terraform-sparkfabrik-gke-gitlab

This module creates a reslient and fault tolerant GitLab installation using Google Kubernetes Engine (GKE) as the computing environment and the following services for storing data:

• CloudSQL for PostgreSQL
• Memorystore for Redis
• Cloud Storage

Usage

There are examples included in the examples folder but simple usage is as follows:

module "gke-gitlab" {
  source                     = "terraform-google-modules/gke-gitlab/google"
  project_id                 = "<PROJECT ID>"
  certmanager_email          = "[email protected]"
}

Then perform the following commands on the root folder:

• terraform init to get the plugins
• terraform plan to see the infrastructure plan
• terraform apply to apply the infrastructure build
• terraform destroy to destroy the built infrastructure

Inputs

Name	Description	Type	Default	Required
certmanager_email	Email used to retrieve SSL certificates from Let's Encrypt	string	n/a	yes
cloud_nat_dynamic_port_allocation	Enable Dynamic Port Allocation. If cloud_nat_min_ports_per_vm is set, cloud_nat_min_ports_per_vm must be set to a power of two greater than or equal to 32.	bool	false	no
cloud_nat_endpoint_independent_mapping	Specifies if endpoint independent mapping is enabled.	bool	false	no
cloud_nat_log_config_enable	Indicates whether or not to export logs.	bool	false	no
cloud_nat_log_config_filter	Specifies the desired filtering of logs on this NAT. Valid values are: 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'.	string	"ALL"	no
cloud_nat_max_ports_per_vm	Maximum number of ports allocated to a VM from this NAT. This field can only be set when cloud_nat_dynamic_port_allocation is enabled.This will be ignored if cloud_nat_dynamic_port_allocation is set to false.	string	null	no
cloud_nat_min_ports_per_vm	Minimum number of ports allocated to a VM from this NAT config.	string	"64"	no
domain	Domain for hosting gitlab functionality (ie mydomain.com would access gitlab at gitlab.mydomain.com)	string	""	no
gcp_existing_db_secret_name	Setup the GCP secret name where to retrieve the password value that will be used for postgres DB. In case an empty string is passed,a random value will be filled in a default gcp secret named gitlab-db-password	string	""	no
gcp_existing_incomingmail_secret_name	Only if Incoming Mail is enabled. Setup the GCP secret name where to retrieve the configuration that will be used for Incoming Mail Configuration.	string	""	no
gcp_existing_omniauth_secret_name	Only if Omniauth is enabled. Setup the GCP secret name where to retrieve the configuration that will be used for Omniauth Configuration.	string	""	no
gcp_existing_servicedesk_secret_name	Only if Service Desk is enabled. Setup the GCP secret name where to retrieve the configuration that will be used for Service Desk Configuration.	string	""	no
gcp_existing_smtp_secret_name	Only if STMP is enabled. Setup the GCP secret name where to retrieve the password value that will be used for Smtp Account.	string	""	no
gcs_bucket_age_backup_sc_change	When the backup lifecycle is enabled, set the number of days after the storage class changes	number	30	no
gcs_bucket_allow_force_destroy	Allows full cleanup of buckets by disabling any deletion safe guards	bool	false	no
gcs_bucket_backup_duration	When the backup lifecycle is enabled, set the number of days after which the backup files are deleted	number	120	no
gcs_bucket_enable_backup_lifecycle_rule	Enable lifecycle rule for backup bucket	bool	false	no
gcs_bucket_num_newer_version	When the bucket versioning is enabled, Delete noncurrent versions of objects if there are X newer versions of the object in the bucket. Objects subject to this rule are permanently deleted and cannot be recovered.	number	2	no
gcs_bucket_soft_delete_retention	The duration in seconds that soft-deleted objects in the bucket will be retained and cannot be permanently deleted.The value must be in between 604800(7 days) and 7776000(90 days). Note: To disable the soft delete policy on a bucket, This field must be set to 0	number	0	no
gcs_bucket_storage_class	Bucket storage class. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE	string	"STANDARD"	no
gcs_bucket_target_storage_class	The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.	string	"COLDLINE"	no
gcs_bucket_versioned_files_duration	When the bucket versioning is enabled, Delete noncurrent versions of objects after they've been noncurrent for X days. Objects subject to this rule are permanently deleted and cannot be recovered.	number	120	no
gcs_bucket_versioning	Setup Object Storage versioning for all Bucket created.	bool	true	no
gitab_enable_migrations	Enable migrations sub chart	bool	true	no
gitab_enable_prom_exporter	Enable gitlab prometheus exporter	bool	false	no
gitlab_address_name	Name of the address to use for GitLab ingress	string	""	no
gitlab_backup_extra_args	Add a string of extra arguments for the gitlab backup-utility.	string	""	no
gitlab_backup_pv_size	Set the size of the additional storage for Backup TAR Creation	number	100	no
gitlab_db_name	Instance name for the GitLab Postgres database.	string	"gitlab-db"	no
gitlab_enable_backup_pv	Enable additional storage for TAR backup creation of any appreciable size	bool	false	no
gitlab_enable_certmanager	Choose whether to Install certmanager through Gitlab Helm Chart. Default to true.	bool	true	no
gitlab_enable_cron_backup	Choose whether to enable Gitlab Scheduled Backups. Default to true.	bool	true	no
gitlab_enable_incoming_mail	Enable Gitlab Incoming Mail Service	bool	false	no
gitlab_enable_omniauth	Choose whether to enable Gitlab Omniauth integration. Default to false.	bool	false	no
gitlab_enable_registry	Choose whether to enable Gitlab Container registry. Default to false.	bool	false	no
gitlab_enable_restore_pv	Enable additional storage for TAR Restoration creation of any appreciable size	bool	false	no
gitlab_enable_service_desk	Enable Gitlab Service Desk	bool	false	no
gitlab_enable_service_ping	Enable Gitlab Service Ping	bool	true	no
gitlab_enable_smtp	Setup Gitlab email address to send email.	bool	false	no
gitlab_gitaly_disk_size	Setup persistent disk size for gitaly data in GB. Default 100 GB	number	100	no
gitlab_gitaly_max_unavailable	For PodDisruptionBudget, how many pods can be unavailable at one time for Gitaly StatefulSet	number	0	no
gitlab_hpa_max_replicas_kas	Set the maximum hpa pod replicas for the Gitlab Kas.	number	10	no
gitlab_hpa_max_replicas_registry	Set the maximum hpa pod replicas for the Gitlab Registry.	number	10	no
gitlab_hpa_max_replicas_shell	Set the maximum hpa pod replicas for the Gitlab Shell.	number	10	no
gitlab_hpa_max_replicas_sidekiq	Set the maximum hpa pod replicas for the Gitlab sidekiq.	number	10	no
gitlab_hpa_max_replicas_webservice	Set the maximum hpa pod replicas for the Gitlab webservice.	number	10	no
gitlab_hpa_min_replicas_kas	Set the minimum hpa pod replicas for the Gitlab Kas.	number	2	no
gitlab_hpa_min_replicas_registry	Set the minimum hpa pod replicas for the Gitlab Registry.	number	2	no
gitlab_hpa_min_replicas_shell	Set the minimum hpa pod replicas for the Gitlab Shell.	number	2	no
gitlab_hpa_min_replicas_sidekiq	Set the minimum hpa pod replicas for the Gitlab sidekiq.	number	1	no
gitlab_hpa_min_replicas_webservice	Set the minimum hpa pod replicas for the Gitlab webservice.	number	2	no
gitlab_incoming_imap_host	Imap server address for the Incoming Mail	string	""	no
gitlab_incoming_imap_port	Imap Port for the Incoming Mail Host	number	993	no
gitlab_incoming_imap_user	Imap server user for Incoming Mail Imap server	string	""	no
gitlab_incoming_mail_address	Email Address for Incoming Mail Service	string	""	no
gitlab_incoming_mail_k8s_secret	Kubernetes secret name for storing Incoming Mail account password	string	"gitlab-incomingmail-secret"	no
gitlab_install_grafana	Choose whether to install a Grafana instance using the Gitlab chart. Default to false.	bool	false	no
gitlab_install_ingress_nginx	Choose whether to install the ingress nginx controller in the cluster. Default to true.	bool	true	no
gitlab_install_kas	Choose whether to install the Gitlab agent server in the cluster. Default to false. If enabled with gitlab_kas_hostname variable empty, kas address will be defaulted to kas.<domain_variable_value> (i.e. for domain set to example.com, kas will be enabled to kas.example.com)	bool	false	no
gitlab_install_prometheus	Choose whether to install a Prometheus instance using the Gitlab chart. Default to false.	bool	false	no
gitlab_install_runner	Choose whether to install the gitlab runner in the cluster	string	true	no
gitlab_kas_hostname	Gitlab custom hostname KAS. If set, this hostname is used with domain set in domain variable (i.e. my_kas_hostname.example.com)	string	""	no
gitlab_monitoring_allowed_cidrs	Set the list of the allowed CIDRs for the Gitlab monitoring paths (readiness, liveness and metrics).	list(string)	[]	no
gitlab_monitoring_restrict_to_pod_subnet	Restricrt access to the Gitlab monitoring paths (readiness, liveness and metrics) to the pod cidr. If you specify the 'gitlab_monitoring_allowed_cidrs' list, the pod subnet will be automatically added to the list to grant access to the probes.	bool	true	no
gitlab_namespace	Setup the Kubernetes Namespace where to install gitlab	string	"gitlab"	no
gitlab_restore_pv_size	Set the size of the additional storage for Backup TAR Restoration Process	number	100	no
gitlab_schedule_cron_backup	Setup Cron Job for Gitlab Scheduled Backup using unix-cron string format. Default to '0 1 * * *' (Everyday at 1 AM).	string	"0 1 * * *"	no
gitlab_service_desk_imap_host	Imap server address for the Service Desk	string	""	no
gitlab_service_desk_imap_port	Imap Port for the Service Desk Mail Host	number	993	no
gitlab_service_desk_imap_user	Imap server user for Service Desk Imap Service	string	""	no
gitlab_service_desk_k8s_secret	Kubernetes secret name for storing Service Desk Mail account password	string	"gitlab-servicedesk-secret"	no
gitlab_service_desk_mail_address	Email Address for Service Desk Service	string	""	no
gitlab_smtp_user	Setup email sender address for Gitlab smtp server to send emails.	string	"[email protected]"	no
gitlab_time_zone	Setup timezone for gitlab containers	string	"Europe/Rome"	no
gke_additional_node_pools	Additional node pools to create in the cluster	list(map(any))	[]	no
gke_auto_repair	Enable auto repair for the cluster. Default true	bool	true	no
gke_auto_scaling	Enable auto scaling for the cluster. Default true	bool	true	no
gke_auto_upgrade	Enable auto upgrade for the cluster. Default true	bool	true	no
gke_cluster_autoscaling	Setup Profile and Resources for Cluster Autoscaler - BALANCED (Default Profile) or OPTIMIZE UTILIZATION (Prioritize optimizing utilization of resources)	object({ enabled = bool auto_repair = bool auto_upgrade = bool autoscaling_profile = string min_cpu_cores = number max_cpu_cores = number min_memory_gb = number max_memory_gb = number gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) })	{ "auto_repair": true, "auto_upgrade": true, "autoscaling_profile": "BALANCED", "enabled": false, "gpu_resources": [], "max_cpu_cores": 0, "max_memory_gb": 0, "min_cpu_cores": 0, "min_memory_gb": 0 }	no
gke_cluster_resource_labels	The GCE resource labels (a map of key/value pairs) to be applied to the cluster	map(string)	{}	no
gke_datapath	The desired datapath provider for this cluster. By default, DATAPATH_PROVIDER_UNSPECIFIED enables the IPTables-based kube-proxy implementation. ADVANCED_DATAPATH enables Dataplane-V2 feature.	string	"DATAPATH_PROVIDER_UNSPECIFIED"	no
gke_disk_replication	Setup replication type for disk persistent volune. Possible values none or regional-pd. Default to none.	string	"none"	no
gke_disk_size_gb	Define the size of the disk of the cluster. Default 100	number	100	no
gke_disk_type	Define the type of the disk of the cluster. Default pd-balanced	string	"pd-balanced"	no
gke_enable_backup_agent	Whether Backup for GKE agent is enabled for this cluster.	bool	false	no
gke_enable_cloudrun	Enable Google Cloudrun on GKE Cluster. Default false	bool	false	no
gke_enable_image_stream	Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD.	bool	false	no
gke_enable_istio_addon	Enable Istio addon	bool	false	no
gke_enable_pod_security_policy	Enable Pod Security Policy for the cluster. Default false	bool	false	no
gke_gce_pd_csi_driver	Enable GCE Persistent Disk CSI Driver for GKE Cluster. Default true	bool	true	no
gke_gitaly_pv_labels	The GITALY Persistent Volume labels (a map of key/value pairs comma separeted) to match against when choosing a volume to bind. This is used in the PersistentVolumeClaim selector section	map(string)	{}	no
gke_google_group_rbac_mail	The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected]	string	"null"	no
gke_image_type	Define the image type of the cluster. Default COS_CONTAINERD	string	"COS_CONTAINERD"	no
gke_istio_auth	The authentication type between services in Istio	string	"AUTH_MUTUAL_TLS"	no
gke_location_policy	Location policy specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters.Supported values BALANCED or ANY. Default BALANCED	string	"BALANCED"	no
gke_machine_type	Machine type used for the node-pool	string	"n1-standard-4"	no
gke_max_node_count	Define the maximum number of nodes of the autoscaling cluster. Default 5	number	5	no
gke_min_node_count	Define the minimum number of nodes of the autoscaling cluster. Default 1	number	1	no
gke_node_count	Define the number of nodes of the cluster. Default 1	number	1	no
gke_node_pool_description	Description of the node pool for the GitLab cluster	string	"Gitlab Cluster"	no
gke_node_pool_name	Name of the node pool for the GitLab cluster	string	"gitlab"	no
gke_node_pools_taints	Map of lists containing node taints by node-pool name	map(list(object({ key = string, value = string, effect = string })))	{ "gitlab": [] }	no
gke_nodes_subnet_cidr	Cidr range to use for gitlab GKE nodes subnet	string	"10.10.0.0/16"	no
gke_pods_subnet_cidr	Cidr range to use for gitlab GKE pods subnet	string	"10.30.0.0/16"	no
gke_preemptible	Enable preemptible nodes for the cluster. Default false	bool	false	no
gke_sc_gitlab_backup_disk	Storage class for Perstistent Volume used for extra space in Backup Cron Job . Default pd-sdd.	string	"standard"	no
gke_sc_gitlab_restore_disk	Storage class for Perstistent Volume used for extra space in Backup Restore Job. Default pd-sdd.	string	"standard"	no
gke_services_subnet_cidr	Cidr range to use for gitlab GKE services subnet	string	"10.20.0.0/16"	no
gke_storage_class	Default storage class for GKE Cluster. Default pd-sdd	string	"pd-ssd"	no
gke_storage_class_reclaim_policy	Set storage class reclaim policy. Default Retain	string	"Retain"	no
gke_version	Version of GKE to use for the GitLab cluster	string	"latest"	no
helm_chart_version	Helm chart version to install during deployment - Default Gitlab 14.9.3	string	"5.9.3"	no
postgresql_availability_type	The availability type of the Cloud SQL instance, high availability (REGIONAL) or single zone (ZONAL).	string	"REGIONAL"	no
postgresql_backup_retained_count	Numeber of postgres backup to be retained. Default 30.	number	"30"	no
postgresql_backup_start_time	HH:MM format time indicating when postgres backup configuration starts.	string	"02:00"	no
postgresql_db_random_suffix	Sets random suffix at the end of the Cloud SQL instance name.	bool	false	no
postgresql_del_protection	Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply command that deletes the instance will fail.	bool	true	no
postgresql_disk_size	he size of data disk, in GB. Size of a running instance cannot be reduced but can be increased. Default to 100 GB	number	"100"	no
postgresql_disk_type	The type of postgresql data disk: PD_SSD or PD_HDD.	string	"PD_SSD"	no
postgresql_enable_backup	Setup if postgres backup configuration is enabled.Default true	bool	true	no
postgresql_tier	(Required) The machine type to use.Postgres supports only shared-core machine types, and custom machine types such as db-custom-2-13312	string	"db-custom-2-8192"	no
postgresql_version	(Required) The PostgreSQL version to use. Supported values for Gitlab POSTGRES_12, POSTGRES_13. Default: POSTGRES_12	string	"POSTGRES_12"	no
project_id	GCP Project to deploy resources	string	n/a	yes
redis_maxmemory_gb	Set a Max memory usage limit for Redis specified in GiB.	number	0.8	no
redis_size	Redis memory size in GiB.	number	1	no
redis_tier	The service tier of the instance. Must be one of these values BASIC and STANDARD_HA	string	"STANDARD_HA"	no
region	GCP region to deploy resources to	string	"europe-west1"	no

Outputs

Name	Description
buckets_random_suffix	The random suffix used to have unique bucket names.
cluster_ca_certificate	Certification Authority of the GKE cluster API server that GitLab is deployed in.
cluster_endpoint	Endpoint of the GKE cluster API server that GitLab is deployed in.
cluster_location	Location of the GKE cluster that GitLab is deployed in.
cluster_name	Name of the GKE cluster that GitLab is deployed in.
created_bucket_names	The list of the created buckets.
gitlab_address	IP address where you can connect to your GitLab instance
gitlab_namespace	The namespace where Gitlab is installed.
gitlab_url	URL where you can access your GitLab instance
root_password_instructions	Instructions for getting the root user's password for initial setup
service_account_id	The id of the default service account

Requirements

Before this module can be used on a project, you must ensure that the following pre-requisites are fulfilled:

1. Terraform is installed on the machine where Terraform is executed.
2. The Service Account you execute the module with has the right permissions.

The project factory can be used to provision projects with the correct APIs active.

Software Dependencies

Terraform

• Terraform 0.13.x
• terraform-provider-google plugin v1.8.0

Configure a Service Account

In order to execute this module you must have a Service Account with the following project roles:

• roles/owner

Install

Terraform

Be sure you have the correct Terraform version (0.13.x), you can choose the binary here:

• https://releases.hashicorp.com/terraform/

File structure

The project has the following folders and files:

• /: root folder
• /examples: examples for using this module
• /helpers: Helper scripts
• /test: Folders with files for testing the module (see Testing section on this file)
• /main.tf: main file for this module, contains all the resources to create
• /variables.tf: all the variables for the module
• /output.tf: the outputs of the module
• /README.md: this file