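# =============================================================================
# GitLab Helm Chart - Base configuration for Hetzner CAX11
# =============================================================================
#
# This configuration:
# - Uses the external NGINX Ingress Controller (installed in aula-08)
# - Defines ~5GB of resources spread across 2 CAX11 workers (antiAffinity)
# - Disables non-essential components to save resources
# - Configures the Registry for container images
#
# Dynamic values (set via --set in setup.sh):
# - global.hosts.domain
# - global.hosts.gitlab.name
# - global.hosts.registry.name
# - global.hosts.minio.name
# - global.hosts.https
# - global.ingress.tls.enabled
# - global.ingress.configureCertmanager
#
# CloudFlare scenario (proxy enabled):
# - global.ingress.tls.enabled=false
# - global.hosts.https=true
# - gitlab.webservice.workhorse.trustedCIDRsForXForwardedFor=[CloudFlare IPs]
#
# Let's Encrypt scenario:
# - global.ingress.tls.enabled=true
# - global.hosts.https=true
# - global.ingress.configureCertmanager=true
# - global.ingress.annotations.cert-manager.io/cluster-issuer=letsencrypt-prod
#
# NOTE: this file has exactly ONE top-level `global:` mapping. A duplicate
# top-level key is either rejected by the YAML parser or silently replaced by
# the last occurrence, which would drop the ingress annotations and the pod
# securityContext below without any warning.
# =============================================================================

global:
  # Use the external Ingress Controller
  ingress:
    class: nginx
    # configureCertmanager is set via --set in setup.sh (true for Let's Encrypt)
    annotations:
      # "0" removes the request body size limit (large git pushes, registry layers)
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
      nginx.ingress.kubernetes.io/proxy-buffering: "off"
      # cert-manager.io/cluster-issuer is added via --set when Let's Encrypt is used

  # Timezone
  time_zone: America/Sao_Paulo

  # Pod Security - avoid PodSecurity admission warnings
  pod:
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

  # Object storage: bundled MinIO is disabled and the Rails object stores use
  # Hetzner Object Storage (S3 compatible) through the Secret created by
  # setup.sh. Kept inside this single `global:` mapping on purpose (see the
  # header note about duplicate top-level keys).
  minio:
    enabled: false
  appConfig:
    object_store:
      enabled: true
      proxy_download: true
      connection:
        secret: gitlab-object-storage
        key: connection

  # Email (optional - configure later)
  # email:
  #   from: gitlab@kube.quest
  #   display_name: GitLab
  #   reply_to: noreply@kube.quest

# =============================================================================
# BUNDLED NGINX - DISABLE (the external one is used)
# =============================================================================
nginx-ingress:
  enabled: false

# =============================================================================
# CERT-MANAGER - DISABLE BUNDLED
# =============================================================================
# cert-manager is installed separately when Let's Encrypt is chosen;
# global.ingress.configureCertmanager controls the integration. The bundled
# subchart is disabled explicitly so that a second cert-manager is not
# deployed next to the external one.
certmanager:
  install: false

# =============================================================================
# GITLAB COMPONENTS
# =============================================================================
gitlab:
  # Webservice (Rails app - UI and API)
  # Preferred anti-affinity: spreads pods when possible but does not require it
  # - 1 large node (8GB): everything runs together
  # - Several small nodes: spread automatically
  # - No capacity: the autoscaler adds nodes
  webservice:
    minReplicas: 1
    maxReplicas: 1
    resources:
      requests:
        memory: 2Gi
        cpu: 200m
      limits:
        memory: 2.5Gi
        cpu: 1
    workerProcesses: 1
    puma:
      threads:
        min: 1
        max: 2
    # Preferred anti-affinity: tries to keep away from sidekiq, not mandatory
    # NOTE(review): confirm the chart version in use honours a raw
    # podAntiAffinity block here; older chart versions only read
    # `antiAffinity: soft|hard` for this.
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: sidekiq
              topologyKey: kubernetes.io/hostname

  # Sidekiq (background jobs)
  sidekiq:
    minReplicas: 1
    maxReplicas: 1
    resources:
      requests:
        memory: 1.5Gi
        cpu: 100m
      limits:
        memory: 2Gi
        cpu: 500m
    # Effectively disable GitLab's internal memory watchdog so the Kubernetes
    # OOM killer (the 2Gi limit above) is the only enforcement point.
    # maxRss is expressed in KB (chart default 2000000 = 2GB); 2000000000 KB is
    # ~2TB, far above the container limit, so the internal killer never fires.
    memoryKiller:
      maxRss: 2000000000
    # Preferred anti-affinity: tries to keep away from webservice, not mandatory
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: webservice
              topologyKey: kubernetes.io/hostname

  # Gitaly (Git storage)
  gitaly:
    resources:
      requests:
        memory: 512Mi
        cpu: 100m
      limits:
        memory: 1Gi
        cpu: 500m
    persistence:
      size: 10Gi  # Hetzner minimum ($0.0484/GB)
      storageClass: hcloud-volumes

  # GitLab Shell (SSH)
  gitlab-shell:
    minReplicas: 1
    maxReplicas: 1
    service:
      type: ClusterIP  # TCP passthrough via NGINX
    resources:
      requests:
        memory: 64Mi
        cpu: 50m
      limits:
        memory: 128Mi
        cpu: 100m

  # Toolbox (backups, rake tasks)
  toolbox:
    enabled: true
    resources:
      requests:
        memory: 256Mi
        cpu: 50m
      limits:
        memory: 512Mi
        cpu: 200m

  # GitLab Exporter (metrics)
  gitlab-exporter:
    enabled: false  # saves resources

  # Migrations
  migrations:
    resources:
      requests:
        memory: 256Mi
        cpu: 100m

  # KAS (Kubernetes Agent Server) - disabled
  kas:
    enabled: false

# =============================================================================
# POSTGRESQL
# =============================================================================
postgresql:
  install: true
  primary:
    resources:
      requests:
        memory: 512Mi
        cpu: 100m
      limits:
        memory: 1Gi
        cpu: 500m
    persistence:
      size: 10Gi  # Hetzner minimum ($0.0484/GB)
      storageClass: hcloud-volumes

# =============================================================================
# REDIS
# =============================================================================
redis:
  install: true
  master:
    resources:
      requests:
        memory: 256Mi
        cpu: 50m
      limits:
        memory: 512Mi
        cpu: 200m
    persistence:
      size: 10Gi  # Hetzner minimum ($0.0484/GB)
      storageClass: hcloud-volumes

# =============================================================================
# OBJECT STORAGE (Hetzner Object Storage - S3 compatible)
# =============================================================================
# Hetzner Object Storage is used instead of the bundled MinIO.
# Advantages:
# - No persistent volume (saves $0.50/month)
# - No MinIO pod (saves resources)
# - Unlimited storage (pay per use: €0.006/GB)
# - High availability managed by Hetzner
#
# Prerequisite: create the bucket and credentials in the Hetzner Console.
# setup.sh creates the gitlab-object-storage Secret automatically.
# The matching global.minio.enabled=false and global.appConfig.object_store
# settings live under the single `global:` mapping at the top of this file.
minio:
  install: false

# =============================================================================
# REGISTRY (Container Registry)
# =============================================================================
registry:
  enabled: true
  hpa:
    minReplicas: 1
    maxReplicas: 1
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 256Mi
      cpu: 200m
  # Registry storage also targets Hetzner Object Storage, but it is configured
  # through its own Secret; it does not inherit global.appConfig.object_store.
  storage:
    secret: gitlab-registry-storage
    key: config

# =============================================================================
# DISABLED COMPONENTS (resource savings)
# =============================================================================

# GitLab Runner - install separately if needed
gitlab-runner:
  install: false

# Prometheus - use Victoria Metrics from aula-05
prometheus:
  install: false

# Grafana
grafana:
  install: false

# NOTE(review): the chart reads Pages, Praefect and Spamcheck toggles under
# global.pages.enabled / global.praefect.enabled / global.spamcheck.enabled;
# confirm these top-level keys take effect (all three are off by default).

# GitLab Pages
gitlab-pages:
  enabled: false

# Praefect (Gitaly HA) - not needed for a small installation
praefect:
  enabled: false

# Spamcheck
spamcheck:
  enabled: false

# =============================================================================
# UPGRADECHECK
# =============================================================================
upgradeCheck:
  enabled: false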