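---
# =============================================================================
# GitLab Helm Chart - base configuration for Hetzner CAX11
# =============================================================================
#
# This configuration:
# - Uses the external NGINX Ingress Controller (installed in lesson 08)
# - Sizes ~5GB of resources spread over 2 CAX11 workers (antiAffinity)
# - Disables non-essential components to save resources
# - Configures the Registry for container images
#
# Dynamic values (set via --set in setup.sh):
# - global.hosts.domain
# - global.hosts.gitlab.name
# - global.hosts.registry.name
# - global.hosts.minio.name
# - global.hosts.https
# - global.ingress.tls.enabled
# - global.ingress.configureCertmanager
#
# CloudFlare scenario (proxy enabled):
# - global.ingress.tls.enabled=false
# - global.hosts.https=true
# - gitlab.webservice.workhorse.trustedCIDRsForXForwardedFor=[CloudFlare IPs]
#   NOTE: with tls.enabled=false the Ingress serves plain HTTP; https=true only
#   makes GitLab generate https URLs. The CloudFlare -> origin hop is therefore
#   unencrypted unless TLS is terminated some other way, and trusting
#   X-Forwarded-For from CloudFlare ranges only holds if the origin cannot be
#   reached directly (restrict the ingress to CloudFlare IP ranges).
#
# Let's Encrypt scenario:
# - global.ingress.tls.enabled=true
# - global.hosts.https=true
# - global.ingress.configureCertmanager=true
# - global.ingress.annotations.cert-manager.io/cluster-issuer=letsencrypt-prod
#
# =============================================================================

global:
  # Use the external Ingress Controller
  ingress:
    class: nginx
    # configureCertmanager is set via --set in setup.sh (true for Let's Encrypt)
    annotations:
      # "0" removes the request-body size cap (needed for large pushes/uploads).
      # It also removes a basic resource-exhaustion guard at the edge, so keep
      # an upstream limit (CloudFlare/WAF) or set a sane cap once real needs
      # are known.
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
      nginx.ingress.kubernetes.io/proxy-buffering: "off"
      # cert-manager.io/cluster-issuer is added via --set when using Let's Encrypt

  # Timezone
  time_zone: America/Sao_Paulo

  # Pod Security - avoid PodSecurity admission warnings
  pod:
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

  # Email (optional - configure later)
  # email:
  #   from: gitlab@kube.quest
  #   display_name: GitLab
  #   reply_to: noreply@kube.quest

# =============================================================================
# BUNDLED NGINX - DISABLE (we use the external one)
# =============================================================================
nginx-ingress:
  enabled: false

# =============================================================================
# CERT-MANAGER - DISABLE BUNDLED
# =============================================================================
# cert-manager is installed separately when Let's Encrypt is chosen.
# global.ingress.configureCertmanager controls the integration.

# =============================================================================
# GITLAB COMPONENTS
# =============================================================================
gitlab:
  # Webservice (Rails app - UI and API)
  # NOTE: antiAffinity ensures webservice and sidekiq run on different nodes.
  # This avoids OOM when both compete for memory on the same CAX11 node (4GB).
  webservice:
    minReplicas: 1
    maxReplicas: 1
    resources:
      requests:
        memory: 2Gi
        cpu: 200m
      limits:
        memory: 2.5Gi
        cpu: 1
    workerProcesses: 1
    puma:
      threads:
        min: 1
        max: 2
    # Anti-affinity: never schedule on the same node as sidekiq
    # NOTE(review): this is raw Kubernetes affinity - confirm the chart version
    # in use passes it through unchanged (the chart also has its own
    # antiAffinity setting); if it is ignored, both pods may land on one node.
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: sidekiq
            topologyKey: kubernetes.io/hostname

  # Sidekiq (background jobs)
  # Anti-affinity: never schedule on the same node as webservice
  sidekiq:
    minReplicas: 1
    maxReplicas: 1
    resources:
      requests:
        memory: 1.5Gi
        cpu: 100m
      limits:
        memory: 2Gi
        cpu: 500m
    # Effectively disable GitLab's internal memory watchdog and let the
    # Kubernetes OOM killer manage the pod.
    # NOTE: maxRss is expressed in kilobytes (per chart docs - confirm for the
    # chart version in use), so 2000000000 is ~2TB, far above the 2Gi limit;
    # the watchdog never fires before the container limit is hit.
    memoryKiller:
      maxRss: 2000000000
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: webservice
            topologyKey: kubernetes.io/hostname

  # Gitaly (Git storage)
  gitaly:
    resources:
      requests:
        memory: 512Mi
        cpu: 100m
      limits:
        memory: 1Gi
        cpu: 500m
    persistence:
      size: 10Gi  # Hetzner minimum ($0.0484/GB)
      storageClass: hcloud-volumes

  # GitLab Shell (SSH)
  gitlab-shell:
    minReplicas: 1
    maxReplicas: 1
    service:
      type: ClusterIP  # TCP passthrough via the external NGINX
    resources:
      requests:
        memory: 64Mi
        cpu: 50m
      limits:
        memory: 128Mi
        cpu: 100m

  # Toolbox (backups, rake tasks)
  toolbox:
    enabled: true
    resources:
      requests:
        memory: 256Mi
        cpu: 50m
      limits:
        memory: 512Mi
        cpu: 200m

  # GitLab Exporter (metrics)
  gitlab-exporter:
    enabled: false  # Saves resources

  # Migrations
  migrations:
    resources:
      requests:
        memory: 256Mi
        cpu: 100m

  # KAS (Kubernetes Agent Server) - disable
  kas:
    enabled: false

# =============================================================================
# POSTGRESQL
# =============================================================================
postgresql:
  install: true
  primary:
    resources:
      requests:
        memory: 512Mi
        cpu: 100m
      limits:
        memory: 1Gi
        cpu: 500m
    persistence:
      size: 10Gi  # Hetzner minimum ($0.0484/GB)
      storageClass: hcloud-volumes

# =============================================================================
# REDIS
# =============================================================================
redis:
  install: true
  master:
    resources:
      requests:
        memory: 256Mi
        cpu: 50m
      limits:
        memory: 512Mi
        cpu: 200m
    persistence:
      size: 10Gi  # Hetzner minimum ($0.0484/GB)
      storageClass: hcloud-volumes

# =============================================================================
# MINIO (Object Storage)
# =============================================================================
# NOTE: the GitLab chart's default images do not support ARM64.
# We use the official multi-arch MinIO images, pinned to explicit release tags
# so upgrades are deliberate rather than pulled in silently.
minio:
  install: true
  image: minio/minio
  imageTag: RELEASE.2024-06-13T22-53-53Z
  minioMc:
    image: minio/mc
    tag: RELEASE.2024-06-12T14-34-03Z
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 256Mi
      cpu: 200m
  persistence:
    size: 10Gi
    storageClass: hcloud-volumes

# Or use external object storage (S3, etc.):
# global:
#   minio:
#     enabled: false
#   appConfig:
#     object_store:
#       enabled: true
#       connection:
#         secret: gitlab-object-storage
#         key: connection

# =============================================================================
# REGISTRY (Container Registry)
# =============================================================================
registry:
  enabled: true
  hpa:
    minReplicas: 1
    maxReplicas: 1
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 256Mi
      cpu: 200m
  # Storage uses the bundled MinIO automatically when minio.install=true

# =============================================================================
# DISABLED COMPONENTS (resource savings)
# =============================================================================

# GitLab Runner - install separately if needed
gitlab-runner:
  install: false

# Prometheus - use Victoria Metrics from lesson 05
prometheus:
  install: false

# Grafana
grafana:
  install: false

# GitLab Pages
gitlab-pages:
  enabled: false

# Praefect (Gitaly HA) - not needed for a small installation
praefect:
  enabled: false

# Spamcheck
spamcheck:
  enabled: false

# =============================================================================
# UPGRADECHECK
# =============================================================================
# Skips the pre-upgrade compatibility check job; re-enable (or run it
# manually) before chart upgrades so unsupported version jumps are caught.
upgradeCheck:
  enabled: false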