# #Copyright (c) 2017 # apiVersion: v1 kind: Template labels: template: gitlab-runner-template metadata: annotations: description: | GitLab Runner Service. Before you start, please setup Security Context Constraints (SCC) for service accounts used for running containers (anyuid means commands inside containers can run as root) oc login -u system:admin oc adm policy add-scc-to-user anyuid -z sa-gitlab-runner -n CURRENT_PROJECT_NAME oc adm policy add-scc-to-user anyuid -z sa-minio -n CURRENT_PROJECT_NAME openshift.io/display-name: GitLab Runner Service tags: gitlab-runner creationTimestamp: null name: gitlab-runner objects: - apiVersion: v1 kind: ServiceAccount metadata: name: sa-gitlab-runner - apiVersion: v1 kind: RoleBinding metadata: name: edit groupNames: null subjects: - kind: ServiceAccount name: sa-gitlab-runner roleRef: name: edit - apiVersion: v1 kind: ServiceAccount metadata: name: sa-minio - apiVersion: v1 kind: ImageStream metadata: creationTimestamp: null labels: app: gitlab-runner name: gitlab-runner spec: dockerImageRepository: "" tags: - from: kind: DockerImage name: peerapach/gitlab-runner:latest name: latest importPolicy: scheduled: true - apiVersion: v1 kind: Service metadata: creationTimestamp: null name: ${GITLAB_RUNNER_SERVICE_NAME} spec: portalIP: "" ports: - name: 22-ssh nodePort: 0 port: 22 protocol: TCP targetPort: 22 selector: name: ${GITLAB_RUNNER_SERVICE_NAME} sessionAffinity: None type: ClusterIP - apiVersion: v1 kind: DeploymentConfig metadata: creationTimestamp: null name: dc-${GITLAB_RUNNER_SERVICE_NAME} spec: replicas: 1 selector: name: ${GITLAB_RUNNER_SERVICE_NAME} strategy: type: Recreate template: metadata: creationTimestamp: null labels: name: ${GITLAB_RUNNER_SERVICE_NAME} spec: containers: - capabilities: {} image: ' ' imagePullPolicy: IfNotPresent readinessProbe: exec: command: - /usr/bin/pgrep - gitlab-ci-multi initialDelaySeconds: 5 timeoutSeconds: 1 livenessProbe: exec: command: - /usr/bin/pgrep - gitlab-ci-multi initialDelaySeconds: 5 timeoutSeconds: 1 name: cnt-gitlab-runner ports: - containerPort: 22 protocol: TCP args: - run - --working-directory - /home/gitlab-runner - --config - /etc/gitlab-runner/config.toml - --service - gitlab-runner - --user - gitlab-runner env: - name: CI_SERVER_URL value: ${GITLAB_RUNNER_CI_URL} - name: REGISTRATION_TOKEN value: ${GITLAB_RUNNER_TOKEN} - name: RUNNER_EXECUTOR value: kubernetes - name: KUBERNETES_NAMESPACE value: ${GITLAB_RUNNER_NAMESPACE} - name: RUNNER_REQUEST_CONCURRENCY value: ${GITLAB_RUNNER_JOBS} resources: limits: memory: ${MEMORY_LIMIT} securityContext: capabilities: {} privileged: false terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /etc/gitlab-runner name: vol-gitlab-runner-config serviceAccountName: sa-gitlab-runner dnsPolicy: ClusterFirst restartPolicy: Always volumes: - configMap: name: cm-gitlab-runner name: vol-gitlab-runner-config triggers: - imageChangeParams: automatic: true containerNames: - cnt-gitlab-runner from: kind: ImageStreamTag name: gitlab-runner:latest lastTriggeredImage: "" type: ImageChange - type: ConfigChange - apiVersion: v1 kind: ConfigMap metadata: name: cm-gitlab-runner data: config.toml: | concurrent = ${GITLAB_RUNNER_JOBS} check_interval = 0 [[runners]] name = "GitLab Runner" url = "${GITLAB_RUNNER_CI_URL}" token = "${GITLAB_RUNNER_TOKEN}" executor = "kubernetes" [runners.kubernetes] namespace = "${GITLAB_RUNNER_NAMESPACE}" privileged = false host = "" cert_file = "" key_file = "" ca_file = "" image = "" cpus = "" memory = "" service_cpus = "" service_memory = "" helper_cpus = "" helper_memory = "" helper_image = "" [runners.cache] Type = "s3" ServerAddress = "${MINIO_SERVICE_NAME}:80" AccessKey = "${MINIO_ACCESS_KEY}" SecretKey = "${MINIO_SECRET_KEY}" BucketName = "bkt-gitlab-runner" Insecure = true ### minio integration for cache # based on the https://github.com/lwolf/kubernetes-gitlab/tree/master/minio - apiVersion: v1 kind: ImageStream metadata: creationTimestamp: null labels: app: minio name: is-minio spec: dockerImageRepository: "" tags: - from: kind: DockerImage name: minio/minio:${MINIO_IMAGE_DOCKER_TAG} name: minio_pseudo_tag importPolicy: scheduled: true status: dockerImageRepository: "" - apiVersion: v1 kind: Service metadata: creationTimestamp: null name: ${MINIO_SERVICE_NAME} spec: portalIP: "" ports: - name: http nodePort: 0 port: 80 protocol: TCP targetPort: 9000 selector: name: ${MINIO_SERVICE_NAME} sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: v1 kind: DeploymentConfig metadata: creationTimestamp: null name: dc-${MINIO_SERVICE_NAME} spec: replicas: 1 selector: name: ${MINIO_SERVICE_NAME} strategy: type: Recreate template: metadata: creationTimestamp: null labels: name: ${MINIO_SERVICE_NAME} spec: containers: - capabilities: {} image: ' ' imagePullPolicy: IfNotPresent readinessProbe: exec: command: - /usr/bin/pgrep - minio initialDelaySeconds: 5 timeoutSeconds: 1 livenessProbe: httpGet: path: /minio/login port: 9000 initialDelaySeconds: 15 timeoutSeconds: 10 name: cnt-minio ports: - containerPort: 9000 name: http protocol: TCP env: - name: MINIO_ACCESS_KEY value: ${MINIO_ACCESS_KEY} - name: MINIO_SECRET_KEY value: ${MINIO_SECRET_KEY} command: - /bin/sh - '-c' - >- /bin/mkdir -p /export/bkt-gitlab-runner; /usr/bin/minio server /export --config-dir /tmp resources: limits: cpu: 100m memory: 100Mi requests: cpu: 100m memory: 100Mi securityContext: capabilities: {} privileged: false terminationMessagePath: /dev/termination-log volumeMounts: - name: vol-minio-data-store mountPath: /export serviceAccountName: sa-minio dnsPolicy: ClusterFirst restartPolicy: Always volumes: - name: vol-minio-data-store emptyDir: {} triggers: - imageChangeParams: automatic: true containerNames: - cnt-minio from: kind: ImageStreamTag name: is-minio:minio_pseudo_tag lastTriggeredImage: "" type: ImageChange - type: ConfigChange status: {} parameters: - description: The GitLab CI coordinator URL (e.g. https://gitlab.com/). displayName: GitLab CI URL name: GITLAB_RUNNER_CI_URL required: true value: https://gitlab.com/ci - description: The runner token, it's not the one from Runners page. Please run 'gitlab-runner register' locally and then get real token from /etc/gitlab-runner/config.toml. displayName: GitLab Runner Token (It is not the one from Runners page, but the one from config.toml) name: GITLAB_RUNNER_TOKEN required: true - description: "The namespace/project where actual runners will run (requires correct scc/role config). Use current project name if unsure. " displayName: GitLab Runners Namespace name: GITLAB_RUNNER_NAMESPACE required: true - description: The count of jobs can be run concurrently. displayName: GitLab Runner jobs name: GITLAB_RUNNER_JOBS required: true value: "2" - description: Maximum amount of memory the container can use. displayName: Memory Limit name: MEMORY_LIMIT value: 512Mi - description: The name of the OpenShift Service exposed for the GitLab Runner. displayName: GitLab Runner Service Name name: GITLAB_RUNNER_SERVICE_NAME required: true value: gitlab-runner-service - description: Tag of GitLab Runner image (alpine or latest). Check https://hub.docker.com/r/peerapach/gitlab-runner/tags/ for list of supported values displayName: GitLab Runner Image Tag at Docker Hub name: GITLAB_RUNNER_IMAGE_DOCKER_TAG value: "latest" - description: The name of the OpenShift Service exposed for the Minio Cloud Storage. displayName: Minio Cloud Storage Service Name name: MINIO_SERVICE_NAME required: true value: minio-service - description: Tag of Minio Cloud Storage image (latest or edge). Check https://hub.docker.com/r/minio/minio/tags/ for list of supported values displayName: Minio Cloud Storage Image Tag at Docker Hub name: MINIO_IMAGE_DOCKER_TAG value: "latest" - description: Custom username or access key of 5 to 20 characters in length. displayName: Minio Cloud Storage Access Key name: MINIO_ACCESS_KEY from: '[a-zA-Z0-9]{20}' generate: expression - description: Custom password or secret key of 8 to 40 characters in length. displayName: Minio Cloud Storage Secret Key name: MINIO_SECRET_KEY from: '[a-zA-Z0-9]{40}' generate: expression