pub/gitlab-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Vassiliy Yegorov
2022-09-06 10:22:06 +07:00
parent a3ace3a444
commit 8b460261db
27 changed files with 2646 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

236
k8s/gitlab-runner/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,236 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitlab-runner.fullname" . }}
namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
labels:
app: {{ include "gitlab-runner.fullname" . }}
chart: {{ include "gitlab-runner.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
data:
entrypoint: |
#!/bin/bash
set -e
mkdir -p /home/gitlab-runner/.gitlab-runner/
cp /configmaps/config.toml /home/gitlab-runner/.gitlab-runner/
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
quit() {
kill -TERM "$child"
}
trap quit QUIT TERM
sh /configmaps/set-session-server-address &
child=$!
wait "$child"
{{- end }}
# Set up environment variables for cache
if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then
export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey)
export CACHE_S3_SECRET_KEY=$(cat /secrets/secretkey)
fi
if [[ -f /secrets/gcs-applicaton-credentials-file ]]; then
export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-applicaton-credentials-file"
elif [[ -f /secrets/gcs-application-credentials-file ]]; then
export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file"
else
if [[ -f /secrets/gcs-access-id && -f /secrets/gcs-private-key ]]; then
export CACHE_GCS_ACCESS_ID=$(cat /secrets/gcs-access-id)
# echo -e used to make private key multiline (in google json auth key private key is oneline with \n)
export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key))
fi
fi
if [[ -f /secrets/azure-account-name && -f /secrets/azure-account-key ]]; then
export CACHE_AZURE_ACCOUNT_NAME=$(cat /secrets/azure-account-name)
export CACHE_AZURE_ACCOUNT_KEY=$(cat /secrets/azure-account-key)
fi
if [[ -f /secrets/runner-registration-token ]]; then
export REGISTRATION_TOKEN=$(cat /secrets/runner-registration-token)
fi
if [[ -f /secrets/runner-token ]]; then
export CI_SERVER_TOKEN=$(cat /secrets/runner-token)
fi
{{- if and (not (empty .Values.runnerToken)) (ne "1" ((default "1" .Values.replicas) | toString)) }}
{{- fail "Using a runner token with more than 1 replica is not supported." }}
{{- end }}
# Validate this also at runtime in case the user has set a custom secret
if [[ ! -z "$CI_SERVER_TOKEN" && "{{ default 1 .Values.replicas }}" -ne "1" ]]; then
echo "Using a runner token with more than 1 replica is not supported."
exit 1
fi
# Register the runner
if ! sh /configmaps/register-the-runner; then
exit 1
fi
# Run pre-entrypoint-script
if ! bash /configmaps/pre-entrypoint-script; then
exit 1
fi
# Start the runner
exec /entrypoint run --user=gitlab-runner \
--working-directory=/home/gitlab-runner
config.toml: |
concurrent = {{ .Values.concurrent }}
check_interval = {{ .Values.checkInterval }}
log_level = {{ default "info" .Values.logLevel | quote }}
{{- if .Values.logFormat }}
log_format = {{ .Values.logFormat | quote }}
{{- end }}
{{- if .Values.metrics.enabled }}
listen_address = ':9252'
{{- end }}
{{- if .Values.sentryDsn }}
sentry_dsn = "{{ .Values.sentryDsn }}"
{{- end }}
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
[session_server]
session_timeout = {{ include "gitlab-runner.server-session-timeout" . }}
listen_address = "0.0.0.0:{{ include "gitlab-runner.server-session-internal-port" . }}"
advertise_address = "SESSION_SERVER_IP:{{ include "gitlab-runner.server-session-external-port" . }}"
{{- end }}
{{ if .Values.runners.config }}
config.template.toml: {{ tpl (toYaml .Values.runners.config) $ | indent 2 }}
{{ end }}
register-the-runner: |
#!/bin/bash
MAX_REGISTER_ATTEMPTS=30
for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do
echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}"
/entrypoint register \
{{- range .Values.runners.imagePullSecrets }}
--kubernetes-image-pull-secrets {{ . | quote }} \
{{- end }}
{{- range $key, $val := .Values.runners.nodeSelector }}
--kubernetes-node-selector {{ $key | quote }}:{{ $val | quote }} \
{{- end }}
{{- range .Values.runners.nodeTolerations }}
{{- $keyValue := .key }}
{{- if eq (.operator | default "Equal") "Equal" }}
{{- $keyValue = print $keyValue "=" (.value | default "" ) }}
{{- end }}
--kubernetes-node-tolerations {{ $keyValue }}:{{ .effect | quote }} \
{{- end }}
{{- range $key, $value := .Values.runners.podLabels }}
--kubernetes-pod-labels {{ $key | quote }}:{{ $value | quote }} \
{{- end }}
{{- range $key, $val := .Values.runners.podAnnotations }}
--kubernetes-pod-annotations {{ $key | quote }}:{{ $val | quote }} \
{{- end }}
{{- if and (hasKey .Values.runners "name") .Values.runners.name }}
--name={{ .Values.runners.name | quote -}} \
{{- end }}
{{- if and (hasKey .Values.runners "maximumTimeout") .Values.runners.maximumTimeout }}
--maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \
{{- end }}
{{- range $key, $value := .Values.runners.env }}
--env {{ $key | quote -}} = {{- $value | quote }} \
{{- end }}
{{- if and (hasKey .Values.runners "runUntagged") .Values.runners.runUntagged }}
--run-untagged=true \
{{- end }}
{{- if and (hasKey .Values.runners "protected") .Values.runners.protected }}
--access-level="ref_protected" \
{{- end }}
{{- if .Values.runners.pod_security_context }}
{{- if .Values.runners.pod_security_context.supplemental_groups }}
{{- range $gid := .Values.runners.pod_security_context.supplemental_groups }}
--kubernetes-pod-security-context-supplemental-groups {{ $gid | quote }} \
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.runners.config }}
--template-config /configmaps/config.template.toml \
{{- end }}
--non-interactive
retval=$?
if [ ${retval} = 0 ]; then
break
elif [ ${i} = ${MAX_REGISTER_ATTEMPTS} ]; then
exit 1
fi
sleep 5
done
exit 0
check-live: |
#!/bin/bash
if /usr/bin/pgrep -f .*register-the-runner; then
exit 0
elif /usr/bin/pgrep gitlab.*runner; then
exit 0
else
exit 1
fi
{{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
set-session-server-address: |
#!/bin/bash
{{- if (not .Values.sessionServer.publicIP) }}
APISERVER=https://kubernetes.default.svc \
&& SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount \
&& NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) \
&& TOKEN=$(cat ${SERVICEACCOUNT}/token) \
&& CACERT=${SERVICEACCOUNT}/ca.crt \
&& header="Authorization: Bearer ${TOKEN}"
SERVICEURL=${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/{{ include "gitlab-runner.fullname" . }}-session-server
has_address=false
while [ "${has_address}" = false ]; do
SERVICEIP=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"ip":' | cut -d ":" -f2 | xargs)
# for aws, the hostname is available but not the external IP
SERVICEHOSTNAME=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"hostname":' | cut -d ":" -f2 | xargs)
ADDRESS="${SERVICEHOSTNAME:-$SERVICEIP}"
if [ -z "${ADDRESS}" ]
then
echo "Service LoadBalancer External Address not yet available"
has_address=false
sleep 5
else
has_address=true
sed -i -e "s/SESSION_SERVER_IP/${ADDRESS}/g" /home/gitlab-runner/.gitlab-runner/config.toml
fi
done
{{- else }}
sed -i -e "s/SESSION_SERVER_IP/{{ .Values.sessionServer.publicIP }}/g" /home/gitlab-runner/.gitlab-runner/config.toml
{{- end}}
{{ end }}
pre-entrypoint-script: |
{{ .Values.preEntrypointScript | default "" | indent 4 }}
{{ if not (empty .Values.configMaps) }}{{ toYaml .Values.configMaps | indent 2 }}{{ end }}