added a current version of the autodeploy chart

chart/.gitignore

-charts/*

chart/.gitlab-ci.yml

-image: "registry.gitlab.com/gitlab-org/gitlab-build-images:alpine-helm"
-
-stages:
-  - test
-  - release
-
-lint:
-  stage: test
-  script:
-    - helm lint .
-
-release-chart:
-  stage: release
-  script:
-    - curl --fail --request POST --form "token=$CI_JOB_TOKEN" --form ref=master https://gitlab.com/api/v4/projects/2860651/trigger/pipeline
-  only:
-    - master@gitlab-org/charts/auto-deploy-app

chart/.helmignore

-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj

chart/CONTRIBUTING.md

@@ -23,4 +23,31 @@ _This notice should stay as the first item in the CONTRIBUTING.md file._
 We want to create a welcoming environment for everyone who is interested
 in contributing. Please visit our [Code of Conduct
 page](https://about.gitlab.com/contributing/code-of-conduct) to learn
-more about our committment to an open and welcoming environment.
+more about our commitment to an open and welcoming environment.
+
+## Merge request guidelines
+
+Below are some guidelines for merge requests:
+
+- Any new configuration option should be documented in
+  the `Configuration` section in README.md.
+- For any template changes, we encourage a test case be added or
+  updated in the
+  [template tests](https://gitlab.com/gitlab-org/charts/auto-deploy-app/-/blob/master/test/template_test.go).
+
+### Working with the tests
+
+The tests are written in [Go](https://golang.org) (version 1.13 or later,
+with [modules enabled](https://golang.org/cmd/go/#hdr-Module_support)) using
+the [Terratest](https://github.com/gruntwork-io/terratest) library. To work
+on the tests, you need to have [Helm 2](https://v2.helm.sh/docs/) and
+[Go](https://golang.org) installed.
+
+To run the tests, run the following commands from the root of your copy of `auto-deploy-app`:
+
+```shell
+helm init --client-only               # required only once
+helm dependency build .               # required only once
+cd test
+GO111MODULE=auto go test .            # required for every change to the tests or the template
+```

chart/Chart.yaml

 apiVersion: v1
 description: GitLab's Auto-deploy Helm Chart
 name: auto-deploy-app
-version: 0.4.0
+version: 1.0.3
 icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png

chart/README.md

 # GitLab's Auto-deploy Helm Chart
 
+## Deprecation Notice
+
+GitLab is moving all development for `auto-deploy-app` into [`auto-deploy-image`](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image). 
+Going forward, the `auto-deploy-app` Helm chart will be bundled with `auto-deploy-image`
+and will no longer released as a stand-alone Helm chart. Existing releases of `auto-deploy-app`
+will remain in [GitLab's chart registry](http://charts.gitlab.io/).
+
+If you have any questions, please ask in <https://gitlab.com/gitlab-org/charts/auto-deploy-app/-/issues/70>.
+
 ## Requirements
 
 - Helm `2.9.0` and above is required in order support `"helm.sh/hook-delete-policy": before-hook-creation` for migrations
@@ -9,6 +18,9 @@
 | Parameter                     | Description | Default                            |
 | ---                           | ---         | ---                                |
 | replicaCount                  |             | `1`                                |
+| strategyType                  | Pod deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) | `nil` |
+| enableSelector                | If `true`, enables selector field for the deployment. Only applicable for `extensions/v1beta1`, as selector field will always be included for `apps/v1` | `nil` |
+| deploymentApiVersion          | Sets `apiVersion` field for the deployment. Can be set to either `extensions/v1beta1` or `apps/v1`. | `extensions/v1beta1` |
 | image.repository              |             | `gitlab.example.com/group/project` |
 | image.tag                     |             | `stable`                           |
 | image.pullPolicy              |             | `Always`                           |
@@ -17,7 +29,7 @@
 | application.track             |             | `stable`                           |
 | application.tier              |             | `web`                              |
 | application.migrateCommand    | If present, this variable will run as a shell command within an application Container as a Helm pre-upgrade Hook. Intended to run migration commands. | `nil` |
-| application.initializeCommand | If present, this variable will run as shall command within an application Container as a Helm post-install Hook. Intended to run database initialization commands. | `nil` |
+| application.initializeCommand | If present, this variable will run as shell command within an application Container as a Helm post-install Hook. Intended to run database initialization commands. When set, the Deployment resource will be skipped.| `nil` |
 | application.secretName        | Pass in the name of a Secret which the deployment will [load all key-value pairs from the Secret as environment variables](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables) in the application container. | `nil` |
 | application.secretChecksum    | Pass in the checksum of the secrets referenced by `application.secretName`. | `nil` |
 | hpa.enabled                   | If true, enables horizontal pod autoscaler. A resource request is also required to be set, such as `resources.requests.cpu: 200m`.| `false` |
@@ -37,21 +49,25 @@
 | service.commonName            | If present, this will define the ssl certificate common name to be used by CertManager. `service.url` and `service.additionalHosts` will be added as Subject Alternative Names (SANs) | `nil` |
 | service.externalPort          |             | `5000`                             |
 | service.internalPort          |             | `5000`                             |
+| ingress.enabled               | If true, enables ingress | `true`                |
 | ingress.tls.enabled           | If true, enables SSL | `true`                    |
 | ingress.tls.secretName        | Name of the secret used to terminate SSL traffic | `""` |
 | ingress.modSecurity.enabled | Enable custom configuration for modsecurity, defaulting to [the Core Rule Set](https://coreruleset.org) | `false` |
 | ingress.modSecurity.secRuleEngine | Configuration for [ModSecurity's rule engine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine) | `DetectionOnly` |
+| ingress.modSecurity.secRules | Configuration for custom [ModSecurity's rules](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secrule) | `nil` |
 | ingress.annotations           | Ingress annotations | `{kubernetes.io/tls-acme: "true", kubernetes.io/ingress.class: "nginx"}` |
 | livenessProbe.path            | Path to access on the HTTP server on periodic probe of container liveness. | `/`                                |
 | livenessProbe.scheme          | Scheme to access the HTTP server (HTTP or HTTPS). | `HTTP`                                |
 | livenessProbe.initialDelaySeconds | # of seconds after the container has started before liveness probes are initiated. | `15`                               |
 | livenessProbe.timeoutSeconds  | # of seconds after which the liveness probe times out. | `15`                               |
 | livenessProbe.probeType       | Type of [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes) to use. | `httpGet`
+| livenessProbe.command         | Commands for use with probe type 'exec'. | `{}`
 | readinessProbe.path           | Path to access on the HTTP server on periodic probe of container readiness. | `/`                                |
 | readinessProbe.scheme         | Scheme to access the HTTP server (HTTP or HTTPS). | `HTTP`                                |
 | readinessProbe.initialDelaySeconds | # of seconds after the container has started before readiness probes are initiated. | `5`                                |
 | readinessProbe.timeoutSeconds | # of seconds after which the readiness probe times out. | `3`                                |
 | readinessProbe.probeType     | Type of [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes) to use. | `httpGet`
+| readinessProbe.command       | Commands for use with probe type 'exec'. | `{}`
 | postgresql.enabled            |             | `true`                             |
 | postgresql.managed            | If true, this will provision a managed Postgres instance via crossplane.            | `false`                             |
 | postgresql.managedClassSelector            | This will allow provisioning a Postgres instance based on label selectors via Crossplane, eg: `managedClassSelector.matchLabels.stack: gitlab`. The `postgresql.managed` value should be true as well for this to be honoured. [Crossplane Configuration](https://docs.gitlab.com/ee/user/clusters/applications.html#crossplane)            | `{}`                             |
@@ -59,3 +75,10 @@
 | podDisruptionBudget.maxUnavailable |             | `1`                            |
 | podDisruptionBudget.minAvailable | If present, this variable will configure minAvailable in the PodDisruptionBudget. :warning: if you have `replicaCount: 1` and `podDisruptionBudget.minAvailable: 1` `kubectl drain` will be blocked.              | `nil`                            |
 | prometheus.metrics            | Annotates the service for prometheus auto-discovery. Also denies access to the `/metrics` endpoint from external addresses with Ingress. | `false` |
+| networkPolicy.enabled         | Enable container network policy | `false` |
+| networkPolicy.spec            | [Network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) definition | `{ podSelector: { matchLabels: {} }, ingress: [{ from: [{ podSelector: { matchLabels: {} } }, { namespaceSelector: { matchLabels: { app.gitlab.com/managed_by: gitlab } } }] }] }` |
+
+## PostgreSQL
+
+This chart depends on version 0.7.1 of the `stable/postgresql` chart.
+For reference the source code for this specific version can be found at https://github.com/helm/charts/tree/b90ad657e1a226eb52c3eb6a2a95ba3d6d494f58/stable/postgresql
\ No newline at end of file

chart/templates/NOTES.txt

-{{- if .Values.service.enabled -}}
-Application should be accessible at: {{ .Values.service.url }}
+{{- if and .Values.ingress.enabled .Values.service.enabled -}}
+Application should be accessible at
+
+    {{ .Values.service.url }}
 {{- else -}}
-Application will be accessible at: {{ .Values.service.url }} when you deploy stable track.
+Application was deployed reusing the service at
+
+    {{ .Values.service.url }}
+
+It will share a load balancer with the previous release (or be unavailable if
+no service or ingress was previously deployed).
 {{- end -}}

chart/templates/_helpers.tpl

@@ -20,6 +20,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s" $releaseName | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "imagename" -}}
+{{- if eq .Values.image.tag "" -}}
+{{- .Values.image.repository -}}
+{{- else -}}
+{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "trackableappname" -}}
 {{- $trackableName := printf "%s-%s" (include "appname" .) .Values.application.track -}}
 {{- $trackableName | trimSuffix "-stable" | trunc 63 | trimSuffix "-" -}}
@@ -29,5 +37,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Get a hostname from URL
 */}}
 {{- define "hostname" -}}
-{{- . | trimPrefix "http://" |  trimPrefix "https://" | trimSuffix "/" | quote -}}
+{{- . | trimPrefix "http://" |  trimPrefix "https://" | trimSuffix "/" | trim | quote -}}
 {{- end -}}
+
+{{/*
+Get SecRule's arguments with unescaped single&double quotes
+*/}}
+{{- define "secrule" -}}
+{{- $operator := .operator | quote | replace "\"" "\\\"" | replace "'" "\\'" -}}
+{{- $action := .action | quote | replace "\"" "\\\"" | replace "'" "\\'" -}}
+{{- printf "SecRule %s %s %s" .variable $operator $action -}}
+{{- end -}}
\ No newline at end of file

chart/templates/db-initialize-job.yaml

@@ -24,7 +24,7 @@ spec:
 {{ toYaml .Values.image.secrets | indent 10 }}
       containers:
       - name: {{ .Chart.Name }}
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: {{ template "imagename" . }}
         command: ["/bin/sh"]
         args: ["-c", "{{ .Values.application.initializeCommand }}"]
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -36,4 +36,8 @@ spec:
         env:
         - name: DATABASE_URL
           value: {{ .Values.application.database_url | quote }}
+        - name: GITLAB_ENVIRONMENT_NAME
+          value: {{ .Values.gitlab.envName | quote }}
+        - name: GITLAB_ENVIRONMENT_URL
+          value: {{ .Values.gitlab.envURL | quote }}
 {{- end -}}

chart/templates/db-migrate-hook.yaml

@@ -24,7 +24,7 @@ spec:
 {{ toYaml .Values.image.secrets | indent 10 }}
       containers:
       - name: {{ .Chart.Name }}
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: {{ template "imagename" . }}
         command: ["/bin/sh"]
         args: ["-c", "{{ .Values.application.migrateCommand }}"]
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -36,4 +36,8 @@ spec:
         env:
         - name: DATABASE_URL
           value: {{ .Values.application.database_url | quote }}
+        - name: GITLAB_ENVIRONMENT_NAME
+          value: {{ .Values.gitlab.envName | quote }}
+        - name: GITLAB_ENVIRONMENT_URL
+          value: {{ .Values.gitlab.envURL | quote }}
 {{- end -}}

chart/templates/deployment.yaml

 {{- if not .Values.application.initializeCommand -}}
-apiVersion: extensions/v1beta1
+apiVersion: {{ default "extensions/v1beta1" .Values.deploymentApiVersion }}
 kind: Deployment
 metadata:
   name: {{ template "trackableappname" . }}
@@ -14,7 +14,19 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
+{{- if or .Values.enableSelector (eq (default "extensions/v1beta1" .Values.deploymentApiVersion) "apps/v1") }}
+  selector:
+    matchLabels:
+      app: {{ template "appname" . }}
+      track: "{{ .Values.application.track }}"
+      tier: "{{ .Values.application.tier }}"
+      release: {{ .Release.Name }}
+{{- end }}
   replicas: {{ .Values.replicaCount }}
+{{- if .Values.strategyType }}
+  strategy:
+    type: {{ .Values.strategyType | quote }}
+{{- end }}
   template:
     metadata:
       annotations:
@@ -30,116 +42,11 @@ spec:
         tier: "{{ .Values.application.tier }}"
         release: {{ .Release.Name }}
     spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: worker
-                operator: NotIn
-                values:
-                - temp
       imagePullSecrets:
 {{ toYaml .Values.image.secrets | indent 10 }}
-      securityContext:
-        fsGroup: 2000
-      volumes:
-      - name: mglogs-persistent-storage
-        persistentVolumeClaim:
-          claimName: mg-logs
-      - name: env-files
-        secret:
-          secretName: metager-env
-      - name: sumas
-        secret:
-          secretName: metager-sumas
-      - name: sumas-en
-        secret:
-          secretName: metager-sumas-en
-      - name: blacklist
-        secret:
-          secretName: metager-blacklist
-      - name: blacklist-ad
-        secret:
-          secretName: metager-ad-blacklist
       containers:
-      # Main PHP-FPM Container
-      - name: {{ .Chart.Name }}-phpfpm
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        {{- if .Values.application.secretName }}
-        envFrom:
-        - secretRef:
-            name: {{ .Values.application.secretName }}
-        {{- end }}
-        env:
-        - name: DATABASE_URL
-          value: {{ .Values.application.database_url | quote }}
-        - name: GITLAB_ENVIRONMENT_NAME
-          value: {{ .Values.gitlab.envName }}
-        - name: GITLAB_ENVIRONMENT_URL
-          value: {{ .Values.gitlab.envURL }}
-        ports:
-        - name: "{{ .Values.service.name }}-phpfpm"
-          containerPort: 9000
-        livenessProbe:
-          tcpSocket:
-            port: "{{ .Values.service.name }}-phpfpm"
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-        readinessProbe:
-          tcpSocket:
-            port: "{{ .Values.service.name }}-phpfpm"
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-        volumeMounts:
-        - name: mglogs-persistent-storage
-          mountPath: /html/storage/logs/metager
-          readOnly: false
-        - name: env-files
-          mountPath: /root/.env
-          subPath: .env
-          readOnly: true
-        - name: env-files
-          mountPath: /html/database/seeds/UsersSeeder.php
-          subPath: UsersSeeder.php
-          readOnly: true
-        - name: env-files
-          mountPath: /html/config/spam.txt
-          subPath: spam.txt
-          readOnly: true
-        - name: sumas
-          mountPath: /html/config/sumas.json
-          subPath: sumas.json
-          readOnly: true
-        - name: sumas-en
-          mountPath: /html/config/sumasEn.json
-          subPath: sumasEn.json
-          readOnly: true
-        - name: blacklist
-          mountPath: /html/config/blacklistUrl.txt
-          subPath: blacklistUrl.txt
-          readOnly: true
-        - name: blacklist
-          mountPath: /html/config/blacklistDomains.txt
-          subPath: blacklistDomains.txt
-          readOnly: true
-        - name: blacklist-ad
-          mountPath: /html/config/adBlacklistUrl.txt
-          subPath: adBlacklistUrl.txt
-          readOnly: true
-        - name: blacklist-ad
-          mountPath: /html/config/adBlacklistDomains.txt
-          subPath: adBlacklistDomains.txt
-          readOnly: true
-        resources:
-          requests:
-            cpu: 500m
-            memory: 500m
-      # Nginx Container
-      - name: {{ .Chart.Name }}-nginx
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        command: ["nginx"]
+      - name: {{ .Chart.Name }}
+        image: {{ template "imagename" . }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if .Values.application.secretName }}
         envFrom:
@@ -147,12 +54,29 @@ spec:
             name: {{ .Values.application.secretName }}
         {{- end }}
         env:
+{{- if .Values.postgresql.managed }}
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: app-postgres
+              key: username
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: app-postgres
+              key: password
+        - name: POSTGRES_HOST
+          valueFrom:
+            secretKeyRef:
+              name: app-postgres
+              key: privateIP
+{{- end }}
         - name: DATABASE_URL
           value: {{ .Values.application.database_url | quote }}
         - name: GITLAB_ENVIRONMENT_NAME
-          value: {{ .Values.gitlab.envName }}
+          value: {{ .Values.gitlab.envName | quote }}
         - name: GITLAB_ENVIRONMENT_URL
-          value: {{ .Values.gitlab.envURL }}
+          value: {{ .Values.gitlab.envURL | quote }}
         ports:
         - name: "{{ .Values.service.name }}"
           containerPort: {{ .Values.service.internalPort }}
@@ -165,6 +89,10 @@ spec:
 {{- else if eq .Values.livenessProbe.probeType "tcpSocket" }}
           tcpSocket:
             port: {{ .Values.service.internalPort }}
+{{- else if eq .Values.livenessProbe.probeType "exec" }}
+          exec:
+            command:
+{{ toYaml .Values.livenessProbe.command | indent 14 }}
 {{- end }}
           initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
           timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
@@ -177,56 +105,13 @@ spec:
 {{- else if eq .Values.readinessProbe.probeType "tcpSocket" }}
           tcpSocket:
             port: {{ .Values.service.internalPort }}
-{{- end }}
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-        resources:
-          requests:
-            cpu: 100m
-            memory: 100m
-      # Redis Container
-      - name: {{ .Chart.Name }}-redis
-        image: "redis:5.0.3-alpine"
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        ports:
-        - name: "{{ .Values.service.name }}-redis"
-          containerPort: 6379
-        livenessProbe:
-          tcpSocket:
-            port: "{{ .Values.service.name }}-redis"
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-        readinessProbe:
-          tcpSocket:
-            port: "{{ .Values.service.name }}-redis"
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-        resources:
-          requests:
-            cpu: 100m
-            memory: 1Gi
-      # Fetcher Container
-      - name: {{ .Chart.Name }}-fetcher
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        command: ["su"]
-        args: ["-s", "/bin/sh", "-c", "php artisan requests:fetcher", "nginx"]
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        livenessProbe:
+{{- else if eq .Values.readinessProbe.probeType "exec" }}
           exec:
             command:
-            - cat
-            - /tmp/fetcher
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-        readinessProbe:
-          exec:
-            command:
-            - cat
-            - /tmp/fetcher
+{{ toYaml .Values.readinessProbe.command | indent 14 }}
+{{- end }}
           initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
           timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
         resources:
-          requests:
-            cpu: 500m
-            memory: 100m
+{{ toYaml .Values.resources | indent 12 }}
 {{- end -}}

chart/templates/ingress.yaml

-{{- if .Values.service.enabled -}}
+{{- if and (.Values.service.enabled) (eq .Values.application.track "stable") (or (.Values.ingress.enabled) (not (hasKey .Values.ingress "enabled"))) -}}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -12,10 +12,15 @@ metadata:
 {{- if .Values.ingress.annotations }}
 {{ toYaml .Values.ingress.annotations | indent 4 }}
 {{- end }}
-{{- if and .Values.ingress.modSecurity .Values.ingress.modSecurity.enabled }}
+{{- with .Values.ingress.modSecurity }}
+{{- if .enabled }}
+    nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$server_name-$request_id"
     nginx.ingress.kubernetes.io/modsecurity-snippet: |
-      SecRuleEngine {{ .Values.ingress.modSecurity.secRuleEngine | default "DetectionOnly" | title }}
-
+      SecRuleEngine {{ .secRuleEngine | default "DetectionOnly" | title }}
+{{- range $rule := .secRules }}
+{{ (include "secrule" $rule) | indent 6 }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- if .Values.prometheus.metrics }}
     nginx.ingress.kubernetes.io/server-snippet: |-
@@ -34,7 +39,7 @@ spec:
     - {{ template "hostname" .Values.service.url }}
 {{- if .Values.service.additionalHosts }}
 {{- range $host := .Values.service.additionalHosts }}
-    - {{ $host }}
+    - {{ template "hostname" $host }}
 {{- end -}}
 {{- end }}
     secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" (include "fullname" .)) }}
@@ -48,10 +53,6 @@ spec:
         backend:
           serviceName: {{ template "fullname" . }}
           servicePort: {{ .Values.service.externalPort }}
-      - path: /wsb
-        backend:
-          serviceName: wsb
-          servicePort: 80
 {{- if .Values.service.commonName }}
   - host: {{ template "hostname" .Values.service.commonName }}
     http:
@@ -59,7 +60,7 @@ spec:
 {{- end -}}
 {{- if .Values.service.additionalHosts }}
 {{- range $host := .Values.service.additionalHosts }}
-  - host: {{ $host }}
+  - host: {{ template "hostname" $host }}
     http:
       <<: *httpRule
 {{- end -}}

chart/templates/network-policy.yaml

+{{- if .Values.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "appname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+{{ toYaml .Values.networkPolicy.spec | indent 2 }}
+{{- end -}}

chart/templates/service.yaml

-{{- if .Values.service.enabled -}}
+{{- if and (.Values.service.enabled) (eq .Values.application.track "stable") -}}
 apiVersion: v1
 kind: Service
 metadata:

chart/templates/worker-deployment.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: List
 items:
 {{- range $workerName, $workerConfig :=  .Values.workers }}
-- apiVersion: extensions/v1beta1
+- apiVersion: {{ default "extensions/v1beta1" $.Values.deploymentApiVersion }}
   kind: Deployment
   metadata:
     name: {{ template "trackableappname" $ }}-{{ $workerName }}
@@ -17,7 +17,18 @@ items:
       release: {{ $.Release.Name }}
       heritage: {{ $.Release.Service }}
   spec:
+  {{- if or $.Values.enableSelector (eq (default "extensions/v1beta1" $.Values.deploymentApiVersion) "apps/v1") }}
+    selector:
+      matchLabels:
+        track: "{{ $.Values.application.track }}"
+        tier: worker
+        release: {{ $.Release.Name }}
+  {{- end }}
     replicas: {{ $workerConfig.replicaCount }}
+  {{- if $workerConfig.strategyType }}
+    strategy:
+      type: {{ $workerConfig.strategyType | quote }}
+  {{- end  }}
     template:
       metadata:
         annotations:
@@ -37,7 +48,7 @@ items:
         terminationGracePeriodSeconds: {{ $workerConfig.terminationGracePeriodSeconds }}
         containers:
         - name: {{ $.Chart.Name }}-{{ $workerName }}
-          image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
+          image: {{ template "imagename" $ }}
           command:
           {{- range $workerConfig.command }}
           - {{ . }}
@@ -52,7 +63,7 @@ items:
           - name: DATABASE_URL
             value: {{ $.Values.application.database_url | quote }}
           - name: GITLAB_ENVIRONMENT_NAME
-            value: {{ $.Values.gitlab.envName }}
+            value: {{ $.Values.gitlab.envName | quote }}
           livenessProbe:
 {{- if eq $.Values.livenessProbe.probeType "httpGet" }}
             httpGet:
@@ -72,7 +83,7 @@ items:
               scheme: {{ $.Values.readinessProbe.scheme }}
               port: {{ $.Values.service.internalPort }}
 {{- else if eq $.Values.readinessProbe.probeType "tcpSocket" }}
-          tcpSocket:
+            tcpSocket:
               port: {{ $.Values.service.internalPort }}
 {{- end }}
             initialDelaySeconds: {{ $.Values.readinessProbe.initialDelaySeconds }}
@@ -87,6 +98,6 @@ items:
                 {{- end }}
           {{- end }}
           resources:
-  {{ toYaml $.Values.resources | indent 14 }}
+{{ toYaml $.Values.resources | indent 12 }}
 {{- end -}}
 {{- end -}}

chart/test/go.mod

+module gitlab.com/gitlab-org/charts/auto-deploy-app/test
+
+go 1.13
+
+require (
+	github.com/gruntwork-io/terratest v0.23.0
+	github.com/stretchr/testify v1.4.0
+	k8s.io/api v0.0.0-20181110191121-a33c8200050f
+	k8s.io/apimachinery v0.0.0-20190704094520-6f131bee5e2c
+)

chart/test/testdata/custom-policy.yaml

+networkPolicy:
+  enabled: true
+  spec:
+    podSelector:
+      matchLabels:
+        foo: bar
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels: {}
+      - namespaceSelector:
+          matchLabels:
+            name: foo

chart/test/testdata/full-spec-policy.yaml

+networkPolicy:
+  enabled: true
+  spec:
+    podSelector:
+      matchLabels: {}
+    policyTypes:
+    - Ingress
+    - Egress
+    ingress:
+    - from:
+      - podSelector:
+          matchLabels: {}
+    egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            name: gitlab-managed-apps