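# Single-node GitLab Omnibus (CE) on Kubernetes: namespace, NFS-backed data
# volume, local log/config volumes, Secret + ConfigMap, Deployment, Service and
# a TLS-terminating Ingress.
#
# Security notes for the whole manifest:
#   * The root password below is a placeholder committed in plain text. Create
#     the Secret out of band (kubectl create secret / SealedSecrets / External
#     Secrets) and keep this value out of version control.
#   * All repositories live on an NFS export mounted with the default sec=sys,
#     i.e. the only access control is the export's client list on the NFS
#     server. Restrict it to the cluster nodes (or use Kerberos).
#   * The Omnibus image must run as root (its supervisor drops privileges per
#     service); compensate with no SA token, a NetworkPolicy and prompt patching.
apiVersion: v1
kind: Namespace
metadata:
  name: gitlab
---
# ─── NFS PersistentVolume for gitlab-data ─────────────────────────
# NOTE(review): nfsvers=4.1 without a sec= option means sec=sys — the export
# trusts client IP + uid. Limit /exports/gitlab/data to the node IPs on the
# server side; do not use a wildcard export.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-data-pv
spec:
  capacity:
    storage: 50Gi
  accessModes:
    - ReadWriteMany  # NFS supports RWX
  persistentVolumeReclaimPolicy: Retain  # never auto-delete repository data
  mountOptions:
    - hard
    - nfsvers=4.1
    - rsize=1048576
    - wsize=1048576
    - timeo=600
    - retrans=2
  nfs:
    server: 192.168.1.100       # <- your NFS server IP
    path: /exports/gitlab/data  # <- NFS export path
---
# ─── PVC for gitlab-data (NFS) ────────────────────────────────────
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-data-pvc
  namespace: gitlab
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  volumeName: gitlab-data-pv  # bind directly to the PV above
  storageClassName: ""        # important: prevents dynamic provisioning
---
# ─── Local PVCs (logs & config stay local) ────────────────────────
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-logs-pvc
  namespace: gitlab
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: standard
---
# /etc/gitlab holds gitlab-secrets.json (DB/Redis passwords, signing keys,
# OTP/encrypted-attribute keys). Back it up like a secret, not like config.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-config-pvc
  namespace: gitlab
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard
---
# ─── Secret ───────────────────────────────────────────────────────
# GITLAB_ROOT_PASSWORD is only consumed on the very first boot of a fresh
# instance; changing it here later has no effect. Replace the placeholder
# before applying — or better, create this Secret outside the manifest.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secrets
  namespace: gitlab
type: Opaque
stringData:
  GITLAB_ROOT_PASSWORD: "ChangeMeSecurely123!"  # placeholder — do not ship as-is
  # TLS is terminated at the Ingress, so the bundled NGINX listens on plain
  # HTTP. external_url stays https:// so GitLab generates https links; this
  # relies on the ingress sending X-Forwarded-Proto: https (ingress-nginx does
  # by default). Port 80 is only reachable inside the cluster (ClusterIP).
  GITLAB_OMNIBUS_CONFIG: |
    external_url 'https://gitlab.example.com'
    gitlab_rails['gitlab_shell_ssh_port'] = 22
    nginx['listen_port'] = 80
    nginx['listen_https'] = false
    prometheus_monitoring['enable'] = false
---
# ─── ConfigMap ────────────────────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitlab-config
  namespace: gitlab
data:
  GITLAB_TIMEZONE: "Europe/Berlin"
---
# ─── Deployment ───────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab
  namespace: gitlab
  labels:
    app: gitlab
spec:
  replicas: 1  # Omnibus is single-instance; two pods on one data dir corrupt it
  selector:
    matchLabels:
      app: gitlab
  strategy:
    type: Recreate  # never overlap old and new pod on the same volumes
  template:
    metadata:
      labels:
        app: gitlab
    spec:
      # GitLab never talks to the Kubernetes API; don't mount a SA token that
      # a compromised pod could use against the cluster.
      automountServiceAccountToken: false
      initContainers:
        - name: fix-permissions
          # Pinned instead of floating "latest"; pin by digest (@sha256:…) in
          # production so the init step cannot be swapped under you.
          image: busybox:1.36
          command:
            - sh
            - -c
            # Create git-data BEFORE chown so it is owned by the git user too
            # (the original order left it root-owned). Fail fast: if the NFS
            # export squashes root the chown fails and GitLab would otherwise
            # break later with a much less obvious error.
            - |
              set -e
              mkdir -p /var/opt/gitlab/git-data
              chown -R 998:998 /var/opt/gitlab /var/log/gitlab /etc/gitlab
          volumeMounts:
            - name: gitlab-data
              mountPath: /var/opt/gitlab
            - name: gitlab-logs
              mountPath: /var/log/gitlab
            - name: gitlab-config
              mountPath: /etc/gitlab
      containers:
        - name: gitlab
          # The image tag is the patch level for every bundled component
          # (NGINX, Puma, Gitaly, PostgreSQL, Redis…). Check GitLab's security
          # releases before deploying this version and bump regularly.
          image: gitlab/gitlab-ce:16.9.0-ce.0
          imagePullPolicy: IfNotPresent
          # No restrictive securityContext: the Omnibus supervisor starts as
          # root and drops privileges per service itself; runAsNonRoot or a
          # read-only root filesystem breaks startup.
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443  # unused while listen_https is false
            - name: ssh
              containerPort: 22
          envFrom:
            - configMapRef:
                name: gitlab-config
            - secretRef:
                name: gitlab-secrets
          resources:
            requests:
              memory: "4Gi"
              cpu: "1000m"
            limits:
              memory: "8Gi"
              cpu: "4000m"
          # ─── Mounts ─────────────────────────────────────────────
          volumeMounts:
            - name: gitlab-data    # -> NFS
              mountPath: /var/opt/gitlab
            - name: gitlab-logs    # -> local
              mountPath: /var/log/gitlab
            - name: gitlab-config  # -> local
              mountPath: /etc/gitlab
            - name: shm
              mountPath: /dev/shm
          # NOTE(review): /-/readiness and /-/liveness are IP-allowlisted via
          # gitlab_rails['monitoring_whitelist'] (default: loopback only) and
          # kubelet probes arrive from the node IP. If the probes return 401,
          # add the node/pod CIDR to that allowlist in GITLAB_OMNIBUS_CONFIG —
          # confirm against the health-check docs for this GitLab version.
          readinessProbe:
            httpGet:
              path: /-/readiness
              port: 80
            initialDelaySeconds: 60
            periodSeconds: 10
            failureThreshold: 30
          livenessProbe:
            httpGet:
              path: /-/liveness
              port: 80
            initialDelaySeconds: 120
            periodSeconds: 30
            failureThreshold: 5
      # ─── Volumes ────────────────────────────────────────────────
      volumes:
        - name: gitlab-data  # NFS via PVC
          persistentVolumeClaim:
            claimName: gitlab-data-pvc
        - name: gitlab-logs  # local via PVC
          persistentVolumeClaim:
            claimName: gitlab-logs-pvc
        - name: gitlab-config  # local via PVC
          persistentVolumeClaim:
            claimName: gitlab-config-pvc
        - name: shm
          emptyDir:
            medium: Memory
            sizeLimit: 256Mi
---
# ─── Service ──────────────────────────────────────────────────────
# ClusterIP only: HTTP is reached through the Ingress below. Port 22 is NOT
# exposed outside the cluster by this manifest — git-over-SSH needs a separate
# LoadBalancer/NodePort Service or the ingress controller's TCP passthrough.
apiVersion: v1
kind: Service
metadata:
  name: gitlab
  namespace: gitlab
spec:
  selector:
    app: gitlab
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
    - name: ssh
      port: 22
      targetPort: 22
  type: ClusterIP
---
# ─── Ingress ──────────────────────────────────────────────────────
# TLS terminates here; the gitlab-tls Secret must exist (cert-manager or
# manually created) or the controller serves its default/self-signed cert.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitlab
  namespace: gitlab
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "512m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    # Make the https-only intent explicit: plain-HTTP requests (incl. git
    # credentials sent over http://) are redirected before reaching GitLab.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - gitlab.example.com
      secretName: gitlab-tls
  rules:
    - host: gitlab.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitlab
                port:
                  number: 80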