depaula/workshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ef121ba96c14fa59f5ba97898a478b6342a77ab
workshop/aula-10/gitlab-values.yaml
ArgoCD Setup 12f6f48c64 feat(aula-10): migrar para Hetzner Object Storage + melhorias 
Mudanças principais:
- Substituir MinIO bundled por Hetzner Object Storage (S3)
- Secrets YAML com envsubst para credenciais S3
- Anti-affinity preferencial (adapta a qualquer topologia)
- Detecção automática de cert-manager existente
- Menu TLS simplificado (Let's Encrypt/CloudFlare/HTTP)
- Perguntar hostname do registry separadamente
- Exibição unificada de TLS (não mais CloudFlare: true/false)
2026-01-23 22:52:43 -03:00

301 lines
8.3 KiB
YAML
Raw Blame History

# =============================================================================
# GitLab Helm Chart - Configuração Base para Hetzner CAX11
# =============================================================================
#
# Esta configuração:
# - Usa NGINX Ingress Controller externo (instalado na aula-08)
# - Define ~5GB de recursos distribuídos em 2 workers CAX11 (antiAffinity)
# - Desabilita componentes não essenciais para economizar recursos
# - Configura Registry para container images
#
# Valores dinâmicos (configurados via --set no setup.sh):
# - global.hosts.domain
# - global.hosts.gitlab.name
# - global.hosts.registry.name
# - global.hosts.minio.name
# - global.hosts.https
# - global.ingress.tls.enabled
# - global.ingress.configureCertmanager
#
# Cenário CloudFlare (proxy ativo):
# - global.ingress.tls.enabled=false
# - global.hosts.https=true
# - gitlab.webservice.workhorse.trustedCIDRsForXForwardedFor=[CloudFlare IPs]
#
# Cenário Let's Encrypt:
# - global.ingress.tls.enabled=true
# - global.hosts.https=true
# - global.ingress.configureCertmanager=true
# - global.ingress.annotations.cert-manager.io/cluster-issuer=letsencrypt-prod
#
# =============================================================================
global:
# Usar Ingress Controller externo
ingress:
class: nginx
# configureCertmanager é definido via --set no setup.sh (true para Let's Encrypt)
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
nginx.ingress.kubernetes.io/proxy-buffering: "off"
# cert-manager.io/cluster-issuer é adicionado via --set quando Let's Encrypt
# Timezone
time_zone: America/Sao_Paulo
# Pod Security - evitar warnings de PodSecurity
pod:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Email (opcional - configurar depois)
# email:
# from: gitlab@kube.quest
# display_name: GitLab
# reply_to: noreply@kube.quest
# =============================================================================
# NGINX BUNDLED - DESABILITAR (usamos o externo)
# =============================================================================
nginx-ingress:
enabled: false
# =============================================================================
# CERT-MANAGER - DESABILITAR BUNDLED
# =============================================================================
# O cert-manager é instalado separadamente se Let's Encrypt for escolhido.
# global.ingress.configureCertmanager controla a integração.
# =============================================================================
# GITLAB COMPONENTS
# =============================================================================
gitlab:
# Webservice (Rails app - UI e API)
# Anti-affinity preferencial: distribui se possível, mas não obriga
# - 1 nó grande (8GB): tudo roda junto
# - Múltiplos nós pequenos: distribui automaticamente
# - Sem recursos: autoscaler cria nós novos
webservice:
minReplicas: 1
maxReplicas: 1
resources:
requests:
memory: 2Gi
cpu: 200m
limits:
memory: 2.5Gi
cpu: 1
workerProcesses: 1
puma:
threads:
min: 1
max: 2
# Anti-affinity preferencial: tenta separar de sidekiq, mas não obriga
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: sidekiq
topologyKey: kubernetes.io/hostname
# Sidekiq (background jobs)
sidekiq:
minReplicas: 1
maxReplicas: 1
resources:
requests:
memory: 1.5Gi
cpu: 100m
limits:
memory: 2Gi
cpu: 500m
# Desabilitar memory watchdog interno do GitLab (deixa o OOM killer do K8s gerenciar)
memoryKiller:
maxRss: 2000000000 # 2GB - maior que o limite para evitar kills prematuros
# Anti-affinity preferencial: tenta separar de webservice, mas não obriga
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: webservice
topologyKey: kubernetes.io/hostname
# Gitaly (Git storage)
gitaly:
resources:
requests:
memory: 512Mi
cpu: 100m
limits:
memory: 1Gi
cpu: 500m
persistence:
size: 10Gi # Mínimo Hetzner ($0.0484/GB)
storageClass: hcloud-volumes
# GitLab Shell (SSH)
gitlab-shell:
minReplicas: 1
maxReplicas: 1
service:
type: ClusterIP # TCP passthrough pelo NGINX
resources:
requests:
memory: 64Mi
cpu: 50m
limits:
memory: 128Mi
cpu: 100m
# Toolbox (backup, rake tasks)
toolbox:
enabled: true
resources:
requests:
memory: 256Mi
cpu: 50m
limits:
memory: 512Mi
cpu: 200m
# GitLab Exporter (métricas)
gitlab-exporter:
enabled: false # Economiza recursos
# Migrations
migrations:
resources:
requests:
memory: 256Mi
cpu: 100m
# KAS (Kubernetes Agent Server) - desabilitar
kas:
enabled: false
# =============================================================================
# POSTGRESQL
# =============================================================================
postgresql:
install: true
primary:
resources:
requests:
memory: 512Mi
cpu: 100m
limits:
memory: 1Gi
cpu: 500m
persistence:
size: 10Gi # Mínimo Hetzner ($0.0484/GB)
storageClass: hcloud-volumes
# =============================================================================
# REDIS
# =============================================================================
redis:
install: true
master:
resources:
requests:
memory: 256Mi
cpu: 50m
limits:
memory: 512Mi
cpu: 200m
persistence:
size: 10Gi # Mínimo Hetzner ($0.0484/GB)
storageClass: hcloud-volumes
# =============================================================================
# OBJECT STORAGE (Hetzner Object Storage - S3 compatible)
# =============================================================================
# Usamos o Hetzner Object Storage ao invés do MinIO bundled.
# Vantagens:
# - Sem volume persistente (economia de $0.50/mês)
# - Sem pod MinIO (economia de recursos)
# - Storage ilimitado (paga por uso: €0.006/GB)
# - Alta disponibilidade gerenciada pela Hetzner
#
# Pré-requisito: criar bucket e credenciais na Hetzner Console
# O setup.sh cria o Secret gitlab-object-storage automaticamente
minio:
install: false
global:
minio:
enabled: false
appConfig:
object_store:
enabled: true
proxy_download: true
connection:
secret: gitlab-object-storage
key: connection
# =============================================================================
# REGISTRY (Container Registry)
# =============================================================================
registry:
enabled: true
hpa:
minReplicas: 1
maxReplicas: 1
resources:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 256Mi
cpu: 200m
# Storage usa Hetzner Object Storage (configurado via global.appConfig.object_store)
storage:
secret: gitlab-registry-storage
key: config
# =============================================================================
# COMPONENTES DESABILITADOS (economia de recursos)
# =============================================================================
# GitLab Runner - instalar separadamente se necessário
gitlab-runner:
install: false
# Prometheus - usar Victoria Metrics da aula-05
prometheus:
install: false
# Grafana
grafana:
install: false
# GitLab Pages
gitlab-pages:
enabled: false
# Praefect (Gitaly HA) - não necessário para instalação pequena
praefect:
enabled: false
# Spamcheck
spamcheck:
enabled: false
# =============================================================================
# UPGRADECHECK
# =============================================================================
upgradeCheck:
enabled: false
Reference in New Issue View Git Blame Copy Permalink