Automated upload for benchmark.t09.de

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/certificates.yaml

@@ -0,0 +1,27 @@
+# Self-signed Issuer for webhook TLS.
+# For production, replace with a ClusterIssuer backed by a real CA.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+# cert-manager Certificate for the webhook TLS.
+# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod.
+# cert-manager also injects the CA into the MutatingWebhookConfiguration via the
+# cert-manager.io/inject-ca-from annotation.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-sizer-webhook-cert
+spec:
+  secretName: gitlab-sizer-webhook-tls
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+  dnsNames:
+    - gitlab-sizer-webhook.ci-sizer.svc
+    - gitlab-sizer-webhook.ci-sizer.svc.cluster.local
+  duration: 8760h
+  renewBefore: 720h

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/deployment.yaml

@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitlab-sizer-webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gitlab-sizer-webhook
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gitlab-sizer-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gitlab-sizer-webhook
+subjects:
+  - kind: ServiceAccount
+    name: gitlab-sizer-webhook
+    namespace: ci-sizer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitlab-sizer-webhook
+  labels:
+    app: gitlab-sizer-webhook
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: gitlab-sizer-webhook
+  template:
+    metadata:
+      labels:
+        app: gitlab-sizer-webhook
+    spec:
+      serviceAccountName: gitlab-sizer-webhook
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: webhook
+          image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+          args:
+            - --listen-addr=:8443
+            - --tls-cert-file=/etc/webhook/tls/tls.crt
+            - --tls-key-file=/etc/webhook/tls/tls.key
+            - --sizer-url=http://sizer-receiver.ci-sizer.svc:8080
+            - --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest
+          env:
+            - name: WEBHOOK_SIZER_READ_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitlab-sizer-webhook-tokens
+                  key: sizer-read-token
+            - name: WEBHOOK_SIZER_PUSH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitlab-sizer-webhook-tokens
+                  key: sizer-push-token
+            - name: HTTP_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: HTTP_PROXY
+                  optional: true
+            - name: HTTPS_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: HTTPS_PROXY
+                  optional: true
+            - name: NO_PROXY
+              valueFrom:
+                configMapKeyRef:
+                  name: gitlab-sizer-webhook-config
+                  key: NO_PROXY
+                  optional: true
+          volumeMounts:
+            - name: webhook-tls
+              mountPath: /etc/webhook/tls
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+      volumes:
+        - name: webhook-tls
+          secret:
+            secretName: gitlab-sizer-webhook-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab-sizer-webhook
+  labels:
+    app: gitlab-sizer-webhook
+spec:
+  selector:
+    app: gitlab-sizer-webhook
+  ports:
+    - port: 443
+      targetPort: 8443
+      protocol: TCP

otc/benchmark.t09.de/stacks/ci-sizer/gitlab-webhook/webhook-config.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gitlab-sizer-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: ci-sizer/gitlab-sizer-webhook-cert
+webhooks:
+  - name: gitlab-sizer-webhook.ci-sizer.svc
+    admissionReviewVersions: ["v1"]
+    sideEffects: NoneOnDryRun
+    failurePolicy: Ignore
+    timeoutSeconds: 5
+    reinvocationPolicy: Never
+    clientConfig:
+      service:
+        name: gitlab-sizer-webhook
+        namespace: ci-sizer
+        path: /mutate
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: ["CREATE"]
+        resources: ["pods"]
+    namespaceSelector:
+      matchLabels:
+        ci-sizer.devfw.io/watch: "true"
+    objectSelector:
+      matchExpressions:
+        - key: job.runner.gitlab.com/pod
+          operator: Exists