clofour · clofour · Apr 12, 2026 · Apr 12, 2026 · Apr 12, 2026 · Apr 12, 2026
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
@@ -0,0 +1,27 @@
+name: terraform-validate
+on:
+  push:
+    branches:
+      - main
+      - dev
-on:
-  push:
-    branches:
-      - main
-      - dev
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+    branches:
+      - main
+      - dev
-on:
-  push:
-    branches:
-      - main
-      - dev
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+    branches:
+      - main
+      - dev
+jobs:
+  validate:
+    name: Terraform Validate
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        working-directory: ./terraform
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
+        with:
+          terraform_version: "1.14.7"
+
+      - name: Initialize Terraform project
+        run: terraform init -backend=false
+
+      - name: Run Terraform Validate
+        run: terraform validate
diff --git a/Makefile b/Makefile
diff --git a/helm/gitlab/values.yaml b/helm/gitlab/values.yaml
@@ -0,0 +1,63 @@
+global:
+  edition: ce
+
+  hosts:
+    domain: ${domain}
+    https: true
+    gitlab:
+      name: ${gitlab_host}.${domain}
+    registry:
+      name: ${registry_host}.${domain}
+
+  psql:
+    host: ${postgres_host}
+    port: ${postgres_port}
+    database: ${postgres_database}
+    username: ${postgres_username}
+    password:
+      secret: gitlab-postgres-secret
+      key: password
+
+  redis:
+    host: ${redis_host}
+    port: ${redis_port}
+    auth:
+      enabled: true
+      secret: gitlab-redis-secret
+      key: password
+
+  appConfig:
+    object_store:
+      enabled: true
+      proxy_download: true
+      connection:
+        secret: gitlab-s3-main-secret
+        key: connection
+
+    artifacts:
+      bucket: ${buckets["artifacts"]}
+      connection: {}
+    uploads:
+      bucket: ${buckets["uploads"]}
+      connection: {}
+    packages:
+      bucket: ${buckets["packages"]}
+      connection: {}
+    lfs:
+      bucket: ${buckets["lfs"]}
+      connection: {}
+    backups:
+      bucket: ${buckets["backups"]}
+      tmpBucket: ${buckets["backups"]}
+
+  time_zone: UTC
+
+
+postgresql:
+  install: false
+
+redis:
+  install: false
+
+minio:
+  install: false
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/cluster.tf b/terraform/cluster.tf
@@ -0,0 +1,20 @@
+data "digitalocean_kubernetes_versions" "current" {
+    version_prefix = var.k8s_version
+}
+
+resource "digitalocean_kubernetes_cluster" "main" {
+    name = var.cluster_name
+    region = var.region
+    version = data.digitalocean_kubernetes_versions.current.latest_version
+    vpc_uuid = digitalocean_vpc.main.id
+
+    auto_upgrade = false
+    surge_upgrade = true
+
+    node_pool {
+      name = "default"
+      size = var.node_size
+      node_count = var.node_count
+      labels = { role = "general" }
+    }
+}
diff --git a/terraform/dependencies.tf b/terraform/dependencies.tf
@@ -6,6 +6,14 @@ terraform {
         source = "digitalocean/digitalocean"
         version = "~> 2.81.0"
       }
+      kubernetes = {
+        source = "hashicorp/kubernetes"
+        version = "~> 3.0.1"
+      }
+      helm = {
+        source = "hashicorp/helm"
+        version = "~> 3.1.1"
+      }
       random = {
         source = "hashicorp/random"
         version = "~> 3.8.1"

diff --git a/terraform/helm.tf b/terraform/helm.tf
@@ -0,0 +1,29 @@
+resource "helm_release" "gitlab" {
+    name = "gitlab"
+    namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    repository = "https://charts.gitlab.io/"
+    chart = "gitlab"
+    version = "9.10.3"
+
+    values = [
+        templatefile("${path.module}/../helm/gitlab/values.yaml", {
+            domain = var.domain_name
+            gitlab_host = var.gitlab_host
+            registry_host = var.registry_host
+            postgres_host = digitalocean_database_cluster.postgres.private_host
+            postgres_port = digitalocean_database_cluster.postgres.port
+            postgres_database = digitalocean_database_db.gitlab.name
+            postgres_username = digitalocean_database_user.gitlab.name
+            redis_host = digitalocean_database_cluster.valkey.private_host
+            redis_port = digitalocean_database_cluster.valkey.port
+            buckets = {for key, bucket in digitalocean_spaces_bucket.gitlab : key => bucket.name}
+        })
+    ]
+
+    depends_on = [
+        kubernetes_secret_v1.gitlab_postgres,
+        kubernetes_secret_v1.gitlab_redis,
+        kubernetes_secret_v1.gitlab_s3_main,
+        digitalocean_database_db.gitlab
+    ]
+}
diff --git a/terraform/kubernetes.tf b/terraform/kubernetes.tf
@@ -1,20 +1,92 @@
-data "digitalocean_kubernetes_versions" "current" {
-    version_prefix = var.k8s_version
+resource "kubernetes_namespace_v1" "gitlab" {
+    metadata {
+      name = "gitlab"
+    }
+
+    depends_on = [ digitalocean_kubernetes_cluster.main ]
+}
+
+resource "kubernetes_secret_v1" "gitlab_postgres" {
+    metadata {
+        name = "gitlab-postgres-secret"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
+
+    data = {
+        password = digitalocean_database_user.gitlab.password
+    }
+
+    type = "Opaque"
 }
 
-resource "digitalocean_kubernetes_cluster" "main" {
-    name = var.cluster_name
-    region = var.region
-    version = data.digitalocean_kubernetes_versions.current.latest_version
-    vpc_uuid = digitalocean_vpc.main.id
+resource "kubernetes_secret_v1" "gitlab_redis" {
+    metadata {
+        name = "gitlab-redis-secret"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
+
+    data = {
+        password = digitalocean_database_cluster.valkey.password
+    }
 
-    auto_upgrade = false
-    surge_upgrade = true
+    type = "Opaque"
+}
+
+resource "kubernetes_secret_v1" "gitlab_s3_main" {
+    metadata {
+        name = "gitlab-s3-main-secret"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
 
-    node_pool {
-      name = "default"
-      size = var.node_size
-      node_count = var.node_count
-      labels = { role = "general" }
+    data = {
+        connection = yamlencode({
+            provider = "AWS"
+            region = var.region
+            endpoint = "https://${var.region}.digitaloceanspaces.com"
+            aws_access_key_id = var.spaces_access_id
+            aws_secret_access_key = var.spaces_secret_key
+            path_style = true
+        })
     }
+
+    type = "Opaque"
+}
+
+resource "kubernetes_secret_v1" "gitlab_s3_registry" {
+    metadata {
+        name = "gitlab-s3-registry-secret"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
+
+    data = {
+        connection = yamlencode({
+           accesskey = var.spaces_access_id
+           secretkey = var.spaces_secret_key
+           region = var.region
+           regionendpoint = "https://${var.region}.digitaloceanspaces.com"
+           bucket = digitalocean_spaces_bucket.gitlab["registry"].name
+        })
+    }
+
+    type = "Opaque"
+}
+
+resource "kubernetes_secret_v1" "gitlab_s3_backup" {
+    metadata {
+        name = "gitlab-s3-backup-secret"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
+
+    data = {
+        connection = yamlencode({
+            provider = "AWS"
+            region = var.region
+            endpoint = "https://${var.region}.digitaloceanspaces.com"
+            aws_access_key_id = var.spaces_access_id
+            aws_secret_access_key = var.spaces_secret_key
+            path_style = true
+        })
+    }
+
+    type = "Opaque"
 }
diff --git a/terraform/postgres.tf b/terraform/postgres.tf
@@ -10,7 +10,7 @@ resource "digitalocean_database_cluster" "postgres" {
 
 resource "digitalocean_database_db" "gitlab" {
     cluster_id = digitalocean_database_cluster.postgres.id
-    name = "gitlab_production"
+    name = "gitlab"
 }
 
 resource "digitalocean_database_user" "gitlab" {

diff --git a/terraform/providers.tf b/terraform/providers.tf
@@ -2,4 +2,22 @@ provider "digitalocean" {
     token = var.do_token
     spaces_access_id = var.spaces_access_id
     spaces_secret_key = var.spaces_secret_key
+}
+
+provider "kubernetes" {
+    host = digitalocean_kubernetes_cluster.main.endpoint
+    token = digitalocean_kubernetes_cluster.main.kube_config[0].token
+    cluster_ca_certificate = base64decode(
+        digitalocean_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate
+    )
+}
+
+provider "helm" {
+    kubernetes = {
+        host = digitalocean_kubernetes_cluster.main.endpoint
+        token = digitalocean_kubernetes_cluster.main.kube_config[0].token
+        cluster_ca_certificate = base64decode(
+            digitalocean_kubernetes_cluster.main.kube_config[0].cluster_ca_certificate
+        )
+    }
 }