gitlabUrl: https://gitlab.ics.muni.cz/ image: registry: registry.gitlab.com image: gitlab-org/ci-cd/gitlab-runner-ubi-images/gitlab-runner-ocp tag: v16.4.0 ## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry) ## the installation fails because dumb-init is not packaged in the image. However, the tini is present. ## This configuration will allow gitlab-runner-ubi-images users to explicitly enabled the use of `tini` instead of `dumb-init` useTini: true ## Specify a imagePullPolicy for the main runner deployment imagePullPolicy: IfNotPresent ## Specifying ImagePullSecrets on a Pod ## Kubernetes supports specifying container image registry keys on a Pod. ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod ## # imagePullSecrets: # - name: "image-pull-secret" ## Timeout, in seconds, for liveness and readiness probes of a runner pod. # probeTimeoutSeconds: 1 ## How many runner pods to launch. ## # replicas: 1 ## How many old ReplicaSets for this Deployment you want to retain # revisionHistoryLimit: 10 ## Unregister all runners before termination unregisterRunners: false ## When stopping the runner, give it time to wait for its jobs to terminate. ## ## Updating the runner's chart version or configuration will cause the runner container ## to be terminated with a graceful stop request. terminationGracePeriodSeconds ## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully. ## ref: https://docs.gitlab.com/runner/commands/#signals terminationGracePeriodSeconds: 3600 ## Configure the maximum number of concurrent jobs concurrent: 1 ## Defines in seconds how often to check GitLab for a new builds checkInterval: 30 logLevel: debug ## Configure GitLab Runner's logging format. Available values are: runner, text, json ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section ## # logFormat: ## Configure GitLab Runner's Sentry DSN. ## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section ## # sentryDsn: ## A custom bash script that will be executed prior to the invocation ## gitlab-runner process # #preEntrypointScript: | # echo "hello" ## Specify whether the runner should start the session server. ## Defaults to false ## ref: ## ## When sessionServer is enabled, the user can either provide a public publicIP ## or rely on the external IP auto discovery ## When a serviceAccountName is used with the automounting to the pod disable, ## we recommend the usage of the publicIP sessionServer: enabled: false # annotations: {} # timeout: 1800 # internalPort: 8093 # externalPort: 9000 # publicIP: "" # loadBalancerSourceRanges: # - 1.2.3.4/32 ## For RBAC support: rbac: enable: true ## Define list of rules to be added to the rbac role permissions. ## Each rule supports the keys: ## - apiGroups: default "" (indicates the core API group) if missing or empty. ## - resources: default "*" if missing or empty. ## - verbs: default "*" if missing or empty. ## ## Read more about the recommended rules on the following link ## ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#configuring-executor-service-account ## rules: [] # - resources: ["configmaps", "events", "pods", "pods/attach", "pods/exec", "secrets", "services"] # verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] # - apiGroups: [""] # resources: ["pods/exec"] # verbs: ["create", "patch", "delete"] ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs ## cluster-wide or only within namespace clusterWideAccess: false ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create) ## # serviceAccountName: default ## Specify annotations for Service Accounts, useful for annotations such as eks.amazonaws.com/role-arn. ## Values may refer other values as the _tpl_ function is implicitly applied. Mind the quotes when using this, e.g. ## serviceAccountAnnotations: ## eks.amazonaws.com/role-arn: "arn:aws:iam::{{ .Values.global.accountId }}:role/{{ .Values.global.iamRoleName }}" ## ## ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html ## # serviceAccountAnnotations: {} ## Use podSecurity Policy ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ podSecurityPolicy: enabled: false resourceNames: - gitlab-runner ## Specify one or more imagePullSecrets used for pulling the runner image ## ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account ## # imagePullSecrets: [] ## Configure integrated Prometheus metrics exporter metrics: enabled: false portName: metrics port: 9252 serviceMonitor: enabled: false ## Configure a service resource e.g., to allow scraping metrics via ## prometheus-operator serviceMonitor service: enabled: false type: ClusterIP ## Configuration for the Pods that the runner launches for each new job runners: ## The name of the secret containing runner-token and runner-registration-token secret: gitlab-runner-secret-3s # see https://docs.cypress.io/guides/getting-started/installing-cypress#Hardware config: | [[runners]] environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"] log_level = "debug" [runners.kubernetes] cap_drop = ["ALL"] allow_privilege_escalation = false namespace = "{{.Release.Namespace}}" image = "ubuntu:22.04" helper_image = "registry.gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/gitlab-runner-helper-ocp:x86_64-v16.4.0" cpu_request = "3" cpu_limit = "6" memory_request = "4Gi" memory_limit = "8Gi" service_cpu_request = "1" service_cpu_limit = "1" service_memory_request = "1Gi" service_memory_limit = "2Gi" helper_cpu_request = "1" helper_cpu_limit = "1" helper_memory_request = "1Gi" helper_memory_limit = "2Gi" pull_policy = ["always", "if-not-present"] [[runners.kubernetes.pod_spec]] name = "initseccompprofile" patch = ''' initContainers: - name: init-permissions securityContext: seccompProfile: type: "RuntimeDefault" containers: - name: helper securityContext: seccompProfile: type: "RuntimeDefault" - name: build securityContext: seccompProfile: type: "RuntimeDefault" - name: svc-0 securityContext: seccompProfile: type: "RuntimeDefault" - name: svc-1 securityContext: seccompProfile: type: "RuntimeDefault" - name: svc-2 securityContext: seccompProfile: type: "RuntimeDefault" ''' patch_type = "strategic" [runners.kubernetes.pod_security_context] run_as_non_root = true run_as_user = 1001 [runners.kubernetes.pod_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.init_permissions_container_security_context] run_as_non_root = true run_as_user = 1001 allow_privilege_escalation = false [runners.kubernetes.init_permissions_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.helper_container_security_context] run_as_non_root = true run_as_user = 1001 allow_privilege_escalation = false [runners.kubernetes.helper_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.service_container_security_context] run_as_non_root = true run_as_user = 1001 allow_privilege_escalation = false [runners.kubernetes.service_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.build_container_security_context] run_as_non_root = true run_as_user = 1001 allow_privilege_escalation = false [runners.kubernetes.build_container_security_context.capabilities] drop = [ "ALL" ] cache: {} ## Distributed runners caching ## ref: https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching ## ## If you want to use s3 based distributing caching: ## First of all you need to uncomment General settings and S3 settings sections. ## ## Create a secret 's3access' containing 'accesskey' & 'secretkey' ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/ ## ## $ kubectl create secret generic s3access \ ## --from-literal=accesskey="YourAccessKey" \ ## --from-literal=secretkey="YourSecretKey" ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ ## ## S3 the name of the secret. # secretName: s3access ## Specify the name of the scheduler which used to schedule runner pods. ## Kubernetes supports multiple scheduler configurations. ## ref: https://kubernetes.io/docs/reference/scheduling # schedulerName: "my-custom-scheduler" ## Configure securitycontext for the main container ## ref: http://kubernetes.io/docs/user-guide/security-context/ ## securityContext: runAsNonRoot: true privileged: false runAsUser: 1001 seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false readOnlyRootFilesystem: false capabilities: drop: ["ALL"] ## Configure securitycontext valid for the whole pod ## ref: http://kubernetes.io/docs/user-guide/security-context/ ## podSecurityContext: runAsUser: 1001 runAsNonRoot: true # runAsGroup: 65533 fsGroup: 65533 supplementalGroups: [65533] fsGroupChangePolicy: OnRootMismatch seccompProfile: type: RuntimeDefault ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: # {} requests: cpu: 1 memory: 2Gi ephemeral-storage: 8Gi limits: cpu: 2 memory: 4Gi ephemeral-storage: 16Gi # limits: # memory: 256Mi # cpu: 200m # requests: # memory: 128Mi # cpu: 100m ## Affinity for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} # Example: The gitlab runner manager should not run on spot instances so you can assign # them to the regular worker nodes only. # node-role.kubernetes.io/worker: "true" ## List of node taints to tolerate (requires Kubernetes >= 1.6) ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] # Example: Regular worker nodes may have a taint, thus you need to tolerate the taint # when you assign the gitlab runner manager with nodeSelector or affinity to the nodes. # - key: "node-role.kubernetes.io/worker" # operator: "Exists" ## Configure environment variables that will be present when the registration command runs ## This provides further control over the registration process and the config.toml file ## ref: `gitlab-runner register --help` ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html ## # envVars: # - name: RUNNER_EXECUTOR # value: kubernetes ## list of hosts and IPs that will be injected into the pod's hosts file hostAliases: [] # Example: # - ip: "127.0.0.1" # hostnames: # - "foo.local" # - "bar.local" # - ip: "10.1.2.3" # hostnames: # - "foo.remote" # - "bar.remote" ## Annotations to be added to deployment ## deploymentAnnotations: {} # Example: # downscaler/uptime: ## Labels to be added to deployment ## deploymentLabels: {} # Example: # owner.team: ## Annotations to be added to manager pod ## podAnnotations: {} # Example: # iam.amazonaws.com/role: ## Labels to be added to manager pod ## podLabels: {} # Example: # owner.team: ## HPA support for custom metrics: ## This section enables runners to autoscale based on defined custom metrics. ## In order to use this functionality, Need to enable a custom metrics API server by ## implementing "custom.metrics.k8s.io" using supported third party adapter ## Example: https://github.com/directxman12/k8s-prometheus-adapter ## #hpa: {} # minReplicas: 1 # maxReplicas: 10 # metrics: # - type: Pods # pods: # metricName: gitlab_runner_jobs # targetAverageValue: 400m ## Configure priorityClassName for manager pod. See k8s docs for more info on how pod priority works: ## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ priorityClassName: "" ## Secrets to be additionally mounted to the containers. ## All secrets are mounted through init-runner-secrets volume ## and placed as readonly at /init-secrets in the init container ## and finally copied to an in-memory volume runner-secrets that is ## mounted at /secrets. secrets: [] # Example: # - name: my-secret # - name: myOtherSecret # items: # - key: key_one # path: path_one ## Boolean to turn off the automountServiceAccountToken in the deployment ## ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume ## # automountServiceAccountToken: false ## Additional config files to mount in the containers in `/configmaps`. ## ## Please note that a number of keys are reserved by the runner. ## See https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml ## for a current list. configMaps: {} ## Additional volumeMounts to add to the runner container ## volumeMounts: - name: dshm mountPath: /dev/shm ## Additional volumes to add to the runner deployment ## volumes: - name: dshm emptyDir: medium: Memory sizeLimit: 8Gi