
yyvf22 pushed to branch main at Root / Kubernetes / FluxCD Commits: dd9a7fd2 by yyvf at 2025-08-04T15:20:26-03:00 refactor(fluxcd): move gitlab-runner to infrastructure - - - - - 8 changed files: - apps/stage/kustomization.yaml - + infrastructure/base/gitlab-runner/es.yaml - + infrastructure/base/gitlab-runner/helmrelease.yaml - + infrastructure/base/gitlab-runner/helmrepo.yaml - + infrastructure/base/gitlab-runner/kustomization.yaml - + infrastructure/base/gitlab-runner/ns.yaml - + infrastructure/base/gitlab-runner/pvc.yaml - infrastructure/stage/kustomization.yaml Changes:
===================================== apps/stage/kustomization.yaml =====================================
@@ -5,7 +5,6 @@ resources:
 # Apps
 - ../base/ademir
 - ../base/codimd
- - ../base/gitlab-runner
 - ../base/harbor
 - ../base/keycloak
 - ../base/matrix
===================================== infrastructure/base/gitlab-runner/es.yaml =====================================
@@ -0,0 +1,25 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: gitlab-runner
+ namespace: gitlab-runner
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: openbao
+ kind: ClusterSecretStore
+ target:
+ name: gitlab-runner
+ data:
+ - secretKey: tokenUnprivileged
+ remoteRef:
+ key: gitlab-runner
+ property: tokenUnprivileged
+ - secretKey: tokenPrivilegedRoot
+ remoteRef:
+ key: gitlab-runner
+ property: tokenPrivilegedRoot
+ - secretKey: tokenPrivilegedC3SL
+ remoteRef:
+ key: gitlab-runner
+ property: tokenPrivilegedC3SL
===================================== infrastructure/base/gitlab-runner/helmrelease.yaml =====================================
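Review bot: `refreshInterval: "15s"` has external-secrets re-read the `gitlab-runner` key from the `openbao` ClusterSecretStore every 15 seconds for three runner registration tokens that, as far as this commit shows, only change when a runner is re-registered; that is constant polling of the secret backend with nothing to gain. Something like `refreshInterval: "1h"` is usually sufficient, and a rotation can still be pushed immediately by re-annotating the ExternalSecret with `force-sync`. A one-line comment above `data:` saying that each `secretKey` is consumed by a HelmRelease `valuesFrom` entry in helmrelease.yaml would make the coupling visible to whoever renames a key.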
@@ -0,0 +1,195 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: unprivileged
+ namespace: gitlab-runner
+spec:
+ interval: 1m
+ chart:
+ spec:
+ chart: gitlab-runner
+ sourceRef:
+ kind: HelmRepository
+ name: gitlab-runner
+ values:
+ replicas: 1
+ gitlabUrl: https://gitlab.c3sl.ufpr.br
+ rbac:
+ create: true
+ serviceAccount:
+ create: true
+ runners:
+ executor: kubernetes
+ config: |
+ [[runners]]
+ shell = "bash"
+ environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
+ [runners.kubernetes]
+ image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"
+ ephemeral_storage_limit = "5Gi"
+ helper_ephemeral_storage_limit = "5Gi"
+ service_ephemeral_storage_limit = "5Gi"
+ [[runners.kubernetes.volumes.pvc]]
+ name = "unprivileged-gitlab-runner-cache"
+ mount_path = "/cache"
+ [[runners.kubernetes.pod_spec]]
+ name = "ephemeral-pvc"
+ patch = '''
+ containers:
+ - name: build
+ volumeMounts:
+ - name: builds
+ mountPath: /builds
+ - name: helper
+ volumeMounts:
+ - name: builds
+ mountPath: /builds
+ volumes:
+ - name: builds
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: csi-rbd-sc
+ accessModes: [ ReadWriteOnce ]
+ resources:
+ requests:
+ storage: 5Gi
+ '''
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ privileged: false
+ valuesFrom:
+ - kind: Secret
+ name: gitlab-runner
+ valuesKey: tokenUnprivileged
+ targetPath: runnerToken
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: privileged-root
+ namespace: gitlab-runner
+spec:
+ interval: 1m
+ chart:
+ spec:
+ chart: gitlab-runner
+ sourceRef:
+ kind: HelmRepository
+ name: gitlab-runner
+ values:
+ replicas: 1
+ gitlabUrl: https://gitlab.c3sl.ufpr.br
+ rbac:
+ create: true
+ serviceAccount:
+ create: true
+ runners:
+ executor: kubernetes
+ config: |
+ [[runners]]
+ shell = "bash"
+ environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
+ [runners.kubernetes]
+ privileged = true
+ image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"
+ ephemeral_storage_limit = "5Gi"
+ helper_ephemeral_storage_limit = "5Gi"
+ service_ephemeral_storage_limit = "5Gi"
+ [[runners.kubernetes.volumes.pvc]]
+ name = "privileged-root-gitlab-runner-cache"
+ mount_path = "/cache"
+ [[runners.kubernetes.pod_spec]]
+ name = "ephemeral-pvc"
+ patch = '''
+ containers:
+ - name: build
+ volumeMounts:
+ - name: builds
+ mountPath: /builds
+ - name: helper
+ volumeMounts:
+ - name: builds
+ mountPath: /builds
+ volumes:
+ - name: builds
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: csi-rbd-sc
+ accessModes: [ ReadWriteOnce ]
+ resources:
+ requests:
+ storage: 5Gi
+ '''
+ valuesFrom:
+ - kind: Secret
+ name: gitlab-runner
+ valuesKey: tokenPrivilegedRoot
+ targetPath: runnerToken
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: privileged-c3sl
+ namespace: gitlab-runner
+spec:
+ interval: 1m
+ chart:
+ spec:
+ chart: gitlab-runner
+ sourceRef:
+ kind: HelmRepository
+ name: gitlab-runner
+ values:
+ replicas: 1
+ gitlabUrl: https://gitlab.c3sl.ufpr.br
+ rbac:
+ create: true
+ serviceAccount:
+ create: true
+ runners:
+ executor: kubernetes
+ config: |
+ [[runners]]
+ shell = "bash"
+ environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
+ [runners.kubernetes]
+ privileged = true
+ image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"
+ ephemeral_storage_limit = "5Gi"
+ helper_ephemeral_storage_limit = "5Gi"
+ service_ephemeral_storage_limit = "5Gi"
+ [[runners.kubernetes.volumes.pvc]]
+ name = "privileged-c3sl-gitlab-runner-cache"
+ mount_path = "/cache"
+ [[runners.kubernetes.pod_spec]]
+ name = "ephemeral-pvc"
+ patch = '''
+ containers:
+ - name: build
+ volumeMounts:
+ - name: builds
+ mountPath: /builds
+ - name: helper
+ volumeMounts:
+ - name: builds
+ mountPath: /builds
+ volumes:
+ - name: builds
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: csi-rbd-sc
+ accessModes: [ ReadWriteOnce ]
+ resources:
+ requests:
+ storage: 5Gi
+ '''
+ valuesFrom:
+ - kind: Secret
+ name: gitlab-runner
+ valuesKey: tokenPrivilegedC3SL
+ targetPath: runnerToken
===================================== infrastructure/base/gitlab-runner/helmrepo.yaml =====================================
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: gitlab-runner
+ namespace: gitlab-runner
+spec:
+ interval: 1m0s
+ url: https://charts.gitlab.io
===================================== infrastructure/base/gitlab-runner/kustomization.yaml =====================================
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - helmrepo.yaml
+ - helmrelease.yaml
+ - es.yaml
+ - pvc.yaml
===================================== infrastructure/base/gitlab-runner/ns.yaml =====================================
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: gitlab-runner
===================================== infrastructure/base/gitlab-runner/pvc.yaml =====================================
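Review bot: All three releases set `image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"` under `[runners.kubernetes]`, so every job runs whatever the mutable `latest` tag resolves to at pull time and a rebuilt or tampered image is picked up with no change in this repository; pin an immutable reference such as `image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:<tag>@sha256:<digest>"` and bump it deliberately. The `securityContext` block in the `unprivileged` release is the chart value for the runner manager container, not for job pods, and its four keys appear to restate the chart defaults; if the intent is to harden builds, the equivalent settings belong in `config` under `[runners.kubernetes.pod_security_context]` and `[runners.kubernetes.build_container_security_context]`. Nothing in the hunk constrains what the two `privileged = true` runners execute (no `allowed_images`, no `node_selector`/tolerations onto a dedicated node pool), so whether a job on `privileged-root` or `privileged-c3sl` can reach the node depends entirely on GitLab-side runner scoping that is not visible here — a comment above each privileged release naming the projects or groups it is registered for would record that decision. `apiVersion: helm.toolkit.fluxcd.io/v2beta1` is deprecated while helmrepo.yaml in the same commit already uses `source.toolkit.fluxcd.io/v1`; `helm.toolkit.fluxcd.io/v2` is the GA version if the helm-controller in this cluster supports it.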
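Review bot: `pod-security.kubernetes.io/enforce: privileged` on the `gitlab-runner` namespace switches Pod Security Admission off for every pod in it, and since the HelmReleases in this commit set no `namespace` under `[runners.kubernetes]`, that presumably includes the job pods of the `unprivileged` runner, which then gains nothing from the admission layer. If the unprivileged runner is meant to be the safe default, give it its own namespace with `pod-security.kubernetes.io/enforce: baseline` and keep only the two privileged releases here. At minimum add `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` beside the enforce label so the API server still records which job pods would violate the baseline profile.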
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: privileged-root-gitlab-runner-cache
+ namespace: gitlab-runner
+ labels:
+ app: gitlab-runner
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: privileged-c3sl-gitlab-runner-cache
+ namespace: gitlab-runner
+ labels:
+ app: gitlab-runner
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: unprivileged-gitlab-runner-cache
+ namespace: gitlab-runner
+ labels:
+ app: gitlab-runner
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
===================================== infrastructure/stage/kustomization.yaml =====================================
@@ -2,8 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base/cilium
+ - ./ippool.yaml
 - ../base/ceph-csi
 - ../base/cert-manager
 - ../base/external-secrets
+ - ../base/gitlab-runner
 - ../base/etcd-backup
- - ./ippool.yaml
View it on GitLab: https://gitlab.c3sl.ufpr.br/root/k8s/fluxcd/-/commit/dd9a7fd214ab3377eb2688f... -- View it on GitLab: https://gitlab.c3sl.ufpr.br/root/k8s/fluxcd/-/commit/dd9a7fd214ab3377eb2688f... You're receiving this email because of your account on gitlab.c3sl.ufpr.br.
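Review bot: Each of the three PVCs is `ReadWriteOnce` yet helmrelease.yaml mounts it at `/cache` in every job pod of the corresponding runner, and the gitlab-runner chart runs more than one job per runner by default; with an RWO block volume, two job pods landing on different nodes cannot both attach it, so jobs will queue or fail with multi-attach errors unless `concurrent` is pinned to 1 somewhere outside this commit. Either use a `ReadWriteMany` class for the cache or switch to the runner's distributed cache, which also avoids the second problem: one volume mounted read-write into every build container is shared state between all projects using that runner, so a job can alter the cache contents the next job of another project will restore — especially relevant for the two privileged runners. These claims also set no `storageClassName` while the ephemeral `/builds` volumes in helmrelease.yaml explicitly request `csi-rbd-sc`; add `storageClassName: csi-rbd-sc` (or whichever class is intended) so the cache does not silently depend on the cluster default.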