| Giorgi Lekveishvili | 285ab62 | 2023-11-22 13:50:45 +0400 | [diff] [blame] | 1 | # Gerrit replica on Kubernetes |
| 2 | |
| 3 | Gerrit is a web-based code review tool, which acts as a Git server. On large setups |
| 4 | Gerrit servers can see a sizable amount of traffic from git operations performed by |
| 5 | developers and build servers. The major part of requests are read-only requests |
| 6 | (e.g. by `git fetch` operations). To take some load of the Gerrit server, |
| 7 | Gerrit replicas can be deployed to serve read-only requests. |
| 8 | |
| 9 | This helm chart provides a Gerrit replica setup that can be deployed on Kubernetes. |
| 10 | The Gerrit replica is capable of receiving replicated git repositories from a |
| 11 | Gerrit. The Gerrit replica can then serve authenticated read-only requests. |
| 12 | |
| 13 | ***note |
| 14 | Gerrit versions before 3.0 are no longer supported, since the support of ReviewDB |
| 15 | was removed. |
| 16 | *** |
| 17 | |
| 18 | ## Prerequisites |
| 19 | |
| 20 | - Helm (>= version 3.0) |
| 21 | |
| 22 | (Check out [this guide](https://docs.helm.sh/using_helm/#quickstart-guide) |
| 23 | how to install and use helm.) |
| 24 | |
| 25 | - Access to a provisioner for persistent volumes with `Read Write Many (RWM)`- |
| 26 | capability. |
| 27 | |
| 28 | A list of applicaple volume types can be found |
| 29 | [here](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes). |
| 30 | This project was developed using the |
| 31 | [NFS-server-provisioner helm chart](https://github.com/helm/charts/tree/master/stable/nfs-server-provisioner), |
| 32 | a NFS-provisioner deployed in the Kubernetes cluster itself. Refer to |
| 33 | [this guide](/helm-charts/gerrit-replica/docs/nfs-provisioner.md) of how to |
| 34 | deploy it in context of this project. |
| 35 | |
| 36 | - A domain name that is configured to point to the IP address of the node running |
| 37 | the Ingress controller on the kubernetes cluster (as described |
| 38 | [here](http://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster/)). |
| 39 | |
| 40 | - (Optional: Required, if SSL is configured) |
| 41 | A [Java keystore](https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#httpd.sslKeyStore) |
| 42 | to be used by Gerrit. |
| 43 | |
| 44 | ## Installing the Chart |
| 45 | |
| 46 | ***note |
| 47 | **ATTENTION:** The value for `ingress.host` is required for rendering |
| 48 | the chart's templates. The nature of the value does not allow defaults. |
| 49 | Thus a custom `values.yaml`-file setting this value is required! |
| 50 | *** |
| 51 | |
| 52 | To install the chart with the release name `gerrit-replica`, execute: |
| 53 | |
| 54 | ```sh |
| 55 | cd $(git rev-parse --show-toplevel)/helm-charts |
| 56 | helm install \ |
| 57 | gerrit-replica \ # release name |
| 58 | ./gerrit-replica \ # path to chart |
| 59 | -f <path-to-custom-values>.yaml |
| 60 | ``` |
| 61 | |
| 62 | The command deploys the Gerrit replica on the current Kubernetes cluster. The |
| 63 | [configuration section](#Configuration) lists the parameters that can be |
| 64 | configured during installation. |
| 65 | |
| 66 | The Gerrit replica requires the replicated `All-Projects.git`- and `All-Users.git`- |
| 67 | repositories to be present in the `/var/gerrit/git`-directory. The `gerrit-init`- |
| 68 | InitContainer will wait for this being the case. A way to do this is to access |
| 69 | the Gerrit replica pod and to clone the repositories from the primary Gerrit (Make |
| 70 | sure that you have the correct access rights do so.): |
| 71 | |
| 72 | ```sh |
| 73 | kubectl exec -it <gerrit-replica-pod> -c gerrit-init ash |
| 74 | gerrit@<gerrit-replica-pod>:/var/tools$ cd /var/gerrit/git |
| 75 | gerrit@<gerrit-replica-pod>:/var/gerrit/git$ git clone "http://gerrit.com/All-Projects" --mirror |
| 76 | Cloning into bare repository 'All-Projects.git'... |
| 77 | gerrit@<gerrit-replica-pod>:/var/gerrit/git$ git clone "http://gerrit.com/All-Users" --mirror |
| 78 | Cloning into bare repository 'All-Users.git'... |
| 79 | ``` |
| 80 | |
| 81 | ## Configuration |
| 82 | |
| 83 | The following sections list the configurable values in `values.yaml`. To configure |
| 84 | a Gerrit replica setup, make a copy of the `values.yaml`-file and change the |
| 85 | parameters as needed. The configuration can be applied by installing the chart as |
| 86 | described [above](#Installing-the-chart). |
| 87 | |
| 88 | In addition, single options can be set without creating a custom `values.yaml`: |
| 89 | |
| 90 | ```sh |
| 91 | cd $(git rev-parse --show-toplevel)/helm-charts |
| 92 | helm install \ |
| 93 | gerrit-replica \ # release name |
| 94 | ./gerrit-replica \ # path to chart |
| 95 | --set=gitRepositoryStorage.size=100Gi,gitBackend.replicas=2 |
| 96 | ``` |
| 97 | |
| 98 | ### Container images |
| 99 | |
| 100 | | Parameter | Description | Default | |
| 101 | |-----------|-------------|---------| |
| 102 | | `images.busybox.registry` | The registry to pull the busybox container images from | `docker.io` | |
| 103 | | `images.busybox.tag` | The busybox image tag to use | `latest` | |
| 104 | | `images.registry.name` | The image registry to pull the container images from | `` | |
| 105 | | `images.registry.ImagePullSecret.name` | Name of the ImagePullSecret | `image-pull-secret` (if empty no image pull secret will be deployed) | |
| 106 | | `images.registry.ImagePullSecret.create` | Whether to create an ImagePullSecret | `false` | |
| 107 | | `images.registry.ImagePullSecret.username` | The image registry username | `nil` | |
| 108 | | `images.registry.ImagePullSecret.password` | The image registry password | `nil` | |
| 109 | | `images.version` | The image version (image tag) to use | `latest` | |
| 110 | | `images.imagePullPolicy` | Image pull policy | `Always` | |
| 111 | | `images.additionalImagePullSecrets` | Additional image pull policies that pods should use | `[]` | |
| 112 | |
| 113 | ### Labels |
| 114 | |
| 115 | | Parameter | Description | Default | |
| 116 | |-----------|-------------|---------| |
| 117 | | `additionalLabels` | Additional labels for resources managed by this Helm chart | `{}` | |
| 118 | |
| 119 | ### Storage classes |
| 120 | |
| 121 | For information of how a `StorageClass` is configured in Kubernetes, read the |
| 122 | [official Documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#introduction). |
| 123 | |
| 124 | | Parameter | Description | Default | |
| 125 | |-----------|-------------|---------| |
| 126 | | `storageClasses.default.name` | The name of the default StorageClass (RWO) | `default` | |
| 127 | | `storageClasses.default.create` | Whether to create the StorageClass | `false` | |
| 128 | | `storageClasses.default.provisioner` | Provisioner of the StorageClass | `kubernetes.io/aws-ebs` | |
| 129 | | `storageClasses.default.reclaimPolicy` | Whether to `Retain` or `Delete` volumes, when they become unbound | `Delete` | |
| 130 | | `storageClasses.default.parameters` | Parameters for the provisioner | `parameters.type: gp2`, `parameters.fsType: ext4` | |
| 131 | | `storageClasses.default.mountOptions` | The mount options of the default StorageClass | `[]` | |
| 132 | | `storageClasses.default.allowVolumeExpansion` | Whether to allow volume expansion. | `false` | |
| 133 | | `storageClasses.shared.name` | The name of the shared StorageClass (RWM) | `shared-storage` | |
| 134 | | `storageClasses.shared.create` | Whether to create the StorageClass | `false` | |
| 135 | | `storageClasses.shared.provisioner` | Provisioner of the StorageClass | `nfs` | |
| 136 | | `storageClasses.shared.reclaimPolicy` | Whether to `Retain` or `Delete` volumes, when they become unbound | `Delete` | |
| 137 | | `storageClasses.shared.parameters` | Parameters for the provisioner | `parameters.mountOptions: vers=4.1` | |
| 138 | | `storageClasses.shared.mountOptions` | The mount options of the shared StorageClass | `[]` | |
| 139 | | `storageClasses.shared.allowVolumeExpansion` | Whether to allow volume expansion. | `false` | |
| 140 | |
| 141 | ### CA certificate |
| 142 | |
| 143 | Some application may require TLS verification. If the default CA built into the |
| 144 | containers is not enough a custom CA certificate can be given to the deployment. |
| 145 | Note, that Gerrit will require its CA in a JKS keytore, which is described below. |
| 146 | |
| 147 | | Parameter | Description | Default | |
| 148 | |-----------|-------------|---------| |
| 149 | | `caCert` | CA certificate for TLS verification (if not set, the default will be used) | `None` | |
| 150 | |
| 151 | ### Workaround for NFS |
| 152 | |
| 153 | Kubernetes will not always be able to adapt the ownership of the files within NFS |
| 154 | volumes. Thus, a workaround exists that will add init-containers to |
| 155 | adapt file ownership. Note, that only the ownership of the root directory of the |
| 156 | volume will be changed. All data contained within will be expected to already be |
| 157 | owned by the user used by Gerrit. Also the ID-domain will be configured to ensure |
| 158 | correct ID-mapping. |
| 159 | |
| 160 | | Parameter | Description | Default | |
| 161 | |-----------|-------------|---------| |
| 162 | | `nfsWorkaround.enabled` | Whether the volume used is an NFS-volume | `false` | |
| 163 | | `nfsWorkaround.chownOnStartup` | Whether to chown the volume on pod startup | `false` | |
| 164 | | `nfsWorkaround.idDomain` | The ID-domain that should be used to map user-/group-IDs for the NFS mount | `localdomain.com` | |
| 165 | |
| 166 | ### Network policies |
| 167 | |
| 168 | | Parameter | Description | Default | |
| 169 | |-----------|-------------|---------| |
| 170 | | `networkPolicies.enabled` | Whether to enable preconfigured NetworkPolicies | `false` | |
| 171 | | `networkPolicies.dnsPorts` | List of ports used by DNS-service (e.g. KubeDNS) | `[53, 8053]` | |
| 172 | |
| 173 | The NetworkPolicies provided here are quite strict and do not account for all |
| 174 | possible scenarios. Thus, custom NetworkPolicies have to be added, e.g. for |
| 175 | connecting to a database. On the other hand some defaults may be not restrictive |
| 176 | enough. By default, the ingress traffic of the git-backend pod is not restricted. |
| 177 | Thus, every source (with the right credentials) could push to the git-backend. |
| 178 | To add an additional layer of security, the ingress rule could be defined more |
| 179 | finegrained. The chart provides the possibility to define custom rules for ingress- |
| 180 | traffic of the git-backend pod under `gitBackend.networkPolicy.ingress`. |
| 181 | Depending on the scenario, there are different ways to restrict the incoming |
| 182 | connections. |
| 183 | |
| 184 | If the replicator (e.g. Gerrit) is running in a pod on the same cluster, |
| 185 | a podSelector (and namespaceSelector, if the pod is running in a different |
| 186 | namespace) can be used to whitelist the traffic: |
| 187 | |
| 188 | ```yaml |
| 189 | gitBackend: |
| 190 | networkPolicy: |
| 191 | ingress: |
| 192 | - from: |
| 193 | - podSelector: |
| 194 | matchLabels: |
| 195 | app: gerrit |
| 196 | ``` |
| 197 | |
| 198 | If the replicator is outside the cluster, the IP of the replicator can also be |
| 199 | whitelisted, e.g.: |
| 200 | |
| 201 | ```yaml |
| 202 | gitBackend: |
| 203 | networkPolicy: |
| 204 | ingress: |
| 205 | - from: |
| 206 | - ipBlock: |
| 207 | cidr: xxx.xxx.0.0/16 |
| 208 | ``` |
| 209 | |
| 210 | The same principle also applies to other use cases, e.g. connecting to a database. |
| 211 | For more information about the NetworkPolicy resource refer to the |
| 212 | [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/). |
| 213 | |
| 214 | ### Storage for Git repositories |
| 215 | |
| 216 | | Parameter | Description | Default | |
| 217 | |-----------|-------------|---------| |
| 218 | | `gitRepositoryStorage.externalPVC.use` | Whether to use a PVC deployed outside the chart | `false` | |
| 219 | | `gitRepositoryStorage.externalPVC.name` | Name of the external PVC | `git-repositories-pvc` | |
| 220 | | `gitRepositoryStorage.size` | Size of the volume storing the Git repositories | `5Gi` | |
| 221 | |
| 222 | If the git repositories should be persisted even if the chart is deleted and in |
| 223 | a way that the volume containing them can be mounted by the reinstalled chart, |
| 224 | the PVC claiming the volume has to be created independently of the chart. To use |
| 225 | the external PVC, set `gitRepositoryStorage.externalPVC.enabled` to `true` and |
| 226 | give the name of the PVC under `gitRepositoryStorage.externalPVC.name`. |
| 227 | |
| 228 | ### Storage for Logs |
| 229 | |
| 230 | In addition to collecting logs with a log collection tool like Promtail, the logs |
| 231 | can also be stored in a persistent volume. This volume has to be a read-write-many |
| 232 | volume to be able to be used by multiple pods. |
| 233 | |
| 234 | | Parameter | Description | Default | |
| 235 | |-----------|-------------|---------| |
| 236 | | `logStorage.enabled` | Whether to enable persistence of logs | `false` | |
| 237 | | `logStorage.externalPVC.use` | Whether to use a PVC deployed outside the chart | `false` | |
| 238 | | `logStorage.externalPVC.name` | Name of the external PVC | `gerrit-logs-pvc` | |
| 239 | | `logStorage.size` | Size of the volume | `5Gi` | |
| 240 | | `logStorage.cleanup.enabled` | Whether to regularly delete old logs | `false` | |
| 241 | | `logStorage.cleanup.schedule` | Cron schedule defining when to run the cleanup job | `0 0 * * *` | |
| 242 | | `logStorage.cleanup.retentionDays` | Number of days to retain the logs | `14` | |
| 243 | | `logStorage.cleanup.resources` | Resources the container is allowed to use | `requests.cpu: 100m` | |
| 244 | | `logStorage.cleanup.additionalPodLabels` | Additional labels for pods | `{}` | |
| 245 | | | | `requests.memory: 256Mi` | |
| 246 | | | | `limits.cpu: 100m` | |
| 247 | | | | `limits.memory: 256Mi` | |
| 248 | |
| 249 | Each pod will create a separate folder for its logs, allowing to trace logs to |
| 250 | the respective pods. |
| 251 | |
| 252 | ### Istio |
| 253 | |
| 254 | Istio can be used as an alternative to Kubernetes Ingresses to manage the traffic |
| 255 | into the cluster and also inside the cluster. This requires istio to be installed |
| 256 | beforehand. Some guidance on how to set up istio can be found [here](/Documentation/istio.md). |
| 257 | The helm chart expects `istio-injection` to be enabled in the namespace, in which |
| 258 | it will be installed. |
| 259 | |
| 260 | In the case istio is used, all configuration for ingresses in the chart will be |
| 261 | ignored. |
| 262 | |
| 263 | | Parameter | Description | Default | |
| 264 | |-----------|-------------|---------| |
| 265 | | `istio.enabled` | Whether istio should be used (requires istio to be installed) | `false` | |
| 266 | | `istio.host` | Hostname (CNAME must point to istio ingress gateway loadbalancer service) | `nil` | |
| 267 | | `istio.tls.enabled` | Whether to enable TLS | `false` | |
| 268 | | `istio.tls.secret.create` | Whether to create TLS certificate secret | `true` | |
| 269 | | `istio.tls.secret.name` | Name of external secret containing TLS certificates | `nil` | |
| 270 | | `istio.tls.cert` | TLS certificate | `-----BEGIN CERTIFICATE-----` | |
| 271 | | `istio.tls.key` | TLS key | `-----BEGIN RSA PRIVATE KEY-----` | |
| 272 | | `istio.ssh.enabled` | Whether to enable SSH | `false` | |
| 273 | |
| 274 | ### Ingress |
| 275 | |
| 276 | As an alternative to istio the Nginx Ingress controller can be used to manage |
| 277 | ingress traffic. |
| 278 | |
| 279 | | Parameter | Description | Default | |
| 280 | |-----------|-------------|---------| |
| 281 | | `ingress.enabled` | Whether to deploy an Ingress | `false` | |
| 282 | | `ingress.host` | Host name to use for the Ingress (required for Ingress) | `nil` | |
| 283 | | `ingress.maxBodySize` | Maximum request body size allowed (Set to 0 for an unlimited request body size) | `50m` | |
| 284 | | `ingress.additionalAnnotations` | Additional annotations for the Ingress | `nil` | |
| 285 | | `ingress.tls.enabled` | Whether to enable TLS termination in the Ingress | `false` | |
| 286 | | `ingress.tls.secret.create` | Whether to create a TLS-secret | `true` | |
| 287 | | `ingress.tls.secret.name` | Name of an external secret that will be used as a TLS-secret | `nil` | |
| 288 | | `ingress.tls.cert` | Public SSL server certificate | `-----BEGIN CERTIFICATE-----` | |
| 289 | | `ingress.tls.key` | Private SSL server certificate | `-----BEGIN RSA PRIVATE KEY-----` | |
| 290 | |
| 291 | ***note |
| 292 | For graceful shutdown to work with an ingress, the ingress controller has to be |
| 293 | configured to gracefully close the connections as well. |
| 294 | *** |
| 295 | |
| 296 | ### Promtail Sidecar |
| 297 | |
| 298 | To collect Gerrit logs, a Promtail sidecar can be deployed into the Gerrit replica |
| 299 | pods. This can for example be used together with the [gerrit-monitoring](https://gerrit-review.googlesource.com/admin/repos/gerrit-monitoring) |
| 300 | project. |
| 301 | |
| 302 | | Parameter | Description | Default | |
| 303 | |-----------|-------------|---------| |
| 304 | | `promtailSidecar.enabled` | Whether to install the Promatil sidecar container | `false` | |
| 305 | | `promtailSidecar.image` | The promtail container image to use | `grafana/promtail` | |
| 306 | | `promtailSidecar.version` | The promtail container image version | `1.3.0` | |
| 307 | | `promtailSidecar.resources` | Configure the amount of resources the container requests/is allowed | `requests.cpu: 100m` | |
| 308 | | | | `requests.memory: 128Mi` | |
| 309 | | | | `limits.cpu: 200m` | |
| 310 | | | | `limits.memory: 128Mi` | |
| 311 | | `promtailSidecar.tls.skipverify` | Whether to skip TLS verification | `true` | |
| 312 | | `promtailSidecar.tls.caCert` | CA certificate for TLS verification | `-----BEGIN CERTIFICATE-----` | |
| 313 | | `promtailSidecar.loki.url` | URL to reach Loki | `loki.example.com` | |
| 314 | | `promtailSidecar.loki.user` | Loki user | `admin` | |
| 315 | | `promtailSidecar.loki.password` | Loki password | `secret` | |
| 316 | |
| 317 | |
| 318 | ### Apache-Git-HTTP-Backend (Git-Backend) |
| 319 | |
| 320 | | Parameter | Description | Default | |
| 321 | |-----------|-------------|---------| |
| 322 | | `gitBackend.image` | Image name of the Apache-git-http-backend container image | `k8sgerrit/apache-git-http-backend` | |
| 323 | | `gitBackend.additionalPodLabels` | Additional labels for Pods | `{}` | |
| 324 | | `gitBackend.tolerations` | Taints and tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. For more information, please refer to the following documents. [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) | [] | |
| 325 | | `gitBackend.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains. For more information, please refer to the following documents. [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints) | {} | |
| 326 | | `gitBackend.nodeSelector` | Assigns a Pod to the specified Nodes. For more information, please refer to the following documents. [Assign Pods to Nodes](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/). [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | {} | |
| 327 | | `gitBackend.affinity` | Assigns a Pod to the specified Nodes | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight: 100 | |
| 328 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey: "topology.kubernetes.io/zone" | |
| 329 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key: app | |
| 330 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator: In | |
| 331 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]: git-backend | |
| 332 | | `gitBackend.replicas` | Number of pod replicas to deploy | `1` | |
| 333 | | `gitBackend.maxSurge` | Max. percentage or number of pods allowed to be scheduled above the desired number | `25%` | |
| 334 | | `gitBackend.maxUnavailable` | Max. percentage or number of pods allowed to be unavailable at a time | `100%` | |
| 335 | | `gitBackend.networkPolicy.ingress` | Custom ingress-network policy for git-backend pods | `[{}]` (allow all) | |
| 336 | | `gitBackend.networkPolicy.egress` | Custom egress-network policy for git-backend pods | `nil` | |
| 337 | | `gitBackend.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 100m` | |
| 338 | | | | `requests.memory: 256Mi` | |
| 339 | | | | `limits.cpu: 100m` | |
| 340 | | | | `limits.memory: 256Mi` | |
| 341 | | `gitBackend.livenessProbe` | Configuration of the liveness probe timings | `{initialDelaySeconds: 10, periodSeconds: 5}` | |
| 342 | | `gitBackend.readinessProbe` | Configuration of the readiness probe timings | `{initialDelaySeconds: 5, periodSeconds: 1}` | |
| 343 | | `gitBackend.credentials.htpasswd` | `.htpasswd`-file containing username/password-credentials for accessing git | `git:$apr1$O/LbLKC7$Q60GWE7OcqSEMSfe/K8xU.` (user: git, password: secret) | |
| 344 | | `gitBackend.service.additionalAnnotations` | Additional annotations for the Service | `{}` | |
| 345 | | `gitBackend.service.loadBalancerSourceRanges` | The list of allowed IPs for the Service | `[]` | |
| 346 | | `gitBackend.service.type` | Which kind of Service to deploy | `LoadBalancer` | |
| 347 | | `gitBackend.service.externalTrafficPolicy` | Specify how traffic from external is handled | `Cluster` | |
| 348 | | `gitBackend.service.http.enabled` | Whether to serve HTTP-requests (needed for Ingress) | `true` | |
| 349 | | `gitBackend.service.http.port` | Port over which to expose HTTP | `80` | |
| 350 | | `gitBackend.service.https.enabled` | Whether to serve HTTPS-requests | `false` | |
| 351 | | `gitBackend.service.https.port` | Port over which to expose HTTPS | `443` | |
| 352 | |
| 353 | ***note |
| 354 | At least one endpoint (HTTP and/or HTTPS) has to be enabled in the service! |
| 355 | *** |
| 356 | |
| 357 | Project creation, project deletion and HEAD update can also replicated. To enable |
| 358 | this feature configure the replication plugin to use an adminUrl using the format |
| 359 | `gerrit+https://<apache-git-http-backend host>`. |
| 360 | |
| 361 | ### Git garbage collection |
| 362 | |
| 363 | | Parameter | Description | Default | |
| 364 | |-----------|-------------|---------| |
| 365 | | `gitGC.image` | Image name of the Git-GC container image | `k8sgerrit/git-gc` | |
| 366 | | `gitGC.schedule` | Cron-formatted schedule with which to run Git garbage collection | `0 6,18 * * *` | |
| 367 | | `gitGC.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 100m` | |
| 368 | | | | `requests.memory: 256Mi` | |
| 369 | | | | `limits.cpu: 100m` | |
| 370 | | | | `limits.memory: 256Mi` | |
| 371 | | `gitGC.tolerations` | Taints and tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. For more information, please refer to the following documents. [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) | [] | |
| 372 | | `gitGC.nodeSelector` | Assigns a Pod to the specified Nodes. For more information, please refer to the following documents. [Assign Pods to Nodes](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/). [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | {} | |
| 373 | | `gitGC.affinity` | Assigns a Pod to the specified Nodes. For more information, please refer to the following documents. [Assign Pods to Nodes using Node Affinity](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/). [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | {} | |
| 374 | | `gitGC.additionalPodLabels` | Additional labels for Pods | `{}` | |
| 375 | |
| 376 | ### Gerrit replica |
| 377 | |
| 378 | ***note |
| 379 | The way the Jetty servlet used by Gerrit works, the Gerrit replica component of the |
| 380 | gerrit-replica chart actually requires the URL to be known, when the chart is installed. |
| 381 | The suggested way to do that is to use the provided Ingress resource. This requires |
| 382 | that a URL is available and that the DNS is configured to point the URL to the |
| 383 | IP of the node the Ingress controller is running on! |
| 384 | *** |
| 385 | |
| 386 | ***note |
| 387 | Setting the canonical web URL in the gerrit.config to the host used for the Ingress |
| 388 | is mandatory, if access to the Gerrit replica is required! |
| 389 | *** |
| 390 | |
| 391 | | Parameter | Description | Default | |
| 392 | |-----------|-------------|---------| |
| 393 | | `gerritReplica.images.gerritInit` | Image name of the Gerrit init container image | `k8sgerrit/gerrit-init` | |
| 394 | | `gerritReplica.images.gerritReplica` | Image name of the Gerrit replica container image | `k8sgerrit/gerrit` | |
| 395 | | `gerritReplica.tolerations` | Taints and tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. For more information, please refer to the following documents. [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration) | [] | |
| 396 | | `gerritReplica.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains. For more information, please refer to the following documents. [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints) | {} | |
| 397 | | `gerritReplica.nodeSelector` | Assigns a Pod to the specified Nodes. For more information, please refer to the following documents. [Assign Pods to Nodes](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/). [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | {} | |
| 398 | | `gerritReplica.affinity` | Assigns a Pod to the specified Nodes. By default, gerrit-replica is evenly distributed on `topology.kubernetes.io/zone`. For more information, please refer to the following documents. [Assign Pods to Nodes using Node Affinity](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/). [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight: 100 | |
| 399 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey: "topology.kubernetes.io/zone" | |
| 400 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key: app | |
| 401 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator: In | |
| 402 | | | | podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0]: gerrit-replica | |
| 403 | | `gerritReplica.replicas` | Number of pod replicas to deploy | `1` | |
| 404 | | `gerritReplica.additionalAnnotations` | Additional annotations for the Pods | {} | |
| 405 | | `gerritReplica.additionalPodLabels` | Additional labels for the Pods | `{}` | |
| 406 | | `gerritReplica.maxSurge` | Max. percentage or number of pods allowed to be scheduled above the desired number | `25%` | |
| 407 | | `gerritReplica.maxUnavailable` | Max. percentage or number of pods allowed to be unavailable at a time | `100%` | |
| 408 | | `gerritReplica.livenessProbe` | Configuration of the liveness probe timings | `{initialDelaySeconds: 60, periodSeconds: 5}` | |
| 409 | | `gerritReplica.readinessProbe` | Configuration of the readiness probe timings | `{initialDelaySeconds: 10, periodSeconds: 10}` | |
| 410 | | `gerritReplica.startupProbe` | Configuration of the startup probe timings | `{initialDelaySeconds: 10, periodSeconds: 5}` | |
| 411 | | `gerritReplica.gracefulStopTimeout` | Time in seconds Kubernetes will wait until killing the pod during termination (has to be longer then Gerrit's httpd.gracefulStopTimeout to allow graceful shutdown of Gerrit) | `90` | |
| 412 | | `gerritReplica.resources` | Configure the amount of resources the pod requests/is allowed | `requests.cpu: 1` | |
| 413 | | | | `requests.memory: 5Gi` | |
| 414 | | | | `limits.cpu: 1` | |
| 415 | | | | `limits.memory: 6Gi` | |
| 416 | | `gerritReplica.networkPolicy.ingress` | Custom ingress-network policy for gerrit-replica pods | `nil` | |
| 417 | | `gerritReplica.networkPolicy.egress` | Custom egress-network policy for gerrit-replica pods | `nil` | |
| 418 | | `gerritReplica.service.additionalAnnotations` | Additional annotations for the Service | `{}` | |
| 419 | | `gerritReplica.service.loadBalancerSourceRanges` | The list of allowed IPs for the Service | `[]` | |
| 420 | | `gerritReplica.service.type` | Which kind of Service to deploy | `NodePort` | |
| 421 | | `gerritReplica.service.externalTrafficPolicy` | Specify how traffic from external is handled | `Cluster` | |
| 422 | | `gerritReplica.service.http.port` | Port over which to expose HTTP | `80` | |
| 423 | | `gerritReplica.service.ssh.enabled` | Whether to enable SSH for the Gerrit replica | `false` | |
| 424 | | `gerritReplica.service.ssh.port` | Port for SSH | `29418` | |
| 425 | | `gerritReplica.keystore` | base64-encoded Java keystore (`cat keystore.jks \| base64`) to be used by Gerrit, when using SSL | `nil` | |
| 426 | | `gerritReplica.pluginManagement.plugins` | List of Gerrit plugins to install | `[]` | |
| 427 | | `gerritReplica.pluginManagement.plugins[0].name` | Name of plugin | `nil` | |
| 428 | | `gerritReplica.pluginManagement.plugins[0].url` | Download url of plugin. If given the plugin will be downloaded, otherwise it will be installed from the gerrit.war-file. | `nil` | |
| 429 | | `gerritReplica.pluginManagement.plugins[0].sha1` | SHA1 sum of plugin jar used to ensure file integrity and version (optional) | `nil` | |
| 430 | | `gerritReplica.pluginManagement.plugins[0].installAsLibrary` | Whether the plugin should be symlinked to the lib-dir in the Gerrit site. | `nil` | |
| 431 | | `gerritReplica.pluginManagement.libs` | List of Gerrit library modules to install | `[]` | |
| 432 | | `gerritReplica.pluginManagement.libs[0].name` | Name of the lib module | `nil` | |
| 433 | | `gerritReplica.pluginManagement.libs[0].url` | Download url of lib module. | `nil` | |
| 434 | | `gerritReplica.pluginManagement.libs[0].sha1` | SHA1 sum of plugin jar used to ensure file integrity and version | `nil` | |
| 435 | | `gerritReplica.pluginManagement.cache.enabled` | Whether to cache downloaded plugins | `false` | |
| 436 | | `gerritReplica.pluginManagement.cache.size` | Size of the volume used to store cached plugins | `1Gi` | |
| 437 | | `gerritReplica.priorityClassName` | Name of the PriorityClass to apply to replica pods | `nil` | |
| 438 | | `gerritReplica.etc.config` | Map of config files (e.g. `gerrit.config`) that will be mounted to `$GERRIT_SITE/etc`by a ConfigMap | `{gerrit.config: ..., replication.config: ...}`[see here](#Gerrit-config-files) | |
| 439 | | `gerritReplica.etc.secret` | Map of config files (e.g. `secure.config`) that will be mounted to `$GERRIT_SITE/etc`by a Secret | `{secure.config: ...}` [see here](#Gerrit-config-files) | |
| 440 | | `gerritReplica.additionalConfigMaps` | Allows to mount additional ConfigMaps into a subdirectory of `$SITE/data` | `[]` | |
| 441 | | `gerritReplica.additionalConfigMaps[*].name` | Name of the ConfigMap | `nil` | |
| 442 | | `gerritReplica.additionalConfigMaps[*].subDir` | Subdirectory under `$SITE/data` into which the files should be symlinked | `nil` | |
| 443 | | `gerritReplica.additionalConfigMaps[*].data` | Data of the ConfigMap. If not set, ConfigMap has to be created manually | `nil` | |
| 444 | |
| 445 | ### Gerrit config files |
| 446 | |
| 447 | The gerrit-replica chart provides a ConfigMap containing the configuration files |
| 448 | used by Gerrit, e.g. `gerrit.config` and a Secret containing sensitive configuration |
| 449 | like the `secure.config` to configure the Gerrit installation in the Gerrit |
| 450 | component. The content of the config files can be set in the `values.yaml` under |
| 451 | the keys `gerritReplica.etc.config` and `gerritReplica.etc.secret` respectively. |
| 452 | The key has to be the filename (eg. `gerrit.config`) and the file's contents |
| 453 | the value. This way an arbitrary number of configuration files can be loaded into |
| 454 | the `$GERRIT_SITE/etc`-directory, e.g. for plugins. |
| 455 | All configuration options for Gerrit are described in detail in the |
| 456 | [official documentation of Gerrit](https://gerrit-review.googlesource.com/Documentation/config-gerrit.html). |
| 457 | Some options however have to be set in a specified way for Gerrit to work as |
| 458 | intended with the chart: |
| 459 | |
| 460 | - `gerrit.basePath` |
| 461 | |
| 462 | Path to the directory containing the repositories. The chart mounts this |
| 463 | directory from a persistent volume to `/var/gerrit/git` in the container. For |
| 464 | Gerrit to find the correct directory, this has to be set to `git`. |
| 465 | |
| 466 | - `gerrit.serverId` |
| 467 | |
| 468 | In Gerrit-version higher than 2.14 Gerrit needs a server ID, which is used by |
| 469 | NoteDB. Gerrit would usually generate a random ID on startup, but since the |
| 470 | gerrit.config file is read only, when mounted as a ConfigMap this fails. |
| 471 | Thus the server ID has to be set manually! |
| 472 | |
| 473 | - `gerrit.canonicalWebUrl` |
| 474 | |
| 475 | The canonical web URL has to be set to the Ingress host. |
| 476 | |
| 477 | - `httpd.listenURL` |
| 478 | |
| 479 | This has to be set to `proxy-http://*:8080/` or `proxy-https://*:8080`, |
| 480 | depending of TLS is enabled in the Ingress or not, otherwise the Jetty |
| 481 | servlet will run into an endless redirect loop. |
| 482 | |
| 483 | - `httpd.gracefulStopTimeout` / `sshd.gracefulStopTimeout` |
| 484 | |
| 485 | To enable graceful shutdown of the embedded jetty server and SSHD, a timeout |
| 486 | has to be set with this option. This will be the maximum time, Gerrit will wait |
| 487 | for HTTP requests to finish before shutdown. |
| 488 | |
| 489 | - `container.user` |
| 490 | |
| 491 | The technical user in the Gerrit replica container is called `gerrit`. Thus, this |
| 492 | value is required to be `gerrit`. |
| 493 | |
| 494 | - `container.replica` |
| 495 | |
| 496 | Since this chart is meant to install a Gerrit replica, this naturally has to be |
| 497 | `true`. |
| 498 | |
| 499 | - `container.javaHome` |
| 500 | |
| 501 | This has to be set to `/usr/lib/jvm/java-11-openjdk-amd64`, since this is |
| 502 | the path of the Java installation in the container. |
| 503 | |
| 504 | - `container.javaOptions` |
| 505 | |
| 506 | The maximum heap size has to be set. And its value has to be lower than the |
| 507 | memory resource limit set for the container (e.g. `-Xmx4g`). In your calculation |
| 508 | allow memory for other components running in the container. |
| 509 | |
| 510 | To enable liveness- and readiness probes, the healthcheck plugin will be installed |
| 511 | by default. Note, that by configuring to use a packaged or downloaded version of |
| 512 | the healthcheck plugin, the configured version will take precedence over the default |
| 513 | version. The plugin is by default configured to disable the `querychanges` and |
| 514 | `auth` healthchecks, since the Gerrit replica does not index changes and a new |
| 515 | Gerrit server will not yet necessarily have an user to validate authentication. |
| 516 | |
| 517 | The default configuration can be overwritten by adding the `healthcheck.config` |
| 518 | file as a key-value pair to `gerritReplica.etc.config` as for every other configuration. |
| 519 | |
| 520 | SSH keys should be configured via the helm-chart using the `gerritReplica.etc.secret` |
| 521 | map. Gerrit will create its own keys, if none are present in the site, but if |
| 522 | multiple Gerrit pods are running, each Gerrit instance would have its own keys. |
| 523 | Users accessing Gerrit via a load balancer would get issues due to changing |
| 524 | host keys. |
| 525 | |
| 526 | ## Upgrading the Chart |
| 527 | |
| 528 | To upgrade an existing installation of the gerrit-replica chart, e.g. to install |
| 529 | a newer chart version or to use an updated custom `values.yaml`-file, execute |
| 530 | the following command: |
| 531 | |
| 532 | ```sh |
| 533 | cd $(git rev-parse --show-toplevel)/helm-charts |
| 534 | helm upgrade \ |
| 535 | <release-name> \ |
| 536 | ./gerrit-replica \ # path to chart |
| 537 | -f <path-to-custom-values>.yaml \ |
| 538 | ``` |
| 539 | |
| 540 | ## Uninstalling the Chart |
| 541 | |
| 542 | To delete the chart from the cluster, use: |
| 543 | |
| 544 | ```sh |
| 545 | helm delete <release-name> |
| 546 | ``` |