GitLab

yyvf22 pushed to branch main at Root / Kubernetes / FluxCD

Commits:

dd9a7fd2

by yyvf at 2025-08-04T15:20:26-03:00

refactor(fluxcd): move gitlab-runner to infrastructure

8 changed files:

apps/stage/kustomization.yaml
+ infrastructure/base/gitlab-runner/es.yaml
+ infrastructure/base/gitlab-runner/helmrelease.yaml
+ infrastructure/base/gitlab-runner/helmrepo.yaml
+ infrastructure/base/gitlab-runner/kustomization.yaml
+ infrastructure/base/gitlab-runner/ns.yaml
+ infrastructure/base/gitlab-runner/pvc.yaml
infrastructure/stage/kustomization.yaml

Changes:

apps/stage/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
    # Apps
    - ../base/ademir
    - ../base/codimd
 -  - ../base/gitlab-runner
    - ../base/harbor
    - ../base/keycloak
    - ../base/matrix

infrastructure/base/gitlab-runner/es.yaml

 +apiVersion: external-secrets.io/v1
 +kind: ExternalSecret
 +metadata:
 +  name: gitlab-runner
 +  namespace: gitlab-runner
 +spec:
 +  refreshInterval: "15s"
 +  secretStoreRef:
 +    name: openbao
 +    kind: ClusterSecretStore
 +  target:
 +    name: gitlab-runner
 +  data:
 +    - secretKey: tokenUnprivileged
 +      remoteRef:
 +        key: gitlab-runner
 +        property: tokenUnprivileged
 +    - secretKey: tokenPrivilegedRoot
 +      remoteRef:
 +        key: gitlab-runner
 +        property: tokenPrivilegedRoot
 +    - secretKey: tokenPrivilegedC3SL
 +      remoteRef:
 +        key: gitlab-runner
 +        property: tokenPrivilegedC3SL

infrastructure/base/gitlab-runner/helmrelease.yaml

 +apiVersion: helm.toolkit.fluxcd.io/v2beta1
 +kind: HelmRelease
 +metadata:
 +  name: unprivileged
 +  namespace: gitlab-runner
 +spec:
 +  interval: 1m
 +  chart:
 +    spec:
 +      chart: gitlab-runner
 +      sourceRef:
 +        kind: HelmRepository
 +        name: gitlab-runner
 +  values:
 +    replicas: 1
 +    gitlabUrl: https://gitlab.c3sl.ufpr.br
 +    rbac:
 +      create: true
 +    serviceAccount:
 +      create: true
 +    runners:
 +      executor: kubernetes
 +      config: |
 +        [[runners]]
 +          shell = "bash"
 +          environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
 +          [runners.kubernetes]
 +            image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"
 +            ephemeral_storage_limit = "5Gi"
 +            helper_ephemeral_storage_limit = "5Gi"
 +            service_ephemeral_storage_limit = "5Gi"
 +          [[runners.kubernetes.volumes.pvc]]
 +            name = "unprivileged-gitlab-runner-cache"
 +            mount_path = "/cache"
 +          [[runners.kubernetes.pod_spec]]
 +            name = "ephemeral-pvc"
 +            patch = '''
 +              containers:
 +              - name: build
 +                volumeMounts:
 +                - name: builds
 +                  mountPath: /builds
 +              - name: helper
 +                volumeMounts:
 +                - name: builds
 +                  mountPath: /builds
 +              volumes:
 +              - name: builds
 +                ephemeral:
 +                  volumeClaimTemplate:
 +                    spec:
 +                      storageClassName: csi-rbd-sc
 +                      accessModes: [ ReadWriteOnce ]
 +                      resources:
 +                        requests:
 +                          storage: 5Gi
 +            '''
 +    securityContext:
 +      allowPrivilegeEscalation: false
 +      readOnlyRootFilesystem: false
 +      runAsNonRoot: true
 +      privileged: false
 +  valuesFrom:
 +    - kind: Secret
 +      name: gitlab-runner
 +      valuesKey: tokenUnprivileged
 +      targetPath: runnerToken
 +---
 +apiVersion: helm.toolkit.fluxcd.io/v2beta1
 +kind: HelmRelease
 +metadata:
 +  name: privileged-root
 +  namespace: gitlab-runner
 +spec:
 +  interval: 1m
 +  chart:
 +    spec:
 +      chart: gitlab-runner
 +      sourceRef:
 +        kind: HelmRepository
 +        name: gitlab-runner
 +  values:
 +    replicas: 1
 +    gitlabUrl: https://gitlab.c3sl.ufpr.br
 +    rbac:
 +      create: true
 +    serviceAccount:
 +      create: true
 +    runners:
 +      executor: kubernetes
 +      config: |
 +        [[runners]]
 +          shell = "bash"
 +          environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
 +          [runners.kubernetes]
 +            privileged = true
 +            image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"
 +            ephemeral_storage_limit = "5Gi"
 +            helper_ephemeral_storage_limit = "5Gi"
 +            service_ephemeral_storage_limit = "5Gi"
 +          [[runners.kubernetes.volumes.pvc]]
 +            name = "privileged-root-gitlab-runner-cache"
 +            mount_path = "/cache"
 +          [[runners.kubernetes.pod_spec]]
 +            name = "ephemeral-pvc"
 +            patch = '''
 +              containers:
 +              - name: build
 +                volumeMounts:
 +                - name: builds
 +                  mountPath: /builds
 +              - name: helper
 +                volumeMounts:
 +                - name: builds
 +                  mountPath: /builds
 +              volumes:
 +              - name: builds
 +                ephemeral:
 +                  volumeClaimTemplate:
 +                    spec:
 +                      storageClassName: csi-rbd-sc
 +                      accessModes: [ ReadWriteOnce ]
 +                      resources:
 +                        requests:
 +                          storage: 5Gi
 +            '''
 +  valuesFrom:
 +    - kind: Secret
 +      name: gitlab-runner
 +      valuesKey: tokenPrivilegedRoot
 +      targetPath: runnerToken
 +---
 +apiVersion: helm.toolkit.fluxcd.io/v2beta1
 +kind: HelmRelease
 +metadata:
 +  name: privileged-c3sl
 +  namespace: gitlab-runner
 +spec:
 +  interval: 1m
 +  chart:
 +    spec:
 +      chart: gitlab-runner
 +      sourceRef:
 +        kind: HelmRepository
 +        name: gitlab-runner
 +  values:
 +    replicas: 1
 +    gitlabUrl: https://gitlab.c3sl.ufpr.br
 +    rbac:
 +      create: true
 +    serviceAccount:
 +      create: true
 +    runners:
 +      executor: kubernetes
 +      config: |
 +        [[runners]]
 +          shell = "bash"
 +          environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
 +          [runners.kubernetes]
 +            privileged = true
 +            image = "harbor.c3sl.ufpr.br/root/gitlab-runner-base:latest"
 +            ephemeral_storage_limit = "5Gi"
 +            helper_ephemeral_storage_limit = "5Gi"
 +            service_ephemeral_storage_limit = "5Gi"
 +          [[runners.kubernetes.volumes.pvc]]
 +            name = "privileged-c3sl-gitlab-runner-cache"
 +            mount_path = "/cache"
 +          [[runners.kubernetes.pod_spec]]
 +            name = "ephemeral-pvc"
 +            patch = '''
 +              containers:
 +              - name: build
 +                volumeMounts:
 +                - name: builds
 +                  mountPath: /builds
 +              - name: helper
 +                volumeMounts:
 +                - name: builds
 +                  mountPath: /builds
 +              volumes:
 +              - name: builds
 +                ephemeral:
 +                  volumeClaimTemplate:
 +                    spec:
 +                      storageClassName: csi-rbd-sc
 +                      accessModes: [ ReadWriteOnce ]
 +                      resources:
 +                        requests:
 +                          storage: 5Gi
 +            '''
 +  valuesFrom:
 +    - kind: Secret
 +      name: gitlab-runner
 +      valuesKey: tokenPrivilegedC3SL
 +      targetPath: runnerToken

infrastructure/base/gitlab-runner/helmrepo.yaml

 +apiVersion: source.toolkit.fluxcd.io/v1
 +kind: HelmRepository
 +metadata:
 +  name: gitlab-runner
 +  namespace: gitlab-runner
 +spec:
 +  interval: 1m0s
 +  url: https://charts.gitlab.io

infrastructure/base/gitlab-runner/kustomization.yaml

 +apiVersion: kustomize.config.k8s.io/v1beta1
 +kind: Kustomization
 +resources:
 +  - ns.yaml
 +  - helmrepo.yaml
 +  - helmrelease.yaml
 +  - es.yaml
 +  - pvc.yaml

infrastructure/base/gitlab-runner/ns.yaml

 +apiVersion: v1
 +kind: Namespace
 +metadata:
 +  labels:
 +    pod-security.kubernetes.io/enforce: privileged
 +  name: gitlab-runner

infrastructure/base/gitlab-runner/pvc.yaml

 +apiVersion: v1
 +kind: PersistentVolumeClaim
 +metadata:
 +  name: privileged-root-gitlab-runner-cache
 +  namespace: gitlab-runner
 +  labels:
 +    app: gitlab-runner
 +spec:
 +  accessModes:
 +    - ReadWriteOnce
 +  resources:
 +    requests:
 +      storage: 20Gi
 +---
 +apiVersion: v1
 +kind: PersistentVolumeClaim
 +metadata:
 +  name: privileged-c3sl-gitlab-runner-cache
 +  namespace: gitlab-runner
 +  labels:
 +    app: gitlab-runner
 +spec:
 +  accessModes:
 +    - ReadWriteOnce
 +  resources:
 +    requests:
 +      storage: 20Gi
 +---
 +apiVersion: v1
 +kind: PersistentVolumeClaim
 +metadata:
 +  name: unprivileged-gitlab-runner-cache
 +  namespace: gitlab-runner
 +  labels:
 +    app: gitlab-runner
 +spec:
 +  accessModes:
 +    - ReadWriteOnce
 +  resources:
 +    requests:
 +      storage: 20Gi

infrastructure/stage/kustomization.yaml

@@ -2,8 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
  kind: Kustomization
  resources:
    - ../base/cilium
 +  - ./ippool.yaml
    - ../base/ceph-csi
    - ../base/cert-manager
    - ../base/external-secrets
 +  - ../base/gitlab-runner
    - ../base/etcd-backup
 -  - ./ippool.yaml