSecret or .Values.global.gateway.gitlabClientSecret with the OIDC client secret you created in Gitlab" (.Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret) | b64enc | quote -}} -{{- end -}} {{- $gatewaySecret := .Values.gateway.secretKey | default (randAlphaNum 64) | b64enc | quote }} {{- $cliClientSecret := .Values.gateway.cliClientSecret | default .Values.global.gateway.cliClientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $notebooksClientSecret := .Values.notebooks.oidc.clientSecret | default (randAlphaNum 64) | b64enc | quote }} 
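Review bot: `$gitlabClientSecret` is still initialised to `""` on the line above and then immediately reassigned with `=`, a leftover of the removed if/else; with the `required` branch now unconditional the two lines can collapse into a single `{{- $gitlabClientSecret := required "..." (.Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret) | b64enc | quote -}}`. Since `gitlab.enabled` defaulted to `true` in values.yaml before this change, this `required` call is the first thing an operator upgrading a bundled-Gitlab deployment will hit, so the message should point at the migration rather than only at the value, e.g. `required "The Renku-bundled Gitlab was removed in 0.60.0; set .Values.gateway.gitlabClientSecret or .Values.global.gateway.gitlabClientSecret to the OIDC client secret of your external Gitlab (see the admin Gitlab migration guide)"`. The rest of the secret template continues outside the hunk.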
@@ -58,15 +54,6 @@ {{- end -}} {{- end -}} -{{- if .Values.gitlab.enabled -}} -{{- if not .Values.global.gitlab.clientSecret -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} -{{- if $secret }} -{{- $gitlabClientInKeycloakSecret = index $secret.data "gitlabClientInKeycloakSecret" }} -{{- end -}} -{{- end -}} -{{- end }} - {{- $tokenEncryptionSecretKey := randAlphaNum 32 | b64enc | quote }} {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} {{- if $secret }} @@ -112,11 +99,6 @@ data: notebooksClientSecret: {{ $notebooksClientSecret }} # A secret for the UI server client in Keycloak uiserverClientSecret: {{ $uiserverClientSecret }} - {{- if .Values.gitlab.enabled }} - # A secret for the Gitlab client in Keycloak if an internal Gitlab is used - gitlabClientInKeycloakSecret: {{ $gitlabClientInKeycloakSecret }} - {{- end }} cookieEncodingKey: {{ $csrfCookieEncodingKey }} cookieHashKey: {{ $csrfCookieHashKey }} tokenEncryption: {{ $tokenEncryptionSecretKey }} - diff --git a/helm-chart/renku/templates/gitlab-postgres-secret.yaml b/helm-chart/renku/templates/gitlab-postgres-secret.yaml deleted file mode 100644 index b8ce7270e8..0000000000 --- a/helm-chart/renku/templates/gitlab-postgres-secret.yaml +++ /dev/null 
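Review bot: The removed lookup block was the only visible assignment to `$gitlabClientInKeycloakSecret`; if its declaration earlier in the template (outside this hunk) is kept, it is now dead, because the `data:` entry that consumed it is dropped in the next hunk, and it should be removed too. Dropping that key also means an upgraded release silently discards the stored secret of the `gitlab` client previously created in Keycloak; a comment in the `data:` block such as `# gitlabClientInKeycloakSecret was removed with the bundled Gitlab in 0.60.0; delete the stale 'gitlab' client from the Renku realm after migrating` would tell operators what to clean up. Whether the realm setup job removes that client on its own is not visible here.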
@@ -1,29 +0,0 @@ ---- -{{- if .Values.gitlab.enabled }} -{{- $db_password := default (randAlphaNum 64) .Values.global.gitlab.postgresPassword.value | b64enc | quote }} - -{{- $renkuFullname := include "renku.fullname" . -}} - -{{- if not .Values.global.gitlab.postgresPassword.value -}} -{{- $secretName := cat $renkuFullname "-gitlab-postgres" | nospace }} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} -{{- if $secret }} -{{- $db_password = index $secret.data "gitlab-postgres-password" }} -{{- end -}} -{{- end -}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "renku.fullname" . }}-gitlab-postgres - labels: - app: {{ template "renku.name" . }} - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": "pre-install,pre-upgrade,pre-rollback" -type: Opaque -data: - gitlab-postgres-password: {{ $db_password }} -{{- end }} diff --git a/helm-chart/renku/templates/ingress.yaml b/helm-chart/renku/templates/ingress.yaml index 17cd9794ff..5f52d16be2 100644 --- a/helm-chart/renku/templates/ingress.yaml +++ b/helm-chart/renku/templates/ingress.yaml @@ -2,7 +2,6 @@ {{- $keycloakEnabled := .Values.keycloakx.enabled -}} {{- $keycloakFullname := include "keycloak.fullname" . -}} {{- $keycloakServicePort := .Values.keycloakx.ingress.servicePort -}} -{{- $gitlabEnabled := .Values.gitlab.enabled -}} {{- $gitlabFullname := include "gitlab.fullname" . -}} {{- $gitlabServicePort := 80 -}} {{- $uiFullname := include "ui.fullname" . -}} @@ -67,15 +66,9 @@ spec: pathType: Prefix backend: service: - {{- if $gitlabEnabled }} - name: {{ $gitlabFullname }} - port: - number: {{ $gitlabServicePort }} - {{ else }} name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - {{- end }} - path: /repos pathType: Prefix backend: diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 3aa0a88615..dc695fc3ce 100644 
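Review bot: `$gitlabFullname` and `$gitlabServicePort` are still defined at the top of ingress.yaml, but the only use shown for them was the backend block removed in the second hunk; unless they are referenced further down the file (not visible here), `{{- $gitlabFullname := include "gitlab.fullname" . -}}` and `{{- $gitlabServicePort := 80 -}}` are dead and should go together with `$gitlabEnabled`. The `gitlab.fullname` helper is not among the deleted subchart templates in this diff, so it presumably lives in the Renku chart's own helpers; if this was its last caller, that definition can be removed as well. The ingress rules list continues outside the hunk.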
--- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -25,20 +25,6 @@ spec: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} {{- end }} - {{- if .Values.gitlab.enabled }} - - podSelector: - matchLabels: - app: gitlab - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - - podSelector: - matchLabels: - app: post-install-gitlab - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - {{- end }} - podSelector: matchLabels: app: event-log diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 8c91721c55..1971f576a1 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml @@ -63,26 +63,17 @@ spec: - name: DEMO_USER_PASSWORD valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-kc-demo-user" | nospace }} + name: {{ cat (include "renku.fullname" .) "-kc-demo-user" | nospace }} key: keycloakDemoUserPassword {{- end }} - name: INTERNAL_GITLAB_ENABLED - value: {{ .Values.gitlab.enabled | toString | lower | quote }} - {{- if .Values.gitlab.enabled }} - - name: INTERNAL_GITLAB_OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} - key: gitlabClientInKeycloakSecret - - name: INTERNAL_GITLAB_OIDC_CLIENT_ID - value: "gitlab" - {{- end }} + value: "false" - name: RENKU_KC_CLIENT_ID value: renku - name: RENKU_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: oidcClientSecret - name: RENKU_KC_CLIENT_PUBLIC value: "false" diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 8a75fb54b8..37b6588f2b 100644 --- a/helm-chart/renku/values.yaml 
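Review bot: `INTERNAL_GITLAB_ENABLED` is now a hard-coded `"false"`, which turns the variable into a compatibility shim for the setup image rather than configuration; a comment above `- name: INTERNAL_GITLAB_ENABLED` such as `# Always false since 0.60.0 (bundled Gitlab removed); kept only until the realm setup image drops the flag` would stop the next reader from wiring it back to a value. It is not visible here whether the job, when the flag is false, removes a `gitlab` client that an earlier run created in the Renku realm; if it does not, the migration guide should tell operators to delete that client, since the chart no longer stores its secret. The container spec of the job continues outside the hunk.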
+++ b/helm-chart/renku/values.yaml 
@@ -508,146 +508,6 @@ solr: size: 8Gi zookeeper: enabled: false -## Gitlab configuration -gitlab: - ## Spawn a gitlab instance - enabled: true - ## Password for the `root` user - password: gitlabadmin - ## Gitlab image - image: - # pullPolicy: IfNotPresent - repository: gitlab/gitlab-ce - # Check out the gitlab docs on upgrading versions before changing the image tag. - # https://docs.gitlab.com/ee/update/#upgrade-paths - # in particular major versions https://docs.gitlab.com/ce/update/#upgrading-to-a-new-major-version - tag: 14.10.5-ce.0 - ## automatically log in to gitlab - oauth: - autoSignIn: true - ## Pod affinity for Gitlab deployment - # affinity: {} - ## Node selector for Gitlab deployment - # nodeSelector: {} - ## Pod tolerations for Gitlab deployment - # tolerations: [] - - ## Resource requests/limits for Gitlab - # resources: {} - - ## Registration token for gitlab runners (initial value, can be regenerated from gitlab admin ui) - ## Generated using: `openssl rand -hex 32` - sharedRunnersRegistrationToken: - ## Set to true to make the user 'demo' a GitLab admin - demoUserIsAdmin: false - ## External port for git ssh protocol - ## This setting affects the copy-paste repo git+ssh URL - # sshPort: 22 - - ## LFS objects settings - ## Used to store git-lfs objects externally - ## Note: bucket must exist before use, GitLab won't do it - ## Follows: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage - # lfsObjects: - ## Set to true to enable remote LFS objects - # enabled: false - ## Bucket name - # bucketName: lfs-objects - # directUpload: false - # backgroundUpload: true - # proxyDownload: false - # connection: |- - # { - # 'provider' => 'AWS', - # 'region' => 'eu-central-1', - # 'aws_access_key_id' => '1ABCD2EFGHI34JKLM567N', - # 'aws_secret_access_key' => 'abcdefhijklmnopQRSTUVwxyz0123456789ABCDE', - # # The below options configure an S3 compatible host instead of AWS - # 'host' => 'localhost', - # 
'endpoint' => 'http://127.0.0.1:9000', - # 'path_style' => true - # } - - ## Persistent Volume settings - persistence: - # accessMode: ReadWriteOnce - size: 30Gi - ## Mount points for the PV - ## Setup according to the volumes declared in the Gitlab image - # gitlab_data: - # subPath: data - # mountPath: /var/opt/gitlab - # gitlab_config: - # subPath: config - # mountPath: /etc/gitlab - # gitlab_logs: - # subPath: logs - # mountPath: /var/log/gitlab - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - ## Set to false to disable the use of Persistent Volume - ## The databases will be lost when the pod is terminated! - # enabled: true - - ## Service configuration for Gitlab - ## Modify service.type according to your setup - # service: - # port: 80 - # type: ClusterIP - - ## Container image registry settings - registry: - ## Set to true to enable Gitlab registry - enabled: false - ## The URL to access the registry - # externalUrl: - ## Set `exposedAs` to "NodePort" when deploying on minikube - ## Set `exposedAs` to "Ingress" to expose the registry on an alternate domain. 
- # exposedAs: NodePort - ## Storage driver configuration for the registry - ## See: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-storage-driver - # storage: |- - # { - # 's3' => { - # 'accesskey' => 's3-access-key', - # 'secretkey' => 's3-secret-key-for-access-key', - # 'bucket' => 'your-s3-bucket', - # 'region' => 'your-s3-region' - # } - # } - ## Registry ingress, when `exposedAs` is set to "Ingress" - ## Uses conventional settings for ingress - ## Find below an example of values - # ingress: - # annotations: - # cert-manager.io/cluster-issuer: letsencrypt-production - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-body-size: '0' - # hosts: - # - registry.example.com - # tls: - # - hosts: - # - registry.example.com - # secretName: registry-tls - ## Add some extra configuration to gitlab.rb - # extraConfig: | - # ## Fix number of unicorn workers - # unicorn['worker_processes'] = 7 -# ## Fix something else -# ... - ## Configuration for the UI service ui: client: diff --git a/scripts/generate-values/base-renku-values.yaml.template b/scripts/generate-values/base-renku-values.yaml.template index 731296e5b5..d78ac6d1b9 100644 --- a/scripts/generate-values/base-renku-values.yaml.template +++ b/scripts/generate-values/base-renku-values.yaml.template @@ -18,29 +18,9 @@ global: useHTTPS: true gateway: secretKey: -gitlab: - enabled: false - password: - sharedRunnersRegistrationToken: - lfsObjects: - enabled: false - connection: {{}} - registry: - enabled: false - externalUrl: https://registry.{renku_domain} - storage: {{}} - ingress: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/proxy-body-size: '0' - hosts: - - {gitlab_registry} - tls: - - hosts: - - {gitlab_registry} - secretName: registry-tls graph: + gitlab: + url: {gitlab_url} tokenRepository: tokenEncryption: secret: 
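Review bot: The new `graph.gitlab.url: {gitlab_url}` line depends on a `gitlab_url` format placeholder that the removed block never used (it only had `{gitlab_registry}` and `{renku_domain}`), so unless the `global` section above the hunk already consumes it, the generator that renders this template must be extended to supply it or rendering will fail with a KeyError; please confirm it is set from the same source as the external GitLab URL. The deleted block also removed the `password:` and `sharedRunnersRegistrationToken:` slots, so if the generator still produces those secrets they are now silently discarded — the generation code should go too, so no unused credentials are minted or logged. The `graph:` mapping this hunk edits continues past the end of the hunk.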
@@ -60,13 +40,11 @@ ingress: - hosts: - {renku_domain} secretName: {namespace}-renku-ch-tls -jena: - users: - admin: - password: - renku: - password: notebooks: + gitlab: + registry: + host: {gitlab_registry} + url: {gitlab_url} oidc: allowUnverifiedEmail: true authUrl: https://{renku_domain}/auth/realms/Renku/protocol/openid-connect/auth
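Review bot: The removal of the `jena.users.admin.password` and `jena.users.renku.password` placeholders is unrelated to the GitLab chart removal and nothing in the hunk says why they go; if the chart or the generator still reads `jena.users.*.password`, those credentials would now fall back to chart defaults instead of generated values, which silently weakens a production values file. Either move this into its own commit, or, if Jena is confirmed to be gone from the chart, say so in a comment above `notebooks:`, e.g. `# jena credentials dropped: the triple store is no longer deployed by the chart`. The `notebooks:` and `oidc:` mappings continue past the end of the hunk.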