feat(gitlab): Move secrets to proper secret manifests

Tanguy Herbron 2023-02-07 09:53:52 +01:00
parent bdf97dbfc3
commit 1dbbdb498b
3 changed files with 30 additions and 69 deletions


@ -1,60 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab-config
namespace: gitlab
data:
gitlab.rb: |
external_url 'https://git.beta.halia.dev'
gitlab_rails['gitlab_default_theme'] = 2
registry_external_url 'https://git.beta.halia.dev'
puma['worker_processes'] = 0
sidekiq['max_concurrency'] = 5
nginx['listen_port'] = 80
nginx['listen_https'] = false
gitlab_kas['enable'] = true
registry_nginx['enable'] = true
registry_nginx['proxy_set_headers'] = {
"X-Forwarded-Proto" => "https",
"X-Forwarded-Ssl" => "on"
}
registry_nginx['listen_port'] = 5050
registry_nginx['listen_https'] = false
prometheus['enable'] = false
gitaly['env'] = {
'GITALY_COMMAND_SPAWN_MAX_PARALLEL' => '2'
}
gitaly['ruby_max_rss'] = 200_000_000
gitaly['concurrency'] = [
{
'rpc' => "/gitaly.SmartHTTPService/PostReceivePack",
'max_per_repo' => 3
}, {
'rpc' => "/gitaly.SSHService/SSHUploadPack",
'max_per_repo' => 3
}
]
node_exporter['listen_address'] = '0.0.0.0:9100'
gitlab_workhorse['prometheus_listen_addr'] = '0.0.0.0:9229'
gitlab_exporter['listen_address'] = '0.0.0.0'
gitlab_exporter['listen_port'] = '9168'
sidekiq['listen_address'] = '0.0.0.0'
redis_exporter['listen_address'] = '0.0.0.0:9121'
postgres_exporter['listen_address'] = '0.0.0.0:9187'
gitaly['prometheus_listen_addr'] = '0.0.0.0:9236'
gitlab_rails['monitoring_whitelist'] = ['0.0.0.0']
gitlab_rails['prometheus_address'] = '0.0.0.0:9090'
nginx['status']['options'] = {
"server_tokens" => "off",
"access_log" => "off",
"allow" => "0.0.0.0",
"deny" => "all",
}
postgresql['enable'] = false
gitlab_rails['db_adapter'] = 'postgresql'
gitlab_rails['db_encoding'] = 'unicode'
gitlab_rails['db_host'] = 'localhost'
gitlab_rails['db_password'] = 'aberation'
gitlab_rails['manage_backup_path'] = true
gitlab_rails['backup_path'] = "/backups"


@ -19,12 +19,22 @@ spec:
containers:
- name: gitlab
image: git.halia.dev/athens-school/gitlab:15.5.0-amd64
lifecycle:
postStart:
exec:
command: [
'/bin/sh',
'-c',
'cp /etc/gitlab/gitlab-secrets.reference /etc/gitlab/gitlab-secrets.json && cp /etc/gitlab/reference.rb /etc/gitlab/gitlab.rb && chmod 600 /etc/gitlab/gitlab.rb']
ports:
- containerPort: 80
volumeMounts:
- mountPath: "/etc/gitlab/gitlab.rb"
name: gitlab-config-volume
subPath: gitlab.rb
- mountPath: "/etc/gitlab/reference.rb"
name: gitlab-config-secret
subPath: reference.rb
- mountPath: "/etc/gitlab/gitlab-secrets.reference"
name: gitlab-secrets
subPath: gitlab-secrets.reference
- mountPath: "/var/opt/gitlab"
name: gitlab-pv
- name: gitlab-db
@ -45,15 +55,18 @@ spec:
name: gitlab-backup
subPath: backups
volumes:
- name: gitlab-db-pv
hostPath:
path: "/mnt/gitlab/db"
- name: gitlab-pv
hostPath:
path: "/mnt/gitlab/data"
- name: gitlab-config-volume
configMap:
name: gitlab-config
- name: gitlab-config-secret
secret:
secretName: gitlab-config
- name: gitlab-secrets
secret:
secretName: gitlab-secrets
- name: gitlab-db-pv
hostPath:
path: "/mnt/gitlab/db"
- name: gitlab-backup
persistentVolumeClaim:
claimName: gitlab-backup-pvc
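Review bot: The `postStart` command in the first hunk runs `chmod 600` only on `/etc/gitlab/gitlab.rb`, so the copied `/etc/gitlab/gitlab-secrets.json` keeps whatever mode `cp` assigns; the tail of the command should cover both files, `chmod 600 /etc/gitlab/gitlab.rb /etc/gitlab/gitlab-secrets.json`. Kubernetes does not guarantee that a `postStart` hook finishes before the container entrypoint runs, so GitLab may start before either file exists. An initContainer that copies the two files into a shared `emptyDir` would remove that race. The second hunk also references `secretName: gitlab-secrets`, which none of the three changed files defines, so the pod presumably depends on that Secret being created out of band. A comment next to the volume saying where it comes from would help.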


@ -0,0 +1,8 @@
apiVersion: v1
data:
reference.rb: 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
kind: Secret
metadata:
creationTimestamp: null
name: gitlab-config
namespace: gitlab
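Review bot: The `reference.rb` value under `data:` is base64-encoded, not encrypted, so committing this manifest leaves the GitLab configuration readable to anyone with access to the repository. That presumably includes the `gitlab_rails['db_password']` line carried over from the removed ConfigMap. The password also stays in the history of the deleted ConfigMap, so it should be rotated rather than only moved. Consider keeping this Secret out of version control or committing it in encrypted form (for example Sealed Secrets or SOPS). The generated `creationTimestamp: null` line can be dropped.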