Skip to content

Instantly share code, notes, and snippets.

@pen-pal

pen-pal/install.sh

Created December 6, 2023 04:13
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save pen-pal/3de919d56c823951766b73be811a710c to your computer and use it in GitHub Desktop.
Save pen-pal/3de919d56c823951766b73be811a710c to your computer and use it in GitHub Desktop.
Download ZIP
gitlab runner k8s installation
Raw
install.sh
helm repo add gitlab https://charts.gitlab.io
helm repo update
helm upgrade --install --create-namespace --namespace <NAMESPACE> gitlab-runner -f <CONFIG_VALUES_FILE> gitlab/gitlab-runner --set gitlabUrl=https://gitlab.com/ --set runnerToken=<GITLAB_RUNNER_TOKEN>
Raw
values.yaml
## GitLab Runner Image
##
## By default it's using registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v{VERSION}
## where {VERSION} is taken from Chart.yaml from appVersion field
##
## ref: https://gitlab.com/gitlab-org/gitlab-runner/container_registry/29383?orderBy=NAME&sort=asc&search[]=alpine-v&search[]=
##
## Note: If you change the image to the ubuntu release
## don't forget to change the securityContext;
## these images run on different user IDs.
##
image:
registry: registry.gitlab.com
image: gitlab-org/gitlab-runner
# tag: alpine-v11.6.0
## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry)
## the installation fails because dumb-init is not packaged in the image. However, the tini is present.
## This configuration will allow gitlab-runner-ubi-images users to explicitly enabled the use of `tini` instead of `dumb-init`
useTini: false
## Specify a imagePullPolicy for the main runner deployment
## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
##
## Note: it does not apply to job containers launched by this executor.
## Use `pull_policy` in [runners.kubernetes] to change it.
##
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
imagePullPolicy: IfNotPresent
## Specifying ImagePullSecrets on a Pod
## Kubernetes supports specifying container image registry keys on a Pod.
## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
##
# imagePullSecrets:
# - name: "image-pull-secret"
## Timeout, in seconds, for liveness and readiness probes of a runner pod.
# probeTimeoutSeconds: 3
## How many runner pods to launch.
##
# replicas: 1
## How many old ReplicaSets for this Deployment you want to retain
# revisionHistoryLimit: 10
## The GitLab Server URL (with protocol) that want to register the runner against
## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-register
##
gitlabUrl: https://gitlab.com/
## DEPRECATED: The Registration Token for adding new Runners to the GitLab Server.
##
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
##
# runnerRegistrationToken: ""
## The Runner Token for adding new Runners to the GitLab Server. This must
## be retrieved from your GitLab Instance. It is token of already registered runner.
## ref: (we don't yet have docs for that, but we want to use existing token)
##
# runnerToken: ""
#
## Unregister all runners before termination
##
## Updating the runner's chart version or configuration will cause the runner container
## to be terminated and created again. This may cause your Gitlab instance to reference
## non-existant runners. Un-registering the runner before termination mitigates this issue.
## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-unregister
##
# unregisterRunners: true
## When stopping the runner, give it time to wait for its jobs to terminate.
##
## Updating the runner's chart version or configuration will cause the runner container
## to be terminated with a graceful stop request. terminationGracePeriodSeconds
## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully.
## ref: https://docs.gitlab.com/runner/commands/#signals
terminationGracePeriodSeconds: 3600
## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
## Provide resource name for a Kubernetes Secret Object in the same namespace,
## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory
## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates-targeting-the-gitlab-server
##
# certsSecretName:
## Configure the maximum number of concurrent jobs
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
concurrent: 20
## Number of seconds until the forceful shutdown operation times out and exits the process.
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
shutdown_timeout: 0
## Defines in seconds how often to check GitLab for a new builds
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
checkInterval: 30
## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
# logLevel:
## Configure GitLab Runner's logging format. Available values are: runner, text, json
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
# logFormat:
## Configure GitLab Runner's Sentry DSN.
## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
# sentryDsn:
## A custom bash script that will be executed prior to the invocation
## gitlab-runner process
#
#preEntrypointScript: |
# echo "hello"
## Specify whether the runner should start the session server.
## Defaults to false
## ref:
##
## When sessionServer is enabled, the user can either provide a public publicIP
## or rely on the external IP auto discovery
## When a serviceAccountName is used with the automounting to the pod disable,
## we recommend the usage of the publicIP
sessionServer:
enabled: false
# annotations: {}
# timeout: 1800
# internalPort: 8093
# externalPort: 9000
# publicIP: ""
# loadBalancerSourceRanges:
# - 1.2.3.4/32
## For RBAC support:
rbac:
#create: false
create: true
## Define list of rules to be added to the rbac role permissions.
## Each rule supports the keys:
## - apiGroups: default "" (indicates the core API group) if missing or empty.
## - resources: default "*" if missing or empty.
## - verbs: default "*" if missing or empty.
##
## Read more about the recommended rules on the following link
##
## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#configure-runner-api-permissions
##
#rules: []
rules:
- resources: ["configmaps", "events", "pods", "pods/attach", "pods/exec", "secrets", "services"]
verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create", "patch", "delete"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs
## cluster-wide or only within namespace
clusterWideAccess: false
## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create)
##
# serviceAccountName: default
## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn.
## Values may refer other values as the _tpl_ function is implicitly applied. Mind the quotes when using this, e.g.
## serviceAccountAnnotations:
## eks.amazonaws.com/role-arn: "arn:aws:iam::{{ .Values.global.accountId }}:role/{{ .Values.global.iamRoleName }}"
##
## ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
##
# serviceAccountAnnotations: {}
## Use podSecurity Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
enabled: false
resourceNames:
- gitlab-runner
## Specify one or more imagePullSecrets used for pulling the runner image
##
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
##
# imagePullSecrets: []
## Configure integrated Prometheus metrics exporter
##
## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server
##
metrics:
enabled: true
## Define a name for the metrics port
##
portName: metrics
## Provide a port number for the integrated Prometheus metrics exporter
##
port: 9252
## Configure a prometheus-operator serviceMonitor to allow autodetection of
## the scraping target. Requires enabling the service resource below.
##
serviceMonitor:
enabled: true
## Provide additional labels to the service monitor resource
##
## labels: {}
## Provide annotations to the service monitor ressource
##
## annotations: {}
## Define a scrape interval (otherwise prometheus default is used)
##
## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
##
# interval: ""
## Specify the scrape protocol scheme e.g., https or http
##
# scheme: "http"
## Supply a tls configuration for the service monitor
##
## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/charts/crds/crds/crd-servicemonitors.yaml
##
# tlsConfig: {}
## The URI path where prometheus metrics can be scraped from
##
# path: "/metrics"
## A list of MetricRelabelConfigs to apply to samples before ingestion
##
## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
##
# metricRelabelings: []
## A list of RelabelConfigs to apply to samples before scraping
##
## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
##
## relabelings: []
## Configure a service resource e.g., to allow scraping metrics via
## prometheus-operator serviceMonitor
service:
enabled: true
## Provide additonal labels for the service
##
# labels: {}
## Provide additonal annotations for the service
##
# annotations: {}
## Define a specific ClusterIP if you do not want a dynamic one
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
##
# clusterIP: ""
## Define a list of one or more external IPs for this service
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
##
# externalIPs: []
## Provide a specific loadbalancerIP e.g., of an external Loadbalancer
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
##
# loadBalancerIP: ""
## Provide a list of source IP ranges to have access to this service
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support
##
# loadBalancerSourceRanges: []
## Specify the service type e.g., ClusterIP, NodePort, LoadBalancer or ExternalName
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
##
type: ClusterIP
## Specify the services metrics nodeport if you use a service of type nodePort
##
# metrics:
## Specify the node port under which the prometheus metrics of the runner are made
## available.
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
##
# nodePort: ""
## Provide a list of additional ports to be exposed by this service
##
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
##
# additionalPorts: []
## Configuration for the Pods that the runner launches for each new job
##
runners:
# runner configuration, where the multi line strings is evaluated as
# template so you can specify helm values inside of it.
#
# tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
# runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
config: |
[[runners]]
[runners.kubernetes]
namespace = "{{.Release.Namespace}}"
image = "docker:24.0.7"
privileged = true
[[runners.kubernetes.volumes.empty_dir]]
name = "docker-certs"
mount_path = "/certs/client"
medium = "Memory"
## Absolute path for an existing runner configuration file
## Can be used alongside "volumes" and "volumeMounts" to use an external config file
## Active if runners.config is empty or null
#configPath: ""
configPath:
## Which executor should be used
##
executor: kubernetes
## DEPRECATED: Specify whether the runner should be locked to a specific project: true, false.
##
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
##
# locked: true
## DEPRECATED: Specify the tags associated with the runner. Comma-separated list of tags.
##
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
##
# tags: ""
## Specify the name for the runner.
##
# name: ""
## DEPRECATED:Specify the maximum timeout (in seconds) that will be set for job when using this Runner
##
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
##
# maximumTimeout: ""
## DEPRECATED: Specify if jobs without tags should be run.
##
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
##
# runUntagged: true
## DEPRECATED: Specify whether the runner should only run protected branches.
##
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
##
# protected: true
## The name of the secret containing runner-token and runner-registration-token
secret: gitlab-runner
## Distributed runners caching
## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching
##
## If you want to use s3 based distributing caching:
## First of all you need to uncomment General settings and S3 settings sections.
##
## Create a secret 's3access' containing 'accesskey' & 'secretkey'
## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
##
## $ kubectl create secret generic s3access \
## --from-literal=accesskey="YourAccessKey" \
## --from-literal=secretkey="YourSecretKey"
## ref: https://kubernetes.io/docs/concepts/configuration/secret/
##
## If you want to use gcs based distributing caching:
## First of all you need to uncomment General settings and GCS settings sections.
##
## Access using credentials file:
## Create a secret 'google-application-credentials' containing your application credentials file.
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section
## You could configure
## $ kubectl create secret generic google-application-credentials \
## --from-file=gcs-application-credentials-file=./path-to-your-google-application-credentials-file.json
## ref: https://kubernetes.io/docs/concepts/configuration/secret/
##
## Access using access-id and private-key:
## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'.
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section
## You could configure
## $ kubectl create secret generic gcsaccess \
## --from-literal=gcs-access-id="YourAccessID" \
## --from-literal=gcs-private-key="YourPrivateKey"
## ref: https://kubernetes.io/docs/concepts/configuration/secret/
##
## If you want to use Azure-based distributed caching:
## First, uncomment General settings.
##
## Create a secret 'azureaccess' containing 'azure-account-name' & 'azure-account-key'
## ref: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction
##
## $ kubectl create secret generic azureaccess \
## --from-literal=azure-account-name="YourAccountName" \
## --from-literal=azure-account-key="YourAccountKey"
## ref: https://kubernetes.io/docs/concepts/configuration/secret/
cache: {}
## S3 the name of the secret.
# secretName: s3access
## Use this line for access using gcs-access-id and gcs-private-key
# secretName: gcsaccess
## Use this line for access using google-application-credentials file
# secretName: google-application-credentials
## Use this line for access using Azure with azure-account-name and azure-account-key
# secretName: azureaccess
## Specify the name of the scheduler which used to schedule runner pods.
## Kubernetes supports multiple scheduler configurations.
## ref: https://kubernetes.io/docs/reference/scheduling
# schedulerName: "my-custom-scheduler"
## Configure securitycontext for the main container
## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
##
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: true
privileged: false
#capabilities:
# drop: ["ALL"]
## Configure update strategy for multi-replica deployments
## Kubernetes supports types Recreate, and RollingUpdate
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
##
strategy: {}
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
# type: RollingUpdate
## Configure securitycontext valid for the whole pod
## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
##
podSecurityContext:
runAsUser: 100
# runAsGroup: 65533
fsGroup: 65533
# supplementalGroups: [65533]
## Note: values for the ubuntu image:
# runAsUser: 999
# fsGroup: 999
## Configure resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
##
#resources: {}
resources:
limits:
memory: 4Gi
cpu: 4
requests:
memory: 500Mi
cpu: 500m
## Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## TopologySpreadConstraints for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
##
topologySpreadConstraints: {}
# Example: The gitlab runner should be evenly spread across zones
# - maxSkew: 1
# topologyKey: zone
# whenUnsatisfiable: DoNotSchedule
# labelSelector:
# matchLabels:
# foo: bar
## Node labels for pod assignment
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
# Example: The gitlab runner manager should not run on spot instances so you can assign
# them to the regular worker nodes only.
# node-role.kubernetes.io/worker: "true"
## List of node taints to tolerate (requires Kubernetes >= 1.6)
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
# Example: Regular worker nodes may have a taint, thus you need to tolerate the taint
# when you assign the gitlab runner manager with nodeSelector or affinity to the nodes.
# - key: "node-role.kubernetes.io/worker"
# operator: "Exists"
## Configure environment variables that will be present when the registration command runs
## This provides further control over the registration process and the config.toml file
## ref: `gitlab-runner register --help`
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
##
# envVars:
# - name: RUNNER_EXECUTOR
# value: kubernetes
## list of hosts and IPs that will be injected into the pod's hosts file
hostAliases: []
# Example:
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
# - ip: "10.1.2.3"
# hostnames:
# - "foo.remote"
# - "bar.remote"
## Annotations to be added to deployment
##
deploymentAnnotations: {}
# Example:
# downscaler/uptime: <my_uptime_period>
## Labels to be added to deployment
##
deploymentLabels: {}
# Example:
# owner.team: <my_cool_team>
## Annotations to be added to manager pod
##
podAnnotations: {}
# Example:
# iam.amazonaws.com/role: <my_role_arn>
## Labels to be added to manager pod
##
podLabels: {}
# Example:
# owner.team: <my_cool_team>
## HPA support for custom metrics:
## This section enables runners to autoscale based on defined custom metrics.
## In order to use this functionality, Need to enable a custom metrics API server by
## implementing "custom.metrics.k8s.io" using supported third party adapter
## Example: https://github.com/directxman12/k8s-prometheus-adapter
##
#hpa: {}
hpa:
minReplicas: 1
maxReplicas: 10
metrics:
- type: Pods
pods:
metric:
name: gitlab_runner_jobs
target:
type: AverageValue
averageValue: 400m
## Configure priorityClassName for manager pod. See k8s docs for more info on how pod priority works:
## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## Secrets to be additionally mounted to the containers.
## All secrets are mounted through init-runner-secrets volume
## and placed as readonly at /init-secrets in the init container
## and finally copied to an in-memory volume runner-secrets that is
## mounted at /secrets.
secrets: []
# Example:
# - name: my-secret
# - name: myOtherSecret
# items:
# - key: key_one
# path: path_one
## Boolean to turn off the automountServiceAccountToken in the deployment
## ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
##
# automountServiceAccountToken: false
## Additional config files to mount in the containers in `/configmaps`.
##
## Please note that a number of keys are reserved by the runner.
## See https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml
## for a current list.
configMaps: {}
## Additional volumeMounts to add to the runner container
##
volumeMounts: []
# Example:
# - name: my-volume
# mountPath: /mount/path
## Additional volumes to add to the runner deployment
##
volumes: []
# Example:
# - name: my-volume
# persistentVolumeClaim:
# claimName: my-pvc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment