Workshop completo: aulas 08-10 com Talos, n8n e GitLab na Hetzner

Aula 08 - Cluster Kubernetes HA:
- Setup interativo com OpenTofu para Talos na Hetzner
- CCM, CSI Driver, Cluster Autoscaler, Metrics Server
- NGINX Ingress com LoadBalancer (HTTP/HTTPS/SSH)

Aula 09 - n8n na Hetzner:
- Deploy via Helm com PostgreSQL e Redis
- Suporte multi-tenant com add-client.sh
- Integração com Hetzner CSI para volumes persistentes

Aula 10 - GitLab na Hetzner:
- Setup agnóstico: CloudFlare (trusted proxies) ou Let's Encrypt
- Anti-affinity para distribuir webservice/sidekiq em nós diferentes
- Container Registry e SSH via TCP passthrough
- Documentação do erro 422 e solução com trustedCIDRsForXForwardedFor

Melhorias gerais:
- READMEs atualizados com arquitetura e troubleshooting
- Scripts cleanup.sh para todas as aulas
- CLAUDE.md atualizado com contexto do projeto

aula-10/gitlab-values.yaml

@@ -0,0 +1,298 @@
+# =============================================================================
+# GitLab Helm Chart - Configuração Base para Hetzner CAX11
+# =============================================================================
+#
+# Esta configuração:
+#   - Usa NGINX Ingress Controller externo (instalado na aula-08)
+#   - Define ~5GB de recursos distribuídos em 2 workers CAX11 (antiAffinity)
+#   - Desabilita componentes não essenciais para economizar recursos
+#   - Configura Registry para container images
+#
+# Valores dinâmicos (configurados via --set no setup.sh):
+#   - global.hosts.domain
+#   - global.hosts.gitlab.name
+#   - global.hosts.registry.name
+#   - global.hosts.minio.name
+#   - global.hosts.https
+#   - global.ingress.tls.enabled
+#   - global.ingress.configureCertmanager
+#
+# Cenário CloudFlare (proxy ativo):
+#   - global.ingress.tls.enabled=false
+#   - global.hosts.https=true
+#   - gitlab.webservice.workhorse.trustedCIDRsForXForwardedFor=[CloudFlare IPs]
+#
+# Cenário Let's Encrypt:
+#   - global.ingress.tls.enabled=true
+#   - global.hosts.https=true
+#   - global.ingress.configureCertmanager=true
+#   - global.ingress.annotations.cert-manager.io/cluster-issuer=letsencrypt-prod
+#
+# =============================================================================
+
+global:
+  # Usar Ingress Controller externo
+  ingress:
+    class: nginx
+    # configureCertmanager é definido via --set no setup.sh (true para Let's Encrypt)
+    annotations:
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
+      nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
+      nginx.ingress.kubernetes.io/proxy-buffering: "off"
+      # cert-manager.io/cluster-issuer é adicionado via --set quando Let's Encrypt
+
+  # Timezone
+  time_zone: America/Sao_Paulo
+
+  # Pod Security - evitar warnings de PodSecurity
+  pod:
+    securityContext:
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+
+  # Email (opcional - configurar depois)
+  # email:
+  #   from: gitlab@kube.quest
+  #   display_name: GitLab
+  #   reply_to: noreply@kube.quest
+
+# =============================================================================
+# NGINX BUNDLED - DESABILITAR (usamos o externo)
+# =============================================================================
+nginx-ingress:
+  enabled: false
+
+# =============================================================================
+# CERT-MANAGER - DESABILITAR BUNDLED
+# =============================================================================
+# O cert-manager é instalado separadamente se Let's Encrypt for escolhido.
+# global.ingress.configureCertmanager controla a integração.
+
+# =============================================================================
+# GITLAB COMPONENTS
+# =============================================================================
+
+gitlab:
+  # Webservice (Rails app - UI e API)
+  # NOTA: antiAffinity garante que webservice e sidekiq rodem em nós diferentes
+  # Isso evita OOM quando ambos competem por memória no mesmo nó CAX11 (4GB)
+  webservice:
+    minReplicas: 1
+    maxReplicas: 1
+    resources:
+      requests:
+        memory: 2Gi
+        cpu: 200m
+      limits:
+        memory: 2.5Gi
+        cpu: 1
+    workerProcesses: 1
+    puma:
+      threads:
+        min: 1
+        max: 2
+    # Anti-affinity: não rodar no mesmo nó que sidekiq
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app: sidekiq
+            topologyKey: kubernetes.io/hostname
+
+  # Sidekiq (background jobs)
+  # Anti-affinity: não rodar no mesmo nó que webservice
+  sidekiq:
+    minReplicas: 1
+    maxReplicas: 1
+    resources:
+      requests:
+        memory: 1.5Gi
+        cpu: 100m
+      limits:
+        memory: 2Gi
+        cpu: 500m
+    # Desabilitar memory watchdog interno do GitLab (deixa o OOM killer do K8s gerenciar)
+    memoryKiller:
+      maxRss: 2000000000  # 2GB - maior que o limite para evitar kills prematuros
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app: webservice
+            topologyKey: kubernetes.io/hostname
+
+  # Gitaly (Git storage)
+  gitaly:
+    resources:
+      requests:
+        memory: 512Mi
+        cpu: 100m
+      limits:
+        memory: 1Gi
+        cpu: 500m
+    persistence:
+      size: 10Gi  # Mínimo Hetzner ($0.0484/GB)
+      storageClass: hcloud-volumes
+
+  # GitLab Shell (SSH)
+  gitlab-shell:
+    minReplicas: 1
+    maxReplicas: 1
+    service:
+      type: ClusterIP  # TCP passthrough pelo NGINX
+    resources:
+      requests:
+        memory: 64Mi
+        cpu: 50m
+      limits:
+        memory: 128Mi
+        cpu: 100m
+
+  # Toolbox (backup, rake tasks)
+  toolbox:
+    enabled: true
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 50m
+      limits:
+        memory: 512Mi
+        cpu: 200m
+
+  # GitLab Exporter (métricas)
+  gitlab-exporter:
+    enabled: false  # Economiza recursos
+
+  # Migrations
+  migrations:
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 100m
+
+  # KAS (Kubernetes Agent Server) - desabilitar
+  kas:
+    enabled: false
+
+# =============================================================================
+# POSTGRESQL
+# =============================================================================
+postgresql:
+  install: true
+  primary:
+    resources:
+      requests:
+        memory: 512Mi
+        cpu: 100m
+      limits:
+        memory: 1Gi
+        cpu: 500m
+    persistence:
+      size: 10Gi  # Mínimo Hetzner ($0.0484/GB)
+      storageClass: hcloud-volumes
+
+# =============================================================================
+# REDIS
+# =============================================================================
+redis:
+  install: true
+  master:
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 50m
+      limits:
+        memory: 512Mi
+        cpu: 200m
+    persistence:
+      size: 10Gi  # Mínimo Hetzner ($0.0484/GB)
+      storageClass: hcloud-volumes
+
+# =============================================================================
+# MINIO (Object Storage)
+# =============================================================================
+# NOTA: As imagens padrão do GitLab chart não suportam ARM64.
+# Usamos as imagens oficiais multi-arch do MinIO.
+minio:
+  install: true
+  image: minio/minio
+  imageTag: RELEASE.2024-06-13T22-53-53Z
+  minioMc:
+    image: minio/mc
+    tag: RELEASE.2024-06-12T14-34-03Z
+  resources:
+    requests:
+      memory: 128Mi
+      cpu: 50m
+    limits:
+      memory: 256Mi
+      cpu: 200m
+  persistence:
+    size: 10Gi
+    storageClass: hcloud-volumes
+
+# Ou usar object storage externo (S3, etc):
+# global:
+#   minio:
+#     enabled: false
+#   appConfig:
+#     object_store:
+#       enabled: true
+#       connection:
+#         secret: gitlab-object-storage
+#         key: connection
+
+# =============================================================================
+# REGISTRY (Container Registry)
+# =============================================================================
+registry:
+  enabled: true
+  hpa:
+    minReplicas: 1
+    maxReplicas: 1
+  resources:
+    requests:
+      memory: 128Mi
+      cpu: 50m
+    limits:
+      memory: 256Mi
+      cpu: 200m
+  # Storage usa MinIO bundled automaticamente quando minio.install=true
+
+# =============================================================================
+# COMPONENTES DESABILITADOS (economia de recursos)
+# =============================================================================
+
+# GitLab Runner - instalar separadamente se necessário
+gitlab-runner:
+  install: false
+
+# Prometheus - usar Victoria Metrics da aula-05
+prometheus:
+  install: false
+
+# Grafana
+grafana:
+  install: false
+
+# GitLab Pages
+gitlab-pages:
+  enabled: false
+
+# Praefect (Gitaly HA) - não necessário para instalação pequena
+praefect:
+  enabled: false
+
+# Spamcheck
+spamcheck:
+  enabled: false
+
+# =============================================================================
+# UPGRADECHECK
+# =============================================================================
+upgradeCheck:
+  enabled: false