From 2ea9f3973fc5d47df4789454721c60b9676ec8a3 Mon Sep 17 00:00:00 2001 From: Henry Winkel Date: Thu, 12 Mar 2026 14:23:02 +0100 Subject: [PATCH] ADD: addend gitlab --- .../manifest/collabora-clusterip.yaml | 13 + .../manifest/nextcloud-deployment.yaml | 8 +- k3s/apps/gitLab/manifest.yaml | 262 ++++++++++++++++++ .../gitLab/manifest/gitlab-deployment.yaml | 118 ++++++++ k3s/apps/gitLab/manifest/namespace.yaml | 4 + k3s/apps/gitLab/manifest/pv-pvc.yaml | 98 +++++++ k3s/apps/gitLab/manifest/secret.yaml | 58 ++++ k3s/apps/gitLab/manifest/service.yaml | 52 ++++ 8 files changed, 612 insertions(+), 1 deletion(-) create mode 100644 k3s/apps/Nextcloud/manifest/collabora-clusterip.yaml create mode 100644 k3s/apps/gitLab/manifest.yaml create mode 100644 k3s/apps/gitLab/manifest/gitlab-deployment.yaml create mode 100644 k3s/apps/gitLab/manifest/namespace.yaml create mode 100644 k3s/apps/gitLab/manifest/pv-pvc.yaml create mode 100644 k3s/apps/gitLab/manifest/secret.yaml create mode 100644 k3s/apps/gitLab/manifest/service.yaml
diff --git a/k3s/apps/Nextcloud/manifest/collabora-clusterip.yaml b/k3s/apps/Nextcloud/manifest/collabora-clusterip.yaml
new file mode 100644
index 0000000..bc66d35
--- /dev/null
+++ b/k3s/apps/Nextcloud/manifest/collabora-clusterip.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: collabora
+ namespace: nextcloud
+spec:
+ selector:
+ app: collabora
+ ports:
+ - port: 9980
+ targetPort: 9980
+ protocol: TCP
+ type: ClusterIP
diff --git a/k3s/apps/Nextcloud/manifest/nextcloud-deployment.yaml b/k3s/apps/Nextcloud/manifest/nextcloud-deployment.yaml
index 62bae71..87086c0 100644
--- a/k3s/apps/Nextcloud/manifest/nextcloud-deployment.yaml
+++ b/k3s/apps/Nextcloud/manifest/nextcloud-deployment.yaml
@@ -16,6 +16,12 @@ spec:
 # fsGroup sorgt dafür, dass gemountete Volumes die Gruppe www-data (33) bekommen
 securityContext:
 fsGroup: 33
+ # hostAliases mappt die öffentliche Domain intern auf die Service-ClusterIP,
+ # damit der Pod henryathome.home64.de direkt intern erreicht (vermeidet externe Loopback/Firewall/403)
+ hostAliases:
+ - ip: "10.43.107.87"
+ hostnames:
+ - "henryathome.home64.de"
 containers:
 - name: nextcloud
 image: nextcloud:33-apache
@@ -50,7 +56,7 @@ spec:
 resources:
 requests:
 memory: "512Mi"
- cpu: "250m"
+ cpu: "500m"
 limits:
 memory: "4Gi"
 cpu: "3000m"
diff --git a/k3s/apps/gitLab/manifest.yaml b/k3s/apps/gitLab/manifest.yaml
new file mode 100644
index 0000000..0a21cff
--- /dev/null
+++ b/k3s/apps/gitLab/manifest.yaml
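Review bot: The new hostAliases entry pins henryathome.home64.de to the literal ClusterIP `10.43.107.87`, and a ClusterIP is only stable for the lifetime of that Service object, so deleting and re-creating the Service silently leaves every in-pod call to the domain pointing at a dead or reassigned address. If the intent is to bypass the external path, point Nextcloud at the target Service's in-cluster DNS name (`<service>.<namespace>.svc`, placeholder) instead of an address; if hostAliases must stay, set an explicit `spec.clusterIP` on that Service and add a comment on both sides that the two values must change together. The enclosing Deployment spec starts and ends outside the hunk.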
@@ -0,0 +1,262 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitlab
+
+---
+# ─── NFS PersistentVolume für gitlab-data ─────────────────────────
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: gitlab-data-pv
+spec:
+ capacity:
+ storage: 50Gi
+ accessModes:
+ - ReadWriteMany # NFS unterstützt RWX
+ persistentVolumeReclaimPolicy: Retain
+ mountOptions:
+ - hard
+ - nfsvers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - timeo=600
+ - retrans=2
+ nfs:
+ server: 192.168.1.100 # ← deine NFS Server IP
+ path: /exports/gitlab/data # ← NFS Export Pfad
+
+---
+# ─── PVC für gitlab-data (NFS) ────────────────────────────────────
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitlab-data-pvc
+ namespace: gitlab
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 50Gi
+ volumeName: gitlab-data-pv # direkte Bindung an den PV oben
+ storageClassName: "" # wichtig: verhindert dynamische Provisionierung
+
+---
+# ─── Lokale PVCs (Logs & Config bleiben lokal) ────────────────────
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitlab-logs-pvc
+ namespace: gitlab
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: standard
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitlab-config-pvc
+ namespace: gitlab
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: standard
+
+---
+# ─── Secret ───────────────────────────────────────────────────────
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-secrets
+ namespace: gitlab
+type: Opaque
+stringData:
+ GITLAB_ROOT_PASSWORD: "ChangeMeSecurely123!"
+ GITLAB_OMNIBUS_CONFIG: |
+ external_url 'https://gitlab.example.com'
+ gitlab_rails['gitlab_shell_ssh_port'] = 22
+ nginx['listen_port'] = 80
+ nginx['listen_https'] = false
+ prometheus_monitoring['enable'] = false
+
+---
+# ─── ConfigMap ────────────────────────────────────────────────────
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitlab-config
+ namespace: gitlab
+data:
+ GITLAB_TIMEZONE: "Europe/Berlin"
+
+---
+# ─── Deployment ───────────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitlab
+ namespace: gitlab
+ labels:
+ app: gitlab
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitlab
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: gitlab
+ spec:
+ initContainers:
+ - name: fix-permissions
+ image: busybox
+ command:
+ - sh
+ - -c
+ - |
+ chown -R 998:998 /var/opt/gitlab /var/log/gitlab /etc/gitlab
+ # NFS: sicherstellen dass das Verzeichnis existiert
+ mkdir -p /var/opt/gitlab/git-data
+ volumeMounts:
+ - name: gitlab-data
+ mountPath: /var/opt/gitlab
+ - name: gitlab-logs
+ mountPath: /var/log/gitlab
+ - name: gitlab-config
+ mountPath: /etc/gitlab
+
+ containers:
+ - name: gitlab
+ image: gitlab/gitlab-ce:16.9.0-ce.0
+ imagePullPolicy: IfNotPresent
+
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ - name: ssh
+ containerPort: 22
+
+ envFrom:
+ - configMapRef:
+ name: gitlab-config
+ - secretRef:
+ name: gitlab-secrets
+
+ resources:
+ requests:
+ memory: "4Gi"
+ cpu: "1000m"
+ limits:
+ memory: "8Gi"
+ cpu: "4000m"
+
+ # ─── Mounts ─────────────────────────────────────────────
+ volumeMounts:
+ - name: gitlab-data # → NFS
+ mountPath: /var/opt/gitlab
+ - name: gitlab-logs # → lokal
+ mountPath: /var/log/gitlab
+ - name: gitlab-config # → lokal
+ mountPath: /etc/gitlab
+ - name: shm
+ mountPath: /dev/shm
+
+ readinessProbe:
+ httpGet:
+ path: /-/readiness
+ port: 80
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ failureThreshold: 30
+
+ livenessProbe:
+ httpGet:
+ path: /-/liveness
+ port: 80
+ initialDelaySeconds: 120
+ periodSeconds: 30
+ failureThreshold: 5
+
+ # ─── Volumes ──────────────────────────────────────────────────
+ volumes:
+ - name: gitlab-data # NFS via PVC
+ persistentVolumeClaim:
+ claimName: gitlab-data-pvc
+
+ - name: gitlab-logs # lokal via PVC
+ persistentVolumeClaim:
+ claimName: gitlab-logs-pvc
+
+ - name: gitlab-config # lokal via PVC
+ persistentVolumeClaim:
+ claimName: gitlab-config-pvc
+
+ - name: shm
+ emptyDir:
+ medium: Memory
+ sizeLimit: 256Mi
+
+---
+# ─── Service ──────────────────────────────────────────────────────
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitlab
+ namespace: gitlab
+spec:
+ selector:
+ app: gitlab
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ - name: https
+ port: 443
+ targetPort: 443
+ - name: ssh
+ port: 22
+ targetPort: 22
+ type: ClusterIP
+
+---
+# ─── Ingress ──────────────────────────────────────────────────────
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gitlab
+ namespace: gitlab
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: "512m"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - gitlab.example.com
+ secretName: gitlab-tls
+ rules:
+ - host: gitlab.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: gitlab
+ port:
+ number: 80
\ No newline at end of file
diff --git a/k3s/apps/gitLab/manifest/gitlab-deployment.yaml b/k3s/apps/gitLab/manifest/gitlab-deployment.yaml
new file mode 100644
index 0000000..2729cc6
--- /dev/null
+++ b/k3s/apps/gitLab/manifest/gitlab-deployment.yaml
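Review bot: k3s/apps/gitLab/manifest.yaml is a second, conflicting copy of the resources that the same commit splits into k3s/apps/gitLab/manifest/: it defines `gitlab-data-pv` as an NFS volume while pv-pvc.yaml defines the same name as a hostPath volume, pins `gitlab/gitlab-ce:16.9.0-ce.0` where gitlab-deployment.yaml uses `latest`, and uses SSH port 22 where secret.yaml and service.yaml use 31022, so a recursive apply of the gitLab directory would have the two sets overwrite each other non-deterministically. Either delete this file or add a header comment such as `# Reference/monolithic variant — NOT applied; the manifest/ directory is authoritative` and keep it out of the apply path. The Secret in this file also commits a literal root password in `stringData`, and the two local PVCs request `storageClassName: standard`, which on a k3s cluster (as the path suggests) may not exist and would leave them Pending; confirm the class name before applying.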
@@ -0,0 +1,118 @@
+# ─── Deployment ───────────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitlab
+ namespace: gitlab
+ labels:
+ app: gitlab
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitlab
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: gitlab
+ spec:
+ initContainers:
+ - name: fix-permissions
+ image: busybox
+ command:
+ - sh
+ - -c
+ - mkdir -p /var/opt/gitlab/git-data
+ volumeMounts:
+ - name: gitlab-data
+ mountPath: /var/opt/gitlab
+ - name: gitlab-git
+ mountPath: /var/opt/gitlab/git-data
+ - name: gitlab-config
+ mountPath: /etc/gitlab
+
+ containers:
+ - name: gitlab
+ image: gitlab/gitlab-ce:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add:
+ - SYS_RESOURCE
+
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ - name: ssh
+ containerPort: 22
+
+ envFrom:
+ - configMapRef:
+ name: gitlab-config
+ - secretRef:
+ name: gitlab-secrets
+
+ resources:
+ requests:
+ memory: "4Gi"
+ cpu: "1000m"
+ limits:
+ memory: "8Gi"
+ cpu: "4000m"
+
+ # ─── Mounts ─────────────────────────────────────────────
+ volumeMounts:
+ - name: gitlab-data # → lokal (postgresql, redis, etc.)
+ mountPath: /var/opt/gitlab
+ - name: gitlab-git # → NFS (Git-Repositories)
+ mountPath: /var/opt/gitlab/git-data
+ - name: gitlab-config # → lokal
+ mountPath: /etc/gitlab
+ - name: gitlab-logs # → ephemeral
+ mountPath: /var/log/gitlab
+ - name: shm
+ mountPath: /dev/shm
+
+ startupProbe:
+ exec:
+ command: ["curl", "-sf", "http://localhost/-/health"]
+ failureThreshold: 40
+ periodSeconds: 15
+
+ readinessProbe:
+ exec:
+ command: ["curl", "-sf", "http://localhost/-/health"]
+ periodSeconds: 15
+ failureThreshold: 3
+
+ livenessProbe:
+ exec:
+ command: ["curl", "-sf", "http://localhost/-/health"]
+ periodSeconds: 30
+ failureThreshold: 5
+
+ # ─── Volumes ──────────────────────────────────────────────────
+ volumes:
+ - name: gitlab-data # lokal (postgresql, redis, etc.)
+ persistentVolumeClaim:
+ claimName: gitlab-data-pvc
+
+ - name: gitlab-git # NFS (Git-Repositories)
+ persistentVolumeClaim:
+ claimName: gitlab-git-pvc
+
+ - name: gitlab-config # lokal
+ persistentVolumeClaim:
+ claimName: gitlab-config-pvc
+
+ - name: gitlab-logs # ephemeral
+ emptyDir: {}
+
+ - name: shm
+ emptyDir:
+ medium: Memory
+ sizeLimit: 256Mi
diff --git a/k3s/apps/gitLab/manifest/namespace.yaml b/k3s/apps/gitLab/manifest/namespace.yaml
new file mode 100644
index 0000000..05c6da4
--- /dev/null
+++ b/k3s/apps/gitLab/manifest/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitlab
diff --git a/k3s/apps/gitLab/manifest/pv-pvc.yaml b/k3s/apps/gitLab/manifest/pv-pvc.yaml
new file mode 100644
index 0000000..67d25ab
--- /dev/null
+++ b/k3s/apps/gitLab/manifest/pv-pvc.yaml
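Review bot: `image: gitlab/gitlab-ce:latest` with `imagePullPolicy: IfNotPresent` makes the deployed version depend on whichever image each node happens to have cached, so a reschedule to another node can run a different GitLab release against the same PostgreSQL data in `gitlab-data-pvc` and trigger an unplanned (and, across major versions, unsupported) migration; the monolithic manifest.yaml in this same commit already pins `16.9.0-ce.0`, so pin a tag here too, e.g. `image: gitlab/gitlab-ce:<pinned-version>` (placeholder) and upgrade deliberately. The `SYS_RESOURCE` capability is added without any comment on why it is needed; if it was added to silence a startup warning, document that inline (`# SYS_RESOURCE: <reason> — TODO confirm it is still required`) so the next reviewer does not have to guess. The init container's `mkdir -p /var/opt/gitlab/git-data` targets a path that is already the `gitlab-git` mount point in the same pod, so it is effectively a no-op and can be dropped along with the init container once that is confirmed.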
@@ -0,0 +1,98 @@
+# ─── NFS PV für git-data (Repositories) ──────────────────────────
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: gitlab-git-pv
+spec:
+ capacity:
+ storage: 50Gi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: nfs
+ mountOptions:
+ - hard
+ - rsize=1048576
+ - wsize=1048576
+ - timeo=600
+ - retrans=2
+ nfs:
+ server: 192.168.178.166
+ path: /export/gitlab
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitlab-git-pvc
+ namespace: gitlab
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: nfs
+ resources:
+ requests:
+ storage: 50Gi
+ volumeName: gitlab-git-pv
+
+---
+# ─── Lokaler PV für /var/opt/gitlab (postgresql, redis, etc.) ─────
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: gitlab-data-pv
+spec:
+ capacity:
+ storage: 20Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: local-path
+ hostPath:
+ path: /var/lib/gitlab/data
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitlab-data-pvc
+ namespace: gitlab
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 20Gi
+ volumeName: gitlab-data-pv
+
+---
+# ─── Lokaler PV für /etc/gitlab (Konfiguration) ───────────────────
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: gitlab-config-pv
+spec:
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: local-path
+ hostPath:
+ path: /var/lib/gitlab/config
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: gitlab-config-pvc
+ namespace: gitlab
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 1Gi
+ volumeName: gitlab-config-pv
diff --git a/k3s/apps/gitLab/manifest/secret.yaml b/k3s/apps/gitLab/manifest/secret.yaml
new file mode 100644
index 0000000..7b8712e
--- /dev/null
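Review bot: The two hostPath PersistentVolumes (`gitlab-data-pv` at `/var/lib/gitlab/data`, `gitlab-config-pv` at `/var/lib/gitlab/config`) carry no `nodeAffinity`, so nothing ties the GitLab pod to the node whose disk actually holds the PostgreSQL data and `gitlab-secrets.json`; on a multi-node cluster a drain or node failure reschedules the pod elsewhere, where it finds empty directories and silently initialises a fresh database and a new secrets file, splitting the instance in two. Add `spec.nodeAffinity` on both PVs with a `kubernetes.io/hostname` requirement for the owning node (or convert them to `local:` volumes, which make that affinity mandatory), and leave a comment that the path must exist on exactly that node. Also note that `storageClassName: local-path` is the name of k3s's dynamic provisioner class; the static `volumeName` binding here should keep the provisioner out of the loop, but confirm on the cluster that the PVCs bind to these PVs rather than to freshly provisioned ones.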
+++ b/k3s/apps/gitLab/manifest/secret.yaml
@@ -0,0 +1,58 @@
+# ─── Secret ───────────────────────────────────────────────────────
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-secrets
+ namespace: gitlab
+type: Opaque
+stringData:
+ GITLAB_ROOT_PASSWORD: "NewPassword123!"
+ GITLAB_OMNIBUS_CONFIG: |
+ external_url 'https://gitlab.henryathome.home64.de'
+ gitlab_rails['gitlab_shell_ssh_port'] = 31022
+ nginx['listen_port'] = 80
+ nginx['listen_https'] = false
+ nginx['proxy_set_headers'] = {
+ 'X-Forwarded-Proto' => 'https',
+ 'X-Forwarded-Ssl' => 'on'
+ }
+ prometheus_monitoring['enable'] = false
+
+ # Authentik SSO (OpenID Connect)
+ gitlab_rails['omniauth_enabled'] = true
+ gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+ gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
+ gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
+ gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'name']
+ gitlab_rails['omniauth_block_auto_created_users'] = false
+ gitlab_rails['omniauth_providers'] = [
+ {
+ name: "openid_connect",
+ label: "Authentik",
+ args: {
+ name: "openid_connect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://authentik.henryathome.home64.de/application/o/gitlab/",
+ discovery: true,
+ client_auth_method: "query",
+ uid_field: "sub",
+ pkce: true,
+ client_options: {
+ identifier: "HaKYx5sj767TYywPOekXD99ylk4NdPEX85UWa9Jo",
+ secret: "9AazToYtgYdfaAgZauR8FMNJVj0qF8qePz0Gq5TPYK9fiE45QUDoEM1v3CEROiSI2BngXJVRqSEgBszSyieHe283w8Ube0yWXzesLNS84qR3fDWWSpbJ3sLZBlJMKMUj",
+ redirect_uri: "https://gitlab.henryathome.home64.de/users/auth/openid_connect/callback"
+ }
+ }
+ }
+ ]
+
+---
+# ─── ConfigMap ────────────────────────────────────────────────────
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitlab-config
+ namespace: gitlab
+data:
+ GITLAB_TIMEZONE: "Europe/Berlin"
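Review bot: The OIDC `client_options.secret` and `GITLAB_ROOT_PASSWORD` are committed in clear text inside `stringData`, so they now live in git history for anyone with read access to the repository and every clone of it; both should be treated as disclosed, the Authentik client secret and the GitLab root password rotated, and the Secret kept out of the repo (e.g. an encrypted or sealed secret, or an external secret store) with only a template such as `secret: "<oidc-client-secret>"` checked in. `gitlab_rails['omniauth_block_auto_created_users'] = false` means any identity the Authentik provider accepts gets an active GitLab account without admin approval, which is fine only if the Authentik application policy for `gitlab` already restricts who may authenticate; add a comment stating that assumption next to the line. Since the root password is consumed on first boot only, a later rotation of this Secret does not change the running instance, which is worth a one-line comment above `GITLAB_ROOT_PASSWORD`.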
diff --git a/k3s/apps/gitLab/manifest/service.yaml b/k3s/apps/gitLab/manifest/service.yaml
new file mode 100644
index 0000000..a8b2171
--- /dev/null
+++ b/k3s/apps/gitLab/manifest/service.yaml
@@ -0,0 +1,52 @@
+# ─── Service ──────────────────────────────────────────────────────
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitlab
+ namespace: gitlab
+spec:
+ selector:
+ app: gitlab
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ nodePort: 31080
+ - name: https
+ port: 443
+ targetPort: 443
+ nodePort: 31443
+ - name: ssh
+ port: 31022
+ targetPort: 31022
+ nodePort: 31022
+ type: NodePort
+
+# ---
+# ─── Ingress ──────────────────────────────────────────────────────
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+# name: gitlab
+# namespace: gitlab
+# annotations:
+# nginx.ingress.kubernetes.io/proxy-body-size: "512m"
+# nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+# nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+# spec:
+# ingressClassName: nginx
+# tls:
+# - hosts:
+# - gitlab.example.com
+# secretName: gitlab-tls
+# rules:
+# - host: gitlab.example.com
+# http:
+# paths:
+# - path: /
+# pathType: Prefix
+# backend:
+# service:
+# name: gitlab
+# port:
+# number: 80
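Review bot: The ssh port entry sets `targetPort: 31022`, but the container in gitlab-deployment.yaml exposes `containerPort: 22`, and `gitlab_rails['gitlab_shell_ssh_port'] = 31022` in secret.yaml only changes the port GitLab advertises in clone URLs, not the port sshd listens on, so every SSH clone through NodePort 31022 will be forwarded to a closed port inside the pod. Change the line to `targetPort: 22` (keep `port`/`nodePort` at 31022 so the advertised URL stays correct) unless sshd's listen port is also reconfigured somewhere not shown here. The NodePort on 31080 also exposes GitLab over plain HTTP on every node while the Ingress that would terminate TLS is commented out; if the NodePort is only a stopgap, a comment saying so and which path is intended for production would help.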