diff --git a/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook.yaml b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook.yaml
new file mode 100644
index 0000000..f876092
--- /dev/null
+++ b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook.yaml
@@ -0,0 +1,29 @@
+# Optional: GitLab CI integration
+# Only hydrate this app for clusters that run GitLab Runner.
+# For Forgejo/GitHub-only deployments, omit this app from stacks-instances.
+# See: ci-sizer/docs/deployment-modes.md
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: gitlab-sizer-webhook
+ namespace: argocd
+ labels:
+ env: dev
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: ci-sizer
+ source:
+ repoURL: https://edp.buildth.ing/DevFW-CICD/stacks-instances
+ targetRevision: HEAD
+ path: "otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook"
diff --git a/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/certificates.yaml b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/certificates.yaml
new file mode 100644
index 0000000..ee1fece
--- /dev/null
+++ b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/certificates.yaml
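Review bot: `project: default` combined with `targetRevision: HEAD` lets this Application sync whatever the repository's default branch holds under the Argo `default` project, which places no restriction on source repositories or destination clusters/namespaces; if this instance already uses a scoped AppProject for its other Applications, this one should reference it too (e.g. `project: ci-sizer`), and pinning `targetRevision` to a branch or tag makes the reviewed revision explicit. `retry: limit: -1` retries a failing sync forever, which will hide a permanently broken state (for example the cert-manager CRDs not being installed on a cluster) rather than surface it in the Application status; a bounded `limit` with `backoff` is the usual choice. `automated:` sets `selfHeal` but not `prune`, so resources removed from the path in git stay in the cluster — fine if intended, but worth a one-line comment such as `# no prune: webhook resources are removed manually`.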
@@ -0,0 +1,27 @@
+# Self-signed Issuer for webhook TLS.
+# For production, replace with a ClusterIssuer backed by a real CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+# cert-manager Certificate for the webhook TLS.
+# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod.
+# cert-manager also injects the CA into the MutatingWebhookConfiguration via the
+# cert-manager.io/inject-ca-from annotation.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: gitlab-sizer-webhook-cert
+spec:
+ secretName: gitlab-sizer-webhook-tls
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ dnsNames:
+ - gitlab-sizer-webhook.ci-sizer.svc
+ - gitlab-sizer-webhook.ci-sizer.svc.cluster.local
+ duration: 8760h
+ renewBefore: 720h
diff --git a/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/deployment.yaml b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/deployment.yaml
new file mode 100644
index 0000000..0b99859
--- /dev/null
+++ b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/deployment.yaml
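Review bot: The Certificate sets no `privateKey.rotationPolicy`, and cert-manager releases before the default change reuse the existing key on every renewal, so the webhook's TLS key would stay the same across the yearly `duration`/`renewBefore` cycle; adding `privateKey: {rotationPolicy: Always}` under `spec` makes each renewal a fresh keypair unless the installed cert-manager already defaults to that. The header comment's advice to replace the self-signed Issuer with a "real CA" ClusterIssuer is misleading for an admission webhook: the API server trusts only the CA injected through `cert-manager.io/inject-ca-from`, so a cluster-internal self-signed root is the correct trust anchor and a public CA would add nothing; I would reword it to `# Self-signed Issuer is sufficient: the API server trusts the injected CA, not a public one.` The `dnsNames` cover the two forms the API server uses for the Service, which is correct.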
@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitlab-sizer-webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gitlab-sizer-webhook
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gitlab-sizer-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gitlab-sizer-webhook
+subjects:
+ - kind: ServiceAccount
+ name: gitlab-sizer-webhook
+ namespace: ci-sizer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitlab-sizer-webhook
+ labels:
+ app: gitlab-sizer-webhook
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: gitlab-sizer-webhook
+ template:
+ metadata:
+ labels:
+ app: gitlab-sizer-webhook
+ spec:
+ serviceAccountName: gitlab-sizer-webhook
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: webhook
+ image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest
+ imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ args:
+ - --listen-addr=:8443
+ - --tls-cert-file=/etc/webhook/tls/tls.crt
+ - --tls-key-file=/etc/webhook/tls/tls.key
+ - --sizer-url=http://sizer-receiver.ci-sizer.svc:8080
+ - --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest
+ env:
+ - name: WEBHOOK_SIZER_READ_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: gitlab-sizer-webhook-tokens
+ key: sizer-read-token
+ - name: WEBHOOK_SIZER_PUSH_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: gitlab-sizer-webhook-tokens
+ key: sizer-push-token
+ - name: HTTP_PROXY
+ valueFrom:
+ configMapKeyRef:
+ name: gitlab-sizer-webhook-config
+ key: HTTP_PROXY
+ optional: true
+ - name: HTTPS_PROXY
+ valueFrom:
+ configMapKeyRef:
+ name: gitlab-sizer-webhook-config
+ key: HTTPS_PROXY
+ optional: true
+ - name: NO_PROXY
+ valueFrom:
+ configMapKeyRef:
+ name: gitlab-sizer-webhook-config
+ key: NO_PROXY
+ optional: true
+ volumeMounts:
+ - name: webhook-tls
+ mountPath: /etc/webhook/tls
+ readOnly: true
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+ volumes:
+ - name: webhook-tls
+ secret:
+ secretName: gitlab-sizer-webhook-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitlab-sizer-webhook
+ labels:
+ app: gitlab-sizer-webhook
+spec:
+ selector:
+ app: gitlab-sizer-webhook
+ ports:
+ - port: 443
+ targetPort: 8443
+ protocol: TCP
diff --git a/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml
new file mode 100644
index 0000000..72aea4a
--- /dev/null
+++ b/otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml
@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: gitlab-sizer-webhook
+ annotations:
+ cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert
+webhooks:
+ - name: gitlab-sizer-webhook.ci-sizer.svc
+ admissionReviewVersions: ["v1"]
+ sideEffects: NoneOnDryRun
+ failurePolicy: Ignore
+ timeoutSeconds: 5
+ reinvocationPolicy: Never
+ clientConfig:
+ service:
+ name: gitlab-sizer-webhook
+ namespace: ci-sizer
+ path: /mutate
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE"]
+ resources: ["pods"]
+ namespaceSelector:
+ matchLabels:
+ ci-sizer.devfw.io/watch: "true"
+ objectSelector:
+ matchExpressions:
+ - key: job.runner.gitlab.com/pod
+ operator: Exists
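Review bot: Both the webhook's own `image:` and the `--sizer-sidecar-image=` argument point at the mutable `:latest` tag (with `imagePullPolicy: Always`), and the second one is the container this webhook injects into every matched GitLab job pod, so anyone able to push a new `latest` for `edp.buildth.ing/devfw-cicd/ci-sizer-collector` gets code execution inside all CI jobs on the next pod creation; both references should be pinned by digest (`…/ci-sizer-collector@sha256:…`) or an immutable tag that is bumped explicitly through this repo. The ClusterRole grants `get/list/watch` on pods cluster-wide although a mutating webhook receives the full Pod object in the AdmissionReview; if the binary really needs to read pods, a Role per watched namespace is the least-privilege form, and if it does not, the ClusterRole/ClusterRoleBinding can be dropped (the binary is outside this diff, so this is inferred). The read and push tokens from `gitlab-sizer-webhook-tokens` are sent to `http://sizer-receiver.ci-sizer.svc:8080` in clear text, which is acceptable only if in-cluster traffic is trusted or encrypted by a mesh; note as well that when `HTTP_PROXY` is populated from the ConfigMap, that in-cluster call goes through the proxy unless `NO_PROXY` lists `.svc`/`.cluster.local` or the service CIDR, which deserves a comment next to the proxy env entries.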
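Review bot: `sideEffects: NoneOnDryRun` is a contract the webhook binary has to honour: the deployment gives it a push token for the sizer receiver, so if `/mutate` records anything out-of-band it must skip that when the AdmissionReview carries `dryRun: true`, or `kubectl apply --dry-run=server` and controller dry-runs will leave stray records; a comment such as `# NoneOnDryRun: the webhook must not call the receiver for dryRun requests` makes the dependency visible to whoever maintains the binary. `failurePolicy: Ignore` is the right call for an opt-in sizing sidecar (a webhook outage must not block CI), but it also means a missing injection is silent, so document the intent with `# fail-open: sizing data is best-effort, never block job pods`. Since matching is purely label-driven, any principal that can create pods in a namespace labelled `ci-sizer.devfw.io/watch=true` can trigger injection by setting `job.runner.gitlab.com/pod` themselves; the injected collector container must therefore not carry privileges, mounts or credentials beyond what the surrounding pod already has.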
diff --git a/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver.yaml b/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver.yaml
index aeb18c9..a1623f9 100644
--- a/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver.yaml
+++ b/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver.yaml
@@ -1,3 +1,7 @@
+# Required: CI Sizer receiver
+# Always deploy this — it stores metrics and computes sizing recommendations.
+# Works standalone or with GARM (Forgejo/GitHub) and/or GitLab webhook.
+# See: ci-sizer/docs/deployment-modes.md
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
diff --git a/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver/deployment.yaml b/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver/deployment.yaml
index 7e9261b..fc78147 100644
--- a/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver/deployment.yaml
+++ b/otc/benchmark.t09.de/stacks/ci-sizer/sizer-receiver/deployment.yaml
@@ -40,7 +40,7 @@ spec:
 name: sizer-tokens
 key: hmac-key
 - name: GARM_URL
- value: "http://garm.garm.svc.cluster.local:80"
+ value: "http://garm.garm.svc:80"
 - name: GARM_USER
 value: "admin"
 - name: GARM_PASSWORD
@@ -62,7 +62,7 @@ spec:
 - name: RECEIVER_SESSION_TTL
 value: "12h"
 - name: RECEIVER_ALLOWED_ORG
- value: "DevFW-CICD"
+ value: "giteaAdmin"
 - name: RECEIVER_CPU_SIZING_MODE
 value: "observe"
 - name: RECEIVER_MEMORY_QOS
diff --git a/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
index 18762aa..aa8324a 100644
--- a/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
+++ b/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
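Review bot: `RECEIVER_ALLOWED_ORG` moves from the organisation name `DevFW-CICD` to `giteaAdmin`, which reads like the Forgejo admin user's login rather than an organisation; if this variable is the receiver's authorization gate (who may log in or push), replacing an org with a single account changes who is admitted and, if the receiver checks org membership, may not match anyone at all, so the reason belongs in the commit message or a comment such as `# org (or user) whose members may use the receiver UI/API`. The receiver code that consumes this value is outside the diff, so its exact effect is inferred. The neighbouring hunk keeps `GARM_USER: "admin"` inline while `GARM_PASSWORD` and the hmac key come from the `sizer-tokens` Secret, and the new `http://garm.garm.svc:80` URL still carries that admin credential over plain HTTP inside the cluster; that is unchanged by this commit but worth a note if GARM offers TLS.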
@@ -65,7 +65,7 @@ metadata:
 namespace: gitea
 annotations:
 everest.io/disk-volume-type: GPSSD
- everest.io/crypt-key-id: 71ebef9e-5575-4b05-a597-ee1f67c911e3
+ everest.io/crypt-key-id: fc9a8e53-1853-4903-b500-7a67dd1a8566
 spec:
 storageClassName: csi-disk
 accessModes:
diff --git a/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/values.yaml b/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/values.yaml
index 8a18a98..69a3213 100644
--- a/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/values.yaml
+++ b/otc/benchmark.t09.de/stacks/forgejo/forgejo-server/values.yaml
@@ -20,7 +20,7 @@ persistence:
 size: 200Gi
 storageClass: csi-disk
 annotations:
- everest.io/crypt-key-id: 71ebef9e-5575-4b05-a597-ee1f67c911e3
+ everest.io/crypt-key-id: fc9a8e53-1853-4903-b500-7a67dd1a8566
 everest.io/disk-volume-type: GPSSD
 test:
@@ -170,7 +170,7 @@ service:
 nodePort: 32222
 externalTrafficPolicy: Cluster
 annotations:
- kubernetes.io/elb.id: 5ee936a2-6308-4924-9fdf-0256cbdf3baa
+ kubernetes.io/elb.id: 1fb3ccb7-ae1c-4787-a743-6a620978ec8d
 image:
 pullPolicy: "IfNotPresent"
@@ -178,6 +178,6 @@ image:
 #tag: "8.0.3"
 # Adds -rootless suffix to image name
 # rootless: true
- fullOverride: edp.buildth.ing/devfw-cicd/edp-forgejo:14.0.2-edp1-rootless
+ fullOverride: edp.buildth.ing/devfw-cicd/edp-forgejo:workflow-webhook-20260305
 forgejo: {}
diff --git a/otc/benchmark.t09.de/stacks/garm/garm.yaml b/otc/benchmark.t09.de/stacks/garm/garm.yaml
index fee3847..e7102d4 100644
--- a/otc/benchmark.t09.de/stacks/garm/garm.yaml
+++ b/otc/benchmark.t09.de/stacks/garm/garm.yaml
@@ -1,3 +1,7 @@
+# Default: Forgejo/GitHub Actions runner manager
+# Deploys GARM with the ci-sizer provider for automatic sizing + collector injection.
+# For GitLab-only deployments, omit this and use gitlab-webhook instead.
+# See: ci-sizer/docs/deployment-modes.md
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
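Review bot: Changing `everest.io/crypt-key-id` on a PersistentVolumeClaim that already exists will not re-encrypt the disk provisioned under `71ebef9e-…`; as far as I know the CSI driver reads this annotation only at provisioning time, so the new key `fc9a8e53-…` applies only to claims created after this sync. The old KMS key therefore has to stay enabled until every disk created with it — this backup PVC and the Forgejo, Grafana and Victoria volumes touched in the same commit — has been recreated, otherwise those volumes become unreadable. A one-line comment beside the annotation, e.g. `# key used only for newly provisioned disks; existing volumes keep their original key`, or a sentence in the commit message describing the migration would save the next operator from retiring the old key too early.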
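Review bot: `fullOverride` moves from the release tag `14.0.2-edp1-rootless` to `workflow-webhook-20260305`, which looks like a branch build: the Forgejo version is no longer visible in the manifest and the `-rootless` suffix that the comment two lines above describes is gone, so whether the image still runs unprivileged cannot be told from here. If this build is intentional, pin it by digest (`edp.buildth.ing/devfw-cicd/edp-forgejo@sha256:…`) so a re-push of the same tag cannot change what the server runs, and record the base version in a comment such as `# 14.0.2-edp1-rootless plus workflow-webhook patch; return to a release tag once merged`. Only part of the `image:` section is in the hunk, so a `rootless:` setting elsewhere in the file is not visible.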
diff --git a/otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
index 199a104..2fcd4bf 100644
--- a/otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/benchmark.t09.de/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -9,7 +9,7 @@ spec:
 metadata:
 annotations:
 everest.io/disk-volume-type: GPSSD
- everest.io/crypt-key-id: 71ebef9e-5575-4b05-a597-ee1f67c911e3
+ everest.io/crypt-key-id: fc9a8e53-1853-4903-b500-7a67dd1a8566
 spec:
 storageClassName: csi-disk
 accessModes:
diff --git a/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml b/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml
index a23bc0c..c771b52 100644
--- a/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml
+++ b/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml
@@ -8,7 +8,7 @@ spec:
 removePvcAfterDelete: true
 storageMetadata:
 annotations:
- everest.io/crypt-key-id: 71ebef9e-5575-4b05-a597-ee1f67c911e3
+ everest.io/crypt-key-id: fc9a8e53-1853-4903-b500-7a67dd1a8566
 everest.io/disk-volume-type: GPSSD
 storage:
 storageClassName: csi-disk
diff --git a/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/values.yaml b/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/values.yaml
index b6565f0..8c61b03 100644
--- a/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/values.yaml
+++ b/otc/benchmark.t09.de/stacks/observability/victoria-k8s-stack/values.yaml
@@ -288,7 +288,7 @@ vmsingle:
 extraArgs: {}
 storageMetadata:
 annotations:
- everest.io/crypt-key-id: 71ebef9e-5575-4b05-a597-ee1f67c911e3
+ everest.io/crypt-key-id: fc9a8e53-1853-4903-b500-7a67dd1a8566
 everest.io/disk-volume-type: GPSSD
 storage:
 storageClassName: csi-disk
diff --git a/otc/benchmark.t09.de/stacks/otc/ingress-nginx/values.yaml b/otc/benchmark.t09.de/stacks/otc/ingress-nginx/values.yaml
index 038cbc5..7c4d780 100644
--- a/otc/benchmark.t09.de/stacks/otc/ingress-nginx/values.yaml
+++ b/otc/benchmark.t09.de/stacks/otc/ingress-nginx/values.yaml
@@ -8,8 +8,8 @@ controller:
 annotations:
 kubernetes.io/elb.class: union
 kubernetes.io/elb.port: '80'
- kubernetes.io/elb.id: 5ee936a2-6308-4924-9fdf-0256cbdf3baa
- kubernetes.io/elb.ip: 80.158.90.69
+ kubernetes.io/elb.id: 1fb3ccb7-ae1c-4787-a743-6a620978ec8d
+ kubernetes.io/elb.ip: 164.30.4.5
 ingressClassResource:
 name: nginx
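Review bot: The new ELB `1fb3ccb7-…` with public IP `164.30.4.5` is also the `kubernetes.io/elb.id` given to the Forgejo SSH service (nodePort 32222) in the same commit, so the HTTP ingress and git-over-SSH now share a single load balancer; the manifests say nothing about the cut-over, so DNS for every hostname served by this ingress must be repointed from `80.158.90.69` and the old ELB `5ee936a2-…` retired only afterwards. A comment beside the annotations, e.g. `# shared ELB: also used by forgejo-server SSH (values.yaml service.annotations)`, would make that coupling visible to the next person who replaces the ELB. Only `elb.port: '80'` is listed in this hunk; whether 443 is annotated elsewhere in the file is not visible here.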