Created
December 6, 2023 04:13
-
-
Save pen-pal/3de919d56c823951766b73be811a710c to your computer and use it in GitHub Desktop.
gitlab runner k8s installation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
helm repo add gitlab https://charts.gitlab.io | |
helm repo update | |
helm upgrade --install --create-namespace --namespace <NAMESPACE> gitlab-runner -f <CONFIG_VALUES_FILE> gitlab/gitlab-runner --set gitlabUrl=https://gitlab.com/ --set runnerToken=<GITLAB_RUNNER_TOKEN> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## GitLab Runner Image | |
## | |
## By default it's using registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v{VERSION} | |
## where {VERSION} is taken from Chart.yaml from appVersion field | |
## | |
## ref: https://gitlab.com/gitlab-org/gitlab-runner/container_registry/29383?orderBy=NAME&sort=asc&search[]=alpine-v&search[]= | |
## | |
## Note: If you change the image to the ubuntu release | |
## don't forget to change the securityContext; | |
## these images run on different user IDs. | |
## | |
image: | |
registry: registry.gitlab.com | |
image: gitlab-org/gitlab-runner | |
# tag: alpine-v11.6.0 | |
## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry) | |
## the installation fails because dumb-init is not packaged in the image. However, the tini is present. | |
## This configuration will allow gitlab-runner-ubi-images users to explicitly enabled the use of `tini` instead of `dumb-init` | |
useTini: false | |
## Specify a imagePullPolicy for the main runner deployment | |
## 'Always' if imageTag is 'latest', else set to 'IfNotPresent' | |
## | |
## Note: it does not apply to job containers launched by this executor. | |
## Use `pull_policy` in [runners.kubernetes] to change it. | |
## | |
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | |
## | |
imagePullPolicy: IfNotPresent | |
## Specifying ImagePullSecrets on a Pod | |
## Kubernetes supports specifying container image registry keys on a Pod. | |
## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod | |
## | |
# imagePullSecrets: | |
# - name: "image-pull-secret" | |
## Timeout, in seconds, for liveness and readiness probes of a runner pod. | |
# probeTimeoutSeconds: 3 | |
## How many runner pods to launch. | |
## | |
# replicas: 1 | |
## How many old ReplicaSets for this Deployment you want to retain | |
# revisionHistoryLimit: 10 | |
## The GitLab Server URL (with protocol) that want to register the runner against | |
## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-register | |
## | |
gitlabUrl: https://gitlab.com/ | |
## DEPRECATED: The Registration Token for adding new Runners to the GitLab Server. | |
## | |
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html | |
## | |
# runnerRegistrationToken: "" | |
## The Runner Token for adding new Runners to the GitLab Server. This must | |
## be retrieved from your GitLab Instance. It is token of already registered runner. | |
## ref: (we don't yet have docs for that, but we want to use existing token) | |
## | |
# runnerToken: "" | |
# | |
## Unregister all runners before termination | |
## | |
## Updating the runner's chart version or configuration will cause the runner container | |
## to be terminated and created again. This may cause your Gitlab instance to reference | |
## non-existant runners. Un-registering the runner before termination mitigates this issue. | |
## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-unregister | |
## | |
# unregisterRunners: true | |
## When stopping the runner, give it time to wait for its jobs to terminate. | |
## | |
## Updating the runner's chart version or configuration will cause the runner container | |
## to be terminated with a graceful stop request. terminationGracePeriodSeconds | |
## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully. | |
## ref: https://docs.gitlab.com/runner/commands/#signals | |
terminationGracePeriodSeconds: 3600 | |
## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use | |
## Provide resource name for a Kubernetes Secret Object in the same namespace, | |
## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory | |
## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates-targeting-the-gitlab-server | |
## | |
# certsSecretName: | |
## Configure the maximum number of concurrent jobs | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section | |
## | |
concurrent: 20 | |
## Number of seconds until the forceful shutdown operation times out and exits the process. | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section | |
## | |
shutdown_timeout: 0 | |
## Defines in seconds how often to check GitLab for a new builds | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section | |
## | |
checkInterval: 30 | |
## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section | |
## | |
# logLevel: | |
## Configure GitLab Runner's logging format. Available values are: runner, text, json | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section | |
## | |
# logFormat: | |
## Configure GitLab Runner's Sentry DSN. | |
## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section | |
## | |
# sentryDsn: | |
## A custom bash script that will be executed prior to the invocation | |
## gitlab-runner process | |
# | |
#preEntrypointScript: | | |
# echo "hello" | |
## Specify whether the runner should start the session server. | |
## Defaults to false | |
## ref: | |
## | |
## When sessionServer is enabled, the user can either provide a public publicIP | |
## or rely on the external IP auto discovery | |
## When a serviceAccountName is used with the automounting to the pod disable, | |
## we recommend the usage of the publicIP | |
sessionServer: | |
enabled: false | |
# annotations: {} | |
# timeout: 1800 | |
# internalPort: 8093 | |
# externalPort: 9000 | |
# publicIP: "" | |
# loadBalancerSourceRanges: | |
# - 1.2.3.4/32 | |
## For RBAC support: | |
rbac: | |
#create: false | |
create: true | |
## Define list of rules to be added to the rbac role permissions. | |
## Each rule supports the keys: | |
## - apiGroups: default "" (indicates the core API group) if missing or empty. | |
## - resources: default "*" if missing or empty. | |
## - verbs: default "*" if missing or empty. | |
## | |
## Read more about the recommended rules on the following link | |
## | |
## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#configure-runner-api-permissions | |
## | |
#rules: [] | |
rules: | |
- resources: ["configmaps", "events", "pods", "pods/attach", "pods/exec", "secrets", "services"] | |
verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] | |
- apiGroups: [""] | |
resources: ["pods/exec"] | |
verbs: ["create", "patch", "delete"] | |
- apiGroups: [""] | |
resources: ["pods/log"] | |
verbs: ["get"] | |
## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs | |
## cluster-wide or only within namespace | |
clusterWideAccess: false | |
## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) | |
## | |
# serviceAccountName: default | |
## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn. | |
## Values may refer other values as the _tpl_ function is implicitly applied. Mind the quotes when using this, e.g. | |
## serviceAccountAnnotations: | |
## eks.amazonaws.com/role-arn: "arn:aws:iam::{{ .Values.global.accountId }}:role/{{ .Values.global.iamRoleName }}" | |
## | |
## ref: https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html | |
## | |
# serviceAccountAnnotations: {} | |
## Use podSecurity Policy | |
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |
podSecurityPolicy: | |
enabled: false | |
resourceNames: | |
- gitlab-runner | |
## Specify one or more imagePullSecrets used for pulling the runner image | |
## | |
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account | |
## | |
# imagePullSecrets: [] | |
## Configure integrated Prometheus metrics exporter | |
## | |
## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server | |
## | |
metrics: | |
enabled: true | |
## Define a name for the metrics port | |
## | |
portName: metrics | |
## Provide a port number for the integrated Prometheus metrics exporter | |
## | |
port: 9252 | |
## Configure a prometheus-operator serviceMonitor to allow autodetection of | |
## the scraping target. Requires enabling the service resource below. | |
## | |
serviceMonitor: | |
enabled: true | |
## Provide additional labels to the service monitor resource | |
## | |
## labels: {} | |
## Provide annotations to the service monitor ressource | |
## | |
## annotations: {} | |
## Define a scrape interval (otherwise prometheus default is used) | |
## | |
## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config | |
## | |
# interval: "" | |
## Specify the scrape protocol scheme e.g., https or http | |
## | |
# scheme: "http" | |
## Supply a tls configuration for the service monitor | |
## | |
## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/charts/crds/crds/crd-servicemonitors.yaml | |
## | |
# tlsConfig: {} | |
## The URI path where prometheus metrics can be scraped from | |
## | |
# path: "/metrics" | |
## A list of MetricRelabelConfigs to apply to samples before ingestion | |
## | |
## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs | |
## | |
# metricRelabelings: [] | |
## A list of RelabelConfigs to apply to samples before scraping | |
## | |
## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config | |
## | |
## relabelings: [] | |
## Configure a service resource e.g., to allow scraping metrics via | |
## prometheus-operator serviceMonitor | |
service: | |
enabled: true | |
## Provide additonal labels for the service | |
## | |
# labels: {} | |
## Provide additonal annotations for the service | |
## | |
# annotations: {} | |
## Define a specific ClusterIP if you do not want a dynamic one | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | |
## | |
# clusterIP: "" | |
## Define a list of one or more external IPs for this service | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | |
## | |
# externalIPs: [] | |
## Provide a specific loadbalancerIP e.g., of an external Loadbalancer | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | |
## | |
# loadBalancerIP: "" | |
## Provide a list of source IP ranges to have access to this service | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support | |
## | |
# loadBalancerSourceRanges: [] | |
## Specify the service type e.g., ClusterIP, NodePort, LoadBalancer or ExternalName | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | |
## | |
type: ClusterIP | |
## Specify the services metrics nodeport if you use a service of type nodePort | |
## | |
# metrics: | |
## Specify the node port under which the prometheus metrics of the runner are made | |
## available. | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | |
## | |
# nodePort: "" | |
## Provide a list of additional ports to be exposed by this service | |
## | |
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | |
## | |
# additionalPorts: [] | |
## Configuration for the Pods that the runner launches for each new job | |
## | |
runners: | |
# runner configuration, where the multi line strings is evaluated as | |
# template so you can specify helm values inside of it. | |
# | |
# tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function | |
# runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html | |
config: | | |
[[runners]] | |
[runners.kubernetes] | |
namespace = "{{.Release.Namespace}}" | |
image = "docker:24.0.7" | |
privileged = true | |
[[runners.kubernetes.volumes.empty_dir]] | |
name = "docker-certs" | |
mount_path = "/certs/client" | |
medium = "Memory" | |
## Absolute path for an existing runner configuration file | |
## Can be used alongside "volumes" and "volumeMounts" to use an external config file | |
## Active if runners.config is empty or null | |
#configPath: "" | |
configPath: | |
## Which executor should be used | |
## | |
executor: kubernetes | |
## DEPRECATED: Specify whether the runner should be locked to a specific project: true, false. | |
## | |
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html | |
## | |
# locked: true | |
## DEPRECATED: Specify the tags associated with the runner. Comma-separated list of tags. | |
## | |
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html | |
## | |
# tags: "" | |
## Specify the name for the runner. | |
## | |
# name: "" | |
## DEPRECATED:Specify the maximum timeout (in seconds) that will be set for job when using this Runner | |
## | |
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html | |
## | |
# maximumTimeout: "" | |
## DEPRECATED: Specify if jobs without tags should be run. | |
## | |
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html | |
## | |
# runUntagged: true | |
## DEPRECATED: Specify whether the runner should only run protected branches. | |
## | |
## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html | |
## | |
# protected: true | |
## The name of the secret containing runner-token and runner-registration-token | |
secret: gitlab-runner | |
## Distributed runners caching | |
## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching | |
## | |
## If you want to use s3 based distributing caching: | |
## First of all you need to uncomment General settings and S3 settings sections. | |
## | |
## Create a secret 's3access' containing 'accesskey' & 'secretkey' | |
## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/ | |
## | |
## $ kubectl create secret generic s3access \ | |
## --from-literal=accesskey="YourAccessKey" \ | |
## --from-literal=secretkey="YourSecretKey" | |
## ref: https://kubernetes.io/docs/concepts/configuration/secret/ | |
## | |
## If you want to use gcs based distributing caching: | |
## First of all you need to uncomment General settings and GCS settings sections. | |
## | |
## Access using credentials file: | |
## Create a secret 'google-application-credentials' containing your application credentials file. | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section | |
## You could configure | |
## $ kubectl create secret generic google-application-credentials \ | |
## --from-file=gcs-application-credentials-file=./path-to-your-google-application-credentials-file.json | |
## ref: https://kubernetes.io/docs/concepts/configuration/secret/ | |
## | |
## Access using access-id and private-key: | |
## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'. | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section | |
## You could configure | |
## $ kubectl create secret generic gcsaccess \ | |
## --from-literal=gcs-access-id="YourAccessID" \ | |
## --from-literal=gcs-private-key="YourPrivateKey" | |
## ref: https://kubernetes.io/docs/concepts/configuration/secret/ | |
## | |
## If you want to use Azure-based distributed caching: | |
## First, uncomment General settings. | |
## | |
## Create a secret 'azureaccess' containing 'azure-account-name' & 'azure-account-key' | |
## ref: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction | |
## | |
## $ kubectl create secret generic azureaccess \ | |
## --from-literal=azure-account-name="YourAccountName" \ | |
## --from-literal=azure-account-key="YourAccountKey" | |
## ref: https://kubernetes.io/docs/concepts/configuration/secret/ | |
cache: {} | |
## S3 the name of the secret. | |
# secretName: s3access | |
## Use this line for access using gcs-access-id and gcs-private-key | |
# secretName: gcsaccess | |
## Use this line for access using google-application-credentials file | |
# secretName: google-application-credentials | |
## Use this line for access using Azure with azure-account-name and azure-account-key | |
# secretName: azureaccess | |
## Specify the name of the scheduler which used to schedule runner pods. | |
## Kubernetes supports multiple scheduler configurations. | |
## ref: https://kubernetes.io/docs/reference/scheduling | |
# schedulerName: "my-custom-scheduler" | |
## Configure securitycontext for the main container | |
## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ | |
## | |
securityContext: | |
allowPrivilegeEscalation: false | |
readOnlyRootFilesystem: false | |
runAsNonRoot: true | |
privileged: false | |
#capabilities: | |
# drop: ["ALL"] | |
## Configure update strategy for multi-replica deployments | |
## Kubernetes supports types Recreate, and RollingUpdate | |
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | |
## | |
strategy: {} | |
# rollingUpdate: | |
# maxSurge: 1 | |
# maxUnavailable: 0 | |
# type: RollingUpdate | |
## Configure securitycontext valid for the whole pod | |
## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ | |
## | |
podSecurityContext: | |
runAsUser: 100 | |
# runAsGroup: 65533 | |
fsGroup: 65533 | |
# supplementalGroups: [65533] | |
## Note: values for the ubuntu image: | |
# runAsUser: 999 | |
# fsGroup: 999 | |
## Configure resource requests and limits | |
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | |
## | |
#resources: {} | |
resources: | |
limits: | |
memory: 4Gi | |
cpu: 4 | |
requests: | |
memory: 500Mi | |
cpu: 500m | |
## Affinity for pod assignment | |
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | |
## | |
affinity: {} | |
## TopologySpreadConstraints for pod assignment | |
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | |
## | |
topologySpreadConstraints: {} | |
# Example: The gitlab runner should be evenly spread across zones | |
# - maxSkew: 1 | |
# topologyKey: zone | |
# whenUnsatisfiable: DoNotSchedule | |
# labelSelector: | |
# matchLabels: | |
# foo: bar | |
## Node labels for pod assignment | |
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | |
## | |
nodeSelector: {} | |
# Example: The gitlab runner manager should not run on spot instances so you can assign | |
# them to the regular worker nodes only. | |
# node-role.kubernetes.io/worker: "true" | |
## List of node taints to tolerate (requires Kubernetes >= 1.6) | |
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | |
## | |
tolerations: [] | |
# Example: Regular worker nodes may have a taint, thus you need to tolerate the taint | |
# when you assign the gitlab runner manager with nodeSelector or affinity to the nodes. | |
# - key: "node-role.kubernetes.io/worker" | |
# operator: "Exists" | |
## Configure environment variables that will be present when the registration command runs | |
## This provides further control over the registration process and the config.toml file | |
## ref: `gitlab-runner register --help` | |
## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html | |
## | |
# envVars: | |
# - name: RUNNER_EXECUTOR | |
# value: kubernetes | |
## list of hosts and IPs that will be injected into the pod's hosts file | |
hostAliases: [] | |
# Example: | |
# - ip: "127.0.0.1" | |
# hostnames: | |
# - "foo.local" | |
# - "bar.local" | |
# - ip: "10.1.2.3" | |
# hostnames: | |
# - "foo.remote" | |
# - "bar.remote" | |
## Annotations to be added to deployment | |
## | |
deploymentAnnotations: {} | |
# Example: | |
# downscaler/uptime: <my_uptime_period> | |
## Labels to be added to deployment | |
## | |
deploymentLabels: {} | |
# Example: | |
# owner.team: <my_cool_team> | |
## Annotations to be added to manager pod | |
## | |
podAnnotations: {} | |
# Example: | |
# iam.amazonaws.com/role: <my_role_arn> | |
## Labels to be added to manager pod | |
## | |
podLabels: {} | |
# Example: | |
# owner.team: <my_cool_team> | |
## HPA support for custom metrics: | |
## This section enables runners to autoscale based on defined custom metrics. | |
## In order to use this functionality, Need to enable a custom metrics API server by | |
## implementing "custom.metrics.k8s.io" using supported third party adapter | |
## Example: https://github.com/directxman12/k8s-prometheus-adapter | |
## | |
#hpa: {} | |
hpa: | |
minReplicas: 1 | |
maxReplicas: 10 | |
metrics: | |
- type: Pods | |
pods: | |
metric: | |
name: gitlab_runner_jobs | |
target: | |
type: AverageValue | |
averageValue: 400m | |
## Configure priorityClassName for manager pod. See k8s docs for more info on how pod priority works: | |
## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ | |
priorityClassName: "" | |
## Secrets to be additionally mounted to the containers. | |
## All secrets are mounted through init-runner-secrets volume | |
## and placed as readonly at /init-secrets in the init container | |
## and finally copied to an in-memory volume runner-secrets that is | |
## mounted at /secrets. | |
secrets: [] | |
# Example: | |
# - name: my-secret | |
# - name: myOtherSecret | |
# items: | |
# - key: key_one | |
# path: path_one | |
## Boolean to turn off the automountServiceAccountToken in the deployment | |
## ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume | |
## | |
# automountServiceAccountToken: false | |
## Additional config files to mount in the containers in `/configmaps`. | |
## | |
## Please note that a number of keys are reserved by the runner. | |
## See https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml | |
## for a current list. | |
configMaps: {} | |
## Additional volumeMounts to add to the runner container | |
## | |
volumeMounts: [] | |
# Example: | |
# - name: my-volume | |
# mountPath: /mount/path | |
## Additional volumes to add to the runner deployment | |
## | |
volumes: [] | |
# Example: | |
# - name: my-volume | |
# persistentVolumeClaim: | |
# claimName: my-pvc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment