Refactor/gitlab operator

install.yaml

@@ -19,6 +19,7 @@
       tags:
         - cert-manager
         - cm
+        - always
 
     - name: confSyncer
       tags:
@@ -62,9 +63,9 @@
       tags:
         - vault
 
-    - name: sops
-      tags:
-        - sops
+    # - name: sops
+    #   tags:
+    #     - sops
 
     - name: argocd
       tags:

roles/gitlab-runner/tasks/main.yaml

@@ -9,27 +9,51 @@
     msg: "Gitlab ne semble pas avoir été provisionné sur le cluster veuillez l'installer avant"
   when: gitlab_ns | length == 0
 
-- name: Install gitlab-runner subscription and role
-  kubernetes.core.k8s:
-    template: "{{ item }}"
-  with_items:
-    - operator-subscription.yaml.j2
-    - gitlab-runner-auth.yaml.j2
-
-- name: Wait Gitlab Runner exists
+- name: Get dso-config inventory
   kubernetes.core.k8s_info:
-    api_version: apps.gitlab.com/v1beta2
-    kind: Runner
-    name: gitlab-runner
-    namespace: "{{ dsc.gitlab.namespace }}"
-  register: runner_kind
-  until: runner_kind.api_found
-  retries: 5
+    namespace: "{{ dsc.console.namespace }}"
+    kind: ConfigMap
+    name: dso-config
+  register: ansible_inventory
 
-- name: Add custom env
-  kubernetes.core.k8s:
-    template: custom-env.yaml.j2
+- name: Get gitlab token
+  ansible.builtin.set_fact:
+    gitlab_token: "{{ ansible_inventory.resources[0].data.GITLAB_TOKEN }}"
+
+- name: Initiate a runner in GitLab instance
+  ansible.builtin.uri:
+    validate_certs: "{{ dsc.exposedCA.type == 'none' }}"
+    url: "https://{{ gitlab_domain }}/api/v4/user/runners"
+    method: POST
+    headers:
+      "PRIVATE-TOKEN": "{{ gitlab_token }}"
+    body:
+      runner_type: instance_type
+      description: dso-runner
+      platform: null
+      run_untagged: true
+    body_format: form-urlencoded
+    status_code: [201]
+  changed_when: true
+  register: default_runner
 
-- name: Install gitlab instance
+- name: Add GitLab Runner helm repo
+  kubernetes.core.helm_repository:
+    name: gitlab
+    repo_url: https://charts.gitlab.io
+
+- name: Set GitLab Runner helm values
+  ansible.builtin.set_fact:
+    runner_values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}"
+
+- name: Create gitlab-runner role
   kubernetes.core.k8s:
-    template: gitlab-runner-instance.yaml.j2
+    template: gitlab-runner-auth.yaml.j2
+
+- name: Deploy GitLab Runner helm
+  kubernetes.core.helm:
+    name: gitlab-runner
+    chart_ref: gitlab/gitlab-runner
+    chart_version: "{{ dsc.gitlabRunner.chartVersion }}"
+    release_namespace: "{{ dsc.gitlab.namespace }}"
+    values: "{{ runner_values }}"

roles/gitlab-runner/templates/gitlab-runner-auth.yaml.j2

@@ -1,21 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitlab-runner
-  namespace: {{ dsc.gitlab.namespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["pods", "secrets", "configmaps"]
-    verbs: ["list", "get", "watch", "create", "delete", "update"]
-  - apiGroups: [""]
-    resources: ["pods/exec", "pods/attach"]
-    verbs: ["create"]
-  - apiGroups: [""]
-    resources: ["pods/log"]
-    verbs: ["get"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: "RoleBinding"
 metadata:
   name: gitlab-runner-gitlab-runner
@@ -26,7 +9,7 @@ roleRef:
   name: gitlab-runner
 subjects:
   - kind: ServiceAccount
-    name: gitlab-runner-sa
+    name: gitlab-runner
     namespace: {{ dsc.gitlab.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -41,5 +24,5 @@ roleRef:
   name: system:openshift:scc:anyuid
 subjects:
 - kind: ServiceAccount
-  name: gitlab-runner-sa
+  name: gitlab-runner
   namespace: {{ dsc.gitlab.namespace }}

roles/gitlab-runner/templates/values.yaml.j2

@@ -0,0 +1,171 @@
+image:
+  registry: registry.gitlab.com
+  image: gitlab-org/gitlab-runner
+  # tag: alpine-v11.6.0
+
+imagePullPolicy: IfNotPresent
+
+replicas: 1
+
+## How many old ReplicaSets for this Deployment you want to retain
+revisionHistoryLimit: 2
+
+gitlabUrl: https://{{ gitlab_domain }}/
+
+runnerToken: "{{ default_runner.json.token }}"
+
+terminationGracePeriodSeconds: 3600
+
+## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
+## Provide resource name for a Kubernetes Secret Object in the same namespace,
+## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory
+## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates-targeting-the-gitlab-server
+
+##
+#certsSecretName: gitlab-wildcard-tls-chain
+{% if dsc.exposedCA != 'none' %}
+certsSecretName: exposed-ca
+{% endif %}
+
+concurrent: 10
+
+checkInterval: 30
+
+rbac:
+  create: true
+  rules:
+#    - apiGroups: [""]
+#      resources: ["pods", "secrets", "configmaps"]
+#      verbs: ["list", "get", "watch", "create", "delete", "update"]
+#    - apiGroups: [""]
+#      resources: ["pods/exec", "pods/attach"]
+#      verbs: ["create"]
+#    - apiGroups: [""]
+#      resources: ["pods/log"]
+#      verbs: ["get"]
+    - resources: ["configmaps", "events", "pods", "pods/attach", "pods/exec", "secrets", "services"]
+      verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+    - apiGroups: [""]
+      resources: ["pods/exec"]
+      verbs: ["create", "patch", "delete"]
+  clusterWideAccess: false
+  serviceAccountName: gitlab-runner
+  podSecurityPolicy:
+    enabled: true
+    resourceNames:
+    - gitlab-runner
+
+## Configuration for the Pods that the runner launches for each new job
+##
+runners:
+  # runner configuration, where the multi line strings is evaluated as
+  # template so you can specify helm values inside of it.
+  #
+  # tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
+  # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
+  config: |
+    [[runners]]
+      [runners.kubernetes]
+        namespace = "{{ dsc.gitlab.namespace }}"
+        image = "ubuntu:22.04"
+
+  ## Absolute path for an existing runner configuration file
+  ## Can be used alongside "volumes" and "volumeMounts" to use an external config file
+  ## Active if runners.config is empty or null
+  configPath: ""
+
+  ## Which executor should be used
+  ##
+  # executor: kubernetes
+
+  ## Specify the name for the runner.
+  ##
+  name: gitlab-runner
+
+  ## The name of the secret containing runner-token and runner-registration-token
+  secret: gitlab-runner-secret
+
+  cache: {}
+
+## Configure securitycontext for the main container
+## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ 
+##
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  privileged: false
+  capabilities:
+    drop: ["ALL"]
+
+## Configure securitycontext valid for the whole pod
+## ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ 
+##
+podSecurityContext:
+  runAsUser: 100
+  fsGroup: 65533
+
+## Configure resource requests and limits
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+##
+resources: {}
+  # limits:
+  #   memory: 256Mi
+  #   cpu: 200m
+  # requests:
+  #   memory: 128Mi
+  #   cpu: 100m
+
+## Configure environment variables that will be present when the registration command runs
+## This provides further control over the registration process and the config.toml file
+## ref: `gitlab-runner register --help`
+## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
+##
+envVars:
+  - name: RUNNER_EXECUTOR
+    value: kubernetes
+{% if dsc.proxy.enabled %}
+  - name: HTTP_PROXY
+    value: "{{ dsc.proxy.http_proxy }}"
+  - name: HTTPS_PROXY
+    value: "{{ dsc.proxy.https_proxy }}"
+  - name: NO_PROXY
+    value: "{{ dsc.proxy.no_proxy }}"
+{% endif %}
+
+## Annotations to be added to deployment
+##
+deploymentAnnotations: {}
+  # Example:
+  # downscaler/uptime: <my_uptime_period>
+
+## Labels to be added to deployment
+##
+deploymentLabels: {}
+  # Example:
+  # owner.team: <my_cool_team>
+
+## Annotations to be added to manager pod
+##
+podAnnotations: {}
+  # Example:
+  # iam.amazonaws.com/role: <my_role_arn>
+
+## Labels to be added to manager pod
+##
+podLabels: {}
+  # Example:
+  # owner.team: <my_cool_team>
+
+## Configure priorityClassName for manager pod. See k8s docs for more info on how pod priority works:
+##  https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+priorityClassName: ""
+
+volumeMounts:
+  - name: root-gitlab-runner
+    mountPath: /.gitlab-runner
+
+volumes:
+  - name: root-gitlab-runner
+    emptyDir:
+      medium: "Memory"