workshop/aula-10/gitlab-values.yaml

# =============================================================================
# GitLab Helm Chart - Configuração Base para Hetzner CAX11
# =============================================================================
#
# Esta configuração:
#   - Usa NGINX Ingress Controller externo (instalado na aula-08)
#   - Define ~5GB de recursos distribuídos em 2 workers CAX11 (antiAffinity)
#   - Desabilita componentes não essenciais para economizar recursos
#   - Configura Registry para container images
#
# Valores dinâmicos (configurados via --set no setup.sh):
#   - global.hosts.domain
#   - global.hosts.gitlab.name
#   - global.hosts.registry.name
#   - global.hosts.minio.name
#   - global.hosts.https
#   - global.ingress.tls.enabled
#   - global.ingress.configureCertmanager
#
# Cenário CloudFlare (proxy ativo):
#   - global.ingress.tls.enabled=false
#   - global.hosts.https=true
#   - gitlab.webservice.workhorse.trustedCIDRsForXForwardedFor=[CloudFlare IPs]
#
# Cenário Let's Encrypt:
#   - global.ingress.tls.enabled=true
#   - global.hosts.https=true
#   - global.ingress.configureCertmanager=true
#   - global.ingress.annotations.cert-manager.io/cluster-issuer=letsencrypt-prod
#
# =============================================================================

global:
  # Usar Ingress Controller externo
  ingress:
    class: nginx
    # configureCertmanager é definido via --set no setup.sh (true para Let's Encrypt)
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "900"
      nginx.ingress.kubernetes.io/proxy-buffering: "off"
      # cert-manager.io/cluster-issuer é adicionado via --set quando Let's Encrypt

  # Timezone
  time_zone: America/Sao_Paulo

  # Pod Security - evitar warnings de PodSecurity
  pod:
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

  # Email (opcional - configurar depois)
  # email:
  #   from: gitlab@kube.quest
  #   display_name: GitLab
  #   reply_to: noreply@kube.quest

# =============================================================================
# NGINX BUNDLED - DESABILITAR (usamos o externo)
# =============================================================================
nginx-ingress:
  enabled: false

# =============================================================================
# CERT-MANAGER - DESABILITAR BUNDLED
# =============================================================================
# O cert-manager é instalado separadamente se Let's Encrypt for escolhido.
# global.ingress.configureCertmanager controla a integração.

# =============================================================================
# GITLAB COMPONENTS
# =============================================================================

gitlab:
  # Webservice (Rails app - UI e API)
  # NOTA: antiAffinity garante que webservice e sidekiq rodem em nós diferentes
  # Isso evita OOM quando ambos competem por memória no mesmo nó CAX11 (4GB)
  webservice:
    minReplicas: 1
    maxReplicas: 1
    resources:
      requests:
        memory: 2Gi
        cpu: 200m
      limits:
        memory: 2.5Gi
        cpu: 1
    workerProcesses: 1
    puma:
      threads:
        min: 1
        max: 2
    # Anti-affinity: não rodar no mesmo nó que sidekiq
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: sidekiq
            topologyKey: kubernetes.io/hostname

  # Sidekiq (background jobs)
  # Anti-affinity: não rodar no mesmo nó que webservice
  sidekiq:
    minReplicas: 1
    maxReplicas: 1
    resources:
      requests:
        memory: 1.5Gi
        cpu: 100m
      limits:
        memory: 2Gi
        cpu: 500m
    # Desabilitar memory watchdog interno do GitLab (deixa o OOM killer do K8s gerenciar)
    memoryKiller:
      maxRss: 2000000000  # 2GB - maior que o limite para evitar kills prematuros
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: webservice
            topologyKey: kubernetes.io/hostname

  # Gitaly (Git storage)
  gitaly:
    resources:
      requests:
        memory: 512Mi
        cpu: 100m
      limits:
        memory: 1Gi
        cpu: 500m
    persistence:
      size: 10Gi  # Mínimo Hetzner ($0.0484/GB)
      storageClass: hcloud-volumes

  # GitLab Shell (SSH)
  gitlab-shell:
    minReplicas: 1
    maxReplicas: 1
    service:
      type: ClusterIP  # TCP passthrough pelo NGINX
    resources:
      requests:
        memory: 64Mi
        cpu: 50m
      limits:
        memory: 128Mi
        cpu: 100m

  # Toolbox (backup, rake tasks)
  toolbox:
    enabled: true
    resources:
      requests:
        memory: 256Mi
        cpu: 50m
      limits:
        memory: 512Mi
        cpu: 200m

  # GitLab Exporter (métricas)
  gitlab-exporter:
    enabled: false  # Economiza recursos

  # Migrations
  migrations:
    resources:
      requests:
        memory: 256Mi
        cpu: 100m

  # KAS (Kubernetes Agent Server) - desabilitar
  kas:
    enabled: false

# =============================================================================
# POSTGRESQL
# =============================================================================
postgresql:
  install: true
  primary:
    resources:
      requests:
        memory: 512Mi
        cpu: 100m
      limits:
        memory: 1Gi
        cpu: 500m
    persistence:
      size: 10Gi  # Mínimo Hetzner ($0.0484/GB)
      storageClass: hcloud-volumes

# =============================================================================
# REDIS
# =============================================================================
redis:
  install: true
  master:
    resources:
      requests:
        memory: 256Mi
        cpu: 50m
      limits:
        memory: 512Mi
        cpu: 200m
    persistence:
      size: 10Gi  # Mínimo Hetzner ($0.0484/GB)
      storageClass: hcloud-volumes

# =============================================================================
# MINIO (Object Storage)
# =============================================================================
# NOTA: As imagens padrão do GitLab chart não suportam ARM64.
# Usamos as imagens oficiais multi-arch do MinIO.
minio:
  install: true
  image: minio/minio
  imageTag: RELEASE.2024-06-13T22-53-53Z
  minioMc:
    image: minio/mc
    tag: RELEASE.2024-06-12T14-34-03Z
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 256Mi
      cpu: 200m
  persistence:
    size: 10Gi
    storageClass: hcloud-volumes

# Ou usar object storage externo (S3, etc):
# global:
#   minio:
#     enabled: false
#   appConfig:
#     object_store:
#       enabled: true
#       connection:
#         secret: gitlab-object-storage
#         key: connection

# =============================================================================
# REGISTRY (Container Registry)
# =============================================================================
registry:
  enabled: true
  hpa:
    minReplicas: 1
    maxReplicas: 1
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 256Mi
      cpu: 200m
  # Storage usa MinIO bundled automaticamente quando minio.install=true

# =============================================================================
# COMPONENTES DESABILITADOS (economia de recursos)
# =============================================================================

# GitLab Runner - instalar separadamente se necessário
gitlab-runner:
  install: false

# Prometheus - usar Victoria Metrics da aula-05
prometheus:
  install: false

# Grafana
grafana:
  install: false

# GitLab Pages
gitlab-pages:
  enabled: false

# Praefect (Gitaly HA) - não necessário para instalação pequena
praefect:
  enabled: false

# Spamcheck
spamcheck:
  enabled: false

# =============================================================================
# UPGRADECHECK
# =============================================================================
upgradeCheck:
  enabled: false