[Infrastructure as Code (IaC) Pulumi] Use Pulumi kubernetes (K8S) Helm Chart to deploy GitLabRunner

GitLab Runner

GitLab Runner is an application that works with GitLab CI/CD to run jobs in a pipeline.

This article is about how to use Pulumi, kubernetes (K8S) provider, Helm Chart and TypeScript SDK to deploy GitLab Runner within Kubernetes (K8S).

Prerequisites

• Kubernetes (K8S)

  Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications.

  See Getting started | Kubernetes - https://kubernetes.io/docs/setup/ to leanr more.

• Pulumi - Modern Infrastructure as Code - https://www.pulumi.com/

  Pulumi is a modern infrastructure-as-code platform that allows you to use common programming languages, tools, and frameworks, to provision, update, and manage cloud infrastructure resources.

  Install the Pulumi - https://www.pulumi.com/ CLI.

  # Mac OS X
  $ brew install pulumi

  See Download and Install | Pulumi - https://www.pulumi.com/docs/get-started/install/ to learn more about others OS.

• Node.js - https://nodejs.org/en/

  Node.js® is a JavaScript runtime built on Chrome’s V8 JavaScript engine.

  Install Node.js - https://nodejs.org/en/ CLI.

  # Mac OS X
  $ brew install node

  See Node.js - https://nodejs.org/en/ to learn more about others OS.

• [Iterate faster, innovate together | GitLab - https://about.gitlab.com/]

  Your GitLab server’s API is reachable from the cluster.

  Before registering a runner, you need to first:

  Install it on a server separate than where GitLab is installed

  Obtain a token:

  • For a shared runner, have an administrator go to the GitLab Admin Area and click Overview > Runners

  • For a group runner, go to Settings > CI/CD and expand the Runners section

  • For a project-specific runner, go to Settings > CI/CD and expand the Runners section

Usage

Pulumi New

Create the workspace directory.

$ mkdir -p col-example-pulumi-typescript-gitlab-runner

$ cd col-example-pulumi-typescript-gitlab-runner

Pulumi login into local file system.

$ pulumi login file://.
Logged in to cloudolife as cloudolife (file://.)
or visit https://pulumi.com/docs/reference/install/ for manual instructions and release notes.

Pulumi new a project with kubernetes-typescript SDK.

$ pulumi new kubernetes-typescript

The above command will create some files within the current directory.

tree . -L 1
.
├── node_modules/
├── package.json
├── package.json.lock
├── Pulumi.dev.yaml
├── Pulumi.yaml
└── main.ts

Install js-yaml package to load and parse yaml file.

$ npm i js-yaml

Pulumi Configuration

Configure Kubernetes

By default, Pulumi will look for a kubeconfig file in the following locations, just like kubectl:

• The environment variable: $KUBECONFIG,

• Or in current user’s default kubeconfig directory: ~/.kube/config

If the kubeconfig file is not in either of these locations, Pulumi will not find it, and it will fail to authenticate against the cluster. Set one of these locations to a valid kubeconfig file, if you have not done so already.

Configure Values.yaml

Edit values.yaml and replace content within {{ }}.

# values.yaml · master · GitLab.org / charts / GitLab Runner · GitLab
# https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/values.yaml

## The GitLab Server URL (with protocol) that want to register the runner against
## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
##
gitlabUrl: {{ .Values.gitlabUrl }}

## The registration token for adding new Runners to the GitLab server. This must
## be retrieved from your GitLab instance.
## ref: https://docs.gitlab.com/ee/ci/runners/
##
runnerRegistrationToken: {{ .Values.runnerRegistrationToken }}

## For RBAC support:
rbac:
  create: true

  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs
  ## cluster-wide or only within namespace
  clusterWideAccess: true

  ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create)
  ##
  serviceAccountName: gitlab-runner-gitlab-runner

  rules:
    - apiGroups: [""] #"" indicates the core API group
      resources: ["*"]
      verbs: ["*"]
    - apiGroups: ["networking.k8s.io"]
      resources: ["ingresses"]
      verbs: ["*"]
    - apiGroups: ["apps"]
      resources: ["deployments"]
      verbs: ["*"]

## Configuration for the Pods that the runner launches for each new job
##
runners:
  # runner configuration, where the multi line strings is evaluated as
  # template so you can specify helm values inside of it.
  #
  # tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
  # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"

      ## Specify the name for the runner.
      ##
      name = "{{ .Values.runer.name }}"

  # Specify whether the runner should be locked to a specific project: true, false. Defaults to true.
  #
  locked: false

  # Specify the tags associated with the runner. Comma-separated list of tags.
  #
  # ref: https://docs.gitlab.com/ce/ci/runners/#use-tags-to-limit-the-number-of-jobs-using-the-runner
  #
  tags: ""

  # Specify the name for the runner.
  #
  name: {{ .Values.runer.name }}

  # Specify if jobs without tags should be run.
  # If not specified, Runner will default to true if no tags were specified. In other case it will
  # default to false.
  #
  # ref: https://docs.gitlab.com/ce/ci/runners/#runner-is-allowed-to-run-untagged-jobs
  #
  runUntagged: false

  # Specify whether the runner should only run protected branches.
  # Defaults to False.
  #
  # ref: https://docs.gitlab.com/ee/ci/runners/#prevent-runners-from-revealing-sensitive-information
  #
  protected: false

  # Service Account to be used for runners
  #
  serviceAccountName: gitlab-runner-gitlab-runner

See and modify main.ts file.

// main.ts

import * as pulumi from "@pulumi/pulumi";

import * as k8s from "@pulumi/kubernetes";

const yaml = require('js-yaml');
const fs   = require('fs');

const nameGitLabRunner = "gitlab-runner"

// kubernetes.core/v1.Namespace | Pulumi
// https://www.pulumi.com/docs/reference/pkg/kubernetes/core/v1/namespace/
const namespaceGitLabRunner = new k8s.core.v1.Namespace(nameGitLabRunner, {
    metadata: {
        name: nameGitLabRunner,
    },
})

const values = yaml.safeLoad(fs.readFileSync("./values.yaml", 'utf8'))

const charNameGitLabRunner = "gitlab-runner"

// kubernetes.helm.sh/v3.Chart | Pulumi
// https://www.pulumi.com/docs/reference/pkg/kubernetes/helm/v3/chart/

// GitLab Runner Helm Chart | GitLab
// https://docs.gitlab.com/runner/install/kubernetes.html
const charGitLabRunner = new k8s.helm.v3.Chart(charNameGitLabRunner, {
    chart: charNameGitLabRunner,
    version: "0.33.1",
    fetchOpts:{
        repo: "https://charts.gitlab.io",
    },
    namespace: namespaceGitLabRunner.metadata.name,
    values: values,
});

Pulumi Up

Run pulumi up to create the namespace and pods.

$ pulumi up

See pods about gitlab-runner.

$ kubectl get pods -n gitlab-runner
NAME                                           READY   STATUS    RESTARTS   AGE
gitlab-runner-gitlab-runner-864d89d666-9h8fq   1/1     Running   0          43h

Pulumi Destroy

Destroy all resources created by Pulumi.

$ pulumi destroy

FAQs

“system:serviceaccount:gitlab-runner:default” cannot get resource “deployments” in API group “apps” in the namespace “gitlab-runner”

Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "nginx-deployment", Namespace: "gitlab-runner"
from server for: "nginx.yaml": deployments.apps "nginx-deployment" is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot get resource "deployments" in API group "apps" in the namespace "gitlab-runner"

Use ServiceAccount gitlab-runner-gitlab-runner to solve that issue.

# values.yaml · master · GitLab.org / charts / GitLab Runner · GitLab
# https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/values.yaml

# ...

## For RBAC support:
rbac:

  ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create)
  ##
+  serviceAccountName: gitlab-runner-gitlab-runner

+  rules:
+    - apiGroups: [""] #"" indicates the core API group
+      resources: ["*"]
+      verbs: ["*"]
+    - apiGroups: ["networking.k8s.io"]
+      resources: ["ingresses"]
+      verbs: ["*"]
+    - apiGroups: ["apps"]
+      resources: ["deployments"]
+      verbs: ["*"]

## Configuration for the Pods that the runner launches for each new job
##
runners:

  # Service Account to be used for runners
  #
+  serviceAccountName: gitlab-runner-gitlab-runner

# ...

References

[1] GitLab Runner Helm Chart | GitLab - https://docs.gitlab.com/runner/install/kubernetes.html

[2] Files · main · GitLab.org / charts / GitLab Runner · GitLab - https://gitlab.com/gitlab-org/charts/gitlab-runner/-/tree/main

[3] values.yaml · main · GitLab.org / charts / GitLab Runner · GitLab - https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/main/values.yaml

[4] GitLab Runner | GitLab - https://docs.gitlab.com/runner/

[5] Kubernetes Getting Started | Pulumi - https://www.pulumi.com/docs/get-started/kubernetes/

[6] Pulumi - Modern Infrastructure as Code - https://www.pulumi.com/

[7] Kubernetes - https://kubernetes.io/

[8] TypeScript: Typed JavaScript at Any Scale. - https://www.typescriptlang.org/

[9] Helm - https://helm.sh/