pub/gitlab-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Vassiliy Yegorov
2022-09-06 10:22:06 +07:00
parent a3ace3a444
commit 8b460261db
27 changed files with 2646 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
k8s/gitlab-runner/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,36 @@
{{- if include "gitlab-runner.gitlabUrl" . }}
Your GitLab Runner should now be registered against the GitLab instance reachable at: {{ include "gitlab-runner.gitlabUrl" . }}
{{- else -}}
#############################################################################################
## WARNING: You did not specify an gitlabUrl in your 'helm install' call. ##
#############################################################################################
This deployment will be incomplete until you provide the URL that your
GitLab instance is reachable at:
helm upgrade {{ .Release.Name }} \
--set gitlabUrl=http://gitlab.your-domain.com,runnerRegistrationToken=your-registration-token \
gitlab/gitlab-runner
{{- end -}}
{{- if not .Values.runners.config }}
#############################################################################################
## WARNING: You don't seem to be using the GitLab Runner config template functionality. ##
## Configuring the GitLab Runner through that template is recommended as other ##
## configuration options will be deprecated in Helm Chart 1.0. Read more at ##
## https://docs.gitlab.com/runner/install/kubernetes.html#using-configuration-template. ##
#############################################################################################
{{- end }}
{{- $runnerNamespace := regexFind "\\s*namespace\\s*=.+\\s*" (tpl .Values.runners.config $) | regexFind "=.+" | trimPrefix "=" | trim -}}
{{- if regexMatch "\\s*namespace\\s*=" .Values.runners.config }}
Runner namespace {{ $runnerNamespace }} was found in runners.config template.
{{- if .Values.runners.namespace }}
#############################################################################################
## WARNING: You have set the namespace in runners.config and also set in deprecated ##
## runner.namespace element. The runners.config namespace will be ignored. ##
#############################################################################################
{{- end }}
{{- end }}

28
k8s/gitlab-runner/templates/_cache.tpl Normal file
View File

@@ -0,0 +1,28 @@
{{- define "gitlab-runner.cache" }}
{{- if .Values.runners.cache.cacheType }}
- name: CACHE_TYPE
value: {{ default "" .Values.runners.cache.cacheType | quote }}
- name: CACHE_PATH
value: {{ coalesce .Values.runners.cache.cachePath .Values.runners.cache.s3CachePath | default "" | quote }}
{{- if .Values.runners.cache.cacheShared }}
- name: CACHE_SHARED
value: "true"
{{- end }}
{{- if eq .Values.runners.cache.cacheType "s3" }}
- name: CACHE_S3_SERVER_ADDRESS
value: {{ include "gitlab-runner.cache.s3ServerAddress" . }}
- name: CACHE_S3_BUCKET_NAME
value: {{ default "" .Values.runners.cache.s3BucketName | quote }}
- name: CACHE_S3_BUCKET_LOCATION
value: {{ default "" .Values.runners.cache.s3BucketLocation | quote }}
{{- if .Values.runners.cache.s3CacheInsecure }}
- name: CACHE_S3_INSECURE
value: "true"
{{- end }}
{{- end }}
{{- if eq .Values.runners.cache.cacheType "gcs" }}
- name: CACHE_GCS_BUCKET_NAME
value: {{ default "" .Values.runners.cache.gcsBucketName | quote }}
{{- end }}
{{- end }}
{{- end -}}

145
k8s/gitlab-runner/templates/_env_vars.tpl Normal file
View File

@@ -0,0 +1,145 @@
{{- define "gitlab-runner.runner-env-vars" }}
- name: CI_SERVER_URL
value: {{ include "gitlab-runner.gitlabUrl" . }}
- name: CLONE_URL
value: {{ default "" .Values.runners.cloneUrl | quote }}
{{- if .Values.runners.requestConcurrency }}
- name: RUNNER_REQUEST_CONCURRENCY
value: {{ default 1 .Values.runners.requestConcurrency | quote }}
{{- end }}
- name: RUNNER_EXECUTOR
value: {{ default "kubernetes" .Values.runners.executor | quote }}
- name: REGISTER_LOCKED
{{ if or (not (hasKey .Values.runners "locked")) .Values.runners.locked -}}
value: "true"
{{- else -}}
value: "false"
{{- end }}
- name: RUNNER_TAG_LIST
value: {{ default "" .Values.runners.tags | quote }}
{{- if .Values.runners.outputLimit }}
- name: RUNNER_OUTPUT_LIMIT
value: {{ .Values.runners.outputLimit | quote }}
{{- end}}
{{- if eq (default "kubernetes" .Values.runners.executor) "kubernetes" }}
{{- if .Values.runners.image }}
- name: KUBERNETES_IMAGE
value: {{ .Values.runners.image | quote }}
{{- end }}
{{- if .Values.runners.privileged }}
- name: KUBERNETES_PRIVILEGED
value: "true"
{{- end }}
{{- if or .Values.runners.namespace (not (regexMatch "\\s*namespace\\s*=" .Values.runners.config)) }}
- name: KUBERNETES_NAMESPACE
value: {{ default .Release.Namespace .Values.runners.namespace | quote }}
{{- end }}
{{- if .Values.runners.pollTimeout }}
- name: KUBERNETES_POLL_TIMEOUT
value: {{ .Values.runners.pollTimeout | quote }}
{{- end }}
{{- if .Values.runners.builds.cpuLimit }}
- name: KUBERNETES_CPU_LIMIT
value: {{ .Values.runners.builds.cpuLimit | quote }}
{{- end }}
{{- if .Values.runners.builds.cpuLimitOverwriteMaxAllowed }}
- name: KUBERNETES_CPU_LIMIT_OVERWRITE_MAX_ALLOWED
value: {{ .Values.runners.builds.cpuLimitOverwriteMaxAllowed | quote }}
{{- end }}
{{- if .Values.runners.builds.memoryLimit }}
- name: KUBERNETES_MEMORY_LIMIT
value: {{ .Values.runners.builds.memoryLimit | quote }}
{{- end }}
{{- if .Values.runners.builds.memoryLimitOverwriteMaxAllowed }}
- name: KUBERNETES_MEMORY_LIMIT_OVERWRITE_MAX_ALLOWED
value: {{ .Values.runners.builds.memoryLimitOverwriteMaxAllowed | quote }}
{{- end }}
{{- if .Values.runners.builds.cpuRequests }}
- name: KUBERNETES_CPU_REQUEST
value: {{ .Values.runners.builds.cpuRequests | quote }}
{{- end }}
{{- if .Values.runners.builds.cpuRequestsOverwriteMaxAllowed }}
- name: KUBERNETES_CPU_REQUEST_OVERWRITE_MAX_ALLOWED
value: {{ .Values.runners.builds.cpuRequestsOverwriteMaxAllowed | quote }}
{{- end }}
{{- if .Values.runners.builds.memoryRequests }}
- name: KUBERNETES_MEMORY_REQUEST
value: {{ .Values.runners.builds.memoryRequests| quote }}
{{- end }}
{{- if .Values.runners.builds.memoryRequestsOverwriteMaxAllowed }}
- name: KUBERNETES_MEMORY_REQUEST_OVERWRITE_MAX_ALLOWED
value: {{ .Values.runners.builds.memoryRequestsOverwriteMaxAllowed | quote }}
{{- end }}
{{- if .Values.runners.serviceAccountName }}
- name: KUBERNETES_SERVICE_ACCOUNT
value: {{ .Values.runners.serviceAccountName | quote }}
{{- end }}
{{- if .Values.runners.services.cpuLimit }}
- name: KUBERNETES_SERVICE_CPU_LIMIT
value: {{ .Values.runners.services.cpuLimit | quote }}
{{- end }}
{{- if .Values.runners.services.memoryLimit }}
- name: KUBERNETES_SERVICE_MEMORY_LIMIT
value: {{ .Values.runners.services.memoryLimit | quote }}
{{- end }}
{{- if .Values.runners.services.cpuRequests }}
- name: KUBERNETES_SERVICE_CPU_REQUEST
value: {{ .Values.runners.services.cpuRequests | quote }}
{{- end }}
{{- if .Values.runners.services.memoryRequests }}
- name: KUBERNETES_SERVICE_MEMORY_REQUEST
value: {{ .Values.runners.services.memoryRequests | quote }}
{{- end }}
{{- if .Values.runners.helpers.cpuLimit }}
- name: KUBERNETES_HELPER_CPU_LIMIT
value: {{ .Values.runners.helpers.cpuLimit | quote }}
{{- end }}
{{- if .Values.runners.helpers.memoryLimit }}
- name: KUBERNETES_HELPER_MEMORY_LIMIT
value: {{ .Values.runners.helpers.memoryLimit | quote }}
{{- end }}
{{- if .Values.runners.helpers.cpuRequests }}
- name: KUBERNETES_HELPER_CPU_REQUEST
value: {{ .Values.runners.helpers.cpuRequests | quote }}
{{- end }}
{{- if .Values.runners.helpers.memoryRequests }}
- name: KUBERNETES_HELPER_MEMORY_REQUEST
value: {{ .Values.runners.helpers.memoryRequests | quote }}
{{- end }}
{{- if .Values.runners.helpers.image }}
- name: KUBERNETES_HELPER_IMAGE
value: {{ .Values.runners.helpers.image | quote }}
{{- end }}
{{- if .Values.runners.imagePullPolicy }}
- name: KUBERNETES_PULL_POLICY
value: {{ .Values.runners.imagePullPolicy | quote }}
{{- end }}
{{- if .Values.runners.pod_security_context }}
{{- if .Values.runners.pod_security_context.run_as_non_root }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_NON_ROOT
value: "true"
{{- end }}
{{- if .Values.runners.pod_security_context.run_as_user }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_USER
value: {{ .Values.runners.pod_security_context.run_as_user | quote }}
{{- end }}
{{- if .Values.runners.pod_security_context.run_as_group }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_GROUP
value: {{ .Values.runners.pod_security_context.run_as_group | quote }}
{{- end }}
{{- if .Values.runners.pod_security_context.fs_group }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_FS_GROUP
value: {{ .Values.runners.pod_security_context.fs_group | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.runners.cache -}}
{{ include "gitlab-runner.cache" . }}
{{- end }}
{{- if .Values.envVars -}}
{{ range .Values.envVars }}
- name: {{ .name }}
value: {{ .value | quote }}
{{- end }}
{{- end }}
{{- end }}

120
k8s/gitlab-runner/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,120 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "gitlab-runner.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "gitlab-runner.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if hasPrefix $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gitlab-runner.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Define the name of the secret containing the tokens
*/}}
{{- define "gitlab-runner.secret" -}}
{{- default (include "gitlab-runner.fullname" .) .Values.runners.secret | quote -}}
{{- end -}}
{{/*
Define the name of the s3 cache secret
*/}}
{{- define "gitlab-runner.cache.secret" -}}
{{- if .Values.runners.cache.secretName -}}
{{- .Values.runners.cache.secretName | quote -}}
{{- end -}}
{{- end -}}
{{/*
Template for outputing the gitlabUrl
*/}}
{{- define "gitlab-runner.gitlabUrl" -}}
{{- .Values.gitlabUrl | quote -}}
{{- end -}}
{{/*
Template runners.cache.s3ServerAddress in order to allow overrides from external charts.
*/}}
{{- define "gitlab-runner.cache.s3ServerAddress" }}
{{- default "" .Values.runners.cache.s3ServerAddress | quote -}}
{{- end -}}
{{/*
Define the image, using .Chart.AppVersion and GitLab Runner image as a default value
*/}}
{{- define "gitlab-runner.image" }}
{{- if kindIs "string" .Values.image -}}
{{- .Values.image }}
{{- else -}}
{{- $appVersion := ternary "bleeding" (print "v" .Chart.AppVersion) (eq .Chart.AppVersion "bleeding") -}}
{{- $appVersionImageTag := printf "alpine-%s" $appVersion -}}
{{- $imageTag := default $appVersionImageTag .Values.image.tag -}}
{{- printf "%s/%s:%s" .Values.image.registry .Values.image.image $imageTag }}
{{- end -}}
{{- end -}}
{{/*
Define the server session timeout, using 1800 as a default value
*/}}
{{- define "gitlab-runner.server-session-timeout" }}
{{- default 1800 .Values.sessionServer.timeout }}
{{- end -}}
{{/*
Define the server session internal port, using 9000 as a default value
*/}}
{{- define "gitlab-runner.server-session-external-port" }}
{{- default 9000 .Values.sessionServer.externalPort }}
{{- end -}}
{{/*
Define the server session external port, using 8093 as a default value
*/}}
{{- define "gitlab-runner.server-session-internal-port" }}
{{- default 8093 .Values.sessionServer.internalPort }}
{{- end -}}
{{/*
Unregister runner on pod stop
*/}}
{{- define "gitlab-runner.unregisterRunner" -}}
{{- if or (and (hasKey .Values "unregisterRunner") .Values.unregisterRunner) (and (not (hasKey .Values "unregisterRunner")) .Values.runnerRegistrationToken) -}}
lifecycle:
preStop:
exec:
command: ["/entrypoint", "unregister", "--config=/home/gitlab-runner/.gitlab-runner/config.toml"]
{{- end -}}
{{- end -}}
{{/*
Unregister all runners on pod stop
*/}}
{{- define "gitlab-runner.unregisterRunners" -}}
{{- if or (and (hasKey .Values "unregisterRunners") .Values.unregisterRunners) (and (not (hasKey .Values "unregisterRunners")) .Values.runnerRegistrationToken) -}}
lifecycle:
preStop:
exec:
command: ["/entrypoint", "unregister", "--all-runners"]
{{- end -}}
{{- end -}}

236
k8s/gitlab-runner/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,236 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitlab-runner.fullname" . }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
data:
entrypoint: |
#!/bin/bash
set -e
mkdir -p /home/gitlab-runner/.gitlab-runner/
cp /configmaps/config.toml /home/gitlab-runner/.gitlab-runner/
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
quit() {
kill -TERM "$child"
}
trap quit QUIT TERM
sh /configmaps/set-session-server-address &
child=$!
wait "$child"
{{- end }}
# Set up environment variables for cache
if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then
export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey)
export CACHE_S3_SECRET_KEY=$(cat /secrets/secretkey)
fi
if [[ -f /secrets/gcs-applicaton-credentials-file ]]; then
export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-applicaton-credentials-file"
elif [[ -f /secrets/gcs-application-credentials-file ]]; then
export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file"
else
if [[ -f /secrets/gcs-access-id && -f /secrets/gcs-private-key ]]; then
export CACHE_GCS_ACCESS_ID=$(cat /secrets/gcs-access-id)
# echo -e used to make private key multiline (in google json auth key private key is oneline with \n)
export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key))
fi
fi
if [[ -f /secrets/azure-account-name && -f /secrets/azure-account-key ]]; then
export CACHE_AZURE_ACCOUNT_NAME=$(cat /secrets/azure-account-name)
export CACHE_AZURE_ACCOUNT_KEY=$(cat /secrets/azure-account-key)
fi
if [[ -f /secrets/runner-registration-token ]]; then
export REGISTRATION_TOKEN=$(cat /secrets/runner-registration-token)
fi
if [[ -f /secrets/runner-token ]]; then
export CI_SERVER_TOKEN=$(cat /secrets/runner-token)
fi
{{- if and (not (empty .Values.runnerToken)) (ne "1" ((default "1" .Values.replicas) | toString)) }}
{{- fail "Using a runner token with more than 1 replica is not supported." }}
{{- end }}
# Validate this also at runtime in case the user has set a custom secret
if [[ ! -z "$CI_SERVER_TOKEN" && "{{ default 1 .Values.replicas }}" -ne "1" ]]; then
echo "Using a runner token with more than 1 replica is not supported."
exit 1
fi
# Register the runner
if ! sh /configmaps/register-the-runner; then
exit 1
fi
# Run pre-entrypoint-script
if ! bash /configmaps/pre-entrypoint-script; then
exit 1
fi
# Start the runner
exec /entrypoint run --user=gitlab-runner \
--working-directory=/home/gitlab-runner
config.toml: |
concurrent = {{ .Values.concurrent }}
check_interval = {{ .Values.checkInterval }}
log_level = {{ default "info" .Values.logLevel | quote }}
{{- if .Values.logFormat }}
log_format = {{ .Values.logFormat | quote }}
{{- end }}
{{- if .Values.metrics.enabled }}
listen_address = ':9252'
{{- end }}
{{- if .Values.sentryDsn }}
sentry_dsn = "{{ .Values.sentryDsn }}"
{{- end }}
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
[session_server]
session_timeout = {{ include "gitlab-runner.server-session-timeout" . }}
listen_address = "0.0.0.0:{{ include "gitlab-runner.server-session-internal-port" . }}"
advertise_address = "SESSION_SERVER_IP:{{ include "gitlab-runner.server-session-external-port" . }}"
{{- end }}
{{ if .Values.runners.config }}
config.template.toml: {{ tpl (toYaml .Values.runners.config) $ | indent 2 }}
{{ end }}
register-the-runner: |
#!/bin/bash
MAX_REGISTER_ATTEMPTS=30
for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do
echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}"
/entrypoint register \
{{- range .Values.runners.imagePullSecrets }}
--kubernetes-image-pull-secrets {{ . | quote }} \
{{- end }}
{{- range $key, $val := .Values.runners.nodeSelector }}
--kubernetes-node-selector {{ $key | quote }}:{{ $val | quote }} \
{{- end }}
{{- range .Values.runners.nodeTolerations }}
{{- $keyValue := .key }}
{{- if eq (.operator | default "Equal") "Equal" }}
{{- $keyValue = print $keyValue "=" (.value | default "" ) }}
{{- end }}
--kubernetes-node-tolerations {{ $keyValue }}:{{ .effect | quote }} \
{{- end }}
{{- range $key, $value := .Values.runners.podLabels }}
--kubernetes-pod-labels {{ $key | quote }}:{{ $value | quote }} \
{{- end }}
{{- range $key, $val := .Values.runners.podAnnotations }}
--kubernetes-pod-annotations {{ $key | quote }}:{{ $val | quote }} \
{{- end }}
{{- if and (hasKey .Values.runners "name") .Values.runners.name }}
--name={{ .Values.runners.name | quote -}} \
{{- end }}
{{- if and (hasKey .Values.runners "maximumTimeout") .Values.runners.maximumTimeout }}
--maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \
{{- end }}
{{- range $key, $value := .Values.runners.env }}
--env {{ $key | quote -}} = {{- $value | quote }} \
{{- end }}
{{- if and (hasKey .Values.runners "runUntagged") .Values.runners.runUntagged }}
--run-untagged=true \
{{- end }}
{{- if and (hasKey .Values.runners "protected") .Values.runners.protected }}
--access-level="ref_protected" \
{{- end }}
{{- if .Values.runners.pod_security_context }}
{{- if .Values.runners.pod_security_context.supplemental_groups }}
{{- range $gid := .Values.runners.pod_security_context.supplemental_groups }}
--kubernetes-pod-security-context-supplemental-groups {{ $gid | quote }} \
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.runners.config }}
--template-config /configmaps/config.template.toml \
{{- end }}
--non-interactive
retval=$?
if [ ${retval} = 0 ]; then
break
elif [ ${i} = ${MAX_REGISTER_ATTEMPTS} ]; then
exit 1
fi
sleep 5
done
exit 0
check-live: |
#!/bin/bash
if /usr/bin/pgrep -f .*register-the-runner; then
exit 0
elif /usr/bin/pgrep gitlab.*runner; then
exit 0
else
exit 1
fi
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
set-session-server-address: |
#!/bin/bash
{{- if (not .Values.sessionServer.publicIP) }}
APISERVER=https://kubernetes.default.svc \
&& SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount \
&& NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) \
&& TOKEN=$(cat ${SERVICEACCOUNT}/token) \
&& CACERT=${SERVICEACCOUNT}/ca.crt \
&& header="Authorization: Bearer ${TOKEN}"
SERVICEURL=${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/{{ include "gitlab-runner.fullname" . }}-session-server
has_address=false
while [ "${has_address}" = false ]; do
SERVICEIP=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"ip":' | cut -d ":" -f2 | xargs)
# for aws, the hostname is available but not the external IP
SERVICEHOSTNAME=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"hostname":' | cut -d ":" -f2 | xargs)
ADDRESS="${SERVICEHOSTNAME:-$SERVICEIP}"
if [ -z "${ADDRESS}" ]
then
echo "Service LoadBalancer External Address not yet available"
has_address=false
sleep 5
else
has_address=true
sed -i -e "s/SESSION_SERVER_IP/${ADDRESS}/g" /home/gitlab-runner/.gitlab-runner/config.toml
fi
done
{{- else }}
sed -i -e "s/SESSION_SERVER_IP/{{ .Values.sessionServer.publicIP }}/g" /home/gitlab-runner/.gitlab-runner/config.toml
{{- end}}
{{ end }}
pre-entrypoint-script: |
{{ .Values.preEntrypointScript | default "" | indent 4 }}
{{ if not (empty .Values.configMaps) }}{{ toYaml .Values.configMaps | indent 2 }}{{ end }}

169
k8s/gitlab-runner/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,169 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "gitlab-runner.fullname" . }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
replicas: {{ default 1 .Values.replicas }}
revisionHistoryLimit: {{ default 10 .Values.revisionHistoryLimit }}
selector:
matchLabels:
app: {{ include "gitlab-runner.fullname" . }}
template:
metadata:
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- range $key, $value := .Values.podLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
annotations:
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- if .Values.metrics.enabled }}
prometheus.io/scrape: 'true'
prometheus.io/port: {{ .Values.metrics.port | quote }}
{{- end }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
serviceAccountName: {{ if .Values.rbac.create }}{{ include "gitlab-runner.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
containers:
- name: {{ include "gitlab-runner.fullname" . }}
image: {{ include "gitlab-runner.image" . }}
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
securityContext: {{ toYaml .Values.securityContext | nindent 10 }}
{{- include "gitlab-runner.unregisterRunner" . | nindent 8 }}
{{- include "gitlab-runner.unregisterRunners" . | nindent 8 }}
command: ["/usr/bin/dumb-init", "--", "/bin/bash", "/configmaps/entrypoint"]
env:
{{ include "gitlab-runner.runner-env-vars" . | indent 8 }}
livenessProbe:
exec:
command: ["/bin/bash", "/configmaps/check-live"]
initialDelaySeconds: 60
timeoutSeconds: {{ default 1 .Values.probeTimeoutSeconds }}
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
exec:
command: ["/usr/bin/pgrep","gitlab.*runner"]
initialDelaySeconds: 10
timeoutSeconds: {{ default 1 .Values.probeTimeoutSeconds }}
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
ports:
- name: {{ .Values.metrics.portName | quote }}
containerPort: {{ .Values.metrics.port }}
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
- name: session-server
containerPort: {{ include "gitlab-runner.server-session-internal-port" . }}
protocol: TCP
{{- end }}
volumeMounts:
- name: projected-secrets
mountPath: /secrets
- name: etc-gitlab-runner
mountPath: /home/gitlab-runner/.gitlab-runner
- name: configmaps
mountPath: /configmaps
{{- if .Values.certsSecretName }}
- name: custom-certs
readOnly: true
mountPath: /home/gitlab-runner/.gitlab-runner/certs/
{{- end }}
{{- if .Values.volumeMounts }}
{{ toYaml .Values.volumeMounts | indent 8 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumes:
- name: runner-secrets
emptyDir:
medium: "Memory"
- name: etc-gitlab-runner
emptyDir:
medium: "Memory"
- name: projected-secrets
projected:
sources:
{{- if .Values.runners.cache.cacheType }}
# .Values.runners.cache.cacheType is deprecated: https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/224
{{- end }}
{{- if and .Values.runners.cache .Values.runners.cache.cacheType }}
{{- if and (include "gitlab-runner.cache.secret" .) (eq .Values.runners.cache.cacheType "s3") }}
- secret:
name: {{ include "gitlab-runner.cache.secret" . }}
{{- end }}
{{- if eq .Values.runners.cache.cacheType "gcs"}}
- secret:
# Outdated default secret "s3access" kept for compatibilty with older installs using it.
# Will be removed in next major release: https://gitlab.com/gitlab-org/charts/gitlab-runner/merge_requests/177
name: {{ default "s3access" (include "gitlab-runner.cache.secret" .) }}
{{- end }}
{{- else if include "gitlab-runner.cache.secret" . }}
- secret:
name: {{ include "gitlab-runner.cache.secret" . }}
{{- end }}
- secret:
name: {{ include "gitlab-runner.secret" . }}
items:
- key: runner-registration-token
path: runner-registration-token
- key: runner-token
path: runner-token
{{- range .Values.secrets }}
- secret:
{{ toYaml . | indent 16 }}
{{- end }}
{{- if .Values.certsSecretName }}
- name: custom-certs
secret:
secretName: {{ .Values.certsSecretName }}
{{- end }}
- name: configmaps
configMap:
name: {{ include "gitlab-runner.fullname" . }}
{{- if .Values.volumes }}
{{ toYaml .Values.volumes | indent 6 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.hostAliases }}
hostAliases:
{{ toYaml .Values.hostAliases | indent 8 }}
{{- end }}

16
k8s/gitlab-runner/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.hpa}}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "gitlab-runner.fullname" . }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "gitlab-runner.fullname" . }}
minReplicas: {{ default 1 .Values.hpa.minReplicas }}
maxReplicas: {{ default 1 .Values.hpa.maxReplicas }}
metrics:
{{ toYaml .Values.hpa.metrics | indent 2 }}
{{- end}}

22
k8s/gitlab-runner/templates/role-binding.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRoleBinding"{{ else }}"RoleBinding"{{ end }}
metadata:
name: {{ include "gitlab-runner.fullname" . }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{ if not .Values.rbac.clusterWideAccess -}}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }}
name: {{ include "gitlab-runner.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gitlab-runner.fullname" . }}
namespace: "{{ .Release.Namespace }}"
{{- end -}}

32
k8s/gitlab-runner/templates/role.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }}
metadata:
name: {{ include "gitlab-runner.fullname" . }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{ if not .Values.rbac.clusterWideAccess -}}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
{{- end }}
rules:
{{- if .Values.rbac.podSecurityPolicy.enabled }}
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
{{ toYaml .Values.rbac.podSecurityPolicy.resourceNames | indent 2 }}
{{- end }}
{{- if or (empty .Values.rbac.rules) (or .Values.rbac.resources .Values.rbac.verbs) }}
- apiGroups: [""]
resources: {{ (default (list "*") .Values.rbac.resources | toJson) }}
verbs: {{ (default (list "*") .Values.rbac.verbs | toJson) }}
{{- end -}}
{{ range .Values.rbac.rules }}
- apiGroups: {{ (default (list "") .apiGroups) | toJson }}
resources: {{ (default (list "*") .resources) | toJson }}
verbs: {{ (default (list "*") .verbs) | toJson }}
{{- end }}
{{- end -}}

16
k8s/gitlab-runner/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if or .Values.runnerRegistrationToken .Values.runnerToken -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitlab-runner.secret" . }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
runner-registration-token: {{ default "" .Values.runnerRegistrationToken | b64enc | quote }}
runner-token: {{ default "" .Values.runnerToken | b64enc | quote }}
{{- end -}}

21
k8s/gitlab-runner/templates/service-account.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if .Values.rbac.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
{{- range $key, $value := .Values.rbac.serviceAccountAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
name: {{ include "gitlab-runner.fullname" . }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.rbac.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.rbac.imagePullSecrets }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
{{- end -}}

32
k8s/gitlab-runner/templates/service-session-server.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gitlab-runner.fullname" . }}-session-server
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
{{- if .Values.sessionServer.annotations }}
annotations:
{{- toYaml .Values.sessionServer.annotations | nindent 4 }}
{{- end }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
selector:
app: {{ include "gitlab-runner.fullname" . }}
release: "{{ .Release.Name }}"
type: LoadBalancer
{{- if .Values.sessionServer.publicIP }}
loadBalancerIP: {{ .Values.sessionServer.publicIP }}
{{- end }}
{{- if .Values.sessionServer.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml .Values.sessionServer.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
ports:
- protocol: TCP
port: {{ include "gitlab-runner.server-session-external-port" . }}
targetPort: {{ include "gitlab-runner.server-session-internal-port" . }}
{{- end }}

52
k8s/gitlab-runner/templates/service.yaml Normal file
View File

@@ -0,0 +1,52 @@
{{- if and .Values.service.enabled .Values.metrics.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gitlab-runner.fullname" . | quote }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
labels:
app: {{ include "gitlab-runner.fullname" . | quote }}
chart: {{ include "gitlab-runner.chart" . | quote }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- if .Values.service.labels }}
{{- toYaml .Values.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{- toYaml .Values.service.annotations | nindent 4 }}
{{- end }}
spec:
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP | quote }}
{{- end }}
{{- if .Values.service.externalIPs }}
externalIPs:
{{- toYaml .Values.service.externalIPs | nindent 4 }}
{{- end }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }}
{{- end }}
{{- if .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range $cidr := .Values.service.loadBalancerSourceRanges }}
- {{ $cidr | quote }}
{{- end }}
{{- end }}
ports:
{{- if .Values.metrics.enabled }}
- name: {{ .Values.metrics.portName | quote }}
{{- if eq .Values.service.type "NodePort" }}
nodePort: {{ .Values.service.metrics.nodePort }}
{{- end }}
port: {{ .Values.metrics.port }}
targetPort: {{ .Values.metrics.portName | quote }}
{{- end }}
{{- if .Values.service.additionalPorts }}
{{- toYaml .Values.service.additionalPorts | nindent 2 }}
{{- end }}
selector:
app: {{ include "gitlab-runner.fullname" . | quote }}
release: {{ .Release.Name | quote }}
type: {{ .Values.service.type | default "ClusterIP" | quote }}
{{- end }}

53
k8s/gitlab-runner/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,53 @@
{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.enabled .Values.service.enabled -}}
{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "gitlab-runner.fullname" . | quote }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
labels:
app: {{ include "gitlab-runner.fullname" . | quote }}
chart: {{ include "gitlab-runner.chart" . | quote }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- if .Values.metrics.serviceMonitor.labels }}
{{- toYaml .Values.metrics.serviceMonitor.labels | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ .Values.metrics.portName | quote }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scheme }}
scheme: {{ .Values.metrics.serviceMonitor.scheme | quote }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml .Values.metrics.serviceMonitor.tlsConfig | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6) . }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.path }}
path: {{ .Values.metrics.serviceMonitor.path }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
namespaceSelector:
matchNames:
- {{ $.Release.Namespace | quote }}
selector:
matchLabels:
app: {{ include "gitlab-runner.fullname" . | quote }}
chart: {{ include "gitlab-runner.chart" . | quote }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- end }}
{{- end }}