apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: gitlab-gitaly
  namespace: public-service
  labels:
    app: gitlab
    component: gitaly
spec:
  serviceName: gitlab-gitaly
  replicas:  1
  podManagementPolicy: Parallel
  selector:
    matchLabels:
      app: gitlab
      component: gitaly
  template:
    metadata:
      labels:
        app: gitlab
        component: gitaly
    spec:
      terminationGracePeriodSeconds: 30
      initContainers:
        - name: configure
          image: busybox:latest
          imagePullPolicy: IfNotPresent
          command: ['sh', '/config/configure']
          resources:
            requests:
              cpu: 50m
          volumeMounts:
          - name: gitaly-config
            mountPath: /config
            readOnly: true
          - name: init-gitaly-secrets
            mountPath: /init-config
            readOnly: true
          - name: gitaly-secrets
            mountPath: /init-secrets
            readOnly: false
      containers:
        - name: gitaly
          image: registry.gitlab.com/gitlab-org/build/cng/gitaly:v13.4.3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8075
            - containerPort: 9236
          env:
            - name: CONFIG_TEMPLATE_DIRECTORY
              value: '/etc/gitaly/templates'
            - name: CONFIG_DIRECTORY
              value: '/etc/gitaly'
            - name: GITALY_CONFIG_FILE
              value: '/etc/gitaly/config.toml'
            - name: SSL_CERT_DIR
              value: '/etc/ssl/certs'
            - name: GITALY_PROMETHEUS_LISTEN_ADDR
              value: ':9236'
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
          livenessProbe:
            exec:
              command:
              - /scripts/healthcheck
            initialDelaySeconds: 30
            timeoutSeconds: 3
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
              - /scripts/healthcheck
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
          volumeMounts:
            - name: etc-ssl-certs
              mountPath: /etc/ssl/certs/
              readOnly: true
            - name: gitaly-config
              mountPath: '/etc/gitaly/templates'
            - name: gitaly-secrets
              mountPath: '/etc/gitlab-secrets'
              readOnly: true
            - name: repo-data
              mountPath: '/home/git/repositories'
      securityContext:
        runAsUser: 0
        fsGroup: 0      
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels:
                  app: gitlab
                  component: gitaly
      volumes:
      - name: gitaly-config
        configMap:
          name: gitlab-gitaly
      - name: gitaly-secrets
        emptyDir:
          medium: "Memory"
      - name: init-gitaly-secrets
        projected:
          defaultMode: 0440
          sources:
          - secret:
              name: "gitlab-gitaly-secret"
              items:
                - key: "token"
                  path: "gitaly_token"
          - secret:
              name: "gitlab-shell-secret"
              items:
                - key: "secret"
                  path: ".gitlab_shell_secret"
      - name: etc-ssl-certs
        emptyDir:
          medium: "Memory"
  volumeClaimTemplates:
    - metadata:
        name: repo-data
        labels:
          app: gitlab
          component: gitaly
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "50Gi"
        selector:
          matchLabels:
            app: gitlab
            component: gitaly