From 4aacc19070cbb7ff957e9e0d8c99726183da0b68 Mon Sep 17 00:00:00 2001
From: Thomas Stieglmaier
Date: Thu, 13 Jan 2022 12:18:13 +0100
Subject: [PATCH 01/12] allow to use a custom secret
---
 .../dependabot-gitlab/templates/_helpers.tpl | 8 ++++++++
 .../templates/deployment-web.yaml | 4 ++++
 .../templates/deployment-worker.yaml | 4 ++++
 .../templates/migration-job.yaml | 8 ++++++++
 .../templates/registration-job.yaml | 4 ++++
 .../dependabot-gitlab/templates/secrets.yaml | 4 +++-
 charts/dependabot-gitlab/values.yaml | 19 +++++++++++++++++++
 7 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/charts/dependabot-gitlab/templates/_helpers.tpl b/charts/dependabot-gitlab/templates/_helpers.tpl
index 9ac0bfd0..18433e4f 100644
--- a/charts/dependabot-gitlab/templates/_helpers.tpl
+++ b/charts/dependabot-gitlab/templates/_helpers.tpl
@@ -128,7 +128,11 @@ Migration job wait container
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 {{- end }}
@@ -149,5 +153,9 @@ Redis wait container
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 {{- end }}
diff --git a/charts/dependabot-gitlab/templates/deployment-web.yaml b/charts/dependabot-gitlab/templates/deployment-web.yaml
index 86f0084f..28d87467 100644
--- a/charts/dependabot-gitlab/templates/deployment-web.yaml
+++ b/charts/dependabot-gitlab/templates/deployment-web.yaml
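Review bot: The same four-line `if`/`else` around `secretRef.name` is pasted into both wait-container helpers in `_helpers.tpl` and again in the hunks for `deployment-web.yaml`, `deployment-worker.yaml`, `migration-job.yaml` (twice) and `registration-job.yaml`, so any later change to how the secret name is resolved has to be made in seven places, and one missed copy leaves a pod reading the wrong Secret. A single named template in `_helpers.tpl`, say `dependabot-gitlab.secretName` with the body `{{ default (include "dependabot-gitlab.fullname" .) .Values.credentials.existingSecret }}`, would let every call site read `name: {{ include "dependabot-gitlab.secretName" . | quote }}`. Quoting also keeps a secret name that looks like a number or a boolean from being retyped by the YAML parser. Both helper definitions start outside their hunks.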
@@ -51,7 +51,11 @@ spec:
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 ports:
 - name: http
 containerPort: {{ .Values.service.port }}
diff --git a/charts/dependabot-gitlab/templates/deployment-worker.yaml b/charts/dependabot-gitlab/templates/deployment-worker.yaml
index 327c10d4..b3a85715 100644
--- a/charts/dependabot-gitlab/templates/deployment-worker.yaml
+++ b/charts/dependabot-gitlab/templates/deployment-worker.yaml
@@ -67,7 +67,11 @@ spec:
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 {{- if .Values.metrics.enabled }}
 ports:
 - name: metrics
diff --git a/charts/dependabot-gitlab/templates/migration-job.yaml b/charts/dependabot-gitlab/templates/migration-job.yaml
index 18ec5978..734d6dcc 100644
--- a/charts/dependabot-gitlab/templates/migration-job.yaml
+++ b/charts/dependabot-gitlab/templates/migration-job.yaml
@@ -28,7 +28,11 @@ spec:
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}-migration-job
 {{- include "dependabot-gitlab.image" . | nindent 10 }}
@@ -43,7 +47,11 @@ spec:
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 {{- with .Values.migrationJob.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
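Review bot: Rotating a user-managed secret will probably not restart these pods. In `deployment-web.yaml` and `deployment-worker.yaml` the containers now take their environment from `credentials.existingSecret`, while the rendered pod templates further down this page carry a `checksum/secrets` annotation that is presumably derived from the chart's own `secrets.yaml`. If so, the annotation stays constant once the chart Secret is skipped, and a rotated token only reaches the containers after a manual rollout. State this next to the value, e.g. `# pods are not restarted when this secret changes; roll the deployments after rotating it`. The pod specs start and end outside these hunks, so the annotation template itself is not visible here.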
diff --git a/charts/dependabot-gitlab/templates/registration-job.yaml b/charts/dependabot-gitlab/templates/registration-job.yaml
index ef855a96..52477536 100644
--- a/charts/dependabot-gitlab/templates/registration-job.yaml
+++ b/charts/dependabot-gitlab/templates/registration-job.yaml
@@ -32,7 +32,11 @@ spec:
 - configMapRef:
 name: {{ include "dependabot-gitlab.fullname" . }}
 - secretRef:
+ {{- if .Values.credentials.existingSecret }}
+ name: {{ .Values.credentials.existingSecret }}
+ {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
+ {{- end }}
 {{- with .Values.createProjectsJob.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
diff --git a/charts/dependabot-gitlab/templates/secrets.yaml b/charts/dependabot-gitlab/templates/secrets.yaml
index dca85871..e06763ec 100644
--- a/charts/dependabot-gitlab/templates/secrets.yaml
+++ b/charts/dependabot-gitlab/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if (not .Values.credentials.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -20,8 +21,9 @@ data:
 {{- else if .Values.env.mongoDbUri }}
 MONGODB_URI: {{ .Values.env.mongoDbUri | b64enc | quote }}
 {{- else if and (not .Values.mongodb.enabled) .Values.mongodb.auth.enabled }}
- MONGODB_PASSWORD: {{ required "MongoDB password must be provided" .Values.mongodb.auth.password | b64enc | quote }}
+ MONGODB_PASSWORD: {{ required "MongoDB password must be provided" .Values.mongodb.auth.password | b64enc | quote }}
 {{- end }}
 {{- range $key, $val := .Values.registriesCredentials }}
 {{ $key }}: {{ $val | b64enc | quote }}
 {{- end }}
+{{- end }}
diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml
index a65180a9..758b04bc 100644
--- a/charts/dependabot-gitlab/values.yaml
+++ b/charts/dependabot-gitlab/values.yaml
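Review bot: Wrapping the whole Secret in `{{- if (not .Values.credentials.existingSecret) }}` in `secrets.yaml` also switches off the `registriesCredentials` range and the `required "MongoDB password must be provided"` check. With `existingSecret` set, registry tokens left in values are silently ignored and the external-MongoDB password is no longer validated at render time. Either fail fast, e.g. `{{- if and .Values.credentials.existingSecret .Values.registriesCredentials }}{{ fail "registriesCredentials is ignored when credentials.existingSecret is set" }}{{- end }}`, or say in the `existingSecret` comment that registry credentials must be added to the user's secret as extra keys. The body of the Secret between the two hunks is not visible here.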
@@ -220,6 +220,19 @@ credentials:
 github_access_token: ""
 # -- Gitlab auth token for webhook authentication
 gitlab_auth_token: ""
+ # set a secret name here if you want to manage secrets on your own
+ # best way is then to also use existingSecret for redis and mongodb
+ # necessary keys are:
+ # - SETTINGS__GITLAB_ACCESS_TOKEN
+ # - REDIS_PASSWORD
+ # - MONGODB_PASSWORD (necessary for the dependabot chart, should be the same as mongodb-password)
+ # - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD)
+ # optional keys are:
+ # - SETTINGS__GITHUB_ACCESS_TOKEN
+ # - SETTINGS__GITLAB_AUTH_TOKEN
+ # - MONGODB_URI
+
+ existingSecret:
 # -- Credentials for private registries
 # Example: PRIVATE_DOCKERHUB_TOKEN: token
@@ -247,6 +260,10 @@ redis:
 enabled: true
 # -- Redis password
 password: ""
+ # set the name of an existing secret to be used (optional, will ignore other password setting when used)
+ existingSecret:
+ # set the name of the key when using an existing secret, to avoid duplication we set this to
+ existingSecretPasswordKey: REDIS_PASSWORD
 # ref: https://github.com/bitnami/charts/tree/master/bitnami/mongodb
 mongodb:
@@ -261,6 +278,8 @@ mongodb:
 usernames: ["dependabot-gitlab"]
 # -- MongoDB custom user passwords
 passwords: []
+ # set the name of an existing secret to be used (optional, will ignore other password setting when used)
+ existingSecret:
 service:
 # -- Mongodb service port
 port: 27017
--
GitLab
From 890ae4a35757293837c79f3b93ceb8ca343c5835 Mon Sep 17 00:00:00 2001
From: Thomas Stieglmaier
Date: Thu, 13 Jan 2022 12:27:02 +0100
Subject: [PATCH 02/12] better documentation (hopefully correct format)
---
 charts/dependabot-gitlab/values.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml
index 758b04bc..ff167fbc 100644
--- a/charts/dependabot-gitlab/values.yaml
+++ b/charts/dependabot-gitlab/values.yaml
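Review bot: The key list documented above `credentials.existingSecret` in `values.yaml` does not match what the workloads read. One bullet says `mongodb-password` while the next names the key `mongodb-passwords`, and the rendered MongoDB Deployment further down this page also reads a `mongodb-root-password` key, which the list omits; presumably that key is looked up in the same secret once `mongodb.auth.existingSecret` is set. Because every dependabot container imports the secret wholesale through `envFrom.secretRef`, the comment should also say that the secret ought to hold only the listed keys, or recommend separate secrets for the subcharts. The three new `existingSecret:` entries are bare keys that parse as null; `existingSecret: ""` would match the neighbouring `password: ""` defaults.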
@@ -220,7 +220,7 @@ credentials:
 github_access_token: ""
 # -- Gitlab auth token for webhook authentication
 gitlab_auth_token: ""
- # set a secret name here if you want to manage secrets on your own
+ # -- dependabot chart: set a secret name here if you want to manage secrets on your own
 # best way is then to also use existingSecret for redis and mongodb
 # necessary keys are:
 # - SETTINGS__GITLAB_ACCESS_TOKEN
@@ -231,7 +231,6 @@ credentials:
 # - SETTINGS__GITHUB_ACCESS_TOKEN
 # - SETTINGS__GITLAB_AUTH_TOKEN
 # - MONGODB_URI
-
 existingSecret:
 # -- Credentials for private registries
@@ -260,9 +259,9 @@ redis:
 enabled: true
 # -- Redis password
 password: ""
- # set the name of an existing secret to be used (optional, will ignore other password setting when used)
+ # -- Redis name of an existing secret to be used (optional, will ignore other password setting when used)
 existingSecret:
- # set the name of the key when using an existing secret, to avoid duplication we set this to
+ # -- Redis name of the key when using an existing secret, to avoid duplication we set this to
 existingSecretPasswordKey: REDIS_PASSWORD
 # ref: https://github.com/bitnami/charts/tree/master/bitnami/mongodb
@@ -278,7 +277,7 @@ mongodb:
 usernames: ["dependabot-gitlab"]
 # -- MongoDB custom user passwords
 passwords: []
- # set the name of an existing secret to be used (optional, will ignore other password setting when used)
+ # -- MongoDB name of an existing secret to be used (optional, will ignore other password setting when used)
 existingSecret:
 service:
 # -- Mongodb service port
--
GitLab
From b021dc7ee043ca5e12bd9c6c2fb28ee5f5bdd2d7 Mon Sep 17 00:00:00 2001
From: Thomas Stieglmaier
Date: Thu, 13 Jan 2022 12:33:39 +0100
Subject: [PATCH 03/12] fix readme
---
 README.md | 4 +
 charts/dependabot-gitlab/output.yaml | 983 +++++++++++++++++++++++++++
 charts/dependabot-gitlab/values.yaml | 2 +-
 3 files changed, 988 insertions(+), 1 deletion(-)
 create mode 100644 charts/dependabot-gitlab/output.yaml
diff --git a/README.md b/README.md
index 9fac57da..7e6297a4 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ For more information on `mongodb` and `redis` chart configuration options, consu
 | credentials.github_access_token | string | `""` | Github access token |
 | credentials.gitlab_access_token | string | `"test"` | Gitlab access token, required |
 | credentials.gitlab_auth_token | string | `""` | Gitlab auth token for webhook authentication |
+| credentials.existingSecret | string | `nil` | dependabot chart: set a secret name here if you want to manage secrets on your own best way is then to also use existingSecret for redis and mongodb necessary keys are: - SETTINGS__GITLAB_ACCESS_TOKEN - REDIS_PASSWORD - MONGODB_PASSWORD (necessary for the dependabot chart, should be the same as mongodb-password) - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD) optional keys are: - SETTINGS__GITHUB_ACCESS_TOKEN - SETTINGS__GITLAB_AUTH_TOKEN - MONGODB_URI |
 | env.appConfigPath | string | `"kube/config"` | Configuration path |
 | env.appRootPath | string | `"/home/dependabot/app"` | App root |
 | env.commandsPrefix | string | `""` | Dependabot comment command prefix |
@@ -98,6 +99,7 @@ For more information on `mongodb` and `redis` chart configuration options, consu
 | migrationJob.resources | object | `{}` | Migration job resource definitions |
 | mongodb.auth.databases | list | `["dependabot_gitab"]` | MongoDB custom database |
 | mongodb.auth.enabled | bool | `true` | Enable authentication |
+| mongodb.auth.existingSecret | string | `nil` | MongoDB name of an existing secret to be used (optional, will ignore other password setting when used) |
 | mongodb.auth.passwords | list | `[]` | MongoDB custom user passwords |
 | mongodb.auth.usernames | list | `["dependabot-gitlab"]` | MongoDB custom user username |
 | mongodb.enabled | bool | `true` | Enable mongodb installation |
@@ -110,6 +112,8 @@ For more information on `mongodb` and `redis` chart configuration options, consu
 | projects | list | `[]` | List of projects to create/update on deployment |
 | redis.architecture | string | `"standalone"` | Redis architecture. Allowed values: `standalone` or `replication` |
 | redis.auth.enabled | bool | `true` | Enable authentication |
+| redis.auth.existingSecret | string | `nil` | Redis name of an existing secret to be used (optional, will ignore other password setting when used) |
+| redis.auth.existingSecretPasswordKey | string | `"REDIS_PASSWORD"` | Redis name of the key when using an existing secret, to avoid duplication we set this to REDIS_PASSWORD |
 | redis.auth.password | string | `""` | Redis password |
 | redis.enabled | bool | `true` | Enable redis installation |
 | registriesCredentials | object | `{}` | Credentials for private registries Example: PRIVATE_DOCKERHUB_TOKEN: token |
diff --git a/charts/dependabot-gitlab/output.yaml b/charts/dependabot-gitlab/output.yaml
new file mode 100644
index 00000000..d1ac6d14
--- /dev/null
+++ b/charts/dependabot-gitlab/output.yaml
@@ -0,0 +1,983 @@ +--- +# Source: dependabot-gitlab/charts/mongodb/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: RELEASE-NAME-mongodb + namespace: default + labels: + app.kubernetes.io/name: mongodb + helm.sh/chart: mongodb-10.29.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +secrets: + - name: RELEASE-NAME-mongodb +--- +# Source: dependabot-gitlab/charts/redis/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: RELEASE-NAME-redis + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +--- +# Source: dependabot-gitlab/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: RELEASE-NAME-dependabot-gitlab + namespace: "default" + labels: + app.kubernetes.io/name: dependabot-gitlab + helm.sh/chart: dependabot-gitlab-0.2.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +--- +# Source: dependabot-gitlab/charts/mongodb/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: RELEASE-NAME-mongodb + namespace: default + labels: + app.kubernetes.io/name: mongodb + helm.sh/chart: mongodb-10.29.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: mongodb +type: Opaque +data: + mongodb-root-password: "a2h0YUVPUzBzdA==" + mongodb-passwords: "dGVzdCx0ZXN0Mg==" +--- +# Source: dependabot-gitlab/charts/redis/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: RELEASE-NAME-redis + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +type: Opaque +data: + redis-password: "b3NKbmFRMVhhaA==" +--- +# Source: 
dependabot-gitlab/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: RELEASE-NAME-dependabot-gitlab +data: + SETTINGS__GITLAB_ACCESS_TOKEN: "dGVzdA==" +--- +# Source: dependabot-gitlab/charts/redis/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: RELEASE-NAME-redis-configuration + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +data: + redis.conf: |- + # User-supplied common configuration: + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" + # End of common configuration + master.conf: |- + dir /data + # User-supplied master configuration: + rename-command FLUSHDB "" + rename-command FLUSHALL "" + # End of master configuration + replica.conf: |- + dir /data + slave-read-only yes + # User-supplied replica configuration: + rename-command FLUSHDB "" + rename-command FLUSHALL "" + # End of replica configuration +--- +# Source: dependabot-gitlab/charts/redis/templates/health-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: RELEASE-NAME-redis-health + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +data: + ping_readiness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ + -p $REDIS_PORT \ + ping + ) + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export 
REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ + -p $REDIS_PORT \ + ping + ) + if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then + echo "$response" + exit 1 + fi + ping_readiness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ + ping + ) + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ + ping + ) + if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then + echo "$response" + exit 1 + fi + ping_readiness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? + "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? + exit $exit_status + ping_liveness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? + "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? 
+ exit $exit_status +--- +# Source: dependabot-gitlab/charts/redis/templates/scripts-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: RELEASE-NAME-redis-scripts + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +data: + start-master.sh: | + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + ARGS=("--port" "${REDIS_PORT}") + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_PASSWORD}") + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + exec redis-server "${ARGS[@]}" +--- +# Source: dependabot-gitlab/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: RELEASE-NAME-dependabot-gitlab +data: + RAILS_ENV: production + RAILS_SERVE_STATIC_FILES: "true" + SECRET_KEY_BASE: key + PORT: "3000" + SETTINGS__GITLAB_URL: "https://gitlab.com" + SETTINGS__UPDATE_RETRY: "2" + SETTINGS__LOG_LEVEL: info + SETTINGS__METRICS: "false" + SETTINGS__PROJECT_REGISTRATION: "manual" + REDIS_URL: redis://RELEASE-NAME-redis-master.default.svc.cluster.local + MONGODB_DATABASE: dependabot_gitab + MONGODB_USER: dependabot-gitlab + MONGODB_URL: RELEASE-NAME-mongodb.default.svc.cluster.local:27017 +--- +# Source: dependabot-gitlab/charts/mongodb/templates/standalone/pvc.yaml +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: RELEASE-NAME-mongodb + namespace: default + labels: + app.kubernetes.io/name: mongodb + helm.sh/chart: mongodb-10.29.4 + app.kubernetes.io/instance: RELEASE-NAME + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: mongodb +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "8Gi" +--- +# Source: dependabot-gitlab/charts/mongodb/templates/standalone/svc.yaml +apiVersion: v1 +kind: Service +metadata: + name: RELEASE-NAME-mongodb + namespace: default + labels: + app.kubernetes.io/name: mongodb + helm.sh/chart: mongodb-10.29.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: mongodb +spec: + type: ClusterIP + ports: + - name: mongodb + port: 27017 + targetPort: mongodb + nodePort: null + selector: + app.kubernetes.io/name: mongodb + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: mongodb +--- +# Source: dependabot-gitlab/charts/redis/templates/headless-svc.yaml +apiVersion: v1 +kind: Service +metadata: + name: RELEASE-NAME-redis-headless + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + selector: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: RELEASE-NAME +--- +# Source: dependabot-gitlab/charts/redis/templates/master/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: RELEASE-NAME-redis-master + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master +spec: + type: ClusterIP + + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + nodePort: null + selector: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: master +--- +# Source: dependabot-gitlab/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: 
RELEASE-NAME-dependabot-gitlab + labels: + app.kubernetes.io/component: web + app.kubernetes.io/name: dependabot-gitlab + helm.sh/chart: dependabot-gitlab-0.2.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/component: web + app.kubernetes.io/name: dependabot-gitlab + app.kubernetes.io/instance: RELEASE-NAME +--- +# Source: dependabot-gitlab/charts/mongodb/templates/standalone/dep-sts.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: RELEASE-NAME-mongodb + namespace: default + labels: + app.kubernetes.io/name: mongodb + helm.sh/chart: mongodb-10.29.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: mongodb +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: mongodb + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: mongodb + template: + metadata: + labels: + app.kubernetes.io/name: mongodb + helm.sh/chart: mongodb-10.29.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: mongodb + spec: + + serviceAccountName: RELEASE-NAME-mongodb + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: mongodb + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: mongodb + namespaces: + - "default" + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 1001 + sysctls: [] + containers: + - name: mongodb + image: docker.io/bitnami/mongodb:4.4.10-debian-10-r20 + imagePullPolicy: "IfNotPresent" + securityContext: + runAsNonRoot: true + runAsUser: 1001 + env: + - name: BITNAMI_DEBUG + value: "false" + - name: MONGODB_EXTRA_USERNAMES + 
value: "dependabot-gitlab" + - name: MONGODB_EXTRA_DATABASES + value: "dependabot_gitab" + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + - name: MONGODB_ROOT_USER + value: "root" + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-root-password + - name: ALLOW_EMPTY_PASSWORD + value: "no" + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: "0" + - name: MONGODB_DISABLE_SYSTEM_LOG + value: "no" + - name: MONGODB_DISABLE_JAVASCRIPT + value: "no" + - name: MONGODB_ENABLE_JOURNAL + value: "yes" + - name: MONGODB_ENABLE_IPV6 + value: "no" + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: "no" + ports: + - name: mongodb + containerPort: 27017 + livenessProbe: + exec: + command: + - mongo + - --disableImplicitSessions + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + readinessProbe: + exec: + command: + - bash + - -ec + - | + # Run the proper check depending on the version + [[ $(mongo --version | grep "MongoDB shell") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} + . 
/opt/bitnami/scripts/libversion.sh + VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" + VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" + VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" + if [[ "$VERSION_MAJOR" -ge 4 ]] && [[ "$VERSION_MINOR" -ge 4 ]] && [[ "$VERSION_PATCH" -ge 2 ]]; then + mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep -q 'true' + else + mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep -q 'true' + fi + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + resources: + limits: {} + requests: {} + volumeMounts: + - name: datadir + mountPath: /bitnami/mongodb + subPath: + volumes: + - name: datadir + persistentVolumeClaim: + claimName: RELEASE-NAME-mongodb +--- +# Source: dependabot-gitlab/templates/deployment-web.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: RELEASE-NAME-dependabot-gitlab-web + labels: + app.kubernetes.io/name: dependabot-gitlab + helm.sh/chart: dependabot-gitlab-0.2.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +spec: + strategy: + type: RollingUpdate + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: dependabot-gitlab + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: web + template: + metadata: + labels: + app.kubernetes.io/name: dependabot-gitlab + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: web + annotations: + checksum/secrets: d18334f19a52e374b6d19454947ebfdde2ef1251766f83c2fa59b28f5ae01089 + checksum/config: 151c414837639c5933ba61a6d4f329e7ad7948c5f8485d82be3856a48ecd826c + checksum/redis-password: dea1597a8a3f720ee11f08c83aeb674f37fcca3239ea4c530623a8dad3ed372c + checksum/mongodb-password: 56a557f0f100ffdaf93f61df82a9e205fc9cc43b4afc885579f1bc2c8aa1f689 + spec: + serviceAccountName: RELEASE-NAME-dependabot-gitlab + 
securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: wait-migrations + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rake" + - "dependabot:check_migrations" + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + - name: wait-redis + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rake" + - "dependabot:check_redis" + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + containers: + - name: dependabot-gitlab-web + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rails" + - "server" + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + ports: + - name: http + containerPort: 3000 + protocol: TCP + livenessProbe: + httpGet: + path: /healthcheck + port: http + failureThreshold: 5 + periodSeconds: 10 + timeoutSeconds: 2 + startupProbe: + httpGet: + path: /healthcheck + port: http + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 3 + initialDelaySeconds: 10 +--- +# Source: 
dependabot-gitlab/templates/deployment-worker.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: RELEASE-NAME-dependabot-gitlab-worker + labels: + app.kubernetes.io/name: dependabot-gitlab + helm.sh/chart: dependabot-gitlab-0.2.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +spec: + strategy: + type: RollingUpdate + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: dependabot-gitlab + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: worker + template: + metadata: + labels: + app.kubernetes.io/name: dependabot-gitlab + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: worker + annotations: + checksum/secrets: d18334f19a52e374b6d19454947ebfdde2ef1251766f83c2fa59b28f5ae01089 + checksum/config: 151c414837639c5933ba61a6d4f329e7ad7948c5f8485d82be3856a48ecd826c + checksum/redis-password: 98b7d4363e86548cca69e028fd95fa1f6d9b1655c22ee073d5c7ed3333c0e664 + checksum/mongodb-password: 70d8e026c1be68fbc2425f7fe0255f20b3fc4be9032b263f6ec676d492962f08 + spec: + serviceAccountName: RELEASE-NAME-dependabot-gitlab + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: wait-migrations + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rake" + - "dependabot:check_migrations" + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + - name: wait-redis + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rake" + - "dependabot:check_redis" + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: 
MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + containers: + - name: dependabot-gitlab-worker + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "sidekiq" + env: + - name: SIDEKIQ_ALIVE_PORT + value: "7433" + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + livenessProbe: + httpGet: + path: /healthcheck + port: 7433 + failureThreshold: 2 + periodSeconds: 120 + timeoutSeconds: 3 + startupProbe: + httpGet: + path: /healthcheck + port: 7433 + failureThreshold: 12 + periodSeconds: 5 + timeoutSeconds: 3 + initialDelaySeconds: 10 + lifecycle: + preStop: + exec: + # SIGTERM triggers a quick exit; gracefully terminate instead + command: ["kube/sidekiq-quiet.sh"] + terminationGracePeriodSeconds: 300 # Large dependency files or docker images can take long time to process +--- +# Source: dependabot-gitlab/charts/redis/templates/master/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: RELEASE-NAME-redis-master + namespace: "default" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: master + serviceName: RELEASE-NAME-redis-headless + updateStrategy: + rollingUpdate: {} + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: redis + 
helm.sh/chart: redis-15.5.5 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master + annotations: + checksum/configmap: 3b208ca5749150806ba3983e5f960bbaf8d4ae16b56451c76a2208ea455bb6eb + checksum/health: aae7be14b10db19f5715d6c0868c0ce8fc9a6ea57191c98f62914880a570d128 + checksum/scripts: 392289b1aca3725e20472b3d9d246a34c6c5b1bd87f5293ec29e4ceddcc56178 + checksum/secret: 46fa9781127f9cfff2b1d2edc9520cbc67bcbda0dd58df94fca10352d87d5828 + spec: + + securityContext: + fsGroup: 1001 + serviceAccountName: RELEASE-NAME-redis + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: master + namespaces: + - "default" + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + terminationGracePeriodSeconds: 30 + containers: + - name: redis + image: docker.io/bitnami/redis:6.2.6-debian-10-r21 + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 1001 + command: + - /bin/bash + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-master.sh + env: + - name: BITNAMI_DEBUG + value: "false" + - name: REDIS_REPLICATION_MODE + value: master + - name: ALLOW_EMPTY_PASSWORD + value: "no" + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: REDIS_TLS_ENABLED + value: "no" + - name: REDIS_PORT + value: "6379" + ports: + - name: redis + containerPort: 6379 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 5 + # One second longer than command timeout should prevent generation of zombie processes. 
+ timeoutSeconds: 6 + successThreshold: 1 + failureThreshold: 5 + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh 5 + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 5 + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh 1 + resources: + limits: {} + requests: {} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + - name: redis-data + mountPath: /data + subPath: + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc/ + - name: tmp + mountPath: /tmp + volumes: + - name: start-scripts + configMap: + name: RELEASE-NAME-redis-scripts + defaultMode: 0755 + - name: health + configMap: + name: RELEASE-NAME-redis-health + defaultMode: 0755 + - name: config + configMap: + name: RELEASE-NAME-redis-configuration + - name: redis-tmp-conf + emptyDir: {} + - name: tmp + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: master + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "8Gi" +--- +# Source: dependabot-gitlab/templates/migration-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: RELEASE-NAME-dependabot-gitlab-migration-0.12.0 + labels: + app.kubernetes.io/name: dependabot-gitlab + helm.sh/chart: dependabot-gitlab-0.2.4 + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm +spec: + ttlSecondsAfterFinished: 3600 + backoffLimit: 4 + activeDeadlineSeconds: 300 + template: + spec: + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: wait-db + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rake" + - "dependabot:check_db" + env: + - name: 
REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + containers: + - name: dependabot-gitlab-migration-job + image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" + imagePullPolicy: IfNotPresent + args: + - "rake" + - "db:migrate" + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-redis + key: redis-password + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-mongodb + key: mongodb-passwords + envFrom: + - configMapRef: + name: RELEASE-NAME-dependabot-gitlab + - secretRef: + name: RELEASE-NAME-dependabot-gitlab + restartPolicy: Never diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml index ff167fbc..73d84f07 100644 --- a/charts/dependabot-gitlab/values.yaml +++ b/charts/dependabot-gitlab/values.yaml @@ -261,7 +261,7 @@ redis: password: "" # -- Redis name of an existing secret to be used (optional, will ignore other password setting when used) existingSecret: - # -- Redis name of the key when using an existing secret, to avoid duplication we set this to + # -- Redis name of the key when using an existing secret, to avoid duplication we set this to REDIS_PASSWORD existingSecretPasswordKey: REDIS_PASSWORD # ref: https://github.com/bitnami/charts/tree/master/bitnami/mongodb -- GitLab From 44d2c2de1c700d1e87e2517cdc6052e6822d32ce Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Thu, 13 Jan 2022 12:37:27 +0100 Subject: [PATCH 04/12] fix readme again --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7e6297a4..b58224cb 100644 --- a/README.md +++ b/README.md 
@@ -56,10 +56,10 @@ For more information on `mongodb` and `redis` chart configuration options, consu
 | createProjectsJob.activeDeadlineSeconds | int | `240` | Job Active Deadline |
 | createProjectsJob.backoffLimit | int | `1` | Job Back off limit |
 | createProjectsJob.resources | object | `{}` | Create projects job resource definitions |
+| credentials.existingSecret | string | `nil` | dependabot chart: set a secret name here if you want to manage secrets on your own best way is then to also use existingSecret for redis and mongodb necessary keys are: - SETTINGS__GITLAB_ACCESS_TOKEN - REDIS_PASSWORD - MONGODB_PASSWORD (necessary for the dependabot chart, should be the same as mongodb-password) - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD) optional keys are: - SETTINGS__GITHUB_ACCESS_TOKEN - SETTINGS__GITLAB_AUTH_TOKEN - MONGODB_URI |
 | credentials.github_access_token | string | `""` | Github access token |
 | credentials.gitlab_access_token | string | `"test"` | Gitlab access token, required |
 | credentials.gitlab_auth_token | string | `""` | Gitlab auth token for webhook authentication |
-| credentials.existingSecret | string | `nil` | dependabot chart: set a secret name here if you want to manage secrets on your own best way is then to also use existingSecret for redis and mongodb necessary keys are: - SETTINGS__GITLAB_ACCESS_TOKEN - REDIS_PASSWORD - MONGODB_PASSWORD (necessary for the dependabot chart, should be the same as mongodb-password) - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD) optional keys are: - SETTINGS__GITHUB_ACCESS_TOKEN - SETTINGS__GITLAB_AUTH_TOKEN - MONGODB_URI |
 | env.appConfigPath | string | `"kube/config"` | Configuration path |
 | env.appRootPath | string | `"/home/dependabot/app"` | App root |
 | env.commandsPrefix | string | `""` | Dependabot comment command prefix |
-- GitLab
From b56d1853196be1dea00c6baf12a673ecedf81bcf Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Fri, 14 Jan 2022 09:49:23 +0100 Subject: [PATCH 05/12] remove accidentally committed output.yaml --- charts/dependabot-gitlab/output.yaml | 983 --------------------------- 1 file changed, 983 deletions(-) delete mode 100644 charts/dependabot-gitlab/output.yaml
diff --git a/charts/dependabot-gitlab/output.yaml b/charts/dependabot-gitlab/output.yaml
deleted file mode 100644
index d1ac6d14..00000000
--- a/charts/dependabot-gitlab/output.yaml
+++ /dev/null
@@ -1,983 +0,0 @@ ---- -# Source: dependabot-gitlab/charts/mongodb/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: RELEASE-NAME-mongodb - namespace: default - labels: - app.kubernetes.io/name: mongodb - helm.sh/chart: mongodb-10.29.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -secrets: - - name: RELEASE-NAME-mongodb ---- -# Source: dependabot-gitlab/charts/redis/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: RELEASE-NAME-redis - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm ---- -# Source: dependabot-gitlab/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: RELEASE-NAME-dependabot-gitlab - namespace: "default" - labels: - app.kubernetes.io/name: dependabot-gitlab - helm.sh/chart: dependabot-gitlab-0.2.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm ---- -# Source: dependabot-gitlab/charts/mongodb/templates/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: RELEASE-NAME-mongodb - namespace: default - labels: - app.kubernetes.io/name: mongodb - helm.sh/chart: mongodb-10.29.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: mongodb -type: Opaque -data: - mongodb-root-password: "a2h0YUVPUzBzdA==" - mongodb-passwords: "dGVzdCx0ZXN0Mg==" ---- -# Source: dependabot-gitlab/charts/redis/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: RELEASE-NAME-redis - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -type: Opaque -data: - redis-password: "b3NKbmFRMVhhaA==" ---- -# Source: 
dependabot-gitlab/templates/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: RELEASE-NAME-dependabot-gitlab -data: - SETTINGS__GITLAB_ACCESS_TOKEN: "dGVzdA==" ---- -# Source: dependabot-gitlab/charts/redis/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: RELEASE-NAME-redis-configuration - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -data: - redis.conf: |- - # User-supplied common configuration: - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. - save "" - # End of common configuration - master.conf: |- - dir /data - # User-supplied master configuration: - rename-command FLUSHDB "" - rename-command FLUSHALL "" - # End of master configuration - replica.conf: |- - dir /data - slave-read-only yes - # User-supplied replica configuration: - rename-command FLUSHDB "" - rename-command FLUSHALL "" - # End of replica configuration ---- -# Source: dependabot-gitlab/charts/redis/templates/health-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: RELEASE-NAME-redis-health - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -data: - ping_readiness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ - -p $REDIS_PORT \ - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export 
REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ - -p $REDIS_PORT \ - ping - ) - if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then - echo "$response" - exit 1 - fi - ping_readiness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ - ping - ) - if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then - echo "$response" - exit 1 - fi - ping_readiness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? - "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? - exit $exit_status - ping_liveness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? - "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? 
- exit $exit_status ---- -# Source: dependabot-gitlab/charts/redis/templates/scripts-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: RELEASE-NAME-redis-scripts - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -data: - start-master.sh: | - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - ARGS=("--port" "${REDIS_PORT}") - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_PASSWORD}") - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - exec redis-server "${ARGS[@]}" ---- -# Source: dependabot-gitlab/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: RELEASE-NAME-dependabot-gitlab -data: - RAILS_ENV: production - RAILS_SERVE_STATIC_FILES: "true" - SECRET_KEY_BASE: key - PORT: "3000" - SETTINGS__GITLAB_URL: "https://gitlab.com" - SETTINGS__UPDATE_RETRY: "2" - SETTINGS__LOG_LEVEL: info - SETTINGS__METRICS: "false" - SETTINGS__PROJECT_REGISTRATION: "manual" - REDIS_URL: redis://RELEASE-NAME-redis-master.default.svc.cluster.local - MONGODB_DATABASE: dependabot_gitab - MONGODB_USER: dependabot-gitlab - MONGODB_URL: RELEASE-NAME-mongodb.default.svc.cluster.local:27017 ---- -# Source: dependabot-gitlab/charts/mongodb/templates/standalone/pvc.yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: RELEASE-NAME-mongodb - namespace: default - labels: - app.kubernetes.io/name: mongodb - helm.sh/chart: mongodb-10.29.4 - app.kubernetes.io/instance: RELEASE-NAME - 
app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: mongodb -spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" ---- -# Source: dependabot-gitlab/charts/mongodb/templates/standalone/svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: RELEASE-NAME-mongodb - namespace: default - labels: - app.kubernetes.io/name: mongodb - helm.sh/chart: mongodb-10.29.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: mongodb -spec: - type: ClusterIP - ports: - - name: mongodb - port: 27017 - targetPort: mongodb - nodePort: null - selector: - app.kubernetes.io/name: mongodb - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: mongodb ---- -# Source: dependabot-gitlab/charts/redis/templates/headless-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: RELEASE-NAME-redis-headless - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp-redis - port: 6379 - targetPort: redis - selector: - app.kubernetes.io/name: redis - app.kubernetes.io/instance: RELEASE-NAME ---- -# Source: dependabot-gitlab/charts/redis/templates/master/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: RELEASE-NAME-redis-master - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: master -spec: - type: ClusterIP - - ports: - - name: tcp-redis - port: 6379 - targetPort: redis - nodePort: null - selector: - app.kubernetes.io/name: redis - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: master ---- -# Source: dependabot-gitlab/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: 
RELEASE-NAME-dependabot-gitlab - labels: - app.kubernetes.io/component: web - app.kubernetes.io/name: dependabot-gitlab - helm.sh/chart: dependabot-gitlab-0.2.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 3000 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/component: web - app.kubernetes.io/name: dependabot-gitlab - app.kubernetes.io/instance: RELEASE-NAME ---- -# Source: dependabot-gitlab/charts/mongodb/templates/standalone/dep-sts.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: RELEASE-NAME-mongodb - namespace: default - labels: - app.kubernetes.io/name: mongodb - helm.sh/chart: mongodb-10.29.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: mongodb -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/name: mongodb - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: mongodb - template: - metadata: - labels: - app.kubernetes.io/name: mongodb - helm.sh/chart: mongodb-10.29.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: mongodb - spec: - - serviceAccountName: RELEASE-NAME-mongodb - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: mongodb - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: mongodb - namespaces: - - "default" - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - fsGroup: 1001 - sysctls: [] - containers: - - name: mongodb - image: docker.io/bitnami/mongodb:4.4.10-debian-10-r20 - imagePullPolicy: "IfNotPresent" - securityContext: - runAsNonRoot: true - runAsUser: 1001 - env: - - name: BITNAMI_DEBUG - value: "false" - - name: MONGODB_EXTRA_USERNAMES - 
value: "dependabot-gitlab" - - name: MONGODB_EXTRA_DATABASES - value: "dependabot_gitab" - - name: MONGODB_EXTRA_PASSWORDS - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - - name: MONGODB_ROOT_USER - value: "root" - - name: MONGODB_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-root-password - - name: ALLOW_EMPTY_PASSWORD - value: "no" - - name: MONGODB_SYSTEM_LOG_VERBOSITY - value: "0" - - name: MONGODB_DISABLE_SYSTEM_LOG - value: "no" - - name: MONGODB_DISABLE_JAVASCRIPT - value: "no" - - name: MONGODB_ENABLE_JOURNAL - value: "yes" - - name: MONGODB_ENABLE_IPV6 - value: "no" - - name: MONGODB_ENABLE_DIRECTORY_PER_DB - value: "no" - ports: - - name: mongodb - containerPort: 27017 - livenessProbe: - exec: - command: - - mongo - - --disableImplicitSessions - - --eval - - "db.adminCommand('ping')" - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - readinessProbe: - exec: - command: - - bash - - -ec - - | - # Run the proper check depending on the version - [[ $(mongo --version | grep "MongoDB shell") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} - . 
/opt/bitnami/scripts/libversion.sh - VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" - VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" - VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" - if [[ "$VERSION_MAJOR" -ge 4 ]] && [[ "$VERSION_MINOR" -ge 4 ]] && [[ "$VERSION_PATCH" -ge 2 ]]; then - mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep -q 'true' - else - mongo --disableImplicitSessions $TLS_OPTIONS --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep -q 'true' - fi - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - resources: - limits: {} - requests: {} - volumeMounts: - - name: datadir - mountPath: /bitnami/mongodb - subPath: - volumes: - - name: datadir - persistentVolumeClaim: - claimName: RELEASE-NAME-mongodb ---- -# Source: dependabot-gitlab/templates/deployment-web.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: RELEASE-NAME-dependabot-gitlab-web - labels: - app.kubernetes.io/name: dependabot-gitlab - helm.sh/chart: dependabot-gitlab-0.2.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -spec: - strategy: - type: RollingUpdate - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: dependabot-gitlab - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: web - template: - metadata: - labels: - app.kubernetes.io/name: dependabot-gitlab - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: web - annotations: - checksum/secrets: d18334f19a52e374b6d19454947ebfdde2ef1251766f83c2fa59b28f5ae01089 - checksum/config: 151c414837639c5933ba61a6d4f329e7ad7948c5f8485d82be3856a48ecd826c - checksum/redis-password: dea1597a8a3f720ee11f08c83aeb674f37fcca3239ea4c530623a8dad3ed372c - checksum/mongodb-password: 56a557f0f100ffdaf93f61df82a9e205fc9cc43b4afc885579f1bc2c8aa1f689 - spec: - serviceAccountName: RELEASE-NAME-dependabot-gitlab - 
securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 - initContainers: - - name: wait-migrations - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rake" - - "dependabot:check_migrations" - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - - name: wait-redis - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rake" - - "dependabot:check_redis" - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - containers: - - name: dependabot-gitlab-web - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rails" - - "server" - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - ports: - - name: http - containerPort: 3000 - protocol: TCP - livenessProbe: - httpGet: - path: /healthcheck - port: http - failureThreshold: 5 - periodSeconds: 10 - timeoutSeconds: 2 - startupProbe: - httpGet: - path: /healthcheck - port: http - failureThreshold: 12 - periodSeconds: 10 - timeoutSeconds: 3 - initialDelaySeconds: 10 ---- -# Source: 
dependabot-gitlab/templates/deployment-worker.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: RELEASE-NAME-dependabot-gitlab-worker - labels: - app.kubernetes.io/name: dependabot-gitlab - helm.sh/chart: dependabot-gitlab-0.2.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -spec: - strategy: - type: RollingUpdate - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: dependabot-gitlab - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: worker - template: - metadata: - labels: - app.kubernetes.io/name: dependabot-gitlab - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: worker - annotations: - checksum/secrets: d18334f19a52e374b6d19454947ebfdde2ef1251766f83c2fa59b28f5ae01089 - checksum/config: 151c414837639c5933ba61a6d4f329e7ad7948c5f8485d82be3856a48ecd826c - checksum/redis-password: 98b7d4363e86548cca69e028fd95fa1f6d9b1655c22ee073d5c7ed3333c0e664 - checksum/mongodb-password: 70d8e026c1be68fbc2425f7fe0255f20b3fc4be9032b263f6ec676d492962f08 - spec: - serviceAccountName: RELEASE-NAME-dependabot-gitlab - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 - initContainers: - - name: wait-migrations - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rake" - - "dependabot:check_migrations" - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - - name: wait-redis - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rake" - - "dependabot:check_redis" - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: 
MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - containers: - - name: dependabot-gitlab-worker - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "sidekiq" - env: - - name: SIDEKIQ_ALIVE_PORT - value: "7433" - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - livenessProbe: - httpGet: - path: /healthcheck - port: 7433 - failureThreshold: 2 - periodSeconds: 120 - timeoutSeconds: 3 - startupProbe: - httpGet: - path: /healthcheck - port: 7433 - failureThreshold: 12 - periodSeconds: 5 - timeoutSeconds: 3 - initialDelaySeconds: 10 - lifecycle: - preStop: - exec: - # SIGTERM triggers a quick exit; gracefully terminate instead - command: ["kube/sidekiq-quiet.sh"] - terminationGracePeriodSeconds: 300 # Large dependency files or docker images can take long time to process ---- -# Source: dependabot-gitlab/charts/redis/templates/master/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: RELEASE-NAME-redis-master - namespace: "default" - labels: - app.kubernetes.io/name: redis - helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: master -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: redis - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: master - serviceName: RELEASE-NAME-redis-headless - updateStrategy: - rollingUpdate: {} - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/name: redis - 
helm.sh/chart: redis-15.5.5 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: master - annotations: - checksum/configmap: 3b208ca5749150806ba3983e5f960bbaf8d4ae16b56451c76a2208ea455bb6eb - checksum/health: aae7be14b10db19f5715d6c0868c0ce8fc9a6ea57191c98f62914880a570d128 - checksum/scripts: 392289b1aca3725e20472b3d9d246a34c6c5b1bd87f5293ec29e4ceddcc56178 - checksum/secret: 46fa9781127f9cfff2b1d2edc9520cbc67bcbda0dd58df94fca10352d87d5828 - spec: - - securityContext: - fsGroup: 1001 - serviceAccountName: RELEASE-NAME-redis - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: redis - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: master - namespaces: - - "default" - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - terminationGracePeriodSeconds: 30 - containers: - - name: redis - image: docker.io/bitnami/redis:6.2.6-debian-10-r21 - imagePullPolicy: "IfNotPresent" - securityContext: - runAsUser: 1001 - command: - - /bin/bash - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-master.sh - env: - - name: BITNAMI_DEBUG - value: "false" - - name: REDIS_REPLICATION_MODE - value: master - - name: ALLOW_EMPTY_PASSWORD - value: "no" - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: REDIS_TLS_ENABLED - value: "no" - - name: REDIS_PORT - value: "6379" - ports: - - name: redis - containerPort: 6379 - livenessProbe: - initialDelaySeconds: 20 - periodSeconds: 5 - # One second longer than command timeout should prevent generation of zombie processes. 
- timeoutSeconds: 6 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/ping_liveness_local.sh 5 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 2 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/ping_readiness_local.sh 1 - resources: - limits: {} - requests: {} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - - name: redis-data - mountPath: /data - subPath: - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc/ - - name: tmp - mountPath: /tmp - volumes: - - name: start-scripts - configMap: - name: RELEASE-NAME-redis-scripts - defaultMode: 0755 - - name: health - configMap: - name: RELEASE-NAME-redis-health - defaultMode: 0755 - - name: config - configMap: - name: RELEASE-NAME-redis-configuration - - name: redis-tmp-conf - emptyDir: {} - - name: tmp - emptyDir: {} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: - app.kubernetes.io/name: redis - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/component: master - spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" ---- -# Source: dependabot-gitlab/templates/migration-job.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: RELEASE-NAME-dependabot-gitlab-migration-0.12.0 - labels: - app.kubernetes.io/name: dependabot-gitlab - helm.sh/chart: dependabot-gitlab-0.2.4 - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm -spec: - ttlSecondsAfterFinished: 3600 - backoffLimit: 4 - activeDeadlineSeconds: 300 - template: - spec: - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 - initContainers: - - name: wait-db - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rake" - - "dependabot:check_db" - env: - - name: 
REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - containers: - - name: dependabot-gitlab-migration-job - image: "docker.io/andrcuns/dependabot-gitlab:0.12.0" - imagePullPolicy: IfNotPresent - args: - - "rake" - - "db:migrate" - env: - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-redis - key: redis-password - - name: MONGODB_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-mongodb - key: mongodb-passwords - envFrom: - - configMapRef: - name: RELEASE-NAME-dependabot-gitlab - - secretRef: - name: RELEASE-NAME-dependabot-gitlab - restartPolicy: Never -- GitLab From 0411b75126852d7d02cd8e459b8b1e1e8f3939df Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Fri, 14 Jan 2022 10:00:32 +0100 Subject: [PATCH 06/12] cleanup unnecessary variable documenation --- charts/dependabot-gitlab/values.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml index 73d84f07..d9a66f8c 100644 --- a/charts/dependabot-gitlab/values.yaml +++ b/charts/dependabot-gitlab/values.yaml 
@@ -224,13 +224,11 @@ credentials: # best way is then to also use existingSecret for redis and mongodb # necessary keys are: # - SETTINGS__GITLAB_ACCESS_TOKEN - # - REDIS_PASSWORD - # - MONGODB_PASSWORD (necessary for the dependabot chart, should be the same as mongodb-password) + # - redis-password (if you want you can change the name of this key via setting existingSecretPasswordKey in redis.auth) # - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD) # optional keys are: # - SETTINGS__GITHUB_ACCESS_TOKEN # - SETTINGS__GITLAB_AUTH_TOKEN - # - MONGODB_URI existingSecret: # -- Credentials for private registries @@ -261,8 +259,6 @@ redis: password: "" # -- Redis name of an existing secret to be used (optional, will ignore other password setting when used) existingSecret: - # -- Redis name of the key when using an existing secret, to avoid duplication we set this to REDIS_PASSWORD - existingSecretPasswordKey: REDIS_PASSWORD # ref: https://github.com/bitnami/charts/tree/master/bitnami/mongodb mongodb: -- GitLab From 35b50e95ad5df90e4c2f74325adb01c45be83810 Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Fri, 21 Jan 2022 09:16:38 +0100 Subject: [PATCH 07/12] first part of extracting registriescredentials into an own secret, currently they are not referenced --- .../templates/registries-credentials.yaml | 8 ++++++++ charts/dependabot-gitlab/templates/secrets.yaml | 3 --- 2 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 charts/dependabot-gitlab/templates/registries-credentials.yaml diff --git a/charts/dependabot-gitlab/templates/registries-credentials.yaml b/charts/dependabot-gitlab/templates/registries-credentials.yaml new file mode 100644 index 00000000..03cd0e94 --- /dev/null +++ b/charts/dependabot-gitlab/templates/registries-credentials.yaml 
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "dependabot-gitlab.fullname" . }}-registries
+data:
+ {{- range $key, $val := .Values.registriesCredentials }}
+ {{ $key }}: {{ $val | b64enc | quote }}
+ {{- end }}
diff --git a/charts/dependabot-gitlab/templates/secrets.yaml b/charts/dependabot-gitlab/templates/secrets.yaml
index e06763ec..0d993bb2 100644
--- a/charts/dependabot-gitlab/templates/secrets.yaml
+++ b/charts/dependabot-gitlab/templates/secrets.yaml
@@ -23,7 +23,4 @@ data:
 {{- else if and (not .Values.mongodb.enabled) .Values.mongodb.auth.enabled }}
 MONGODB_PASSWORD: {{ required "MongoDB password must be provided" .Values.mongodb.auth.password | b64enc | quote }}
 {{- end }}
- {{- range $key, $val := .Values.registriesCredentials }}
- {{ $key }}: {{ $val | b64enc | quote }}
- {{- end }}
 {{- end }}
-- GitLab From a57514395aa13efb1703dda6c25eea6d810f6118 Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Fri, 21 Jan 2022 09:35:56 +0100 Subject: [PATCH 08/12] update values.yaml and documentation according to MR review --- README.md | 4 ++-- charts/dependabot-gitlab/values.yaml | 11 +++-------- 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index b58224cb..6cd79544 100644
--- a/README.md
+++ b/README.md
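Review bot: In the new registries-credentials.yaml, `{{ $val | b64enc | quote }}` aborts rendering with a bare type error for any value that YAML did not parse as a string, because `b64enc` accepts only strings; an unquoted all-digit token under `registriesCredentials` is enough to trigger it. Piping through `toString` first is not a safe substitute, since a large number can come out in exponent form and the wrong credential would be stored without any error. A guard inside the `range` gives the operator a clear message instead: `{{- if not (kindIs "string" $val) }}{{ fail (printf "registriesCredentials.%s must be a quoted string" $key) }}{{- end }}`. The same expression is kept unchanged in the later revisions of this template in patches 10/12 and 11/12.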
@@ -56,7 +56,7 @@ For more information on `mongodb` and `redis` chart configuration options, consu | createProjectsJob.activeDeadlineSeconds | int | `240` | Job Active Deadline | | createProjectsJob.backoffLimit | int | `1` | Job Back off limit | | createProjectsJob.resources | object | `{}` | Create projects job resource definitions | -| credentials.existingSecret | string | `nil` | dependabot chart: set a secret name here if you want to manage secrets on your own best way is then to also use existingSecret for redis and mongodb necessary keys are: - SETTINGS__GITLAB_ACCESS_TOKEN - REDIS_PASSWORD - MONGODB_PASSWORD (necessary for the dependabot chart, should be the same as mongodb-password) - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD) optional keys are: - SETTINGS__GITHUB_ACCESS_TOKEN - SETTINGS__GITLAB_AUTH_TOKEN - MONGODB_URI | +| credentials.existingSecret | string | `nil` | dependabot chart: set a secret name here if you want to manage secrets on your own required keys: [SETTINGS__GITLAB_ACCESS_TOKEN], optional: [SETTINGS__GITHUB_ACCESS_TOKEN, SETTINGS__GITLAB_AUTH_TOKEN] | | credentials.github_access_token | string | `""` | Github access token | | credentials.gitlab_access_token | string | `"test"` | Gitlab access token, required | | credentials.gitlab_auth_token | string | `""` | Gitlab auth token for webhook authentication | 
@@ -113,7 +113,7 @@ For more information on `mongodb` and `redis` chart configuration options, consu | redis.architecture | string | `"standalone"` | Redis architecture. Allowed values: `standalone` or `replication` | | redis.auth.enabled | bool | `true` | Enable authentication | | redis.auth.existingSecret | string | `nil` | Redis name of an existing secret to be used (optional, will ignore other password setting when used) | -| redis.auth.existingSecretPasswordKey | string | `"REDIS_PASSWORD"` | Redis name of the key when using an existing secret, to avoid duplication we set this to REDIS_PASSWORD | +| redis.auth.existingSecretPasswordKey | string | `nil` | Redis name of the key in the existing secret where the password is stored (optional, will only be used when existingSecret is set) | | redis.auth.password | string | `""` | Redis password | | redis.enabled | bool | `true` | Enable redis installation | | registriesCredentials | object | `{}` | Credentials for private registries Example: PRIVATE_DOCKERHUB_TOKEN: token | diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml index d9a66f8c..f0d197e5 100644 --- a/charts/dependabot-gitlab/values.yaml +++ b/charts/dependabot-gitlab/values.yaml 
@@ -221,14 +221,7 @@ credentials: # -- Gitlab auth token for webhook authentication gitlab_auth_token: "" # -- dependabot chart: set a secret name here if you want to manage secrets on your own - # best way is then to also use existingSecret for redis and mongodb - # necessary keys are: - # - SETTINGS__GITLAB_ACCESS_TOKEN - # - redis-password (if you want you can change the name of this key via setting existingSecretPasswordKey in redis.auth) - # - mongodb-passwords (necessary for the mongodb subchart, should be the same as MONGODB_PASSWORD) - # optional keys are: - # - SETTINGS__GITHUB_ACCESS_TOKEN - # - SETTINGS__GITLAB_AUTH_TOKEN + # required keys: [SETTINGS__GITLAB_ACCESS_TOKEN], optional: [SETTINGS__GITHUB_ACCESS_TOKEN, SETTINGS__GITLAB_AUTH_TOKEN] existingSecret: # -- Credentials for private registries @@ -259,6 +252,8 @@ redis: password: "" # -- Redis name of an existing secret to be used (optional, will ignore other password setting when used) existingSecret: + # -- Redis name of the key in the existing secret where the password is stored (optional, will only be used when existingSecret is set) + existingSecretPasswordKey: # ref: https://github.com/bitnami/charts/tree/master/bitnami/mongodb mongodb: -- GitLab From 4ab1357dfa6bf2ff826b750b6d0374a0010a57b7 Mon Sep 17 00:00:00 2001 From: andrejs Date: Mon, 24 Jan 2022 08:59:38 +0000 Subject: [PATCH 09/12] also add possibility to have an existing registriescredential and reference the secret in deployments --- charts/dependabot-gitlab/templates/deployment-web.yaml | 5 +++++ charts/dependabot-gitlab/templates/deployment-worker.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/charts/dependabot-gitlab/templates/deployment-web.yaml b/charts/dependabot-gitlab/templates/deployment-web.yaml index 28d87467..cb146523 100644 --- a/charts/dependabot-gitlab/templates/deployment-web.yaml +++ b/charts/dependabot-gitlab/templates/deployment-web.yaml 
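Review bot: The shortened `credentials.existingSecret` comment in the first values.yaml hunk now names only the `SETTINGS__*` keys, but secrets.yaml (context lines in patch 07/12) also writes `MONGODB_PASSWORD` into the chart-managed secret when `mongodb.enabled` is false and `mongodb.auth.enabled` is true. If the pods read only the existing secret once it is set, an operator following this comment would deploy against an external MongoDB without a database password; that depends on template logic not visible in this hunk, so it needs confirming. If it holds, extend the comment, for example `# with an external MongoDB (mongodb.enabled: false) the secret must also contain MONGODB_PASSWORD`. The README row changed in the same commit appears to mirror this comment and would need the same addition.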
@@ -56,6 +56,11 @@ spec:
 {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
 {{- end }}
+ {{- if .Values.registriesCredentials.existingSecret }}
+ name: {{ .Values.registriesCredentials.existingSecret }}
+ {{- else }}
+ name: {{ include "dependabot-gitlab.fullname" . }}-registries
+ {{- end }}
 ports:
 - name: http
 containerPort: {{ .Values.service.port }}
diff --git a/charts/dependabot-gitlab/templates/deployment-worker.yaml b/charts/dependabot-gitlab/templates/deployment-worker.yaml
index b3a85715..6a0a06e4 100644
--- a/charts/dependabot-gitlab/templates/deployment-worker.yaml
+++ b/charts/dependabot-gitlab/templates/deployment-worker.yaml
@@ -72,6 +72,11 @@ spec:
 {{- else }}
 name: {{ include "dependabot-gitlab.fullname" . }}
 {{- end }}
+ {{- if .Values.registriesCredentials.existingSecret }}
+ name: {{ .Values.registriesCredentials.existingSecret }}
+ {{- else }}
+ name: {{ include "dependabot-gitlab.fullname" . }}-registries
+ {{- end }}
 {{- if .Values.metrics.enabled }}
 ports:
 - name: metrics
-- GitLab From baadaa9abd771be6884526abcf7e48a58f739ee5 Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Mon, 24 Jan 2022 10:12:01 +0100 Subject: [PATCH 10/12] add if condition for creating registries credentials secret --- README.md | 3 ++- .../dependabot-gitlab/templates/registries-credentials.yaml | 2 ++ charts/dependabot-gitlab/values.yaml | 6 ++++-- 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6cd79544..aacaf8d7 100644
--- a/README.md
+++ b/README.md
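Review bot: The five added lines in the deployment-web.yaml hunk, and the identical ones in deployment-worker.yaml, emit a second `name:` inside the `secretRef` entry that the preceding `if`/`else` has already filled, not a new `envFrom` item. The rendered mapping then carries a duplicate key, and a parser that keeps the last value would silently drop the reference to the credentials secret, so the container would start without the GitLab access token. A `- secretRef:` line is needed before the added `{{- if .Values.registriesCredentials.existingSecret }}`; patch 12/12 adds it, and folding that fix into this commit would keep every commit of the series deployable. The `envFrom` list itself starts outside both hunks.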
@@ -116,7 +116,8 @@ For more information on `mongodb` and `redis` chart configuration options, consu | redis.auth.existingSecretPasswordKey | string | `nil` | Redis name of the key in the existing secret where the password is stored (optional, will only be used when existingSecret is set) | | redis.auth.password | string | `""` | Redis password | | redis.enabled | bool | `true` | Enable redis installation | -| registriesCredentials | object | `{}` | Credentials for private registries Example: PRIVATE_DOCKERHUB_TOKEN: token | +| registriesCredentials | object | `{"existingSecret":null}` | Credentials for private registries Example: PRIVATE_DOCKERHUB_TOKEN: token | +| registriesCredentials.existingSecret | string | `nil` | set a secret name here if you want to manage registries credentials on your own | | service.annotations | object | `{}` | Service annotations | | service.port | int | `3000` | Service pot | | service.type | string | `"ClusterIP"` | Service type | diff --git a/charts/dependabot-gitlab/templates/registries-credentials.yaml b/charts/dependabot-gitlab/templates/registries-credentials.yaml index 03cd0e94..35ebaef7 100644 --- a/charts/dependabot-gitlab/templates/registries-credentials.yaml +++ b/charts/dependabot-gitlab/templates/registries-credentials.yaml @@ -1,3 +1,4 @@ +{{- if (not .Values.registriesCredentials.existingSecret) }} apiVersion: v1 kind: Secret metadata: @@ -6,3 +7,4 @@ data: {{- range $key, $val := .Values.registriesCredentials }} {{ $key }}: {{ $val | b64enc | quote }} {{- end }} +{{- end}} diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml index f0d197e5..a637592b 100644 --- a/charts/dependabot-gitlab/values.yaml +++ b/charts/dependabot-gitlab/values.yaml 
@@ -224,9 +224,11 @@ credentials: # required keys: [SETTINGS__GITLAB_ACCESS_TOKEN], optional: [SETTINGS__GITHUB_ACCESS_TOKEN, SETTINGS__GITLAB_AUTH_TOKEN] existingSecret: -# -- Credentials for private registries +# -- Credentials for private registries, or just the key for the existingSecret # Example: PRIVATE_DOCKERHUB_TOKEN: token -registriesCredentials: {} +registriesCredentials: + # -- set a secret name here if you want to manage registries credentials on your own + existingSecret: project_registration: # -- Project registration mode -- GitLab From 004b3ccced5cc2474a4418e978727b3dbd3ef332 Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Mon, 24 Jan 2022 10:32:11 +0100 Subject: [PATCH 11/12] don't put existingSecret into the registriesCredentials object --- charts/dependabot-gitlab/templates/registries-credentials.yaml | 2 ++ charts/dependabot-gitlab/values.yaml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/dependabot-gitlab/templates/registries-credentials.yaml b/charts/dependabot-gitlab/templates/registries-credentials.yaml index 35ebaef7..eac9ccfe 100644 --- a/charts/dependabot-gitlab/templates/registries-credentials.yaml +++ b/charts/dependabot-gitlab/templates/registries-credentials.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "dependabot-gitlab.fullname" . }}-registries data: {{- range $key, $val := .Values.registriesCredentials }} + {{- if ne $key "existingSecret" }} {{ $key }}: {{ $val | b64enc | quote }} {{- end }} + {{- end }} {{- end}} diff --git a/charts/dependabot-gitlab/values.yaml b/charts/dependabot-gitlab/values.yaml index a637592b..1fc2db8f 100644 --- a/charts/dependabot-gitlab/values.yaml +++ b/charts/dependabot-gitlab/values.yaml 
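Review bot: Filtering the control key by name inside the loop (`{{- if ne $key "existingSecret" }}` in the registries-credentials.yaml hunk of patch 11/12) adds a nested `if` per entry and still treats every other key under `registriesCredentials` as a credential. Dropping the key before iterating reads more directly: `{{- range $key, $val := omit .Values.registriesCredentials "existingSecret" }}`. A misspelt `existingSecret` would be passed to `b64enc` and end up in the pods' environment, so the values.yaml comment should state that every other key in this map is stored as a secret value. The closing `{{- end}}` on the file's last line also lacks the space used in every other action.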
@@ -224,7 +224,7 @@ credentials: # required keys: [SETTINGS__GITLAB_ACCESS_TOKEN], optional: [SETTINGS__GITHUB_ACCESS_TOKEN, SETTINGS__GITLAB_AUTH_TOKEN] existingSecret: -# -- Credentials for private registries, or just the key for the existingSecret +# -- Credentials for private registries # Example: PRIVATE_DOCKERHUB_TOKEN: token registriesCredentials: # -- set a secret name here if you want to manage registries credentials on your own -- GitLab From f32c073d3779e7302e9da5035078cd0cdc3c64cc Mon Sep 17 00:00:00 2001 From: Thomas Stieglmaier Date: Fri, 28 Jan 2022 15:24:33 +0100 Subject: [PATCH 12/12] fix deployment secret key ref --- charts/dependabot-gitlab/templates/deployment-web.yaml | 1 + charts/dependabot-gitlab/templates/deployment-worker.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/dependabot-gitlab/templates/deployment-web.yaml b/charts/dependabot-gitlab/templates/deployment-web.yaml index cb146523..ebe2033c 100644 --- a/charts/dependabot-gitlab/templates/deployment-web.yaml +++ b/charts/dependabot-gitlab/templates/deployment-web.yaml @@ -56,6 +56,7 @@ spec: {{- else }} name: {{ include "dependabot-gitlab.fullname" . }} {{- end }} + - secretRef: {{- if .Values.registriesCredentials.existingSecret }} name: {{ .Values.registriesCredentials.existingSecret }} {{- else }} diff --git a/charts/dependabot-gitlab/templates/deployment-worker.yaml b/charts/dependabot-gitlab/templates/deployment-worker.yaml index 6a0a06e4..d7602b86 100644 --- a/charts/dependabot-gitlab/templates/deployment-worker.yaml +++ b/charts/dependabot-gitlab/templates/deployment-worker.yaml @@ -72,6 +72,7 @@ spec: {{- else }} name: {{ include "dependabot-gitlab.fullname" . }} {{- end }} + - secretRef: {{- if .Values.registriesCredentials.existingSecret }} name: {{ .Values.registriesCredentials.existingSecret }} {{- else }} -- GitLab
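Review bot: With the `- secretRef:` added in deployment-web.yaml and deployment-worker.yaml, the registries secret becomes the last `envFrom` source, and Kubernetes resolves duplicate keys in favour of the last source. Any key in `registriesCredentials`, or in a user-supplied `registriesCredentials.existingSecret`, that matches a name from the ConfigMap or the credentials secret, such as `SETTINGS__GITLAB_ACCESS_TOKEN`, silently replaces it. Listing the registries `secretRef` before the credentials one would keep the chart's own settings authoritative; failing that, a comment should record the behaviour: `# envFrom: later sources win on duplicate keys; registries secret keys must not reuse SETTINGS__* names`. Both hunks cut through the container spec, so the full `envFrom` list is not visible here.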