diff --git a/.gitignore b/.gitignore index 9a623c6..cc43eb1 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,6 @@ data/gitlab-test/gitlab data/gitlab-test/postgresql data/gitlab-test/redis +data/gitlab-test/gitlab-runner_* Addons/ diff --git a/docker-compose.yml b/docker-compose.yml index 41fd6ba..3ad3433 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -172,47 +172,66 @@ services: volumes: - ${SERVICE_DATA}/${SERVICE_NAME}/redis:/var/lib/redis:Z - # runner_1: &runner - # image: ${DOCKER_IMAGE_RUNNER} - # container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_1 - # restart: always - # depends_on: - # - gitlab - # command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner - # environment: - # - CI_SERVER_URL=https://${GITLAB_HOST} - # - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP} - # - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER} - # - RUNNER_TOKEN=${RUNNER_TOKEN} - # - RUNNER_DESCRIPTION=gitab-runner_1 - # - RUNNER_EXECUTOR=docker - # - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest - # networks: - # - ${SERVICE_NETWORK} - # volumes: - # - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_1:/etc/gitlab-runner - # - /var/run/docker.sock:/var/run/docker.sock + runner_1: &runner + image: ${DOCKER_IMAGE_RUNNER} + container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_1 + restart: always + depends_on: + - gitlab + command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner + environment: + - CI_SERVER_URL=https://${GITLAB_HOST} + - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP} + - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER} + - RUNNER_TOKEN=${RUNNER_TOKEN} + - RUNNER_DESCRIPTION=gitab-runner_1 + - RUNNER_EXECUTOR=docker + - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest + networks: + - ${SERVICE_NETWORK} + volumes: + - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_1:/etc/gitlab-runner + - /var/run/docker.sock:/var/run/docker.sock - # runner_2: - # <<: *runner - # container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_2 - # environment: - # - RUNNER_DESCRIPTION=gitab-runner_2 - # volumes: - # - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_2:/etc/gitlab-runner + runner_2: + <<: *runner + container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_2 + command: --debug run --user=gitlab-runner --working-directory=/home/gitlab-runner + environment: + - 
CI_SERVER_URL=https://${GITLAB_HOST} + - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP} + - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER} + - RUNNER_TOKEN=${RUNNER_TOKEN} + - RUNNER_DESCRIPTION=gitab-runner_2 + - RUNNER_EXECUTOR=docker + - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest + volumes: + - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_2:/etc/gitlab-runner - # runner_3: - # <<: *runner - # container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_3 - # environment: - # - RUNNER_DESCRIPTION=gitab-runner_3 - # volumes: - # - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_3:/etc/gitlab-runner + runner_3: + <<: *runner + container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_3 + environment: + - CI_SERVER_URL=https://${GITLAB_HOST} + - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP} + - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER} + - RUNNER_TOKEN=${RUNNER_TOKEN} + - RUNNER_DESCRIPTION=gitab-runner_3 + - RUNNER_EXECUTOR=docker + - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest + volumes: + - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_3:/etc/gitlab-runner - # runner_4: - # <<: *runner - # container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_4 - # environment: - # - RUNNER_DESCRIPTION=gitab-runner_4 - # volumes: - # - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_4:/etc/gitlab-runner + runner_4: + <<: *runner + container_name: ${SERVICE_NAME}_${CONTAINER_NAME_RUNNER}_4 + environment: + - CI_SERVER_URL=https://${GITLAB_HOST} + - CI_SERVER_LOCAL_IP=${CI_SERVER_LOCAL_IP} + - CI_SERVER_WITH_RUNNER=${CI_SERVER_WITH_RUNNER} + - RUNNER_TOKEN=${RUNNER_TOKEN} + - RUNNER_DESCRIPTION=gitab-runner_4 + - RUNNER_EXECUTOR=docker + - DOCKER_IMAGE=gitlab/gitlab-runner-helper:x86_64-latest + volumes: + - ${SERVICE_DATA}/${SERVICE_NAME}/gitlab-runner_4:/etc/gitlab-runner diff --git a/k8s/gitlab-runner/.gitlab-ci.yml b/k8s/gitlab-runner/.gitlab-ci.yml new file mode 100644 index 0000000..7582c7a --- /dev/null +++ b/k8s/gitlab-runner/.gitlab-ci.yml 
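Review bot: The `command: --debug run ...` line in the `&runner` anchor (and its copy under `runner_2`) enables gitlab-runner debug logging on services that are `restart: always`; debug output is verbose and, as far as I can tell, includes request and configuration details, so the value passed in `RUNNER_TOKEN` may end up in `docker logs` — drop the flag once the setup is stable: `command: run --user=gitlab-runner --working-directory=/home/gitlab-runner`. Every runner also mounts `/var/run/docker.sock`, which the docker executor needs but which gives each runner container, and every CI job it schedules, control of the host Docker daemon; a one-line comment above that volume stating the trade-off would help the next reader. Minor: `RUNNER_DESCRIPTION=gitab-runner_N` misspells gitlab on all four services, and only `runner_2` repeats the `command:` that `<<: *runner` already supplies (the `environment:` and `volumes:` lists are replaced rather than merged by `<<:`, which is why each service has to restate all seven variables).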
@@ -0,0 +1,177 @@ +############## +# Conditions # +############## + +.if-merge-request-pipeline: &if-merge-request-pipeline + if: $CI_PIPELINE_SOURCE == "merge_request_event" + +.if-default-branch: &if-default-branch + if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + +.if-stable-release-branch: &if-stable-release-branch + if: $CI_COMMIT_REF_NAME =~ /\A[0-9]+-[0-9]+-stable\z/ + +.if-release-tag: &if-release-tag + if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/charts/gitlab-runner"' + +.if-security-release-tag: &if-security-release-tag + if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/security/charts/gitlab-runner"' + +######### +# Rules # +######### + +.rules:default: + rules: + - <<: *if-merge-request-pipeline + - <<: *if-default-branch + - <<: *if-stable-release-branch + - <<: *if-release-tag + - <<: *if-security-release-tag + +.rules:release:development: + rules: + - <<: *if-default-branch + when: never + - <<: *if-merge-request-pipeline + when: manual + +.rules:release:beta: + rules: + - <<: *if-default-branch + +.rules:release:stable: + rules: + - <<: *if-release-tag + - <<: *if-security-release-tag + +############ +# Pipeline # +############ + +default: + image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base-helm-3.7 + tags: + - gitlab-org + +variables: + GIT_CLONE_PATH: $CI_BUILDS_DIR/gitlab-runner + +stages: +- test +- release +- post-release + +lint: + extends: + - .rules:default + stage: test + script: + - helm lint . 
+ +integration test: + extends: + - .rules:default + variables: + DOCKER_HOST: "tcp://kubernetes:2375/" + DOCKER_TLS_CERTDIR: "" + DOCKER_DRIVER: overlay2 + INTEGRATION_RUNNER_NAME: integration-test-$CI_COMMIT_SHORT_SHA + INTEGRATION_HELM_POD_RELEASE_LABEL: release=$INTEGRATION_RUNNER_NAME + stage: test + services: + - name: docker:20.10.16-dind + alias: kubernetes + image: docker:20.10.16-git + script: + # Initialize KIND cluster + - apk add --no-cache openssl curl bash + - curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.20.4/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl + - curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64 && chmod +x /usr/local/bin/kind + - kind create cluster --config=$(pwd)/scripts/kind-config.yaml + - kind get kubeconfig|sed -e 's/0.0.0.0/kubernetes/g' > kubeconfig.yaml + - export KUBECONFIG=$(pwd)/kubeconfig.yaml + - kubectl version + - kubectl cluster-info + - bash -c "for _i in {0..60}; do kubectl -n default get serviceaccount default -o name > /dev/null 2>&1 && break; sleep 1; done" + - bash -c "for _i in {0..60}; do kubectl get nodes|grep -w Ready > /dev/null 2>&1 && break; sleep 1; done" + # Install helm latest version instead of pre-installed one in registry.gitlab.com/gitlab-org/gitlab-build-images image + - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash + # Run tests + - bash -x scripts/integration.sh + after_script: + - export KUBECONFIG=$(pwd)/kubeconfig.yaml + - bash -x scripts/integration_cleanup.sh + tags: + - gitlab-org-docker + +release development: + extends: + - .rules:release:development + stage: release + script: + - helm package . 
+ artifacts: + paths: + - gitlab-runner*.tgz + expire_in: 7d + allow_failure: true + +release beta: + extends: + - .rules:release:beta + stage: release + variables: + S3_URL: s3://${S3_BUCKET}${S3_PATH} + REPO_URL: https://${S3_BUCKET}.s3.amazonaws.com${S3_PATH} + script: + - apk add --no-cache py-pip + - pip install awscli + - 'beta_info=$(git describe --long | sed -r "s/v[0-9\.]+(-rc[0-9]+)?-//")' + - 'build_time=$(date +%s)' + - 'sed -r "s/(version: [0-9\.]+-beta)/\1-${build_time}-${beta_info}/" -i Chart.yaml' + - 'sed -r "s/appVersion: .*/appVersion: bleeding/" -i Chart.yaml' + - 'sed -r "s/imagePullPolicy: IfNotPresent/imagePullPolicy: Always/" -i values.yaml' + - mkdir -p public/ + - aws s3 cp ${S3_URL}/index.yaml public/index.yaml || true + - (cd public; helm package ../) + - helm repo index public --merge public/index.yaml --url ${REPO_URL} + - aws s3 sync public ${S3_URL} --acl public-read + - 'echo "To install repository run: helm repo add gitlab-runner-beta ${REPO_URL} && helm repo update"' + +release stable: + extends: + - .rules:release:stable + stage: release + image: alpine:3.14 + script: + - apk add --no-cache curl + - curl --fail-with-body + --request POST + --form "token=$CI_JOB_TOKEN" + --form ref=master + --form "variables[CHART_NAME]=$CI_PROJECT_NAME" + --form "variables[RELEASE_REF]=$CI_COMMIT_REF_NAME" + https://gitlab.com/api/v4/projects/2860651/trigger/pipeline + +trigger charts update: + extends: + - .rules:release:stable + stage: post-release + image: alpine:3.14 + script: + - apk add --no-cache curl + - curl --fail-with-body + --request POST + --form "token=${GITLAB_CHARTS_TRIGGER_TOKEN}" + --form ref=master + --form "variables[DEPS_PIPELINE]=true" + https://gitlab.com/api/v4/projects/3828396/trigger/pipeline + needs: + - job: release stable + +############## +# Includes # +############## +include: + - template: Security/Dependency-Scanning.gitlab-ci.yml 
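Review bot: The `integration test` script installs its toolchain without any integrity check: kubectl and kind are fetched with bare `curl -Lo` from pinned URLs but never checksummed, and `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash` executes whatever is on the `main` branch at run time, so a changed or compromised upstream runs arbitrary code in a job that also holds `$CI_JOB_TOKEN`. Pin each download to a release and verify it before use, e.g. `- echo "<KUBECTL_SHA256>  /usr/local/bin/kubectl" | sha256sum -c -` after the kubectl line, and fetch a tagged get-helm-3 (or a helm release tarball) the same way; the `Makefile` in this commit has the same pattern with `GITLAB_CHANGELOG_VERSION ?= master` and an unverified `curl -sL` download. This file also appears to be the upstream chart's own pipeline copied under `k8s/gitlab-runner/`: the release rules only fire when `$CI_PROJECT_URL` equals a gitlab-org URL and the release jobs POST to trigger endpoints of projects `2860651` and `3828396`, so in this repository those jobs would never run or, if the rule were relaxed, would send this project's job token to a foreign trigger — worth either trimming the file to `lint`/`integration test` or documenting why it is kept verbatim.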
diff --git a/k8s/gitlab-runner/.gitlab/changelog.yml b/k8s/gitlab-runner/.gitlab/changelog.yml new file mode 100644 index 0000000..5c36841 --- /dev/null +++ b/k8s/gitlab-runner/.gitlab/changelog.yml @@ -0,0 +1,53 @@ +default_scope: other +names: + new-feature: New features + security-fix: Security fixes + fix: Bug fixes + maintenance: Maintenance + runner-distribution: GitLab Runner distribution + documentation: Documentation changes + other: Other changes +order: +- new-feature +- security-fix +- fix +- maintenance +- runner-distribution +- documentation +- other +label_matchers: +- labels: + - runner-distribution + scope: runner-distribution +- labels: + - feature::addition + scope: new-feature +- labels: + - security + scope: security-fix +- labels: + - type::bug + scope: fix +- labels: + - type::maintenance + scope: maintenance +- labels: + - feature::enhancement + scope: feature +- labels: + - maintenance::refactor + scope: maintenance +- labels: + - maintenance::pipelines + scope: maintenance +- labels: + - maintenance::workflow + scope: maintenance +- labels: + - documentation + scope: documentation +authorship_labels: +- Community contribution +skip_changelog_labels: +- skip-changelog + diff --git a/k8s/gitlab-runner/.helmignore b/k8s/gitlab-runner/.helmignore new file mode 100644 index 0000000..73d4b16 --- /dev/null +++ b/k8s/gitlab-runner/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +gitlab-runner*.tgz +scripts/ diff --git a/k8s/gitlab-runner/CHANGELOG.md b/k8s/gitlab-runner/CHANGELOG.md new file mode 100644 index 0000000..b6dd64a --- /dev/null +++ b/k8s/gitlab-runner/CHANGELOG.md 
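Review bot: The `feature::enhancement` matcher maps to `scope: feature`, but `feature` is declared neither under `names` nor in `order`, unlike every other scope used in `label_matchers`; depending on how the generator treats unknown scopes, enhancement MRs will be dropped or listed under an unlabeled heading. Change it to `scope: new-feature`, or add a `feature: Enhancements` entry to both `names` and `order`.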
@@ -0,0 +1,518 @@ +## v0.44.0 (2022-08-19) + +### New features + +- Update GitLab Runner version to 15.3.0 +- Add secrets update permission to RBAC example provided !349 (Tim Hobbs @hobti01) + +### Maintenance + +- Fix the pipeline being blocked by development release !357 + +### Documentation changes + +- Docs: Update values.yaml comments to reference kubernetes service accounts docs !310 + +## v0.43.0 (2022-07-20) + +### New features + +- Update GitLab Runner version to 15.2.0 + +### Documentation changes + +- Fix some dead links !356 (Ben Bodenmiller @bbodenmiller) + +## v0.42.0 (2022-06-20) + +### New features + +- Update GitLab Runner version to 15.1.0 +- Add priority classname !350 +- Update namespaces to be consistent across manifests !343 (blacktide @blacktide) +- Add freely configurable securityContext to deployment !354 +- Add possibility to overwrite default image registry !351 (Patrik Votoček @vrtak-cz) +- Make session server service annotations configurable !336 (Matthias Baur @m.baur) + +### Maintenance + +- Add volume and volumeMount support to runner deployment !348 +- ci: Update Helm from 3.4.1 to 3.7.2 !347 (Takuya Noguchi @tnir) +- Update Docker to 20.10 on integration test !346 (Takuya Noguchi @tnir) +- Update default registry to GitLab Runner registry !345 +- Update casing of GitLab in values YAML file !344 (Ben Bodenmiller @bbodenmiller) +- Remove unneeded rbac role !335 (Matthias Baur @m.baur) + +## v0.41.0 (2022-05-19) + +### New features + +- Update GitLab Runner version to 15.0.0 +- Add the ability to unregister only one runner !329 (LAKostis @LAKostis) +- Remove init container and instead project secrets !312 +- Don't repeat chart name if release name starts with the chart name !232 (Ahmadali Shafiee @ahmadalli) + +### Maintenance + +- Use Helm 3 instead of 2.16.9 on lint/release jobs !342 (Takuya Noguchi @tnir) + +## v0.40.0 (2022-04-20) + +### New features + +- Update GitLab Runner version to 14.10.0 +- Add the possibility to configure 
maximum timeout that will be set for jobs when using the runner !341 (Adrien Gooris @adrien.gooris) + +### Maintenance + +- Add a post-release CI job to trigger a deps pipeline in Charts repo !339 +- Add helm install integration test !326 +- Make loadBalancerSourceRanges of Session Server configurable !334 (Matthias Baur @m.baur) + +## v0.39.0 (2022-03-21) + +### New Features + +- Update GitLab Runner version to 14.9.0 + +### Bug fixes + +- Disable metrics endpoint by default !337 + +### Maintenance + +- Update labels according to latest taxonomy !338 + +## v0.38.1 (2022-03-02) + +### New Features + +- Update GitLab Runner version to 14.8.2 + +## v0.38.0 (2022-02-21) + +### Maintenance + +- Fix urls with runners configuration information !314 (Dmitriy Stoyanov @DmitriyStoyanov) +- k8s rbac: add more resources in comment. !307 (Chen Yufei @cyfdecyf) +- Add dependency scanning to Runner Helm Chart project !331 + +## v0.37.2 (2022-01-24) + +### Bug fixes + +- Fix appVersion to 14.7.0 + +## v0.37.1 (2022-01-20) + +### Bug fixes + +- Set sessionServer to false by default !332 + +## v0.37.0 (2022-01-19) + +### New Features + +- Update GitLab Runner version to 14.7.0 +- Add support for interactive web terminal !320 + +## v0.36.0 (2021-12-18) + +### New features + +- Update GitLab Runner version to 14.6.0 + +### Bug fixes + +- Fix prometheus annotation unquoted value !323 + +### GitLab Runner distribution + +- Fix the security release rule in .gitlab-ci.yml !324 +- Fail the stable release job on curl failures !322 + +## v0.35.3 (2021-12-13) + +### Maintenance + +- Fix prometheus annotation unquoted value !323 + +## v0.35.2 (2021-12-10) + +### Security + +- Update GitLab Runner version to 14.5.2 + +## v0.35.1 (2021-12-01) + +### Security + +- Update GitLab Runner version to 14.5.1 + +## v0.35.0 (2021-11-21) + +### New features + +- Update GitLab Runner version to 14.5.0 + +### Maintenance + +- Don't run pipelines only for MRs !318 +- Update changelog generator configuration 
!317 +- Adds configurable value probeTimeoutSeconds !306 (Kyle Wetzler @kwetzler1) + +## v0.34.0-rc1 (2021-10-11) + +### New features + +- Update GitLab Runner version to 14.4.0-rc1 + +### Maintenance + +- Disallow setting both replicas and runnerToken !289 + +## v0.33.0 (2021-09-29) + +### New features + +- Update GitLab Runner version to 14.3.0 + +### Maintenance + +- Update container entrypoint to use `dumb-init` to avoid zombie processes !311 (Georg Lauterbach @georglauterbach) + +## v0.32.0 (2021-08-22) + +### New features + +- Update GitLab Runner version to 14.2.0 +- Add support for revisionHistoryLimit !299 (Romain Grenet @romain.grenet1) + +## v0.31.0 (2021-07-20) + +### New features + +- Update GitLab Runner version to 14.1.0 + +### Bug fixes + +- Only add environment variables if values set !295 (Matthew Warman @mcwarman) + +## v0.30.0 (2021-06-19) + +### New features + +- Update GitLab Runner version to 14.0.0 + +### Bug fixes + +- Resolve runner ignores request_concurrency !296 + +### Maintenance + +- refactor: change default brach references to main !298 +- Add support for specifying schedulerName on deployment podspec. 
!284 (Dominic Bevacqua @dbevacqua) + +## v0.29.0 (2021-05-20) + +### New features + +- Update GitLab Runner version to 13.12.0 + +## v0.28.0 (2021-04-20) + +### New features + +- Update GitLab Runner version to 13.11.0 + +### Maintenance + +- Pass runners.config through the template engine !290 (Dmitriy @Nevoff89) +- Add role support of individual verbs list for different resources !280 (Horatiu Eugen Vlad @hvlad) +- Use runner namespace for role and role binding if it is specified !256 (Alex Sears @searsaw) +- Add optional configuration values for pod security context `runAsUser` and `supplementalGroups` !242 (Horatiu Eugen Vlad @hvlad) + +### Documentation changes + +- docs: add notice that we run tpl on runner config !291 +- Add comment on imagePullPolicy !288 + +## v0.27.0 (2021-03-21) + +### New features + +- Update GitLab Runner version to 13.10.0 +- Allow setting deployment replicas !286 +- Add support for specify ConfigMaps for gitlab-runner deployment !285 +- Allow to mount arbitrary Kubernetes secrets !283 + +## v0.26.0 (2021-02-22) + +### New features + +- Update GitLab Runner version to 13.9.0 +- Make executor configurable !273 (Matthias Baur @m.baur) + +### Other changes + +- Typo fix !282 (Ben Bodenmiller @bbodenmiller) + +## v0.25.0 (2021-01-20) + +### New features + +- Support secrets for Azure cache !277 +- Update GitLab Runner version to 13.8.0 + +### Maintenance + +- Fix release CI stage failing due to Helm stable deprecation !278 +- Update GitLab Changelog configuration !275 + +### Documentation changes + +- Update link to doc in README.md !276 + +## v0.24.0 (2020-12-21) + +### New features + +- Update GitLab Runner version to 13.7.0 +- add optional 'imagePullSecrets' to deployment !269 (Christian Schoofs @schoofsc) + +### Other changes + +- Make description configruable !229 (Matthias Baur @m.baur) + +## v0.23.0 (2020-11-21) + +### New features + +- Update GitLab Runner version to 13.6.0 +- Allow user to specify any runner configuraton !271 + 
+## v0.22.0 (2020-10-20) + +### New features + +- Update GitLab Runner version to 13.5.0 +- Add pull secrets to service account for runner image !241 (Horatiu Eugen Vlad @hvlad) + +### Maintenance + +- Set allowPrivilegeEscalation to false for gitlab-runner pod !243 (Horatiu Eugen Vlad @hvlad) + +### Documentation changes + +- Add comment on ubuntu image & securityContext !260 + +## v0.21.0 (2020-09-21) + +### Maintenance + +- Update GitLab Runner version to 13.4.0 +- Fix changelog generator config to catch all maintenance related labels !255 + +### Other changes + +- Add scripts/security-harness script !258 + +## v0.20.0 (2020-08-20) + +### New features + +- Update GitLab Runner version to 13.3.0 +- Enable custom commands !250 + +### Maintenance + +- Add `release stable` job for security fork !252 +- Update changelog generator to accept new labels !249 + +## v0.19.0 (2020-07-20) + +### New features + +- Allow user to define PodSecurityPolicy !184 (Paweł Kalemba @pkalemba) +- Update GitLab Runner version to 13.2.0 + +### Documentation changes + +- Fix external links within values.yaml !248 (Alexandre Jardin @alexandre.jardin) + +## v0.18.0 (2020-06-19) + +### Maintenance + +- Update GitLab Runner version to 13.1.0 + +### Other changes + +- Fix unregister when using token secret !231 (Bernd @arabus) +- Support specifying pod security context. 
!219 (Chen Yufei @cyfdecyf) + +## v0.17.1 (2020-06-01) + +### Maintenance + +- Update GitLab Runner version to 13.0.1 + +## v0.17.0 (2020-05-20) + +### New features + +- Expose settings for kubernetes resource limits and requests overwrites !220 (Alexander Petermann @lexxxel) +- Add support for setting Node Tolerations !188 (Zeyu Ye @Shuliyey) + +### Maintenance + +- Update GitLab Runner version to 13.0.0 +- Update package name in note !234 +- Pin CI jobs to gitlab-org runners !222 + +## v0.16.0 (2020-04-22) + +### New features + +- Add Service Account annotation support !211 (David Rosson @davidrosson) + +### Bug fixes + +- Support correct spelling of GCS secret !214 (Arthur Wiebe @arthur65) + +### Maintenance + +- Remove dependency of `gitlab-runner-builder` runner !221 +- Fix linting for forks with a different name than "gitlab-runner" !218 +- Install gitlab-changelog installation !217 + +### Other changes + +- Update GitLab Runner version to 12.10.1 +- Change listen address to not force IPv6 !213 (Fábio Matavelli @fabiomatavelli) + +## v0.15.0 (2020-03-20) + +### Maintenance + +- Update GitLab Runner version to 12.9.0 +- Update changelog generator configuration !212 +- Replace changelog entries generation script !209 + +### Other changes + +- Fix values.yaml typo !210 (Brian Choy @bycEEE) + +## v0.14.0 (2020-02-22) + +- Update GitLab Runner version to 12.8.0 + +## v0.13.0 (2020-01-20) + +- Add podLabels to the deployment !198 +- Mount custom-certs in configure init container !202 + +## v0.12.0 (2019-12-22) + +- Add `apiVersion: v1` to chart.yaml !195 +- Add documentation to protected Runners !193 +- Make securityContext configurable !199 +- Update GitLab Runner version to 12.6.0 + +## v0.11.0 (2019-11-20) + +- Variables for RUNNER_OUTPUT_LIMIT, and KUBERNETES_POLL_TIMEOUT !50 +- Add support for register protected Runners !185 + +## v0.10.1 (2019-10-28) + +- Update GitLab Runner to 12.4.1 + +## v0.10.0 (2019-10-21) + +- Updated GitLab Runner to 12.4.0 +- Use 
updated project path to release helm chart !172 +- Update resources API to stable verson !167 +- Add support for specifying log format !170 +- Use the cache.secret template to check if the secretName is set !166 +- Drop need for helm force update for now !181 +- Fix image version detection for old helm versions !173 + +## v0.9.0 (2019-09-20) + +- Use updated project path to release helm chart !172 +- Enabling horizontal pod auto-scaling based on custom metrics !127 +- Change base image used for CI jobs !156 +- Remove DJ as a listed chart maintainer !160 +- Release beta version on master using Bleeding Edge image !155 +- Update definition of 'release beta' CI jobs !164 +- Fix certs path in the comment in values file !148 +- Implement support for run-untagged option !140 +- Use new location for helm charts repo !162 +- Follow-up to adding run-untagged support !165 + +## v0.8.0 (2019-08-22) + +- Add suport for graceful stop !150 + +## v0.7.0 (2019-07-22) + +- Fix broken anchor link for gcs cache docs !135 +- Allow user to set rbac roles !112 +- Bump used Runner version to 12.1.0 !149 + +## v0.6.0 (2019-06-24) + +- Allow to manually build the package for development branches !120 +- When configuring cache: if no S3 secret assume IAM role !111 +- Allow to define request_concurrency value !121 +- Bump used Runner version to 12.0.0 !138 + +## v0.5.0 (2019-05-22) + +- Bump used Runner version to 11.11.0 !126 + +## v0.4.1 (2019-04-24) + +- Bump used Runner version to 11.10.1 !113 + +## v0.4.0 (2019-04-22) + +- Bump used Runner version to 11.10.0-rc2 !108 +- Fix a typo in values.yaml !101 +- Add pod labels for jobs !98 +- add hostAliases for pod assignment !89 +- Configurable deployment annotations !44 +- Add pod annotations for jobs !97 +- Bump used Runner version to 11.10.0-rc1 !107 + +## v0.3.0 (2019-03-22) + +- Change mount of secret with S3 distributed cache credentials !64 +- Add environment variables to runner !48 +- Replace S3_CACHE_INSECURE with CACHE_S3_INSECURE 
!90 +- Update values.yaml to remove invalid anchor in comments !85 +- Bump used Runner version to 11.9.0 !102 + +## v0.2.0 (2019-02-22) + +- Fix the error caused by unset 'locked' value !79 +- Create LICENSE file !76 +- Add CONTRIBUTING.md file !81 +- Add plain MIT text into LICENSE and add NOTICE !80 +- Fix incorrect custom secret documentation !71 +- Add affinity, nodeSelector and tolerations for pod assignment !56 +- Ignore scripts directory when buildin helm chart !83 +- Bump used Runner version to 11.8.0-rc1 !87 +- Fix year in Changelog - it's already 2019 !84 + +## v0.1.45 (2019-01-22) + +- Trigger release only for tagged versions !72 +- Fixes typos in values.yaml comments !60 +- Update chart to bring closer to helm standard template !43 +- Add nodeSelector config parameter for CI job pods !19 +- Prepare CHANGELOG management !75 +- Track app version in Chart.yaml !74 +- Fix the error caused by unset 'locked' value !79 +- Bump used Runner version to 11.7.0 !82 diff --git a/k8s/gitlab-runner/CONTRIBUTING.md b/k8s/gitlab-runner/CONTRIBUTING.md new file mode 100644 index 0000000..1e55f92 --- /dev/null +++ b/k8s/gitlab-runner/CONTRIBUTING.md @@ -0,0 +1,16 @@ +## Developer Certificate of Origin + License + +By contributing to GitLab B.V., You accept and agree to the following terms and +conditions for Your present and future Contributions submitted to GitLab B.V. +Except for the license granted herein to GitLab B.V. and recipients of software +distributed by GitLab B.V., You reserve all right, title, and interest in and to +Your Contributions. All Contributions are subject to the following DCO + License +terms. + +[DCO + License](https://gitlab.com/gitlab-org/dco/blob/master/README.md) + +All Documentation content that resides under the [docs/ directory](/docs) of this +repository is licensed under Creative Commons: +[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/). + +_This notice should stay as the first item in the CONTRIBUTING.md file._ 
diff --git a/k8s/gitlab-runner/Chart.yaml b/k8s/gitlab-runner/Chart.yaml new file mode 100644 index 0000000..aa14d65 --- /dev/null +++ b/k8s/gitlab-runner/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: 15.3.0 +description: GitLab Runner +icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png +keywords: +- git +- ci +- deploy +maintainers: +- email: support@gitlab.com + name: GitLab Inc. +name: gitlab-runner +sources: +- https://gitlab.com/gitlab-org/gitlab-runner +- https://docs.gitlab.com/runner/ +version: 0.44.0 diff --git a/k8s/gitlab-runner/LICENSE b/k8s/gitlab-runner/LICENSE new file mode 100644 index 0000000..df96b29 --- /dev/null +++ b/k8s/gitlab-runner/LICENSE @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2018-2019 GitLab B.V. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + diff --git a/k8s/gitlab-runner/Makefile b/k8s/gitlab-runner/Makefile new file mode 100644 index 0000000..d83671c --- /dev/null +++ b/k8s/gitlab-runner/Makefile 
@@ -0,0 +1,20 @@ +GITLAB_CHANGELOG_VERSION ?= master +GITLAB_CHANGELOG = .tmp/gitlab-changelog-$(GITLAB_CHANGELOG_VERSION) + +.PHONY: generate_changelog +generate_changelog: export CHANGELOG_RELEASE ?= dev +generate_changelog: $(GITLAB_CHANGELOG) + # Generating new changelog entries + @$(GITLAB_CHANGELOG) -project-id 6329679 \ + -release $(CHANGELOG_RELEASE) \ + -starting-point-matcher "v[0-9]*.[0-9]*.[0-9]*" \ + -config-file .gitlab/changelog.yml \ + -changelog-file CHANGELOG.md + +$(GITLAB_CHANGELOG): OS_TYPE ?= $(shell uname -s | tr '[:upper:]' '[:lower:]') +$(GITLAB_CHANGELOG): DOWNLOAD_URL = "https://storage.googleapis.com/gitlab-runner-tools/gitlab-changelog/$(GITLAB_CHANGELOG_VERSION)/gitlab-changelog-$(OS_TYPE)-amd64" +$(GITLAB_CHANGELOG): + # Installing $(DOWNLOAD_URL) as $(GITLAB_CHANGELOG) + @mkdir -p $(shell dirname $(GITLAB_CHANGELOG)) + @curl -sL "$(DOWNLOAD_URL)" -o "$(GITLAB_CHANGELOG)" + @chmod +x "$(GITLAB_CHANGELOG)" diff --git a/k8s/gitlab-runner/NOTICE b/k8s/gitlab-runner/NOTICE new file mode 100644 index 0000000..aa3eb4d --- /dev/null +++ b/k8s/gitlab-runner/NOTICE 
@@ -0,0 +1,30 @@ +With regard to the GitLab Software: + +The MIT License (MIT) + +Copyright (c) 2018-2019 GitLab B.V. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +--- + +For all third party components incorporated into the GitLab Software, those +components are licensed under the original license provided by the owner of the +applicable component. + diff --git a/k8s/gitlab-runner/README.md b/k8s/gitlab-runner/README.md new file mode 100644 index 0000000..3df7c95 --- /dev/null +++ b/k8s/gitlab-runner/README.md @@ -0,0 +1,3 @@ +# GitLab Runner Helm Chart + +helm upgrade --install --create-namespace gitlab-runner --set runnerRegistrationToken= k8s/gitlab-runner diff --git a/k8s/gitlab-runner/templates/NOTES.txt b/k8s/gitlab-runner/templates/NOTES.txt new file mode 100644 index 0000000..68ab758 --- /dev/null +++ b/k8s/gitlab-runner/templates/NOTES.txt 
@@ -0,0 +1,36 @@ +{{- if include "gitlab-runner.gitlabUrl" . }} +Your GitLab Runner should now be registered against the GitLab instance reachable at: {{ include "gitlab-runner.gitlabUrl" . }} +{{- else -}} +############################################################################################# +## WARNING: You did not specify an gitlabUrl in your 'helm install' call. ## +############################################################################################# + +This deployment will be incomplete until you provide the URL that your +GitLab instance is reachable at: + + helm upgrade {{ .Release.Name }} \ + --set gitlabUrl=http://gitlab.your-domain.com,runnerRegistrationToken=your-registration-token \ + gitlab/gitlab-runner +{{- end -}} + +{{- if not .Values.runners.config }} +############################################################################################# +## WARNING: You don't seem to be using the GitLab Runner config template functionality. ## +## Configuring the GitLab Runner through that template is recommended as other ## +## configuration options will be deprecated in Helm Chart 1.0. Read more at ## +## https://docs.gitlab.com/runner/install/kubernetes.html#using-configuration-template. ## +############################################################################################# +{{- end }} + +{{- $runnerNamespace := regexFind "\\s*namespace\\s*=.+\\s*" (tpl .Values.runners.config $) | regexFind "=.+" | trimPrefix "=" | trim -}} +{{- if regexMatch "\\s*namespace\\s*=" .Values.runners.config }} + +Runner namespace {{ $runnerNamespace }} was found in runners.config template. +{{- if .Values.runners.namespace }} + +############################################################################################# +## WARNING: You have set the namespace in runners.config and also set in deprecated ## +## runner.namespace element. The runners.config namespace will be ignored. 
## +############################################################################################# +{{- end }} +{{- end }} diff --git a/k8s/gitlab-runner/templates/_cache.tpl b/k8s/gitlab-runner/templates/_cache.tpl new file mode 100644 index 0000000..80b001c --- /dev/null +++ b/k8s/gitlab-runner/templates/_cache.tpl @@ -0,0 +1,28 @@ +{{- define "gitlab-runner.cache" }} +{{- if .Values.runners.cache.cacheType }} +- name: CACHE_TYPE + value: {{ default "" .Values.runners.cache.cacheType | quote }} +- name: CACHE_PATH + value: {{ coalesce .Values.runners.cache.cachePath .Values.runners.cache.s3CachePath | default "" | quote }} +{{- if .Values.runners.cache.cacheShared }} +- name: CACHE_SHARED + value: "true" +{{- end }} +{{- if eq .Values.runners.cache.cacheType "s3" }} +- name: CACHE_S3_SERVER_ADDRESS + value: {{ include "gitlab-runner.cache.s3ServerAddress" . }} +- name: CACHE_S3_BUCKET_NAME + value: {{ default "" .Values.runners.cache.s3BucketName | quote }} +- name: CACHE_S3_BUCKET_LOCATION + value: {{ default "" .Values.runners.cache.s3BucketLocation | quote }} +{{- if .Values.runners.cache.s3CacheInsecure }} +- name: CACHE_S3_INSECURE + value: "true" +{{- end }} +{{- end }} +{{- if eq .Values.runners.cache.cacheType "gcs" }} +- name: CACHE_GCS_BUCKET_NAME + value: {{ default "" .Values.runners.cache.gcsBucketName | quote }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/k8s/gitlab-runner/templates/_env_vars.tpl b/k8s/gitlab-runner/templates/_env_vars.tpl new file mode 100644 index 0000000..ba3b441 --- /dev/null +++ b/k8s/gitlab-runner/templates/_env_vars.tpl 
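Review bot: The `helm upgrade` example in the missing-gitlabUrl warning uses `--set gitlabUrl=http://gitlab.your-domain.com,runnerRegistrationToken=your-registration-token`, pairing a plaintext URL with the registration token; users copy these examples verbatim, and the token plus every job's CI token would then travel unencrypted. Change the example to `https://gitlab.your-domain.com` and add one line noting that a token passed with `--set` ends up in shell history and in the Helm release record, pointing at `runners.secret` (a pre-created Secret, supported by the `gitlab-runner.secret` helper) as the safer route. Separately, `regexFind ... (tpl .Values.runners.config $)` runs unconditionally after the `if not .Values.runners.config` block and presumably relies on `runners.config` defaulting to a string in values.yaml, which is not visible here — confirm, since `tpl` on a nil value errors at render time.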
@@ -0,0 +1,145 @@ +{{- define "gitlab-runner.runner-env-vars" }} +- name: CI_SERVER_URL + value: {{ include "gitlab-runner.gitlabUrl" . }} +- name: CLONE_URL + value: {{ default "" .Values.runners.cloneUrl | quote }} +{{- if .Values.runners.requestConcurrency }} +- name: RUNNER_REQUEST_CONCURRENCY + value: {{ default 1 .Values.runners.requestConcurrency | quote }} +{{- end }} +- name: RUNNER_EXECUTOR + value: {{ default "kubernetes" .Values.runners.executor | quote }} +- name: REGISTER_LOCKED + {{ if or (not (hasKey .Values.runners "locked")) .Values.runners.locked -}} + value: "true" + {{- else -}} + value: "false" + {{- end }} +- name: RUNNER_TAG_LIST + value: {{ default "" .Values.runners.tags | quote }} +{{- if .Values.runners.outputLimit }} +- name: RUNNER_OUTPUT_LIMIT + value: {{ .Values.runners.outputLimit | quote }} +{{- end}} +{{- if eq (default "kubernetes" .Values.runners.executor) "kubernetes" }} +{{- if .Values.runners.image }} +- name: KUBERNETES_IMAGE + value: {{ .Values.runners.image | quote }} +{{- end }} +{{- if .Values.runners.privileged }} +- name: KUBERNETES_PRIVILEGED + value: "true" +{{- end }} +{{- if or .Values.runners.namespace (not (regexMatch "\\s*namespace\\s*=" .Values.runners.config)) }} +- name: KUBERNETES_NAMESPACE + value: {{ default .Release.Namespace .Values.runners.namespace | quote }} +{{- end }} +{{- if .Values.runners.pollTimeout }} +- name: KUBERNETES_POLL_TIMEOUT + value: {{ .Values.runners.pollTimeout | quote }} +{{- end }} +{{- if .Values.runners.builds.cpuLimit }} +- name: KUBERNETES_CPU_LIMIT + value: {{ .Values.runners.builds.cpuLimit | quote }} +{{- end }} +{{- if .Values.runners.builds.cpuLimitOverwriteMaxAllowed }} +- name: KUBERNETES_CPU_LIMIT_OVERWRITE_MAX_ALLOWED + value: {{ .Values.runners.builds.cpuLimitOverwriteMaxAllowed | quote }} +{{- end }} +{{- if .Values.runners.builds.memoryLimit }} +- name: KUBERNETES_MEMORY_LIMIT + value: {{ .Values.runners.builds.memoryLimit | quote }} +{{- end }} +{{- if 
.Values.runners.builds.memoryLimitOverwriteMaxAllowed }} +- name: KUBERNETES_MEMORY_LIMIT_OVERWRITE_MAX_ALLOWED + value: {{ .Values.runners.builds.memoryLimitOverwriteMaxAllowed | quote }} +{{- end }} +{{- if .Values.runners.builds.cpuRequests }} +- name: KUBERNETES_CPU_REQUEST + value: {{ .Values.runners.builds.cpuRequests | quote }} +{{- end }} +{{- if .Values.runners.builds.cpuRequestsOverwriteMaxAllowed }} +- name: KUBERNETES_CPU_REQUEST_OVERWRITE_MAX_ALLOWED + value: {{ .Values.runners.builds.cpuRequestsOverwriteMaxAllowed | quote }} +{{- end }} +{{- if .Values.runners.builds.memoryRequests }} +- name: KUBERNETES_MEMORY_REQUEST + value: {{ .Values.runners.builds.memoryRequests| quote }} +{{- end }} +{{- if .Values.runners.builds.memoryRequestsOverwriteMaxAllowed }} +- name: KUBERNETES_MEMORY_REQUEST_OVERWRITE_MAX_ALLOWED + value: {{ .Values.runners.builds.memoryRequestsOverwriteMaxAllowed | quote }} +{{- end }} +{{- if .Values.runners.serviceAccountName }} +- name: KUBERNETES_SERVICE_ACCOUNT + value: {{ .Values.runners.serviceAccountName | quote }} +{{- end }} +{{- if .Values.runners.services.cpuLimit }} +- name: KUBERNETES_SERVICE_CPU_LIMIT + value: {{ .Values.runners.services.cpuLimit | quote }} +{{- end }} +{{- if .Values.runners.services.memoryLimit }} +- name: KUBERNETES_SERVICE_MEMORY_LIMIT + value: {{ .Values.runners.services.memoryLimit | quote }} +{{- end }} +{{- if .Values.runners.services.cpuRequests }} +- name: KUBERNETES_SERVICE_CPU_REQUEST + value: {{ .Values.runners.services.cpuRequests | quote }} +{{- end }} +{{- if .Values.runners.services.memoryRequests }} +- name: KUBERNETES_SERVICE_MEMORY_REQUEST + value: {{ .Values.runners.services.memoryRequests | quote }} +{{- end }} +{{- if .Values.runners.helpers.cpuLimit }} +- name: KUBERNETES_HELPER_CPU_LIMIT + value: {{ .Values.runners.helpers.cpuLimit | quote }} +{{- end }} +{{- if .Values.runners.helpers.memoryLimit }} +- name: KUBERNETES_HELPER_MEMORY_LIMIT + value: {{ 
.Values.runners.helpers.memoryLimit | quote }} +{{- end }} +{{- if .Values.runners.helpers.cpuRequests }} +- name: KUBERNETES_HELPER_CPU_REQUEST + value: {{ .Values.runners.helpers.cpuRequests | quote }} +{{- end }} +{{- if .Values.runners.helpers.memoryRequests }} +- name: KUBERNETES_HELPER_MEMORY_REQUEST + value: {{ .Values.runners.helpers.memoryRequests | quote }} +{{- end }} +{{- if .Values.runners.helpers.image }} +- name: KUBERNETES_HELPER_IMAGE + value: {{ .Values.runners.helpers.image | quote }} +{{- end }} +{{- if .Values.runners.imagePullPolicy }} +- name: KUBERNETES_PULL_POLICY + value: {{ .Values.runners.imagePullPolicy | quote }} +{{- end }} +{{- if .Values.runners.pod_security_context }} +{{- if .Values.runners.pod_security_context.run_as_non_root }} +- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_NON_ROOT + value: "true" +{{- end }} +{{- if .Values.runners.pod_security_context.run_as_user }} +- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_USER + value: {{ .Values.runners.pod_security_context.run_as_user | quote }} +{{- end }} +{{- if .Values.runners.pod_security_context.run_as_group }} +- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_GROUP + value: {{ .Values.runners.pod_security_context.run_as_group | quote }} +{{- end }} +{{- if .Values.runners.pod_security_context.fs_group }} +- name: KUBERNETES_POD_SECURITY_CONTEXT_FS_GROUP + value: {{ .Values.runners.pod_security_context.fs_group | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- if .Values.runners.cache -}} +{{ include "gitlab-runner.cache" . }} +{{- end }} +{{- if .Values.envVars -}} +{{ range .Values.envVars }} +- name: {{ .name }} + value: {{ .value | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/k8s/gitlab-runner/templates/_helpers.tpl b/k8s/gitlab-runner/templates/_helpers.tpl new file mode 100644 index 0000000..314e3ed --- /dev/null +++ b/k8s/gitlab-runner/templates/_helpers.tpl 
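Review bot: `KUBERNETES_PRIVILEGED` is emitted as `"true"` with no accompanying note, yet it is the one setting that turns every CI job into a root-equivalent container on the node (and, together with the chart's wildcard RBAC defaults in role.yaml, a path to cluster-wide access); the template should say so where the flag is set. Add a template comment above the `if .Values.runners.privileged` branch: `{{- /* privileged build pods can take over the node; enable only for trusted projects, on a dedicated node pool, with locked/protected runners */}}`. Also, `run_as_user`, `run_as_group` and `fs_group` are gated on plain truthiness, so a configured `0` is silently dropped; that is harmless for root but worth a one-line comment so nobody expects `0` to be honoured.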
@@ -0,0 +1,120 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "gitlab-runner.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "gitlab-runner.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if hasPrefix $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gitlab-runner.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Define the name of the secret containing the tokens +*/}} +{{- define "gitlab-runner.secret" -}} +{{- default (include "gitlab-runner.fullname" .) .Values.runners.secret | quote -}} +{{- end -}} + +{{/* +Define the name of the s3 cache secret +*/}} +{{- define "gitlab-runner.cache.secret" -}} +{{- if .Values.runners.cache.secretName -}} +{{- .Values.runners.cache.secretName | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Template for outputing the gitlabUrl +*/}} +{{- define "gitlab-runner.gitlabUrl" -}} +{{- .Values.gitlabUrl | quote -}} +{{- end -}} + +{{/* +Template runners.cache.s3ServerAddress in order to allow overrides from external charts. 
+*/}} +{{- define "gitlab-runner.cache.s3ServerAddress" }} +{{- default "" .Values.runners.cache.s3ServerAddress | quote -}} +{{- end -}} + +{{/* +Define the image, using .Chart.AppVersion and GitLab Runner image as a default value +*/}} +{{- define "gitlab-runner.image" }} +{{- if kindIs "string" .Values.image -}} +{{- .Values.image }} +{{- else -}} +{{- $appVersion := ternary "bleeding" (print "v" .Chart.AppVersion) (eq .Chart.AppVersion "bleeding") -}} +{{- $appVersionImageTag := printf "alpine-%s" $appVersion -}} +{{- $imageTag := default $appVersionImageTag .Values.image.tag -}} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.image $imageTag }} +{{- end -}} +{{- end -}} + +{{/* +Define the server session timeout, using 1800 as a default value +*/}} +{{- define "gitlab-runner.server-session-timeout" }} +{{- default 1800 .Values.sessionServer.timeout }} +{{- end -}} + +{{/* +Define the server session internal port, using 9000 as a default value +*/}} +{{- define "gitlab-runner.server-session-external-port" }} +{{- default 9000 .Values.sessionServer.externalPort }} +{{- end -}} + +{{/* +Define the server session external port, using 8093 as a default value +*/}} +{{- define "gitlab-runner.server-session-internal-port" }} +{{- default 8093 .Values.sessionServer.internalPort }} +{{- end -}} + +{{/* +Unregister runner on pod stop +*/}} +{{- define "gitlab-runner.unregisterRunner" -}} +{{- if or (and (hasKey .Values "unregisterRunner") .Values.unregisterRunner) (and (not (hasKey .Values "unregisterRunner")) .Values.runnerRegistrationToken) -}} +lifecycle: + preStop: + exec: + command: ["/entrypoint", "unregister", "--config=/home/gitlab-runner/.gitlab-runner/config.toml"] +{{- end -}} +{{- end -}} + +{{/* +Unregister all runners on pod stop +*/}} +{{- define "gitlab-runner.unregisterRunners" -}} +{{- if or (and (hasKey .Values "unregisterRunners") .Values.unregisterRunners) (and (not (hasKey .Values "unregisterRunners")) .Values.runnerRegistrationToken) 
-}} +lifecycle: + preStop: + exec: + command: ["/entrypoint", "unregister", "--all-runners"] +{{- end -}} +{{- end -}} diff --git a/k8s/gitlab-runner/templates/configmap.yaml b/k8s/gitlab-runner/templates/configmap.yaml new file mode 100644 index 0000000..d5ca5a7 --- /dev/null +++ b/k8s/gitlab-runner/templates/configmap.yaml 
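Review bot: The doc comments on the two session-server port helpers are swapped: the block headed "Define the server session internal port, using 9000 as a default value" defines `gitlab-runner.server-session-external-port`, and the block headed "external port, using 8093" defines `gitlab-runner.server-session-internal-port`. Swap them to `Define the server session external port, using 9000 as a default value` and `Define the server session internal port, using 8093 as a default value`; configmap.yaml and service-session-server.yaml depend on exactly that mapping, and the wrong labels invite a future mix-up of the public and container ports. Also, `gitlab-runner.image` assembles `registry/image:tag` and offers no digest field; a brief comment that `.Values.image` may be given as a full string (including `@sha256:...`) would document the only pinning route the helper actually supports.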
@@ -0,0 +1,236 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + entrypoint: | + #!/bin/bash + set -e + + mkdir -p /home/gitlab-runner/.gitlab-runner/ + + cp /configmaps/config.toml /home/gitlab-runner/.gitlab-runner/ + + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + quit() { + kill -TERM "$child" + } + + trap quit QUIT TERM + + sh /configmaps/set-session-server-address & + child=$! + wait "$child" + {{- end }} + + # Set up environment variables for cache + if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then + export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey) + export CACHE_S3_SECRET_KEY=$(cat /secrets/secretkey) + fi + + if [[ -f /secrets/gcs-applicaton-credentials-file ]]; then + export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-applicaton-credentials-file" + elif [[ -f /secrets/gcs-application-credentials-file ]]; then + export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file" + else + if [[ -f /secrets/gcs-access-id && -f /secrets/gcs-private-key ]]; then + export CACHE_GCS_ACCESS_ID=$(cat /secrets/gcs-access-id) + # echo -e used to make private key multiline (in google json auth key private key is oneline with \n) + export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key)) + fi + fi + + if [[ -f /secrets/azure-account-name && -f /secrets/azure-account-key ]]; then + export CACHE_AZURE_ACCOUNT_NAME=$(cat /secrets/azure-account-name) + export CACHE_AZURE_ACCOUNT_KEY=$(cat /secrets/azure-account-key) + fi + + if [[ -f /secrets/runner-registration-token ]]; then + export REGISTRATION_TOKEN=$(cat /secrets/runner-registration-token) + fi + + if [[ 
-f /secrets/runner-token ]]; then + export CI_SERVER_TOKEN=$(cat /secrets/runner-token) + fi + + {{- if and (not (empty .Values.runnerToken)) (ne "1" ((default "1" .Values.replicas) | toString)) }} + {{- fail "Using a runner token with more than 1 replica is not supported." }} + {{- end }} + + # Validate this also at runtime in case the user has set a custom secret + if [[ ! -z "$CI_SERVER_TOKEN" && "{{ default 1 .Values.replicas }}" -ne "1" ]]; then + echo "Using a runner token with more than 1 replica is not supported." + exit 1 + fi + + # Register the runner + if ! sh /configmaps/register-the-runner; then + exit 1 + fi + + # Run pre-entrypoint-script + if ! bash /configmaps/pre-entrypoint-script; then + exit 1 + fi + + # Start the runner + exec /entrypoint run --user=gitlab-runner \ + --working-directory=/home/gitlab-runner + + config.toml: | + concurrent = {{ .Values.concurrent }} + check_interval = {{ .Values.checkInterval }} + log_level = {{ default "info" .Values.logLevel | quote }} + {{- if .Values.logFormat }} + log_format = {{ .Values.logFormat | quote }} + {{- end }} + {{- if .Values.metrics.enabled }} + listen_address = ':9252' + {{- end }} + {{- if .Values.sentryDsn }} + sentry_dsn = "{{ .Values.sentryDsn }}" + {{- end }} + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + [session_server] + session_timeout = {{ include "gitlab-runner.server-session-timeout" . }} + listen_address = "0.0.0.0:{{ include "gitlab-runner.server-session-internal-port" . }}" + advertise_address = "SESSION_SERVER_IP:{{ include "gitlab-runner.server-session-external-port" . 
}}" + {{- end }} + + {{ if .Values.runners.config }} + config.template.toml: {{ tpl (toYaml .Values.runners.config) $ | indent 2 }} + {{ end }} + + register-the-runner: | + #!/bin/bash + MAX_REGISTER_ATTEMPTS=30 + + for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do + echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}" + /entrypoint register \ + {{- range .Values.runners.imagePullSecrets }} + --kubernetes-image-pull-secrets {{ . | quote }} \ + {{- end }} + {{- range $key, $val := .Values.runners.nodeSelector }} + --kubernetes-node-selector {{ $key | quote }}:{{ $val | quote }} \ + {{- end }} + {{- range .Values.runners.nodeTolerations }} + {{- $keyValue := .key }} + {{- if eq (.operator | default "Equal") "Equal" }} + {{- $keyValue = print $keyValue "=" (.value | default "" ) }} + {{- end }} + --kubernetes-node-tolerations {{ $keyValue }}:{{ .effect | quote }} \ + {{- end }} + {{- range $key, $value := .Values.runners.podLabels }} + --kubernetes-pod-labels {{ $key | quote }}:{{ $value | quote }} \ + {{- end }} + {{- range $key, $val := .Values.runners.podAnnotations }} + --kubernetes-pod-annotations {{ $key | quote }}:{{ $val | quote }} \ + {{- end }} + {{- if and (hasKey .Values.runners "name") .Values.runners.name }} + --name={{ .Values.runners.name | quote -}} \ + {{- end }} + {{- if and (hasKey .Values.runners "maximumTimeout") .Values.runners.maximumTimeout }} + --maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \ + {{- end }} + {{- range $key, $value := .Values.runners.env }} + --env {{ $key | quote -}} = {{- $value | quote }} \ + {{- end }} + {{- if and (hasKey .Values.runners "runUntagged") .Values.runners.runUntagged }} + --run-untagged=true \ + {{- end }} + {{- if and (hasKey .Values.runners "protected") .Values.runners.protected }} + --access-level="ref_protected" \ + {{- end }} + {{- if .Values.runners.pod_security_context }} + {{- if .Values.runners.pod_security_context.supplemental_groups }} + {{- range $gid := 
.Values.runners.pod_security_context.supplemental_groups }} + --kubernetes-pod-security-context-supplemental-groups {{ $gid | quote }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.runners.config }} + --template-config /configmaps/config.template.toml \ + {{- end }} + --non-interactive + + retval=$? + + if [ ${retval} = 0 ]; then + break + elif [ ${i} = ${MAX_REGISTER_ATTEMPTS} ]; then + exit 1 + fi + + sleep 5 + done + + exit 0 + + check-live: | + #!/bin/bash + if /usr/bin/pgrep -f .*register-the-runner; then + exit 0 + elif /usr/bin/pgrep gitlab.*runner; then + exit 0 + else + exit 1 + fi + + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + set-session-server-address: | + #!/bin/bash + + {{- if (not .Values.sessionServer.publicIP) }} + APISERVER=https://kubernetes.default.svc \ + && SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount \ + && NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) \ + && TOKEN=$(cat ${SERVICEACCOUNT}/token) \ + && CACERT=${SERVICEACCOUNT}/ca.crt \ + && header="Authorization: Bearer ${TOKEN}" + + SERVICEURL=${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/{{ include "gitlab-runner.fullname" . 
}}-session-server + + has_address=false + while [ "${has_address}" = false ]; do + SERVICEIP=$(curl —-silent \ + --cacert ${CACERT} \ + --header "${header}" \ + -X GET ${SERVICEURL} 2>/dev/null \ + | grep '"ip":' | cut -d ":" -f2 | xargs) + + # for aws, the hostname is available but not the external IP + SERVICEHOSTNAME=$(curl —-silent \ + --cacert ${CACERT} \ + --header "${header}" \ + -X GET ${SERVICEURL} 2>/dev/null \ + | grep '"hostname":' | cut -d ":" -f2 | xargs) + + ADDRESS="${SERVICEHOSTNAME:-$SERVICEIP}" + + if [ -z "${ADDRESS}" ] + then + echo "Service LoadBalancer External Address not yet available" + has_address=false + sleep 5 + else + has_address=true + sed -i -e "s/SESSION_SERVER_IP/${ADDRESS}/g" /home/gitlab-runner/.gitlab-runner/config.toml + fi + done + {{- else }} + sed -i -e "s/SESSION_SERVER_IP/{{ .Values.sessionServer.publicIP }}/g" /home/gitlab-runner/.gitlab-runner/config.toml + {{- end}} + {{ end }} + + pre-entrypoint-script: | +{{ .Values.preEntrypointScript | default "" | indent 4 }} + +{{ if not (empty .Values.configMaps) }}{{ toYaml .Values.configMaps | indent 2 }}{{ end }} diff --git a/k8s/gitlab-runner/templates/deployment.yaml b/k8s/gitlab-runner/templates/deployment.yaml new file mode 100644 index 0000000..0115d6c --- /dev/null +++ b/k8s/gitlab-runner/templates/deployment.yaml 
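Review bot: Both `curl` calls in `set-session-server-address` are written `curl —-silent` with a Unicode em dash (U+2014) rather than `--silent`, so curl treats `—-silent` as a first URL, fails to resolve it, and only then fetches `${SERVICEURL}`; it works only because stderr is discarded. Replace both with `SERVICEIP=$(curl --silent \` and `SERVICEHOSTNAME=$(curl --silent \`, and consider adding `--fail` so an API error (for example the ServiceAccount lacking `get` on services) does not loop forever on an empty address. Two smaller issues in the entrypoint: `export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key))` leaves the inner substitution unquoted, so the key is word-split and glob-expanded before `echo -e` sees it — `$(echo -e "$(cat /secrets/gcs-private-key)")` keeps the `\n` handling without that — and `sed -i -e "s/SESSION_SERVER_IP/${ADDRESS}/g"` interpolates an API-derived hostname into a sed program, where a `/` or `&` breaks the rewrite (use another delimiter such as `s|SESSION_SERVER_IP|${ADDRESS}|g`).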
@@ -0,0 +1,169 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + replicas: {{ default 1 .Values.replicas }} + revisionHistoryLimit: {{ default 10 .Values.revisionHistoryLimit }} + selector: + matchLabels: + app: {{ include "gitlab-runner.fullname" . }} + template: + metadata: + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{- range $key, $value := .Values.podLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- if .Values.metrics.enabled }} + prometheus.io/scrape: 'true' + prometheus.io/port: {{ .Values.metrics.port | quote }} + {{- end }} + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + serviceAccountName: {{ if .Values.rbac.create }}{{ include "gitlab-runner.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} + containers: + - name: {{ include "gitlab-runner.fullname" . }} + image: {{ include "gitlab-runner.image" . 
}} + imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} + securityContext: {{ toYaml .Values.securityContext | nindent 10 }} + {{- include "gitlab-runner.unregisterRunner" . | nindent 8 }} + {{- include "gitlab-runner.unregisterRunners" . | nindent 8 }} + command: ["/usr/bin/dumb-init", "--", "/bin/bash", "/configmaps/entrypoint"] + env: + {{ include "gitlab-runner.runner-env-vars" . | indent 8 }} + livenessProbe: + exec: + command: ["/bin/bash", "/configmaps/check-live"] + initialDelaySeconds: 60 + timeoutSeconds: {{ default 1 .Values.probeTimeoutSeconds }} + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: ["/usr/bin/pgrep","gitlab.*runner"] + initialDelaySeconds: 10 + timeoutSeconds: {{ default 1 .Values.probeTimeoutSeconds }} + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + ports: + - name: {{ .Values.metrics.portName | quote }} + containerPort: {{ .Values.metrics.port }} + {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }} + - name: session-server + containerPort: {{ include "gitlab-runner.server-session-internal-port" . 
}} + protocol: TCP + {{- end }} + volumeMounts: + - name: projected-secrets + mountPath: /secrets + - name: etc-gitlab-runner + mountPath: /home/gitlab-runner/.gitlab-runner + - name: configmaps + mountPath: /configmaps + {{- if .Values.certsSecretName }} + - name: custom-certs + readOnly: true + mountPath: /home/gitlab-runner/.gitlab-runner/certs/ + {{- end }} + {{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 8 }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumes: + - name: runner-secrets + emptyDir: + medium: "Memory" + - name: etc-gitlab-runner + emptyDir: + medium: "Memory" + - name: projected-secrets + projected: + sources: + {{- if .Values.runners.cache.cacheType }} + # .Values.runners.cache.cacheType is deprecated: https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/224 + {{- end }} + + {{- if and .Values.runners.cache .Values.runners.cache.cacheType }} + {{- if and (include "gitlab-runner.cache.secret" .) (eq .Values.runners.cache.cacheType "s3") }} + - secret: + name: {{ include "gitlab-runner.cache.secret" . }} + {{- end }} + {{- if eq .Values.runners.cache.cacheType "gcs"}} + - secret: + # Outdated default secret "s3access" kept for compatibilty with older installs using it. + # Will be removed in next major release: https://gitlab.com/gitlab-org/charts/gitlab-runner/merge_requests/177 + name: {{ default "s3access" (include "gitlab-runner.cache.secret" .) }} + {{- end }} + {{- else if include "gitlab-runner.cache.secret" . }} + - secret: + name: {{ include "gitlab-runner.cache.secret" . }} + {{- end }} + - secret: + name: {{ include "gitlab-runner.secret" . }} + items: + - key: runner-registration-token + path: runner-registration-token + - key: runner-token + path: runner-token + + {{- range .Values.secrets }} + - secret: +{{ toYaml . 
| indent 16 }} + {{- end }} + {{- if .Values.certsSecretName }} + - name: custom-certs + secret: + secretName: {{ .Values.certsSecretName }} + {{- end }} + - name: configmaps + configMap: + name: {{ include "gitlab-runner.fullname" . }} + {{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 6 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.hostAliases }} + hostAliases: +{{ toYaml .Values.hostAliases | indent 8 }} + {{- end }} diff --git a/k8s/gitlab-runner/templates/hpa.yaml b/k8s/gitlab-runner/templates/hpa.yaml new file mode 100644 index 0000000..d4ad4c4 --- /dev/null +++ b/k8s/gitlab-runner/templates/hpa.yaml @@ -0,0 +1,16 @@ +{{- if .Values.hpa}} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gitlab-runner.fullname" . }} + namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "gitlab-runner.fullname" . }} + minReplicas: {{ default 1 .Values.hpa.minReplicas }} + maxReplicas: {{ default 1 .Values.hpa.maxReplicas }} + metrics: +{{ toYaml .Values.hpa.metrics | indent 2 }} +{{- end}} diff --git a/k8s/gitlab-runner/templates/role-binding.yaml b/k8s/gitlab-runner/templates/role-binding.yaml new file mode 100644 index 0000000..f895594 --- /dev/null +++ b/k8s/gitlab-runner/templates/role-binding.yaml 
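Review bot: The `runner-secrets` emptyDir (`medium: "Memory"`) is declared under `volumes:` but never referenced from `volumeMounts`, so it is dead configuration that suggests secrets are staged on tmpfs when they actually come from the `projected-secrets` volume; either mount it or drop it. The pod and container `securityContext` are passed through verbatim from `podSecurityContext` and `securityContext` with no defaults visible in this hunk, so whether the runner runs non-root, with a read-only root filesystem and capabilities dropped depends entirely on values.yaml — worth confirming those defaults are hardened, and worth a comment here naming the keys a deployer is expected to set.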
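Review bot: `autoscaling/v2beta1` was removed in Kubernetes 1.25, so this HorizontalPodAutoscaler fails to apply on current clusters; use `apiVersion: autoscaling/v2` (the `metrics` schema changed slightly — `targetAverageUtilization` became `target.type: Utilization` with `averageUtilization`). Note also that the entrypoint's replica guard compares the templated `{{ default 1 .Values.replicas }}` value, not the live pod count, so an HPA scaling above 1 bypasses it and several pods would share a single `runnerToken`; a `{{- fail ... }}` in this template when both `.Values.hpa` and `.Values.runnerToken` are set would catch that at install time.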
@@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRoleBinding"{{ else }}"RoleBinding"{{ end }} +metadata: + name: {{ include "gitlab-runner.fullname" . }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{ if not .Values.rbac.clusterWideAccess -}} + namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }} + name: {{ include "gitlab-runner.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gitlab-runner.fullname" . }} + namespace: "{{ .Release.Namespace }}" +{{- end -}} diff --git a/k8s/gitlab-runner/templates/role.yaml b/k8s/gitlab-runner/templates/role.yaml new file mode 100644 index 0000000..b1b8e30 --- /dev/null +++ b/k8s/gitlab-runner/templates/role.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }} +metadata: + name: {{ include "gitlab-runner.fullname" . }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + {{ if not .Values.rbac.clusterWideAccess -}} + namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }} + {{- end }} +rules: +{{- if .Values.rbac.podSecurityPolicy.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: +{{ toYaml .Values.rbac.podSecurityPolicy.resourceNames | indent 2 }} +{{- end }} +{{- if or (empty .Values.rbac.rules) (or .Values.rbac.resources .Values.rbac.verbs) }} +- apiGroups: [""] + resources: {{ (default (list "*") .Values.rbac.resources | toJson) }} + verbs: {{ (default (list "*") .Values.rbac.verbs | toJson) }} +{{- end -}} +{{ range .Values.rbac.rules }} +- apiGroups: {{ (default (list "") .apiGroups) | toJson }} + resources: {{ (default (list "*") .resources) | toJson }} + verbs: {{ (default (list "*") .verbs) | toJson }} +{{- end }} +{{- end -}} diff --git a/k8s/gitlab-runner/templates/secrets.yaml b/k8s/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..043bf20 --- /dev/null +++ b/k8s/gitlab-runner/templates/secrets.yaml 
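Review bot: When `rbac.rules`, `rbac.resources` and `rbac.verbs` are all unset, the rule rendered here is `apiGroups: [""]`, `resources: ["*"]`, `verbs: ["*"]` — every verb on every core resource, including `secrets`, `serviceaccounts`, `nodes` and `pods/exec` — and with `rbac.clusterWideAccess` it becomes a ClusterRole, so any CI job that reaches the runner's ServiceAccount token effectively owns the cluster. The kubernetes executor does not need that; tighten the defaults to the documented executor set (roughly `resources: {{ (default (list "pods" "pods/exec" "pods/attach" "pods/log" "secrets" "configmaps" "services") .Values.rbac.resources | toJson) }}` and `verbs: {{ (default (list "get" "list" "watch" "create" "patch" "delete") .Values.rbac.verbs | toJson) }}` — confirm against the runner version in use) and make `*` an explicit opt-in. The `policy/podsecuritypolicies` rule targets an API removed in Kubernetes 1.25 and will fail on current clusters when `rbac.podSecurityPolicy.enabled` is set; a comment stating that the toggle is only meaningful on clusters up to 1.24 would help.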
@@ -0,0 +1,16 @@ +{{- if or .Values.runnerRegistrationToken .Values.runnerToken -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitlab-runner.secret" . }} + namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + runner-registration-token: {{ default "" .Values.runnerRegistrationToken | b64enc | quote }} + runner-token: {{ default "" .Values.runnerToken | b64enc | quote }} +{{- end -}} diff --git a/k8s/gitlab-runner/templates/service-account.yaml b/k8s/gitlab-runner/templates/service-account.yaml new file mode 100644 index 0000000..1e5da6a --- /dev/null +++ b/k8s/gitlab-runner/templates/service-account.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + {{- range $key, $value := .Values.rbac.serviceAccountAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + name: {{ include "gitlab-runner.fullname" . }} + labels: + app: {{ include "gitlab-runner.fullname" . }} + chart: {{ include "gitlab-runner.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- if .Values.rbac.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.rbac.imagePullSecrets }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/k8s/gitlab-runner/templates/service-session-server.yaml b/k8s/gitlab-runner/templates/service-session-server.yaml new file mode 100644 index 0000000..be0d99b --- /dev/null +++ b/k8s/gitlab-runner/templates/service-session-server.yaml 
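Review bot: `runnerRegistrationToken` and `runnerToken` are read straight from chart values, so every install that uses them also persists the tokens in the Helm release record (`helm get values`), in shell history when passed with `--set`, and in a Secret whose rendered manifest is hashed into the `checksum/secrets` pod annotation. The chart already supports an externally managed Secret via `runners.secret` (the `gitlab-runner.secret` helper); document that as the preferred path at the top of this template, e.g. `{{- /* Prefer runners.secret pointing at a pre-created Secret with keys runner-registration-token and runner-token; tokens supplied as values are stored in the Helm release */ -}}`. Also, when only one of the two values is set the other key is still written as `""`; that is intentional, because the Deployment's projected volume lists both keys under `items:` and a missing key would break the mount, so a short comment saying so would prevent a well-meaning "fix".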
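Review bot: The ServiceAccount is rendered without a `namespace:` field and therefore lands in `.Release.Namespace`, while the Deployment, Role and RoleBinding in this chart are placed in `default .Release.Namespace .Values.runners.namespace`; when `runners.namespace` differs from the release namespace, the pod references a `serviceAccountName` that does not exist in its own namespace, and the RoleBinding subject (pinned to `.Release.Namespace` in role-binding.yaml) points at the wrong one. Either add `namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}` here and in the RoleBinding subject, or document that `runners.namespace` is meant to control where build pods run and must equal the release namespace. A comment noting that the mounted ServiceAccount token is required (the `set-session-server-address` script reads it from `/var/run/secrets/kubernetes.io/serviceaccount`) would also stop someone setting `automountServiceAccountToken: false` as a hardening step.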
@@ -0,0 +1,32 @@
+{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gitlab-runner.fullname" . }}-session-server
+ namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+ {{- if .Values.sessionServer.annotations }}
+ annotations:
+ {{- toYaml .Values.sessionServer.annotations | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "gitlab-runner.fullname" . }}
+ chart: {{ include "gitlab-runner.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+spec:
+ selector:
+ app: {{ include "gitlab-runner.fullname" . }}
+ release: "{{ .Release.Name }}"
+ type: LoadBalancer
+ {{- if .Values.sessionServer.publicIP }}
+ loadBalancerIP: {{ .Values.sessionServer.publicIP }}
+ {{- end }}
+ {{- if .Values.sessionServer.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- toYaml .Values.sessionServer.loadBalancerSourceRanges | nindent 4 }}
+ {{- end }}
+ ports:
+ - protocol: TCP
+ port: {{ include "gitlab-runner.server-session-external-port" . }}
+ targetPort: {{ include "gitlab-runner.server-session-internal-port" . }}
+{{- end }}
diff --git a/k8s/gitlab-runner/templates/service.yaml b/k8s/gitlab-runner/templates/service.yaml new file mode 100644
index 0000000..5609d0d
--- /dev/null
+++ b/k8s/gitlab-runner/templates/service.yaml
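Review bot: The session-server Service is hard-coded to `type: LoadBalancer`, so turning on `sessionServer.enabled` publishes the runner's session port on an external address with no source restriction unless `sessionServer.loadBalancerSourceRanges` is also set, and the `values.yaml` in this diff leaves that list commented out. I would at minimum add a comment above `type:` — `# exposed externally by default; restrict with sessionServer.loadBalancerSourceRanges` — and ship a restrictive `loadBalancerSourceRanges` example uncommented in `values.yaml`; making the type configurable through a new (proposed) `sessionServer.serviceType` value would be the fuller fix. Separately, `loadBalancerIP: {{ .Values.sessionServer.publicIP }}` is unquoted while the equivalent field in `service.yaml` is `| quote`d; quoting it here too keeps the two templates consistent.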
@@ -0,0 +1,52 @@
+{{- if and .Values.service.enabled .Values.metrics.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gitlab-runner.fullname" . | quote }}
+ namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+ labels:
+ app: {{ include "gitlab-runner.fullname" . | quote }}
+ chart: {{ include "gitlab-runner.chart" . | quote }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ {{- if .Values.service.labels }}
+ {{- toYaml .Values.service.labels | nindent 4 }}
+ {{- end }}
+ {{- if .Values.service.annotations }}
+ annotations:
+ {{- toYaml .Values.service.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.service.clusterIP }}
+ clusterIP: {{ .Values.service.clusterIP | quote }}
+ {{- end }}
+ {{- if .Values.service.externalIPs }}
+ externalIPs:
+ {{- toYaml .Values.service.externalIPs | nindent 4 }}
+ {{- end }}
+ {{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }}
+ {{- end }}
+ {{- if .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.service.loadBalancerSourceRanges }}
+ - {{ $cidr | quote }}
+ {{- end }}
+ {{- end }}
+ ports:
+ {{- if .Values.metrics.enabled }}
+ - name: {{ .Values.metrics.portName | quote }}
+ {{- if eq .Values.service.type "NodePort" }}
+ nodePort: {{ .Values.service.metrics.nodePort }}
+ {{- end }}
+ port: {{ .Values.metrics.port }}
+ targetPort: {{ .Values.metrics.portName | quote }}
+ {{- end }}
+ {{- if .Values.service.additionalPorts }}
+ {{- toYaml .Values.service.additionalPorts | nindent 2 }}
+ {{- end }}
+ selector:
+ app: {{ include "gitlab-runner.fullname" . | quote }}
+ release: {{ .Release.Name | quote }}
+ type: {{ .Values.service.type | default "ClusterIP" | quote }}
+{{- end }}
diff --git a/k8s/gitlab-runner/templates/servicemonitor.yaml b/k8s/gitlab-runner/templates/servicemonitor.yaml new file mode 100644
index 0000000..bd3ffc9
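Review bot: `nodePort: {{ .Values.service.metrics.nodePort }}` is reached whenever `service.type` is `NodePort`, but the committed `values.yaml` keeps `service.metrics` commented out, so `.Values.service.metrics` is nil and Helm will most likely abort the render with a nil-pointer error on `.nodePort` instead of letting Kubernetes auto-assign a port. Guarding on the map as well — `{{- if and (eq .Values.service.type "NodePort") .Values.service.metrics }}` — keeps NodePort usable without the optional block. Note that `port: {{ .Values.metrics.port }}` being unquoted among otherwise quoted scalars is correct, since `port` must render as an integer.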
--- /dev/null
+++ b/k8s/gitlab-runner/templates/servicemonitor.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.enabled .Values.service.enabled -}}
+{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "gitlab-runner.fullname" . | quote }}
+ namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+ labels:
+ app: {{ include "gitlab-runner.fullname" . | quote }}
+ chart: {{ include "gitlab-runner.chart" . | quote }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ {{- if .Values.metrics.serviceMonitor.labels }}
+ {{- toYaml .Values.metrics.serviceMonitor.labels | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: {{ .Values.metrics.portName | quote }}
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scheme }}
+ scheme: {{ .Values.metrics.serviceMonitor.scheme | quote }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.tlsConfig }}
+ tlsConfig:
+ {{- toYaml .Values.metrics.serviceMonitor.tlsConfig | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6) . }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.path }}
+ path: {{ .Values.metrics.serviceMonitor.path }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.jobLabel }}
+ jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ $.Release.Namespace | quote }}
+ selector:
+ matchLabels:
+ app: {{ include "gitlab-runner.fullname" . | quote }}
+ chart: {{ include "gitlab-runner.chart" . | quote }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+{{- end }}
+{{- end }}
diff --git a/k8s/gitlab-runner/values.yaml b/k8s/gitlab-runner/values.yaml new file mode 100644
index 0000000..0808baa
--- /dev/null
+++ b/k8s/gitlab-runner/values.yaml
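Review bot: `namespaceSelector.matchNames` uses `$.Release.Namespace`, while the ServiceMonitor's own `metadata.namespace` and the Service it is meant to discover (`service.yaml` in this diff) both use `default .Release.Namespace .Values.runners.namespace`; with `runners.namespace` set to anything other than the release namespace the monitor selects a namespace in which no matching Service exists and silently scrapes nothing. Changing the entry to `- {{ default .Release.Namespace .Values.runners.namespace | quote }}` keeps the three in step. Separately, `interval:`, `path:` and `jobLabel:` are interpolated unquoted while `scheme:` and every label are `| quote`d; quoting them as well is a consistency fix only.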
@@ -0,0 +1,728 @@ +## GitLab Runner Image +## +## By default it's using registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v{VERSION} +## where {VERSION} is taken from Chart.yaml from appVersion field +## +## DEPRECATED: Setting `image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v11.6.0` is deprecated +## +## ref: https://gitlab.com/gitlab-org/gitlab-runner/container_registry/29383?orderBy=NAME&sort=asc&search[]=alpine-v&search[]= +## +## Note: If you change the image to the ubuntu release +## don't forget to change the securityContext; +## these images run on different user IDs. +## +image: + registry: registry.gitlab.com + image: gitlab-org/gitlab-runner + # tag: alpine-v11.6.0 + +## Specify a imagePullPolicy for the main runner deployment +## 'Always' if imageTag is 'latest', else set to 'IfNotPresent' +## +## Note: it does not apply to job containers launched by this executor. +## Use `pull_policy` in [runners.kubernetes] to change it. +## +## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images +## +imagePullPolicy: IfNotPresent + +## Specifying ImagePullSecrets on a Pod +## Kubernetes supports specifying container image registry keys on a Pod. +## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod +## +# imagePullSecrets: +# - name: "image-pull-secret" + +## Timeout, in seconds, for liveness and readiness probes of a runner pod. +# probeTimeoutSeconds: 1 + +## How many runner pods to launch. +## +## Note: Using more than one replica is not supported with a runnerToken. Use a runnerRegistrationToken +## to create multiple runner replicas. 
+# replicas: 1 + +## How many old ReplicaSets for this Deployment you want to retain +# revisionHistoryLimit: 10 + +## The GitLab Server URL (with protocol) that want to register the runner against +## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-register +## +# gitlabUrl: http://gitlab.your-domain.com/ + +## The Registration Token for adding new Runners to the GitLab Server. This must +## be retrieved from your GitLab Instance. +## ref: https://docs.gitlab.com/ce/ci/runners/index.html +## +# runnerRegistrationToken: "" + +## The Runner Token for adding new Runners to the GitLab Server. This must +## be retrieved from your GitLab Instance. It is token of already registered runner. +## ref: (we don't yet have docs for that, but we want to use existing token) +## +# runnerToken: "" +# + +## Unregister runner before termination +## +## Updating the runner's chart version or configuration will cause the runner container +## to be terminated and created again. This may cause your GitLab instance to reference +## non-existant runners. Un-registering the runner before termination mitigates this issue. +## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-unregister +## +## Please set unregisterRunners to false if you set unregisterRunner to true as only +## one preStop action is supported. +## +# unregisterRunner: true + +## Unregister all runners before termination +## +## Updating the runner's chart version or configuration will cause the runner container +## to be terminated and created again. This may cause your Gitlab instance to reference +## non-existant runners. Un-registering the runner before termination mitigates this issue. +## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-unregister +## +# unregisterRunners: true + +## When stopping the runner, give it time to wait for its jobs to terminate. 
+## +## Updating the runner's chart version or configuration will cause the runner container +## to be terminated with a graceful stop request. terminationGracePeriodSeconds +## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully. +## ref: https://docs.gitlab.com/runner/commands/#signals +terminationGracePeriodSeconds: 3600 + +## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use +## Provide resource name for a Kubernetes Secret Object in the same namespace, +## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory +## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates-targeting-the-gitlab-server +## +# certsSecretName: + +## Configure the maximum number of concurrent jobs +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +concurrent: 10 + +## Defines in seconds how often to check GitLab for a new builds +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +checkInterval: 30 + +## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +# logLevel: + +## Configure GitLab Runner's logging format. Available values are: runner, text, json +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +# logFormat: + +## Configure GitLab Runner's Sentry DSN. +## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section +## +# sentryDsn: + +## A custom bash script that will be executed prior to the invocation +## gitlab-runner process +# +#preEntrypointScript: | +# echo "hello" + +## Specify whether the runner should start the session server. 
+## Defaults to false +## ref: +## +## When sessionServer is enabled, the user can either provide a public publicIP +## or either rely on the external IP auto discovery +## When a serviceAccountName is used with the automounting to the pod disable, +## we recommend the usage of the publicIP +sessionServer: + enabled: false + # annotations: {} + # timeout: 1800 + # internalPort: 8093 + # externalPort: 9000 + # publicIP: "" + # loadBalancerSourceRanges: + # - 1.2.3.4/32 + +## For RBAC support: +rbac: + create: false + + ## Define specific rbac permissions. + ## DEPRECATED: see .Values.rbac.rules + # resources: ["pods", "pods/exec", "secrets"] + # verbs: ["get", "list", "watch", "create", "patch", "delete"] + + ## Define list of rules to be added to the rbac role permissions. + ## Each rule supports the keys: + ## - apiGroups: default "" (indicates the core API group) if missing or empty. + ## - resources: default "*" if missing or empty. + ## - verbs: default "*" if missing or empty. + ## + ## Read more about the recommended rules on the following link + ## + ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#configuring-executor-service-account + ## + rules: [] + # - resources: ["configmaps", "pods", "pods/attach", "secrets", "services"] + # verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] + # - apiGroups: [""] + # resources: ["pods/exec"] + # verbs: ["create", "patch", "delete"] + + ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs + ## cluster-wide or only within namespace + clusterWideAccess: false + + ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) + ## + # serviceAccountName: default + + ## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn + ## + ## ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html + ## + # serviceAccountAnnotations: {} + + 
## Use podSecurity Policy + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + podSecurityPolicy: + enabled: false + resourceNames: + - gitlab-runner + + ## Specify one or more imagePullSecrets used for pulling the runner image + ## + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + ## + # imagePullSecrets: [] + +## Configure integrated Prometheus metrics exporter +## +## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server +## +metrics: + enabled: false + + ## Define a name for the metrics port + ## + portName: metrics + + ## Provide a port number for the integrated Prometheus metrics exporter + ## + port: 9252 + + ## Configure a prometheus-operator serviceMonitor to allow autodetection of + ## the scraping target. Requires enabling the service resource below. + ## + serviceMonitor: + enabled: false + + ## Provide additional labels to the service monitor ressource + ## + ## labels: {} + + ## Define a scrape interval (otherwise prometheus default is used) + ## + ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config + ## + # interval: "" + + ## Specify the scrape protocol scheme e.g., https or http + ## + # scheme: "http" + + ## Supply a tls configuration for the service monitor + ## + ## ref: https://github.com/helm/charts/blob/master/stable/prometheus-operator/crds/crd-servicemonitor.yaml + ## + # tlsConfig: {} + + ## The URI path where prometheus metrics can be scraped from + ## + # path: "/metrics" + + ## A list of MetricRelabelConfigs to apply to samples before ingestion + ## + ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs + ## + # metricRelabelings: [] + + ## A list of RelabelConfigs to apply to samples before scraping + ## + ## ref: 
https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + ## + ## relabelings: [] + +## Configure a service resource e.g., to allow scraping metrics via +## prometheus-operator serviceMonitor +service: + enabled: false + + ## Provide additonal labels for the service + ## + # labels: {} + + ## Provide additonal annotations for the service + ## + # annotations: {} + + ## Define a specific ClusterIP if you do not want a dynamic one + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + # clusterIP: "" + + ## Define a list of one or more external IPs for this service + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + # externalIPs: [] + + ## Provide a specific loadbalancerIP e.g., of an external Loadbalancer + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + ## + # loadBalancerIP: "" + + ## Provide a list of source IP ranges to have access to this service + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support + ## + # loadBalancerSourceRanges: [] + + ## Specify the service type e.g., ClusterIP, NodePort, Loadbalancer or ExternalName + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + ## + type: ClusterIP + + ## Specify the services metrics nodeport if you use a service of type nodePort + ## + # metrics: + + ## Specify the node port under which the prometheus metrics of the runner are made + ## available. 
+ ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport + ## + # nodePort: "" + + ## Provide a list of additional ports to be exposed by this service + ## + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + ## + # additionalPorts: [] + +## Configuration for the Pods that the runner launches for each new job +## +runners: + # runner configuration, where the multi line strings is evaluated as + # template so you can specify helm values inside of it. + # + # tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function + # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html + config: | + [[runners]] + [runners.kubernetes] + namespace = "{{.Release.Namespace}}" + image = "ubuntu:16.04" + + ## Which executor should be used + ## + # executor: kubernetes + + ## Default container image to use for builds when none is specified + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # image: ubuntu:16.04 + + ## Specify one or more imagePullSecrets + ## + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # imagePullSecrets: [] + + ## Specify the image pull policy: never, if-not-present, always. The cluster default will be used if not set. 
+ ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # imagePullPolicy: "" + + ## Defines number of concurrent requests for new job from GitLab + ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # requestConcurrency: 1 + + ## Specify whether the runner should be locked to a specific project: true, false. Defaults to true. + ## + # locked: true + + ## Specify the tags associated with the runner. Comma-separated list of tags. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#use-tags-to-control-which-jobs-a-runner-can-run + ## + # tags: "" + + ## Specify the name for the runner. + ## + # name: "" + + ## Specify the maximum timeout (in seconds) that will be set for job when using this Runner + ## + # maximumTimeout: "" + + ## Specify if jobs without tags should be run. + ## If not specified, Runner will default to true if no tags were specified. In other case it will + ## default to false. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#set-a-runner-to-run-untagged-jobs + ## + # runUntagged: true + + ## Specify whether the runner should only run protected branches. + ## Defaults to false. + ## + ## ref: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#prevent-runners-from-revealing-sensitive-information + ## + # protected: true + + ## Run all containers with the privileged flag enabled + ## This will allow the docker:dind image to run if you need to run Docker + ## commands. 
Please read the docs before turning this on: + ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # privileged: false + + ## The name of the secret containing runner-token and runner-registration-token + # secret: gitlab-runner + + ## Namespace to run Kubernetes jobs in (defaults to the same namespace of this release) + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # namespace: + + ## The amount of time, in seconds, that needs to pass before the runner will + ## timeout attempting to connect to the container it has just created. + ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # pollTimeout: 180 + + ## Set maximum build log size in kilobytes, by default set to 4096 (4MB) + ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # outputLimit: 4096 + + ## Distributed runners caching + ## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching + ## + ## If you want to use s3 based distributing caching: + ## First of all you need to uncomment General settings and S3 settings sections. 
+ ## + ## Create a secret 's3access' containing 'accesskey' & 'secretkey' + ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/ + ## + ## $ kubectl create secret generic s3access \ + ## --from-literal=accesskey="YourAccessKey" \ + ## --from-literal=secretkey="YourSecretKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + ## If you want to use gcs based distributing caching: + ## First of all you need to uncomment General settings and GCS settings sections. + ## + ## Access using credentials file: + ## Create a secret 'google-application-credentials' containing your application credentials file. + ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section + ## You could configure + ## $ kubectl create secret generic google-application-credentials \ + ## --from-file=gcs-application-credentials-file=./path-to-your-google-application-credentials-file.json + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + ## Access using access-id and private-key: + ## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'. + ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section + ## You could configure + ## $ kubectl create secret generic gcsaccess \ + ## --from-literal=gcs-access-id="YourAccessID" \ + ## --from-literal=gcs-private-key="YourPrivateKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + ## + ## If you want to use Azure-based distributed caching: + ## First, uncomment General settings. 
+ ## + ## Create a secret 'azureaccess' containing 'azure-account-name' & 'azure-account-key' + ## ref: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction + ## + ## $ kubectl create secret generic azureaccess \ + ## --from-literal=azure-account-name="YourAccountName" \ + ## --from-literal=azure-account-key="YourAccountKey" + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + + cache: {} + ## General settings + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template + # cacheType: s3 + # cachePath: "gitlab_runner" + # cacheShared: true + + ## S3 settings + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template + # s3ServerAddress: s3.amazonaws.com + # s3BucketName: + # s3BucketLocation: + # s3CacheInsecure: false + + ## GCS settings + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template + # gcsBucketName: + + ## S3 the name of the secret. 
+ # secretName: s3access + ## Use this line for access using gcs-access-id and gcs-private-key + # secretName: gcsaccess + ## Use this line for access using google-application-credentials file + # secretName: google-application-credentials + ## Use this line for access using Azure with azure-account-name and azure-account-key + # secretName: azureaccess + + + ## Build Container specific configuration + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + builds: {} + # cpuLimit: 200m + # cpuLimitOverwriteMaxAllowed: 400m + # memoryLimit: 256Mi + # memoryLimitOverwriteMaxAllowed: 512Mi + # cpuRequests: 100m + # cpuRequestsOverwriteMaxAllowed: 200m + # memoryRequests: 128Mi + # memoryRequestsOverwriteMaxAllowed: 256Mi + + ## Service Container specific configuration + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + services: {} + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + + ## Helper Container specific configuration + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + helpers: {} + # cpuLimit: 200m + # memoryLimit: 256Mi + # cpuRequests: 100m + # memoryRequests: 128Mi + # image: "registry.gitlab.com/gitlab-org/gitlab-runner-helper:x86_64-${CI_RUNNER_REVISION}" + + ## Helper container security context configuration + ## Refer to https://docs.gitlab.com/runner/executors/kubernetes.html#using-security-context + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # pod_security_context: + # run_as_non_root: true + # run_as_user: 100 + # run_as_group: 100 + # fs_group: 65533 + # supplemental_groups: [101, 102] + + ## Service Account to be used for runners + ## + # serviceAccountName: + + ## If Gitlab is not reachable through $CI_SERVER_URL + ## + ## DEPRECATED: See 
https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # cloneUrl: + + ## Specify node labels for CI job pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # nodeSelector: {} + + ## Specify node tolerations for CI job pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # nodeTolerations: {} + + ## Specify pod labels for CI job pods + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # podLabels: {} + + ## Specify annotations for job pods, useful for annotations such as iam.amazonaws.com/role + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # podAnnotations: {} + + ## Configure environment variables that will be injected to the pods that are created while + ## the build is running. These variables are passed as parameters, i.e. `--env "NAME=VALUE"`, + ## to `gitlab-runner register` command. + ## + ## Note that `envVars` (see below) are only present in the runner pod, not the pods that are + ## created for each build. + ## + ## ref: https://docs.gitlab.com/runner/commands/#gitlab-runner-register + ## + ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration + # env: + # NAME: VALUE + + +## Specify the name of the scheduler which used to schedule runner pods. +## Kubernetes supports multiple scheduler configurations. 
+## ref: https://kubernetes.io/docs/reference/scheduling +# schedulerName: "my-custom-scheduler" + +## Configure securitycontext for the main container +## ref: http://kubernetes.io/docs/user-guide/security-context/ +## +securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + privileged: false + capabilities: + drop: ["ALL"] + +## Configure securitycontext valid for the whole pod +## ref: http://kubernetes.io/docs/user-guide/security-context/ +## +podSecurityContext: + runAsUser: 100 + # runAsGroup: 65533 + fsGroup: 65533 + # supplementalGroups: [65533] + + ## Note: values for the ubuntu image: + # runAsUser: 999 + # fsGroup: 999 + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: {} + # limits: + # memory: 256Mi + # cpu: 200m + # requests: + # memory: 128Mi + # cpu: 100m + +## Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + # Example: The gitlab runner manager should not run on spot instances so you can assign + # them to the regular worker nodes only. + # node-role.kubernetes.io/worker: "true" + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + # Example: Regular worker nodes may have a taint, thus you need to tolerate the taint + # when you assign the gitlab runner manager with nodeSelector or affinity to the nodes. 
+ # - key: "node-role.kubernetes.io/worker" + # operator: "Exists" + +## Configure environment variables that will be present when the registration command runs +## This provides further control over the registration process and the config.toml file +## ref: `gitlab-runner register --help` +## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html +## +# envVars: +# - name: RUNNER_EXECUTOR +# value: kubernetes + +## list of hosts and IPs that will be injected into the pod's hosts file +hostAliases: [] + # Example: + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # - ip: "10.1.2.3" + # hostnames: + # - "foo.remote" + # - "bar.remote" + +## Annotations to be added to manager pod +## +podAnnotations: {} + # Example: + # iam.amazonaws.com/role: + +## Labels to be added to manager pod +## +podLabels: {} + # Example: + # owner.team: + +## HPA support for custom metrics: +## This section enables runners to autoscale based on defined custom metrics. +## In order to use this functionality, Need to enable a custom metrics API server by +## implementing "custom.metrics.k8s.io" using supported third party adapter +## Example: https://github.com/directxman12/k8s-prometheus-adapter +## +#hpa: {} + # minReplicas: 1 + # maxReplicas: 10 + # metrics: + # - type: Pods + # pods: + # metricName: gitlab_runner_jobs + # targetAverageValue: 400m + +## Configure priorityClassName for manager pod. See k8s docs for more info on how pod priority works: +## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +priorityClassName: "" + +## Secrets to be additionally mounted to the containers. +## All secrets are mounted through init-runner-secrets volume +## and placed as readonly at /init-secrets in the init container +## and finally copied to an in-memory volume runner-secrets that is +## mounted at /secrets. 
+secrets: [] + # Example: + # - name: my-secret + # - name: myOtherSecret + # items: + # - key: key_one + # path: path_one + +## Additional config files to mount in the containers in `/configmaps`. +## +## Please note that a number of keys are reserved by the runner. +## See https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml +## for a current list. +configMaps: {} + +## Additional volumeMounts to add to the runner container +## +volumeMounts: [] + # Example: + # - name: my-volume + # mountPath: /mount/path + +## Additional volumes to add to the runner deployment +## +volumes: [] + # Example: + # - name: my-volume + # persistentVolumeClaim: + # claimName: my-pvc
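Review bot: The default `runners.config` block pins job containers to `image = "ubuntu:16.04"`, a base that has been out of standard support for years, so every job that does not name its own image runs on an unpatched root filesystem; a maintained LTS tag such as `image = "ubuntu:22.04"` is a one-line change. This file also appears to be a verbatim copy of the upstream chart's `values.yaml` (the header still describes the upstream registry and `Chart.yaml` `appVersion` mechanics), which means security fixes to the chart — including the RBAC defaults raised at the role template in this diff — will have to be re-synced by hand. Recording the provenance at the top of the file, e.g. `## Vendored from the upstream gitlab-runner chart, version <UPSTREAM-VERSION-PLACEHOLDER>`, would make that re-sync tractable; the hunk appears to end at this chunk, but the header comment belongs at the top of the file regardless.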