From 711b6813e91361d591d98e67000bdc85fe1fd3a5 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Thu, 20 May 2021 12:51:16 -0400
Subject: [PATCH] store token as secret

---
 README.md | 21 +-
 rolebinding.yaml | 12 -
 runnerconfig.yaml.example | 57 -----
 values.yaml | 473 ++------------------------------------
 4 files changed, 23 insertions(+), 540 deletions(-)
 delete mode 100644 rolebinding.yaml
 delete mode 100644 runnerconfig.yaml.example

diff --git a/README.md b/README.md
index a0462f9..bd0f7a1 100644
--- a/README.md
+++ b/README.md
@@ -1,22 +1,13 @@
-# Create a gitlab runner in your namespace with Helm
+# Install Gitlab Runner
 
-Install:
-
-Edit runnerconfig.yaml and add your token
+Create runner secret
 
 ```bash
-helm upgrade --install --namespace automation services-runner -f values.yaml gitlab/gitlab-runner
-helm install --namespace ducoterra reese-runner -f runnerconfig.yaml gitlab/gitlab-runner
+kubectl create secret generic gitlab-runner-secret --from-literal=runner-registration-token=$(vault kv get -field=runner-token secret/gitlab) --from-literal=runner-token=""
+kubectl apply -f role.yaml
 ```
 
-Uninstall:
-
 ```bash
-helm delete --namespace ducoterra services-runner
-```
-
-## Giving the runner access to your namespace
-
-```bash
-kubectl apply -f k8s
+helm repo add gitlab https://charts.gitlab.io
+helm install --namespace gitlab gitlab-runner -f values.yaml gitlab/gitlab-runner
 ```
diff --git a/rolebinding.yaml b/rolebinding.yaml
deleted file mode 100644
index 12c46e5..0000000
--- a/rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: default-binding
-subjects:
-- kind: ServiceAccount
-  name: default
-  apiGroup: ""
-roleRef:
-  kind: Role
-  name: namespace-manager
-  apiGroup: ""
\ No newline at end of file
diff --git a/runnerconfig.yaml.example b/runnerconfig.yaml.example
deleted file mode 100644
index 46ba626..0000000
--- a/runnerconfig.yaml.example
+++ /dev/null
@@ -1,57 +0,0 @@
-# CONFIGURE ME
-runnerRegistrationToken:
-gitlabUrl: https://gitlab.ducoterra.net/
-
-# PRE-CONFIGURED
-imagePullPolicy: IfNotPresent
-unregisterRunners: true
-terminationGracePeriodSeconds: 3600
-concurrent: 10
-checkInterval: 30
-rbac:
-  clusterWideAccess: false
-  serviceAccountName: gitlab-runner
-metrics:
-  enabled: true
-runners:
-  image: debian:10
-  locked: false
-  privileged: false
-  pollTimeout: 180
-  outputLimit: 4096
-  cache: {}
-  builds:
-    cpuLimit: 1000m
-    cpuLimitOverwriteMaxAllowed: 2000m
-    memoryLimit: 1Gi
-    memoryLimitOverwriteMaxAllowed: 2Gi
-    cpuRequests: 1m
-    cpuRequestsOverwriteMaxAllowed: 200m
-    memoryRequests: 1Mi
-    memoryRequestsOverwriteMaxAllowed: 256Mi
-  services:
-    cpuLimit: 1000m
-    memoryLimit: 1Gi
-    cpuRequests: 1m
-    memoryRequests: 1Mi
-  helpers:
-    cpuLimit: 1000m
-    memoryLimit: 1Gi
-    cpuRequests: 1m
-    memoryRequests: 1Mi
-securityContext:
-  fsGroup: 65533
-  runAsUser: 100
-resources: {}
-  # limits:
-  #   memory: "1Gi"
-  #   cpu: "1"
-  # requests:
-  #   memory: "1Mi"
-  #   cpu: "1m"
-affinity: {}
-nodeSelector: {}
-tolerations: []
-hostAliases: []
-podAnnotations: {}
-podLabels: {}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index c067e09..12e9118 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,477 +1,38 @@ -## GitLab Runner Image -## -## By default it's using gitlab/gitlab-runner:alpine-v{VERSION} -## where {VERSION} is taken from Chart.yaml from appVersion field -## -## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/ -## -## Note: If you change the image to the ubuntu release -## don't forget to change the securityContext; -## these images run on different user IDs. -## -# image: gitlab/gitlab-runner:alpine-v11.6.0 - -## Specify a imagePullPolicy -## 'Always' if imageTag is 'latest', else set to 'IfNotPresent' -## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images -## -imagePullPolicy: IfNotPresent - -## Specifying ImagePullSecrets on a Pod -## Kubernetes supports specifying container image registry keys on a Pod. -## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod -## -# imagePullSecrets: -# - name: "image-pull-secret" - -## The GitLab Server URL (with protocol) that want to register the runner against -## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register -## -gitlabUrl: http://gitlab.ducoterra.net/ - -## The Registration Token for adding new Runners to the GitLab Server. This must -## be retrieved from your GitLab Instance. -## ref: https://docs.gitlab.com/ce/ci/runners/README.html -## -runnerRegistrationToken: "KqHzzq_Bsf9yxk7JxjYW" - -## The Runner Token for adding new Runners to the GitLab Server. This must -## be retrieved from your GitLab Instance. It is token of already registered runner. -## ref: (we don't yet have docs for that, but we want to use existing token) -## -# runnerToken: "" -# -## Unregister all runners before termination -## -## Updating the runner's chart version or configuration will cause the runner container -## to be terminated and created again. This may cause your Gitlab instance to reference -## non-existant runners. Un-registering the runner before termination mitigates this issue. 
-## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister -## -# unregisterRunners: true - -## When stopping the runner, give it time to wait for its jobs to terminate. -## -## Updating the runner's chart version or configuration will cause the runner container -## to be terminated with a graceful stop request. terminationGracePeriodSeconds -## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully. -## ref: https://docs.gitlab.com/runner/commands/#signals +imagePullPolicy: Always +gitlabUrl: https://gitlab.ducoterra.net/ +unregisterRunners: true terminationGracePeriodSeconds: 3600 - -## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use -## Provide resource name for a Kubernetes Secret Object in the same namespace, -## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory -## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates -## -# certsSecretName: - -## Configure the maximum number of concurrent jobs -## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section -## concurrent: 10 - -## Defines in seconds how often to check GitLab for a new builds -## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section -## checkInterval: 30 - -## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic -## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section -## -# logLevel: - -## Configure GitLab Runner's logging format. Available values are: runner, text, json -## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section -## -# logFormat: - -## Configure GitLab Runner's Sentry DSN. 
-## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section -## -# sentryDsn: - -## A custom bash script that will be executed prior to the invocation -## gitlab-runner process -# -#preEntrypointScript: | -# echo "hello" - -## For RBAC support: rbac: - create: false - ## Define specific rbac permissions. - # resources: ["pods", "pods/exec", "secrets"] - # verbs: ["get", "list", "watch", "create", "patch", "delete"] - - ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs - ## cluster-wide or only within namespace clusterWideAccess: false - - ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) - ## - # serviceAccountName: default - - ## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn - ## - ## ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html - ## - # serviceAccountAnnotations: {} - - ## Use podSecurity Policy - ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - podSecurityPolicy: - enabled: false - resourceNames: - - gitlab-runner - - ## Specify one or more imagePullSecrets used for pulling the runner image - ## - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account - ## - # imagePullSecrets: [] - -## Configure integrated Prometheus metrics exporter -## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server + create: true metrics: enabled: true - -## Configuration for the Pods that the runner launches for each new job -## runners: - config: | - [[runners]] - [runners.kubernetes] - image = "debian:10" - - ## Which executor should be used - ## - # executor: kubernetes - - ## Default container image to use for builds when none is specified - ## - ## DEPRECATED: See 
https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # image: ubuntu:16.04 - - ## Specify one or more imagePullSecrets - ## - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # imagePullSecrets: [] - - ## Specify the image pull policy: never, if-not-present, always. The cluster default will be used if not set. - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # imagePullPolicy: "" - - ## Defines number of concurrent requests for new job from GitLab - ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # requestConcurrency: 1 - - ## Specify whether the runner should be locked to a specific project: true, false. Defaults to true. - ## - # locked: true - - ## Specify the tags associated with the runner. Comma-separated list of tags. - ## - ## ref: https://docs.gitlab.com/ce/ci/runners/#use-tags-to-limit-the-number-of-jobs-using-the-runner - ## - # tags: "" - - ## Specify the name for the runner. - ## - # name: "" - - ## Specify if jobs without tags should be run. - ## If not specified, Runner will default to true if no tags were specified. In other case it will - ## default to false. - ## - ## ref: https://docs.gitlab.com/ce/ci/runners/#runner-is-allowed-to-run-untagged-jobs - ## - # runUntagged: true - - ## Specify whether the runner should only run protected branches. - ## Defaults to False. - ## - ## ref: https://docs.gitlab.com/ee/ci/runners/#prevent-runners-from-revealing-sensitive-information - ## - # protected: true - - ## Run all containers with the privileged flag enabled - ## This will allow the docker:dind image to run if you need to run Docker - ## commands. 
Please read the docs before turning this on: - ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # privileged: false - - ## The name of the secret containing runner-token and runner-registration-token - # secret: gitlab-runner - - ## Namespace to run Kubernetes jobs in (defaults to the same namespace of this release) - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # namespace: - - ## The amount of time, in seconds, that needs to pass before the runner will - ## timeout attempting to connect to the container it has just created. - ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # pollTimeout: 180 - - ## Set maximum build log size in kilobytes, by default set to 4096 (4MB) - ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # outputLimit: 4096 - - ## Distributed runners caching - ## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching - ## - ## If you want to use s3 based distributing caching: - ## First of all you need to uncomment General settings and S3 settings sections. 
- ## - ## Create a secret 's3access' containing 'accesskey' & 'secretkey' - ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/ - ## - ## $ kubectl create secret generic s3access \ - ## --from-literal=accesskey="YourAccessKey" \ - ## --from-literal=secretkey="YourSecretKey" - ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ - ## - ## If you want to use gcs based distributing caching: - ## First of all you need to uncomment General settings and GCS settings sections. - ## - ## Access using credentials file: - ## Create a secret 'google-application-credentials' containing your application credentials file. - ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section - ## You could configure - ## $ kubectl create secret generic google-application-credentials \ - ## --from-file=gcs-application-credentials-file=./path-to-your-google-application-credentials-file.json - ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ - ## - ## Access using access-id and private-key: - ## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'. - ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section - ## You could configure - ## $ kubectl create secret generic gcsaccess \ - ## --from-literal=gcs-access-id="YourAccessID" \ - ## --from-literal=gcs-private-key="YourPrivateKey" - ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ - ## - ## If you want to use Azure-based distributed caching: - ## First, uncomment General settings. 
- ## - ## Create a secret 'azureaccess' containing 'azure-account-name' & 'azure-account-key' - ## ref: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction - ## - ## $ kubectl create secret generic azureaccess \ - ## --from-literal=azure-account-name="YourAccountName" \ - ## --from-literal=azure-account-key="YourAccountKey" - ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ - + image: debian:10 + locked: false + secret: gitlab-runner-secret + privileged: false + pollTimeout: 180 + outputLimit: 4096 cache: {} - ## General settings - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template - # cacheType: s3 - # cachePath: "gitlab_runner" - # cacheShared: true - - ## S3 settings - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template - # s3ServerAddress: s3.amazonaws.com - # s3BucketName: - # s3BucketLocation: - # s3CacheInsecure: false - - ## GCS settings - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template - # gcsBucketName: - - ## S3 the name of the secret. 
- # secretName: s3access - ## Use this line for access using gcs-access-id and gcs-private-key - # secretName: gcsaccess - ## Use this line for access using google-application-credentials file - # secretName: google-application-credentials - ## Use this line for access using Azure with azure-account-name and azure-account-key - # secretName: azureaccess - - - ## Build Container specific configuration - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration builds: {} - # cpuLimit: 200m - # cpuLimitOverwriteMaxAllowed: 400m - # memoryLimit: 256Mi - # memoryLimitOverwriteMaxAllowed: 512Mi - # cpuRequests: 100m - # cpuRequestsOverwriteMaxAllowed: 200m - # memoryRequests: 128Mi - # memoryRequestsOverwriteMaxAllowed: 256Mi - - ## Service Container specific configuration - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration services: {} - # cpuLimit: 200m - # memoryLimit: 256Mi - # cpuRequests: 100m - # memoryRequests: 128Mi - - ## Helper Container specific configuration - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration helpers: {} - # cpuLimit: 200m - # memoryLimit: 256Mi - # cpuRequests: 100m - # memoryRequests: 128Mi - # image: "gitlab/gitlab-runner-helper:x86_64-${CI_RUNNER_REVISION}" - - ## Helper container security context configuration - ## Refer to https://docs.gitlab.com/runner/executors/kubernetes.html#using-security-context - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # pod_security_context: - # run_as_non_root: true - # run_as_user: 100 - # run_as_group: 100 - # fs_group: 65533 - # supplemental_groups: [101, 102] - - ## Service Account to be used for runners - ## - # serviceAccountName: - - ## If Gitlab is not reachable through $CI_SERVER_URL - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - 
# cloneUrl: - - ## Specify node labels for CI job pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # nodeSelector: {} - - ## Specify node tolerations for CI job pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # nodeTolerations: {} - - ## Specify pod labels for CI job pods - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # podLabels: {} - - ## Specify annotations for job pods, useful for annotations such as iam.amazonaws.com/role - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # podAnnotations: {} - - ## Configure environment variables that will be injected to the pods that are created while - ## the build is running. These variables are passed as parameters, i.e. `--env "NAME=VALUE"`, - ## to `gitlab-runner register` command. - ## - ## Note that `envVars` (see below) are only present in the runner pod, not the pods that are - ## created for each build. 
- ## - ## ref: https://docs.gitlab.com/runner/commands/#gitlab-runner-register - ## - ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration - # env: - # NAME: VALUE - - -## Configure securitycontext -## ref: http://kubernetes.io/docs/user-guide/security-context/ -## securityContext: fsGroup: 65533 runAsUser: 100 - ## Note: values for the ubuntu image: - # fsGroup: 999 - # runAsUser: 999 - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: {} - # limits: - # memory: 256Mi - # cpu: 200m - # requests: - # memory: 128Mi - # cpu: 100m - -## Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## +resources: + limits: + memory: 2Gi + cpu: "4" + requests: + memory: 2Gi + cpu: 1m affinity: {} - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## nodeSelector: {} - # Example: The gitlab runner manager should not run on spot instances so you can assign - # them to the regular worker nodes only. - # node-role.kubernetes.io/worker: "true" - -## List of node taints to tolerate (requires Kubernetes >= 1.6) -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## tolerations: [] - # Example: Regular worker nodes may have a taint, thus you need to tolerate the taint - # when you assign the gitlab runner manager with nodeSelector or affinity to the nodes. 
- # - key: "node-role.kubernetes.io/worker" - # operator: "Exists" - -## Configure environment variables that will be present when the registration command runs -## This provides further control over the registration process and the config.toml file -## ref: `gitlab-runner register --help` -## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html -## -# envVars: -# - name: RUNNER_EXECUTOR -# value: kubernetes - -## list of hosts and IPs that will be injected into the pod's hosts file hostAliases: [] - # Example: - # - ip: "127.0.0.1" - # hostnames: - # - "foo.local" - # - "bar.local" - # - ip: "10.1.2.3" - # hostnames: - # - "foo.remote" - # - "bar.remote" - -## Annotations to be added to manager pod -## podAnnotations: {} - # Example: - # iam.amazonaws.com/role: - -## Labels to be added to manager pod -## podLabels: {} - # Example: - # owner.team: - -## HPA support for custom metrics: -## This section enables runners to autoscale based on defined custom metrics. -## In order to use this functionality, Need to enable a custom metrics API server by -## implementing "custom.metrics.k8s.io" using supported third party adapter -## Example: https://github.com/directxman12/k8s-prometheus-adapter -## -#hpa: {} - # minReplicas: 1 - # maxReplicas: 10 - # metrics: - # - type: Pods - # pods: - # metricName: gitlab_runner_jobs - # targetAverageValue: 400m \ No newline at end of file
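Review bot: Deleting the plaintext `runnerRegistrationToken: "..."` line near the top of this hunk does not retire that credential — it stays in the repository history of the parent commit, so the registration token should be reset on the GitLab instance and the old value treated as exposed. The replacement `secret: gitlab-runner-secret` under `runners:` matches the `kubectl create secret` step this commit adds to the README, which populates both `runner-registration-token` and `runner-token`. The removed comment documenting this key (`## The name of the secret containing runner-token and runner-registration-token`) is worth keeping beside the new value, e.g. `secret: gitlab-runner-secret  # must hold runner-registration-token and runner-token`, so the coupling to the README step is visible in the file itself.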