store token as secret

2021-05-20 12:51:16 -04:00
parent cf442ec78b
commit 711b6813e9
4 changed files with 23 additions and 540 deletions
--- a/README.md
+++ b/README.md
@@ -1,22 +1,13 @@
-# Create a gitlab runner in your namespace with Helm
+# Install Gitlab Runner
-Install:
+Create runner secret
 Edit runnerconfig.yaml and add your token
 ```bash
-helm upgrade --install --namespace automation services-runner -f values.yaml gitlab/gitlab-runner
+kubectl create secret generic gitlab-runner-secret --from-literal=runner-registration-token=$(vault kv get -field=runner-token secret/gitlab) --from-literal=runner-token=""
-helm install --namespace ducoterra reese-runner -f runnerconfig.yaml gitlab/gitlab-runner
+kubectl apply -f role.yaml
 ```
 Uninstall:
 ```bash
-helm delete --namespace ducoterra services-runner
+helm repo add gitlab https://charts.gitlab.io
-```
+helm install --namespace gitlab gitlab-runner -f values.yaml gitlab/gitlab-runner
 ## Giving the runner access to your namespace
 ```bash
 kubectl apply -f k8s
 ```
--- a/rolebinding.yaml
+++ b/rolebinding.yaml
@@ -1,12 +0,0 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: default-binding
 subjects:
 - kind: ServiceAccount
  name: default
  apiGroup: ""
 roleRef:
  kind: Role
  name: namespace-manager
  apiGroup: ""
--- a/runnerconfig.yaml.example
+++ b/runnerconfig.yaml.example
@@ -1,57 +0,0 @@
 # CONFIGURE ME
 runnerRegistrationToken: <PUT YOUR TOKEN HERE>
 gitlabUrl: https://gitlab.ducoterra.net/
 # PRE-CONFIGURED
 imagePullPolicy: IfNotPresent
 unregisterRunners: true
 terminationGracePeriodSeconds: 3600
 concurrent: 10
 checkInterval: 30
 rbac:
  clusterWideAccess: false
  serviceAccountName: gitlab-runner
 metrics:
  enabled: true
 runners:
  image: debian:10
  locked: false
  privileged: false
  pollTimeout: 180
  outputLimit: 4096
  cache: {}
  builds:
    cpuLimit: 1000m
    cpuLimitOverwriteMaxAllowed: 2000m
    memoryLimit: 1Gi
    memoryLimitOverwriteMaxAllowed: 2Gi
    cpuRequests: 1m
    cpuRequestsOverwriteMaxAllowed: 200m
    memoryRequests: 1Mi
    memoryRequestsOverwriteMaxAllowed: 256Mi
  services:
    cpuLimit: 1000m
    memoryLimit: 1Gi
    cpuRequests: 1m
    memoryRequests: 1Mi
  helpers:
    cpuLimit: 1000m
    memoryLimit: 1Gi
    cpuRequests: 1m
    memoryRequests: 1Mi
 securityContext:
  fsGroup: 65533
  runAsUser: 100
 resources: {}
  # limits:
  #   memory: "1Gi"
  #   cpu: "1"
  # requests:
  #   memory: "1Mi"
  #   cpu: "1m"
 affinity: {}
 nodeSelector: {}
 tolerations: []
 hostAliases: []
 podAnnotations: {}
 podLabels: {}
--- a/values.yaml
+++ b/values.yaml
@@ -1,477 +1,38 @@
-## GitLab Runner Image
+imagePullPolicy: Always
-##
+gitlabUrl: https://gitlab.ducoterra.net/
-## By default it's using gitlab/gitlab-runner:alpine-v{VERSION}
+unregisterRunners: true
 ## where {VERSION} is taken from Chart.yaml from appVersion field
 ##
 ## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/
 ##
 ## Note: If you change the image to the ubuntu release
 ##       don't forget to change the securityContext; 
 ##       these images run on different user IDs.
 ##
 # image: gitlab/gitlab-runner:alpine-v11.6.0
 ## Specify a imagePullPolicy
 ## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 imagePullPolicy: IfNotPresent
 ## Specifying ImagePullSecrets on a Pod
 ## Kubernetes supports specifying container image registry keys on a Pod.
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
 ##
 # imagePullSecrets: 
 #   - name: "image-pull-secret"
 ## The GitLab Server URL (with protocol) that want to register the runner against
 ## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
 ##
 gitlabUrl: http://gitlab.ducoterra.net/
 ## The Registration Token for adding new Runners to the GitLab Server. This must
 ## be retrieved from your GitLab Instance.
 ## ref: https://docs.gitlab.com/ce/ci/runners/README.html
 ##
 runnerRegistrationToken: "KqHzzq_Bsf9yxk7JxjYW"
 ## The Runner Token for adding new Runners to the GitLab Server. This must
 ## be retrieved from your GitLab Instance. It is token of already registered runner.
 ## ref: (we don't yet have docs for that, but we want to use existing token)
 ##
 # runnerToken: ""
 #
 ## Unregister all runners before termination
 ##
 ## Updating the runner's chart version or configuration will cause the runner container
 ## to be terminated and created again. This may cause your Gitlab instance to reference
 ## non-existant runners. Un-registering the runner before termination mitigates this issue.
 ## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister
 ##
 # unregisterRunners: true
 ## When stopping the runner, give it time to wait for its jobs to terminate.
 ##
 ## Updating the runner's chart version or configuration will cause the runner container
 ## to be terminated with a graceful stop request. terminationGracePeriodSeconds
 ## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully.
 ## ref: https://docs.gitlab.com/runner/commands/#signals
 terminationGracePeriodSeconds: 3600
 ## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
 ## Provide resource name for a Kubernetes Secret Object in the same namespace,
 ## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory
 ## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
 ##
 # certsSecretName:
 ## Configure the maximum number of concurrent jobs
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 concurrent: 10
 ## Defines in seconds how often to check GitLab for a new builds
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 checkInterval: 30
 ## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 # logLevel:
 ## Configure GitLab Runner's logging format. Available values are: runner, text, json
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 # logFormat:
 ## Configure GitLab Runner's Sentry DSN.
 ## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 # sentryDsn:
 ## A custom bash script that will be executed prior to the invocation
 ## gitlab-runner process
 #
 #preEntrypointScript: |
 #  echo "hello"
 ## For RBAC support:
 rbac:
  create: false
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"]
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs
  ## cluster-wide or only within namespace
  clusterWideAccess: false
-
+  create: true
  ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create)
  ##
  # serviceAccountName: default
  ## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn
  ##
  ## ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
  ##
  # serviceAccountAnnotations: {}
  ## Use podSecurity Policy
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  podSecurityPolicy:
    enabled: false
    resourceNames:
    - gitlab-runner
  ## Specify one or more imagePullSecrets used for pulling the runner image
  ##
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
  ##
  # imagePullSecrets: []
 ## Configure integrated Prometheus metrics exporter
 ## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server
 metrics:
  enabled: true
 ## Configuration for the Pods that the runner launches for each new job
 ##
 runners:
-  config: |
+  image: debian:10
-    [[runners]]
+  locked: false
-      [runners.kubernetes]
+  secret: gitlab-runner-secret
-        image = "debian:10"
+  privileged: false
-
+  pollTimeout: 180
-  ## Which executor should be used
+  outputLimit: 4096
  ##
  # executor: kubernetes
  ## Default container image to use for builds when none is specified
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # image: ubuntu:16.04
  ## Specify one or more imagePullSecrets
  ##
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # imagePullSecrets: []
  ## Specify the image pull policy: never, if-not-present, always. The cluster default will be used if not set.
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # imagePullPolicy: ""
  ## Defines number of concurrent requests for new job from GitLab
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # requestConcurrency: 1
  ## Specify whether the runner should be locked to a specific project: true, false. Defaults to true.
  ##
  # locked: true
  ## Specify the tags associated with the runner. Comma-separated list of tags.
  ##
  ## ref: https://docs.gitlab.com/ce/ci/runners/#use-tags-to-limit-the-number-of-jobs-using-the-runner
  ##
  # tags: ""
  ## Specify the name for the runner.
  ##
  # name: ""
  ## Specify if jobs without tags should be run.
  ## If not specified, Runner will default to true if no tags were specified. In other case it will
  ## default to false.
  ##
  ## ref: https://docs.gitlab.com/ce/ci/runners/#runner-is-allowed-to-run-untagged-jobs
  ##
  # runUntagged: true
  ## Specify whether the runner should only run protected branches.
  ## Defaults to False.
  ##
  ## ref: https://docs.gitlab.com/ee/ci/runners/#prevent-runners-from-revealing-sensitive-information
  ##
  # protected: true
  ## Run all containers with the privileged flag enabled
  ## This will allow the docker:dind image to run if you need to run Docker
  ## commands. Please read the docs before turning this on:
  ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-dockerdind
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # privileged: false
  ## The name of the secret containing runner-token and runner-registration-token
  # secret: gitlab-runner
  ## Namespace to run Kubernetes jobs in (defaults to the same namespace of this release)
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # namespace:
  ## The amount of time, in seconds, that needs to pass before the runner will
  ## timeout attempting to connect to the container it has just created.
  ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # pollTimeout: 180
  ## Set maximum build log size in kilobytes, by default set to 4096 (4MB)
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # outputLimit: 4096
  ## Distributed runners caching
  ## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching
  ##
  ## If you want to use s3 based distributing caching:
  ## First of all you need to uncomment General settings and S3 settings sections.
  ##
  ## Create a secret 's3access' containing 'accesskey' & 'secretkey'
  ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
  ##
  ## $ kubectl create secret generic s3access \
  ##   --from-literal=accesskey="YourAccessKey" \
  ##   --from-literal=secretkey="YourSecretKey"
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  ##
  ## If you want to use gcs based distributing caching:
  ## First of all you need to uncomment General settings and GCS settings sections.
  ##
  ## Access using credentials file:
  ## Create a secret 'google-application-credentials' containing your application credentials file.
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section
  ## You could configure
  ## $ kubectl create secret generic google-application-credentials \
  ##   --from-file=gcs-application-credentials-file=./path-to-your-google-application-credentials-file.json
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  ##
  ## Access using access-id and private-key:
  ## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'.
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section
  ## You could configure
  ## $ kubectl create secret generic gcsaccess \
  ##   --from-literal=gcs-access-id="YourAccessID" \
  ##   --from-literal=gcs-private-key="YourPrivateKey"
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  ##
  ## If you want to use Azure-based distributed caching:
  ## First, uncomment General settings.
  ##
  ## Create a secret 'azureaccess' containing 'azure-account-name' & 'azure-account-key'
  ## ref: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction
  ##
  ## $ kubectl create secret generic azureaccess \
  ##   --from-literal=azure-account-name="YourAccountName" \
  ##   --from-literal=azure-account-key="YourAccountKey"
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  cache: {}
    ## General settings
    ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template
    # cacheType: s3
    # cachePath: "gitlab_runner"
    # cacheShared: true
    ## S3 settings
    ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template
    # s3ServerAddress: s3.amazonaws.com
    # s3BucketName:
    # s3BucketLocation:
    # s3CacheInsecure: false
    ## GCS settings
    ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration and https://docs.gitlab.com/runner/install/kubernetes.html#using-cache-with-configuration-template
    # gcsBucketName:
    ## S3 the name of the secret.
    # secretName: s3access
    ## Use this line for access using gcs-access-id and gcs-private-key
    # secretName: gcsaccess
    ## Use this line for access using google-application-credentials file
    # secretName: google-application-credentials
    ## Use this line for access using Azure with azure-account-name and azure-account-key
    # secretName: azureaccess
  ## Build Container specific configuration
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  builds: {}
    # cpuLimit: 200m
    # cpuLimitOverwriteMaxAllowed: 400m
    # memoryLimit: 256Mi
    # memoryLimitOverwriteMaxAllowed: 512Mi
    # cpuRequests: 100m
    # cpuRequestsOverwriteMaxAllowed: 200m
    # memoryRequests: 128Mi
    # memoryRequestsOverwriteMaxAllowed: 256Mi
  ## Service Container specific configuration
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  services: {}
    # cpuLimit: 200m
    # memoryLimit: 256Mi
    # cpuRequests: 100m
    # memoryRequests: 128Mi
  ## Helper Container specific configuration
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  helpers: {}
    # cpuLimit: 200m
    # memoryLimit: 256Mi
    # cpuRequests: 100m
    # memoryRequests: 128Mi
    # image: "gitlab/gitlab-runner-helper:x86_64-${CI_RUNNER_REVISION}"
  ## Helper container security context configuration
  ## Refer to https://docs.gitlab.com/runner/executors/kubernetes.html#using-security-context
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # pod_security_context:
  #   run_as_non_root: true
  #   run_as_user: 100
  #   run_as_group: 100
  #   fs_group: 65533
  #   supplemental_groups: [101, 102]
  ## Service Account to be used for runners
  ##
  # serviceAccountName:
  ## If Gitlab is not reachable through $CI_SERVER_URL
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # cloneUrl:
  ## Specify node labels for CI job pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # nodeSelector: {}
  ## Specify node tolerations for CI job pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # nodeTolerations: {}
  ## Specify pod labels for CI job pods
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # podLabels: {}
  ## Specify annotations for job pods, useful for annotations such as iam.amazonaws.com/role
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # podAnnotations: {}
  ## Configure environment variables that will be injected to the pods that are created while
  ## the build is running. These variables are passed as parameters, i.e. `--env "NAME=VALUE"`,
  ## to `gitlab-runner register` command.
  ##
  ## Note that `envVars` (see below) are only present in the runner pod, not the pods that are
  ## created for each build.
  ##
  ## ref: https://docs.gitlab.com/runner/commands/#gitlab-runner-register
  ##
  ## DEPRECATED: See https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration
  # env:
  #   NAME: VALUE
 ## Configure securitycontext
 ## ref: http://kubernetes.io/docs/user-guide/security-context/
 ##
 securityContext:
  fsGroup: 65533
  runAsUser: 100
-  ## Note: values for the ubuntu image:
+resources:
-  # fsGroup: 999
+  limits:
-  # runAsUser: 999
+    memory: 2Gi
-
+    cpu: "4"
-## Configure resource requests and limits
+  requests:
-## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+    memory: 2Gi
-##
+    cpu: 1m
 resources: {}
  # limits:
  #   memory: 256Mi
  #   cpu: 200m
  # requests:
  #   memory: 128Mi
  #   cpu: 100m
 ## Affinity for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}
 ## Node labels for pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
 ##
 nodeSelector: {}
  # Example: The gitlab runner manager should not run on spot instances so you can assign
  # them to the regular worker nodes only.
  # node-role.kubernetes.io/worker: "true"
 ## List of node taints to tolerate (requires Kubernetes >= 1.6)
 ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
  # Example: Regular worker nodes may have a taint, thus you need to tolerate the taint
  # when you assign the gitlab runner manager with nodeSelector or affinity to the nodes.
  # - key: "node-role.kubernetes.io/worker"
  #   operator: "Exists"
 ## Configure environment variables that will be present when the registration command runs
 ## This provides further control over the registration process and the config.toml file
 ## ref: `gitlab-runner register --help`
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
 ##
 # envVars:
 #   - name: RUNNER_EXECUTOR
 #     value: kubernetes
 ## list of hosts and IPs that will be injected into the pod's hosts file
 hostAliases: []
  # Example:
  # - ip: "127.0.0.1"
  #   hostnames:
  #   - "foo.local"
  #   - "bar.local"
  # - ip: "10.1.2.3"
  #   hostnames:
  #   - "foo.remote"
  #   - "bar.remote"
 ## Annotations to be added to manager pod
 ##
 podAnnotations: {}
  # Example:
  # iam.amazonaws.com/role: <my_role_arn>
 ## Labels to be added to manager pod
 ##
 podLabels: {}
  # Example:
  # owner.team: <my_cool_team>
 ## HPA support for custom metrics:
 ## This section enables runners to autoscale based on defined custom metrics.
 ## In order to use this functionality, Need to enable a custom metrics API server by
 ## implementing "custom.metrics.k8s.io" using supported third party adapter
 ## Example: https://github.com/directxman12/k8s-prometheus-adapter
 ##
 #hpa: {}
  # minReplicas: 1
  # maxReplicas: 10
  # metrics:
  # - type: Pods
  #   pods:
  #     metricName: gitlab_runner_jobs
  #     targetAverageValue: 400m